Mac OS X includes a GREAT firewall, “ipfw”, the standard, battle-proven UNIX firewall.
A great many Mac users are connected to the web without their firewall turned on, yet successful attacks against the Mac are rare. That’s because Apple’s security model isn’t based on the firewall, and for good reason. Firewalls limit access to all, not just intruders, and there has to be a better way. It turns out that there are better ways. User level permissions, sandboxing applications, and memory randomization are just a few things that work better than a firewall because they stop the bad guys while letting legitimate users and applications function.
Firewalls have been around a long time, and if they worked well, these other security measures wouldn’t have been developed. People generally don’t spend time and money developing things that aren’t needed. If they do, they aren’t able to sell them!
Humm...I don’t want to start a battle here, but true security takes many forms at many levels. No system is 100% secure, and physical security is the end around for all. You are correct that a great many Mac users use the web with the FW off. Today, with no wild exploits, they are safe! It’s like leaving the door to your house open when your area has no burglars. This might be fine for a period of time, but once the bad guys find out people in your neighborhood leave their doors open they could come calling! Would anyone really do that? Would you leave your front door open just because your area has never had a break-in?
Now, on to your second set of points. You are also correct that there are other things to help keep us safe. You listed “user level permissions, sandboxing applications, and memory randomization”. This is like setting up an alarm, and putting your money in a safe (user permissions) inside your locked house. First someone has to break in, then they have to find the safe that you keep moving (aka memory randomization), then they have to break into that safe. It makes for an effort only the most dedicated thief will undertake. A thief like that probably won’t be too anxious to even make the effort given there are more valuable things to go after with less security, aka Windows.
The totality of the measures and the design of OS X make it difficult to exploit and thus far it has enjoyed a great security record. I fear however that if people start leaving their door open (forgetting for a moment the NAT equation) then it will happen and not because the design of the OS is flawed but because users are flawed in their use of it.
As for your last point...firewalls do work well, and I have no idea where you could think otherwise. A properly configured firewall should have no impact on the user or what the user does. In fact they are so important that, rather than leaving it to chance, all the major OSes include one by default. Again, it’s like saying that homes don’t need locked doors since they all have them and you don’t see anyone dropping over to your house offering to sell you a door that locks, right?
My point is TODAY we are fortunate to have an OS that for many reasons has thus far seen few if any real exploits. If we want that trend to continue we all have to do our part, from firewalls to not just opening anything that comes our way etc. (aka, stay off porn sites!). Apple is doing their part, with the exception I think of this little bump, but nonetheless security IS important and firewalls ARE an important part of that effort.
Please say it isn’t so!!! Not another subscriber to the security by obscurity myth! You do know that the iPod has sold well over 110 million units, yet the only iPods to have malware at all are the fewer than 1 thousand that have had Linux installed on them, right?
A firewall is not comparable to locking your front door. Locking your front door is comparable to requiring a password to access a service, and it is a good idea. A firewall is more like building a wall around your house or business and stationing a guard at the one entrance. Get past the guard and you still need a key (password) to the front door. The guard is poorly trained and not very knowledgeable about what goes on in your home or business, so he stops everyone that doesn’t have special permission to enter. For a large company, this can be acceptable even though it is not ideal, since visits by salesmen and contractors need to be controlled. For a small business or a home user, the guard creates too much overhead. Too much time is spent instructing the guard to let this person in, or keep that person out. For homeowners and small businesses, both of which vastly outnumber large businesses both in sheer quantity and in productivity, neither a guard shack nor a firewall is an efficient use of resources.
Edit: I know I’m being argumentative here, but I’d really like it if someone could clearly show that I’m wrong! Unfortunately, it seems that firewalls mainly create a false sense of security while creating a hassle for legitimate users trying to access a network.
My premise assumes that the resources needed to create a firewall are time and money. I believe that time and money could be better spent securing the services that use ports to communicate with the network.
This may be the weakest premise for an argument since WMDs as the reason to invade Iraq.
A firewall, whether software or hardware, is merely one element within a network of communications components. What resources are you talking about? It’s as if you think resources are finite and there’s a single team of programmers who can only work on one component at a time. That’s silly.
I think you’re making this more complicated than it needs to be. It doesn’t matter if there are a thousand twenty four, 65 thousand, or 16.7 million ports, the fact is that the OS is, and should be, responsible for each and every one of them. Tacking on an additional layer of software isn’t a good idea. It’s an easy shortcut that has significant long term consequences.
You’re actually the one making the argument more complex than it needs to be. You’re the only person anywhere I’ve read who says the OS should be responsible for the security of each of the 65,000 ports. That’s silly on its face. Yet, you say that tacking on an additional layer of software isn’t a good idea but fail to point out that firewalls do provide additional security, and yet you don’t say why a firewall is not a good idea, except that you don’t like the idea of a firewall.
There’s an old saying-- ‘the road less traveled often is less traveled for a reason.’ There is a reason why firewalls exist, both software and hardware. Firewalls add security capability. Assuming that all security belongs to the OS is a dream totally disconnected from reality.
I’m not saying that there shouldn’t be security. I just think that security should be one of the main jobs of every service that uses a port. As long as programmers know that there is a firewall, there is little urgency to secure their own code. They may not consciously think about the firewall, but they don’t have to in order for it to affect their work.
Obviously, you know little of network security services, otherwise you wouldn’t make such an immature statement. How much more difficult would software programming become if every programmer also had to worry about security TO the operating system. Silly, man. You’re fully on some hefty crack.
I think that Apple has come to the same conclusion I have: secure the OS and you don’t need the firewall or AV software. So far it looks like they’ve done a fairly good job of it.
This is the only point that’s worthy of consideration in your entire flurry of banal arguments. A firewall is NOT necessary for a measure of security. Otherwise, Apple would turn it on as the default in OS X. However, a firewall provides ADDITIONAL security, which is why Apple makes it available in OS X, and why firewalls are the STANDARD throughout the network world. STANDARD.
Your ideas about firewalls are in the daft minority, dude. Sub-Standard. Get over it.
OK, guys. Let’s settle down awhile on this one. We’ll all agree that security is a multi-faceted issue of which firewalls are merely one component, important enough to be there and provide benefit, but not the be-all, end-all of perfect security, right?
Firewalls provide additional security by isolating the system from the outside world. Biology demonstrates over and over that isolation results in less security over time. Just ask the Incas and the Mayas, whose isolation made them highly susceptible to European diseases that eventually brought them down. If you need something closer to Macs, look at Windows, where multiple security holes remain years after their discovery, relying in vain on firewalls and their cousins: AV software, to protect them. Meanwhile, viruses spread through Windows with ease.
Yes, the road less traveled is less traveled for a reason, and that reason is that the commonly used road is easier on the driver, not necessarily on the vehicle. Firewalls are easier on the software developers, not on computer users.
If you’re going to call me names, you really should try to come up with better arguments. Asking Mac users to accept firewalls because they’re STANDARD certainly isn’t a good argument. If we were to do that, we’d use Windows!
Ok...deep breath…
First, I DO NOT subscribe to the Windows fanboy “security by obscurity” myth. I have said MANY times that, if anything, OS X’s security record should make it more of a tempting target, as the first real virus in the wild will be famous. Who cares about a new Windows virus these days? I think you misunderstood my perhaps failed use of an analogy, but enough said there.
Second, all I can say to the arguments here is, I guess 40 years of computer security and thousands of books, millions spent on firewalls of all kinds, but whoa, wait hold on! Some person on the Mac360 site, cwtnospam has a better idea! Throw them out! Don’t need them!
Hey you’re free to leave them off if you’ve made a conscious decision to do so after assessing the risk. But please don’t tell other users they are not needed or ineffective just because you think so and to heck with what any security book will tell you for any platform.
I use a Mac partially for its outstanding security record and the underlying OS architecture that provides that, and if Apple supplies a firewall, when I need to use one, such as when connected directly to a public network, I will. If you don’t, that’s fine too!
Another way to look at it is that after all those years of development, the one computer company that has done much better with security than the majority of companies that follow the industry STANDARD practices, has apparently made the decision that firewalls do not need to be a significant part of their security efforts. Yes, I’m only one guy on the internet, but it surprises me that I appear to be the only one to see that maybe the company with the better track record has thought this through a little better than the ‘me too’ companies that only want to sell a cheap box!
This isn’t about whether or not you or I use a firewall. This is about whether or not Apple should follow the industry with more sophisticated firewalls that IT specialists can spend time configuring, or whether they should think different and come up with a better solution.
Maybe we can focus on the specifics of the issue here and not debate firewalls in general?
Apple has invested a great deal into creating a firewall that is end user friendly. So the question to ask yourself is why, when they had a fine IT-like firewall to begin with, and an area of the OS that no one had an issue with, did they think it important enough to make it easier for people to use? I mean, following your argument, Apple could have just left things as they were and people could keep turning it off in frustration. Instead it would seem Apple thinks a firewall is important too and has worked hard to provide an innovation making it easier for people to keep it on if desired. There is no argument that this is a good thing; the issue people have is that Apple removed the UI to make granular IT-focused options and to manually make any needed settings. There are some of us who think that, while a more friendly firewall is a good thing, the removal of the UI was unfortunate. Because of that, the issues people are finding are not easily worked around manually unless you go to the CL or use a 3rd party tool to access ipfw settings, and THAT IS the issue.
That’s not what people are saying about Leopard, and it’s not what I see when I look at the firewall in Tiger. In Tiger and previous versions, the firewall is hidden away as the second tab in the Sharing preferences pane and it is noted for being inflexible through the GUI. In Leopard (which I don’t have, since I’m planning to get a new machine in the next few months and I do have a few reasons for keeping Classic around on my current setup) it appears to be a bit more sophisticated, but the consensus seems to be that it’s got only minor evolutionary changes. When a company like Apple makes the kinds of advances they’ve made with Leopard and the built-in firewall is relatively unchanged, it’s pretty clear that the focus is not on the firewall.
Application Layer Firewall
Leopard ships with the original BSD IPFW, which was present in earlier releases of Mac OS X, and the new Leopard Application Layer Firewall. Unlike IPFW, which intercepts and filters IP datagrams before the kernel performs significant processing, the Application Layer Firewall operates at the socket layer, bound to individual processes. The Application Layer Firewall can therefore make filtering decisions on a per-application basis. Of the two firewall engines, only the Application Layer Firewall is fully exposed in the Leopard user interface. The new firewall offers less control over individual packet decisions (users can decide to allow or deny connections systemwide or to individual applications, but must use IPFW to set fine-grained TCP/IP header level policies). It also makes several policy exceptions for system processes: neither mDNSResponder nor programs running with superuser privileges are filtered.
When you actually get a copy of Leopard I will look forward to your opinion.
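The description above says that header-level policy on Leopard still has to be set through IPFW from the command line, since the UI only exposes the Application Layer Firewall. The following script is an added example, not code from the thread or from Apple: a minimal stateful ipfw ruleset in the one-command-per-line form that `ipfw <file>` reads, with loopback allowed, outbound connections tracked with keep-state, inbound mDNS (UDP 5353) permitted to mirror the mDNSResponder exception the ALF makes, and everything else inbound denied and logged. The rule numbers, the allow-list and the helper function names are this example's own choices.

```shell
#!/bin/sh
# Added example (not from the thread): a small stateful ipfw ruleset for a
# Leopard-era Mac, loaded from the command line.  Rule numbers and the
# allow-list are this example's own choices, not Apple defaults.

# Print the ruleset in the "ipfw file" form: one command per line, no "ipfw" prefix.
ipfw_ruleset() {
    cat <<'EOF'
add 00100 allow ip from any to any via lo0
add 00110 deny ip from any to 127.0.0.0/8
add 00200 check-state
add 00300 allow tcp from me to any out setup keep-state
add 00310 allow udp from me to any out keep-state
add 00400 allow udp from any to any dst-port 5353 in
add 00500 allow icmp from any to any icmptypes 0,3,8,11
add 60000 deny log tcp from any to any in setup
add 65000 deny log ip from any to any in
EOF
}

# Number of "add" lines in the ruleset; a cheap sanity check before loading.
ipfw_rule_count() {
    ipfw_ruleset | grep -c '^add '
}

# Replace the live ruleset with the one above.  Needs root and an ipfw kernel;
# on any other system it only prints what would be loaded.
ipfw_apply() {
    if command -v ipfw >/dev/null 2>&1 && [ "$(id -u)" -eq 0 ]; then
        sysctl -w net.inet.ip.fw.verbose=1 >/dev/null   # make "log" rules reach the system log
        ipfw -q -f flush                                 # drop existing rules without prompting
        tmp=$(mktemp /tmp/ipfw.XXXXXX) || return 1
        ipfw_ruleset > "$tmp"
        ipfw -q "$tmp"                                   # load the file, one rule per line
        rm -f "$tmp"
        ipfw list                                        # show what is now installed
    else
        echo "ipfw not available or not root; ruleset that would be loaded:" >&2
        ipfw_ruleset
    fi
}

ipfw_apply
```

Rules loaded this way live only in the running kernel and are gone after a reboot, so a machine that depends on them needs the script run again at boot (for instance from a startup item); the ALF policy set in the Leopard UI, by contrast, persists on its own.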
There you have it! IPFW is command line based. There’s nothing about it that makes it “end user friendly.” In fact, I think it’s a safe bet that more than 90% of users will not touch it.
My opinion about the firewall doesn’t matter. What matters is that Apple is clearly focusing the bulk of their security efforts in other areas. I wouldn’t bet against them.