Two Cents More™

I heard this from a friend of a friend who works at Apple here in NY doing support, so I cannot vouch for accuracy. What he said was, the IPFW in Mac OS X is still there in Leopard, just as it was in Tiger. Access comes from the CL or via a 3rd party application. What Apple has in place of IPFW is a proprietary ‘Application Firewall’ in Leopard.

Apple’s documents on AF can be found Here. MacUser has a few more details on the AF which can be found Here. Further corroboration can be found Here.

I suppose what all this is saying is that Apple thinks OS X Leopard (and Tiger before it) is a very secure OS, hence one reason why the IPFW and AF are turned off, as are all services in the OS. Once you turn on a specific service, then it appears that the AF turns on, too, but with nominal controls, especially when compared to the IPFW access in Tiger, which makes AF a bit easier to use for the average Mac user (with Windows heritage or not). Therefore, that means that Apple also recognizes the value and benefits of a firewall, as recognized by nearly everyone in this thread.

What Apple’s decision to go with a proprietary AF is to provide sufficient security for most Mac users, yet allow even more granular security for those of us who feel we need it, and it may spur the 3rd party IPFW business, which is always a good thing.

I think I understand where cwtnospam is coming from. But it’s the reality of the world that we have to deal with. Firewalls make sense for the industry as a defacto standard. Same for Apple. Most Macs and Windows PC’s connected to the internet are behind a router or firewall or combo. That’s especially true when WiFi is in the loop. They provide an extra level of security for Macs-- secured by a tight OS which limits services access, secured by a simple applications firewall which limits access by application, and secured by IPFW which is built in to OS X (when turned on), and eventually secured by a combo router/firewall/WiFi link in the chain.

All those components help Mac OS X remain secure, as it would have for Windows XP had Microsoft had a brain where their money is. Notice that there have been far fewer exploits reported in Windows Vista, which does have IPFW.

How secure is the Mac OS? Use the number of public exploits (not vulnerabilities-- all OS’s have those) as a guide. The best anyone has been able to come up with is a trojan horse, which, like phishing, has more to do with the user than the OS.

cwtnospam - 10 November 2007 03:15 PM

There you have it! IPFW is command line based. There’s nothing about it that makes it “end user friendly.” In fact, I think it’s a safe bet that more than 90% of users will not touch it.
My opinion about the firewall doesn’t matter. What matters is that Apple is clearly focusing the bulk of their security efforts in other areas.  I wouldn’t bet against them.

I am trying to help you understand that the issue is ipfw wasn’t CL based in Tiger that is what you are messing with when you make the settings in the Tiger UI. The new Leopard UI takes the place of that with the new Application layer UI and that’s fine for many users but some want a greater level of control which is the old ipfw Tiger UI and behavior or, in some cases, even more.

The only thing clear to me is Apple focused a great deal on the creation of this new Firewall, and you’re right I wouldn’t bet against them.

Wil Gomez - 10 November 2007 03:17 PM

Two Cents More™

I heard this from a friend of a friend who works at Apple here in NY doing support, so I cannot vouch for accuracy. What he said was, the IPFW in Mac OS X is still there in Leopard, just as it was in Tiger. Access comes from the CL or via a 3rd party application. What Apple has in place of IPFW is a proprietary ‘Application Firewall’ in Leopard.

Apple’s documents on AF can be found Here. MacUser has a few more details on the AF which can be found Here. Further corroboration can be found Here.

I suppose what all this is saying is that Apple thinks OS X Leopard (and Tiger before it) is a very secure OS, hence one reason why the IPFW and AF are turned off, as are all services in the OS. Once you turn on a specific service, then it appears that the AF turns on, too, but with nominal controls, especially when compared to the IPFW access in Tiger, which makes AF a bit easier to use for the average Mac user (with Windows heritage or not). Therefore, that means that Apple also recognizes the value and benefits of a firewall, as recognized by nearly everyone in this thread.

What Apple’s decision to go with a proprietary AF is to provide sufficient security for most Mac users, yet allow even more granular security for those of us who feel we need it, and it may spur the 3rd party IPFW business, which is always a good thing.

I think I understand where cwtnospam is coming from. But it’s the reality of the world that we have to deal with. Firewalls make sense for the industry as a defacto standard. Same for Apple. Most Macs and Windows PC’s connected to the internet are behind a router or firewall or combo. That’s especially true when WiFi is in the loop. They provide an extra level of security for Macs-- secured by a tight OS which limits services access, secured by a simple applications firewall which limits access by application, and secured by IPFW which is built in to OS X (when turned on), and eventually secured by a combo router/firewall/WiFi link in the chain.

All those components help Mac OS X remain secure, as it would have for Windows XP had Microsoft had a brain where their money is. Notice that there have been far fewer exploits reported in Windows Vista, which does have IPFW.

How secure is the Mac OS? Use the number of public exploits (not vulnerabilities-- all OS’s have those) as a guide. The best anyone has been able to come up with is a trojan horse, which, like phishing, has more to do with the user than the OS.

+10000000

NothingToSeeHere - 10 November 2007 03:29 PM

I am trying to help you understand that the issue is ipfw wasn’t CL based in Tiger that is what you are messing with when you make the settings in the Tiger UI. The new Leopard UI takes the place of that with the new Application layer UI and that’s fine for many users but some want a greater level of control which is the old ipfw Tiger UI and behavior or, in some cases, even more.

The only thing clear to me is Apple focused a great deal on the creation of this new Firewall, and you’re right I wouldn’t bet against them.

The major criticism of the firewall in Tiger, and apparently Leopard, is that to use it fully requires the command line because the gui is not comprehensive. The fact that Apple has done little to change this indicates to me that they haven’t focused at all on the firewall. In fact, from the original article, it would appear that they’ve forgotten about important parts of the firewall:

The firewall in Leopard is positively in conflict with what most security experts call common practice. First, Leopard’s firewall, unlike the comparable firewall in Windows Vista, is turned off by default. Second, Mac users can no longer access port by port restrictions as they could in Tiger.

Without port by port restrictions, it’s more likely than ever that users will need to use the command line to set up their firewalls the way they need them. That’s bound to discourage its use.

The major criticism of the firewall in Tiger, and apparently Leopard, is that to use it fully requires the command line because the gui is not comprehensive. The fact that Apple has done little to change this indicates to me that they haven’t focused at all on the firewall. In fact, from the original article, it would appear that they’ve forgotten about important parts of the firewall:

Actually, that was not the case in Tiger. Even Tiger’s limited GUI provided decent access to IPFW, including port-by-port access, and full stealth mode on both TCP and UDP access, both of which remain in Leopard, but only via IPFW, not in the new Application Firewall.

Command line access was NOT required to get plenty of use from the stock IPFW. Still, the average user probably never bothered with the firewall at all. I cannot count how many times I’ve asked Mac users if their firewall was turned on, only to hear the response, ’What’s a firewall?”

Without port by port restrictions, it’s more likely than ever that users will need to use the command line to set up their firewalls the way they need them. That’s bound to discourage its use.

What that really means is that nothing changes. The average Mac user didn’t bother with the firewall in Panther or Tiger, and is not likely to bother with it in Leopard, other than to respond to Leopard’s automated dialog box to allow access to a specific application or service when needed.

Those of us who prefer to tinker with IPFW or think we need some measure of additional security will find a way in Leopard-- first, by disabling the Application Firewall, then enabling IPFW, and finally, using either CL or a third party application to manage the firewall.

This whole discussion is almost a non-issue.

Apple obviously feels Leopard is sufficiently secure as is, out of the box-- IPFW off, applications firewall off until a specific service is needed, in which case it’s pretty much automatic. The average user is shielded from the complexities of services and firewall control, yet receives the benefits of default settings that do provide good security. That kind of security, while not necessarily ideal for the paranoid among us, obviously works well enough for Apple, and based upon the minimal number of exploits against ‘average’ Mac users, works well, indeed.

This could be summed up as a security effort facing diminishing returns. Maybe application programmers could worry more about security, but why? Is something broken? Maybe Apple could provide more access to IPFW (as it did with Panther and Tiger), but why? Is something broken? Those of us who want to dink around with services and firewall settings will do so, and begrudgingly fork over a few bucks for a third party utility, or learn how to use the command line to master intricacies of IPFW, which is still available in Leopard.

But why? Apple, without saying so publicly, has acknowledged by action that it’s an area of diminishing returns. Leopard, though not perfectly so in our perfectly created worlds, is very secure.

That said, what’s on my Mac is important to me. I make a living on my Mac. So, I add a few extra layers of security, just to be sure, and to make me feel better about this whole security issue. I run Little Snitch to check on outgoing network traffic. You’d be surprised which applications and utilities are phoning home these days. I also run IPFW using DoorStopX because it does a nice job of making IPFW access relatively simple, and pretty much locks down my Mac. Then, there’s Airport Extreme security in front of the Mac, and the DSL router/firewall/modem in front of Airport Extreme.

Remember, only the paranoid survive.