2007-10-30

Is Leopard's Firewall Insecure or Broken? Maybe not.

See the more up-to-date summary of Leopard firewall issues here at Geek Precis

More in-depth post here at Geek Precis


Frightening Analysis of Leopard's Firewall

Discussion on Slashdot covering the actual facts behind the story.

It boils down to a pair of misunderstandings: 1) the security analysts expect Leopard to follow the "traditional" model, in which the firewall is independent of the OS and related services, and 2) Apple chose to frame the UI with practically accurate, but technically inaccurate, phrasing.

Honestly, it always struck me as the worst of both worlds to have a software firewall implemented to mimic an external hardware firewall in every way possible. I actually am excited about a software firewall taking advantage of the benefits of being software and being resident on the client. Hardware firewalls cannot "know" anything about the processes and services running on the client, but a software implementation can take full advantage of this data. This is a feature I always liked about other solutions like Zone Alarm, even if I was bothered by their constant badgering and sometimes opaque interfaces for making changes after the fact.

Most users don't think in terms of TCP ports and ACLs, and this fact is a more serious security threat than most technical implementations. By making security hard to use and/or difficult to understand, many "solutions" make it less likely that security features will be used, or used properly.

In this case, the security analysts fail to properly take into account the target market for the software firewall and how it will be used in the vast majority of cases. Apple touts Leopard's new application-based firewall and wants to give non-advanced users a way to control the security of their Mac. And it appears to do just that.

But Apple failed to understand how imprecise (technically inaccurate) language makes the system look bad. If the firewall is not actually closed, it shows some degree of poor judgment to say it is closed in the UI, even if it is "closed" for all practical purposes for the vast majority of users.

In the end, I predict that Apple will release a patch (probably buried in 10.5.1 or 10.5.2) that changes the language in the UI and more obviously allows an advanced user to revert to a traditional firewall. I also predict the security analysts will not make as big a deal out of these changes, when they are made.

Next tempest in a teapot, please.




New Leopard Security Features Involved (from Apple's site)

Tagging Downloaded Applications
Protect yourself from potential threats. Any application downloaded to your Mac is tagged. Before it runs for the first time, the system asks for your consent — telling you when it was downloaded, what application was used to download it, and, if applicable, what URL it came from.

Signed Applications
Feel safe with your applications. A digital signature on an application verifies its identity and ensures its integrity. All applications shipped with Leopard are signed by Apple, and third-party software developers can also sign their applications.

Application-Based Firewall
Gain more control over the built-in firewall. Specify the behavior of specific applications to either allow or block incoming connections.

Sandboxing
Enjoy a higher level of protection. Sandboxing prevents hackers from hijacking applications to run their own code by making sure applications only do what they’re intended to do. It restricts an application’s file access, network access, and ability to launch other applications. Many Leopard applications — such as Bonjour, Quick Look, and the Spotlight indexer — are sandboxed so hackers can’t exploit them.



1 comment:

Usov said...

It's a bit more involved than what you say. As far as I understood, setting it to block all incoming connections leaves some usability-related things open (this includes, for example, Kerberos and SMB browsing). I will probably agree with their decision here. However, as you decide to do application-level control, it will automatically pass all Apple-signed programs to accept incoming connections. This includes, for example, such a tool as nc that might be easily used to bypass the firewall by any (malicious) software.