There are a handful of issues or problems with the new Leopard firewall. Here's the short version:
- Ipfw is still available, but basically does nothing and has no graphical interface.
- What the new firewall's interface says and what the firewall actually does do not match. "Block All" does not block all.
- Leopard uses executable signing to "authorize" network traffic to certain services and applications. The signature data appears to be added to the actual binary, and some apps do not like to have their binaries modified and fail to run after failing a checksum or hash check.
- Apple has provided no information (that I'm aware of) to explain what is going on and why.
ipfw
The previous firewall is still installed and running. It just doesn't appear to be used for much. Anyone interested can still use it. I believe it is still operating at the port layer below the sockets layer, where the new application-based firewall appears to be running.
If desired, ipfw can still be configured via the terminal or a GUI utility such as WaterProof.
Leopard's New Firewall Performance
As you probably know, Leopard's new firewall does not do exactly what it says it is doing in the GUI. I discussed this previously and you can find additional details all over the Net.
When the new firewall says it is blocking everything, it is not. Certain "privileged" traffic is still allowed. This is cause for concern, because some future exploit might find a way to take advantage of this functionality to secretly allow traffic to/from itself. Only time will tell how secure this actually is.
Application Signing
In order to increase security, Apple has implemented application signing. Apple's applications are cryptographically signed, and third-party ISVs can sign theirs too. This is intended to ensure both the integrity and identity of applications.
Some applications do not like to have their executable changed and will fail if they detect this. Many online games do this check to prevent cheating, and Skype appears to do this also. There are reports that World of Warcraft and Skype both fail, due to this modification of their binaries.
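A simplified model of the failure described above, added here as an illustration and not taken from Apple's or any vendor's code. The byte strings, the `SIG_MARKER` trailer and the HMAC used as a stand-in for a real signature are all constructed assumptions and do not reflect Apple's actual signature format.

```python
import hashlib
import hmac

# Constructed stand-in for an application's executable bytes (not a real Mach-O).
ORIGINAL_BINARY = b"\xcf\xfa\xed\xfe" + b"game-client-code" * 64
# Hypothetical trailer marker; the real on-disk signature layout differs.
SIG_MARKER = b"--SIGNATURE--"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sign_in_place(binary: bytes, key: bytes) -> bytes:
    """Model of in-binary signing: signature data is appended to the executable."""
    sig = hmac.new(key, binary, hashlib.sha256).digest()  # stand-in for a real signature
    return binary + SIG_MARKER + sig


def whole_file_self_check(on_disk: bytes, expected_hash: str) -> bool:
    """Anti-tamper check that hashes every byte of the file on disk."""
    return hmac.compare_digest(sha256_hex(on_disk), expected_hash)


def code_only_self_check(on_disk: bytes, expected_hash: str) -> bool:
    """Variant that hashes only the bytes before the signature trailer.
    The trailer itself is not validated here; that is the signature verifier's job."""
    code, _, _ = on_disk.partition(SIG_MARKER)
    return hmac.compare_digest(sha256_hex(code), expected_hash)


def demo() -> dict:
    expected = sha256_hex(ORIGINAL_BINARY)  # hash recorded before the OS touched the file
    signed = sign_in_place(ORIGINAL_BINARY, b"constructed-key")
    tampered = signed.replace(b"game", b"hack", 1)  # real modification of the code bytes
    return {
        "unsigned_whole_file": whole_file_self_check(ORIGINAL_BINARY, expected),
        "signed_whole_file": whole_file_self_check(signed, expected),
        "signed_code_only": code_only_self_check(signed, expected),
        "tampered_code_only": code_only_self_check(tampered, expected),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'pass' if ok else 'FAIL'}")
```

The whole-file check passes on the untouched binary and fails once signature data is added, even though no code changed, while the code-only variant accepts the signed copy and still rejects the one whose code bytes were altered.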
Apple Has Provided No Information
As far as I can tell, Apple has not had anything to say about the analysis and FUD flying around the Internet. Hopefully, they will explain things and maybe make some of the changes I've previously suggested.
Update: it appears Apple has posted some explanation confirming that ipfw is still running below the new firewall (via Securosis).
Background
Here at Geek Precis - initial, testing and analysis, and this article
Heise Security - initial, testing, and application signing
Securosis - investigation and good news
TidBITS
LeoFUD - initial FUD and code signing
Apple - firewall support docs and code signing