Mac OS X 10.5 Leopard: About the Application Firewall
Apple has updated its knowledge base article on the Mac OS X 10.5 (Leopard) firewall. This is the new, additional firewall referred to as an "application" firewall. Unlike ipfw, which filters at the packet level, the new firewall works at the application level, allowing or disallowing individual applications to accept incoming connections.
Links to previous Geek Precis Articles:
2008-06-03
Mac OS X 10.5 Leopard: About the Application Firewall
2008-05-28
About the Mac OS X 10.5.3 Update
2007-11-15
Leopard 10.5.1 Is Out With Security Fixes But Issues Remain
Apple has released Mac OS X 10.5.1 Leopard and has included numerous security fixes (as usual), but some issues remain. Download the update from Apple here.
All these fixes bode well showing Apple's quick response to issues raised by their users. I am still hopeful the application-based (socket) firewall will become a strong security asset to improve Mac OS X's reputation for security. Although I believe the traditional ipfw will need to play a role also.
I like the idea of a layered security approach where ipfw blocks things at a port and packet level, and Leopard's new socket firewall blocks things at an application level. (Of course a hardware firewall is still recommended for home network connections.) Combine this with a system that leaves unnecessary services off until needed and has few exploitable bugs, and you have a highly secure system with minimal inconvenience.
Fixed in 10.5.1
- The firewall setting is no longer labeled "Block all incoming connections"; it is now called, more accurately, "Allow only essential services". This should go a long way toward clearing up the confusion caused by the mislabeled setting.
- When "Set access for specific services and applications" is selected in the application firewall, choosing "Block incoming connections" for a process running as root now actually blocks it. Previously, root processes were always allowed.
- Processes launched by launchd were previously not affected by firewall settings changes until they were restarted. This left applications unexpectedly exposed, and it was especially noticeable when changing settings and then testing, as many security experts did.
Not Sure
- From Apple's 10.5.1 Release Notes:
"Addresses a code signing issue; third-party applications can now run when included in the Application Firewall or when whitelisted in Parental Controls."
This may refer to fixes for applications like Skype, World of Warcraft, and other apps that do their own integrity check. We'll see how things develop.
Open Issues Remaining in 10.5.1
- Processes running as root are still allowed to accept incoming connections unless specifically blocked. This will continue to be a sore spot, as it leaves open the possibility of an exploit or Trojan running as root going about its business unhindered. An important thing to consider: any process running as root could change any firewall setting it wanted anyway.
- ipfw is still not active in any practical sense: it is running with only its default rule (65535 allow ip from any to any), which passes everything.
Background
Apple Release Notes for 10.5.1
Apple Security Update Notes
Here at Geek Precis - initial, testing and analysis, and this article
Heise Security - initial, testing, and application signing
Securosis - investigation and good news
TidBITS
LeoFUD - initial FUD and code signing
Apple - firewall support docs and code signing
Books
Posted by John B. Osborne at 11/15/2007 07:37:00 PM
Labels: 10.5, Apple, firewall, Leopard, Mac OS X, security, update
2007-11-07
A Summary of Leopard Firewall Issues
There are a handful of issues or problems with the new Leopard firewall. Here's the short version:
- ipfw is still available, but by default does nothing and has no graphical interface.
- The interface and behavior of the new firewall do not match. "Block All" does not block all.
- Leopard uses executable signing to "authorize" network traffic to certain services and applications. The signature data appears to be written into the actual binary, and some apps do not like to have their binaries modified: they fail to run after their own checksum or hash check fails.
- Apple has provided no information (that I'm aware of) to explain what is going on and why.
ipfw
The previous firewall is still installed and running; it just doesn't appear to be used for much. Anyone interested can still use it. I believe it still operates at the packet (IP) layer, below the socket layer where the new application-based firewall appears to hook in.
If desired, ipfw can still be configured via the Terminal or a GUI utility such as WaterProof.
Leopard's New Firewall Performance
As you probably know, Leopard's new firewall does not do exactly what it says it is doing in the GUI. I discussed this previously and you can find additional details all over the Net.
When the new firewall says it is blocking everything, it is not. Certain "privileged" traffic is still allowed. This is cause for concern, because some future exploit might find a way to take advantage of this functionality to secretly allow traffic to/from itself. Only time will tell how secure this actually is.
Application Signing
In order to increase security, Apple has implemented application signing. Apple's applications are cryptographically signed, and third-party ISVs can sign theirs too. This is intended to ensure both the integrity and identity of applications.
Some applications do not like to have their executable changed and will fail if they detect this. Many online games do this check to prevent cheating, and Skype appears to do this also. There are reports that World of Warcraft and Skype both fail, due to this modification of their binaries.
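One way to see the modification this section describes, as an added example that is not the post's or Apple's code: it walks a Mach-O file's load commands (universal binaries included) and reports whether an LC_CODE_SIGNATURE command, the one codesign adds when it signs an executable in place, is present and where its blob sits. The sample images the script builds for the offline demo are constructed; their CPU type and offsets are arbitrary.

```python
"""Check whether a Mach-O binary carries an embedded code signature.

Added example for this post, not Apple's code or codesign(1). Signing an
executable in place adds an LC_CODE_SIGNATURE load command pointing at a
signature blob inside the file, so a program that hashes its own file
sees the file change. The images built by _fake_macho()/_fake_fat() are
constructed for the offline demo; their CPU type and offsets are arbitrary.
"""
import struct
import sys

MH_MAGIC, MH_MAGIC_64 = 0xFEEDFACE, 0xFEEDFACF   # thin Mach-O, 32/64-bit
FAT_MAGIC = 0xCAFEBABE                            # universal binary wrapper
LC_CODE_SIGNATURE = 0x1D                          # a linkedit_data_command


def slices(data):
    """Yield (file offset, bytes) for every architecture slice in a file."""
    if struct.unpack(">I", data[:4])[0] == FAT_MAGIC:
        nfat = struct.unpack(">I", data[4:8])[0]
        for i in range(nfat):
            # fat_arch: cputype, cpusubtype, offset, size, align (big-endian)
            _, _, off, size, _ = struct.unpack(">IIIII", data[8 + 20 * i:28 + 20 * i])
            yield off, data[off:off + size]
    else:
        yield 0, data


def code_signature(image):
    """Return (dataoff, datasize) of the signature blob, or None if unsigned."""
    le = struct.unpack("<I", image[:4])[0]
    be = struct.unpack(">I", image[:4])[0]
    if le in (MH_MAGIC, MH_MAGIC_64):
        end, magic = "<", le
    elif be in (MH_MAGIC, MH_MAGIC_64):
        end, magic = ">", be
    else:
        raise ValueError("not a Mach-O image")
    # mach_header: magic, cputype, cpusubtype, filetype, ncmds, sizeofcmds, flags[, reserved]
    ncmds = struct.unpack(end + "I", image[16:20])[0]
    off = 32 if magic == MH_MAGIC_64 else 28
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack(end + "II", image[off:off + 8])
        if cmd == LC_CODE_SIGNATURE:
            return struct.unpack(end + "II", image[off + 8:off + 16])  # dataoff, datasize
        off += cmdsize
    return None


def inspect(data):
    """Map each slice offset to its signature blob location (None if unsigned)."""
    return {off: code_signature(image) for off, image in slices(data)}


def _fake_macho(signed):
    """Constructed 64-bit image: header, optionally one LC_CODE_SIGNATURE, blob at offset 48."""
    cmds = struct.pack("<IIII", LC_CODE_SIGNATURE, 16, 48, 4) if signed else b""
    header = struct.pack("<IIIIIIII", MH_MAGIC_64, 0x01000007, 3, 2,
                         len(cmds) // 16, len(cmds), 0, 0)
    body = header + cmds
    return body + b"\0" * (48 - len(body)) + (b"\xfa\xde\x0c\xc0" if signed else b"")


def _fake_fat():
    """Constructed universal binary wrapping one signed slice at offset 28."""
    thin = _fake_macho(True)
    return (struct.pack(">II", FAT_MAGIC, 1)
            + struct.pack(">IIIII", 0x01000007, 3, 28, len(thin), 0) + thin)


if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else _fake_fat()
    for off, sig in inspect(data).items():
        print("slice @%d: %s" % (off, "unsigned" if sig is None
                                 else "signature at %d (%d bytes)" % sig))
```

Run it against the main executable inside an app bundle before and after adding the app to the firewall list; a slice that goes from "unsigned" to carrying a blob is exactly the change a self-hashing application trips over.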
Apple Has Provided No Information
As far as I can tell, Apple has not had anything to say about the analysis and FUD flying around the Internet. Hopefully, they will explain things and maybe make some of the changes I've previously suggested.
Update: it appears Apple has posted some explanation confirming that ipfw is still running below the new firewall (via Securosis).
Background
Here at Geek Precis - initial, testing and analysis, and this article
Heise Security - initial, testing, and application signing
Securosis - investigation and good news
TidBITS
LeoFUD - initial FUD and code signing
Apple - firewall support docs and code signing
Books
2007-11-05
Good Leopard Reviews
- A very nice in-depth and technical review of Leopard from Information Week
- John Siracusa@ArsTechnica - Mac OS X 10.5 Leopard Review, the usual definitive review
My previous list of reviews is here.
2007-11-03
Leopard Firewall - Testing Analysis and Speculation
Click Here for an Updated Summary of Leopard Firewall Issues Here at Geek Precis
After all the discussion on the web concerning Leopard's new firewall, I wanted to do some testing in an attempt to better understand what was happening. I've divided my results and the related discussion into sections for easy digestion.
Summary
Apple has made significant changes to how the firewall functions in Mac OS X 10.5 (Leopard). In an apparent attempt to integrate the firewall tightly with the applications and services of the new OS, they have added a proprietary firewall to provide different/additional functionality and flexibility. The previous firewall (ipfw) is still there and running, but not really doing anything by default.
I think things are not as bad as some articles have made it seem, but I think Apple should make some changes to fix both the perception and the reality.
Background
- Heise Security Article - original analysis of potential flaws in Leopard's firewall
- My initial post
- Slashdot discussion
- Securosis analysis - some good testing
- ipfw - Wikipedia, FreeBSD
- IANA TCP/IP Port List - for good measure
More Good Links
How Leopard's Firewall Performs
After reading everything I could find, I did some testing of my own. Here's what I found:

I started with a few basic services (File Sharing, Printer Sharing, and Remote Login) turned on in the Sharing preference pane. After testing that basic configuration, I turned everything off in the Sharing pane and disabled the sharing activated by my iLife applications to see how the firewall would respond with no user selected sharing active.
Leopard's new firewall does a few things that might be expected and a few that might be considered unexpected:
Expected
- Allows any traffic associated with active shared resources (as determined by the Sharing preference pane). This is what previous versions of Mac OS X did by default.
- Blocks traffic destined for various "random" ports.
Unexpected
- The default firewall setting is to "Allow all".
- Allows any traffic associated with (signed) applications that have sharing activated (as determined by individual applications' UIs).
- Allows certain system traffic (Kerberos and NTP).
Basically, Leopard's firewall allows traffic associated with sharing that the user has selected in the usual way, allows traffic destined for "trusted" applications (if requested by the user in the application's interface), and allows traffic you will not find anywhere in the firewall interface.
Any shared services (e.g. file or printer sharing) the user has activated will be allowed access, unless the user manually deactivates that service share or manually blocks it in the firewall. And some services used by the system will accept traffic under almost any circumstances. This is odd, and I'm not yet sure what the intention is here.
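The before-and-after testing described above, as an added example written for this page rather than the post's own procedure: a TCP connect() scan that classifies ports as open, closed or filtered, with a diff between two runs so that toggling a service in the Sharing pane shows up as a change in the scan. The port-to-service mapping is taken from IANA assignments rather than from the post, and the offline demo targets a listener the script starts itself on 127.0.0.1.

```python
"""Verify from the outside what a host's firewall actually admits.

Added example for this post, not the author's test procedure or Apple's
code. Each port gets a plain TCP connect() probe and is classified as
open (handshake completed), closed (RST came back) or filtered (nothing
came back before the timeout), which is how a blocked port looks to a
scanner. Scan once with a Sharing service on, once with it off, and diff.
The port list is an assumption from the IANA registry; the demo listener
on 127.0.0.1 is constructed for offline use.
"""
import errno
import socket
import sys
import threading

SHARING_PORTS = {22: "ssh (Remote Login)", 548: "afp (File Sharing)",
                 631: "ipp (Printer Sharing)", 5900: "vnc (Screen Sharing)"}


def probe(host, port, timeout=1.0):
    """Classify one TCP port as seen from this machine."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"
    except socket.timeout:
        return "filtered"          # dropped silently: a firewall, or a black-holed route
    except ConnectionRefusedError:
        return "closed"            # RST: nothing listening, but the packet got through
    except OSError as exc:
        if exc.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
            return "filtered"      # ICMP unreachable: not reachable either
        raise
    finally:
        s.close()


def scan(host, ports, timeout=1.0):
    """Probe every port in `ports`; returns {port: state}."""
    return {port: probe(host, port, timeout) for port in ports}


def diff_scans(before, after):
    """Ports whose state changed between two scans, e.g. after toggling Sharing."""
    return {p: (before[p], after.get(p)) for p in before if before[p] != after.get(p)}


def start_listener(host="127.0.0.1"):
    """Accept-and-close server on an ephemeral port; returns (port, stop function)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))
    srv.listen(5)
    srv.settimeout(0.2)            # so the accept loop can notice the stop flag
    port = srv.getsockname()[1]
    stop_flag = threading.Event()

    def serve():
        while not stop_flag.is_set():
            try:
                conn, _ = srv.accept()
            except socket.timeout:
                continue
            conn.close()
        srv.close()                # releases the port: later probes see "closed"

    thread = threading.Thread(target=serve, daemon=True)
    thread.start()

    def stop():
        stop_flag.set()
        thread.join()

    return port, stop


def demo():
    """Scan a local port while it is listening and again after it is closed."""
    port, stop = start_listener()
    before = scan("127.0.0.1", [port])
    stop()
    after = scan("127.0.0.1", [port])
    return before, after, diff_scans(before, after)


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    for port, state in scan(target, SHARING_PORTS).items():
        print("%5d %-22s %s" % (port, SHARING_PORTS[port], state))
```

Run it from a second machine on the LAN, not from the Mac under test: a scan of 127.0.0.1 never crosses the interface the firewall is guarding, so it says nothing about what an outsider sees.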
What Apple Has Done
It appears to me Apple has added their own application-based firewall in a layer above the open source ipfw firewall (see below).

It looks like you can manually configure ipfw from the command line or with a GUI-based configuration utility (e.g. WaterProof) and restore the functionality previously exposed by the firewall portion of Tiger's Sharing pane. ipfw is installed and running, but it appears to have only a single rule allowing any and all traffic. All the traffic allowed by ipfw then passes to Apple's new firewall for further inspection. In a default configuration, Apple's firewall provides the only practical filtering; ipfw is there, but not really doing anything.
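A way to audit the ipfw state described in this section and to draft the packet-layer rules underneath Apple's firewall, as an added example (not the post's own method, not Apple's code and not WaterProof): it parses `ipfw list` output, flags a ruleset that lets everything through, and prints a stateful inbound-deny ruleset for review. The rule numbers, the stateful layout and the default port list (22 for Remote Login, 5353 for mDNS) are assumptions made here.

```python
"""Audit what ipfw is really doing and draft a layered ruleset under it.

Added example for this post, not Apple's code and not WaterProof.
parse_ipfw_list() reads what `sudo ipfw list` prints; is_pass_all()
says whether the set amounts to "let everything through" (the stock
Leopard state). layered_ruleset() drafts the packet-layer rules the
post argues for: loopback and replies to our own traffic pass, a short
list of inbound ports is opened, everything else inbound is dropped and
logged, and the application firewall keeps working above it. Rule
numbers, the stateful approach and the port list are assumptions; review
the commands before running them as root, and set
net.inet.ip.fw.verbose=1 if you want the log rule to actually log.
"""
import re
import subprocess

# Constructed sample: what a stock Leopard machine prints for `sudo ipfw list`.
STOCK_LEOPARD = "65535 allow ip from any to any\n"

RULE_RE = re.compile(r"^(\d+)\s+(\S+)(?:\s+(.*))?$")   # number, action, rest


def parse_ipfw_list(text):
    """Turn `ipfw list` output into [(number, action, rest)] tuples."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        match = RULE_RE.match(line)
        if not match:
            raise ValueError("unrecognised ipfw rule: %r" % line)
        number, action, rest = match.groups()
        rules.append((int(number), action, rest or ""))
    return rules


def is_pass_all(rules):
    """True when no rule can ever drop a packet, i.e. ipfw is filtering nothing."""
    return all(action == "allow" and rest == "ip from any to any"
               for _, action, rest in rules)


def current_rules():
    """Read the live ruleset (needs root on 10.5)."""
    out = subprocess.run(["ipfw", "list"], capture_output=True, text=True, check=True).stdout
    return parse_ipfw_list(out)


def layered_ruleset(tcp_in=(22,), udp_in=(5353,)):
    """Draft the `ipfw add` commands for a stateful, inbound-deny packet filter."""
    cmds = [
        "ipfw add 100 allow ip from any to any via lo0",          # loopback untouched
        "ipfw add 200 check-state",                               # replies to our own flows
        "ipfw add 300 allow tcp from me to any out setup keep-state",
        "ipfw add 400 allow udp from me to any out keep-state",
        "ipfw add 500 allow icmp from any to any icmptypes 0,3,8,11",  # echo, unreach, ttl
    ]
    number = 1000
    for port in tcp_in:                 # services you really mean to share
        cmds.append("ipfw add %d allow tcp from any to me dst-port %d in setup" % (number, port))
        number += 10
    for port in udp_in:                 # "to any" so multicast (mDNS 224.0.0.251) matches too
        cmds.append("ipfw add %d allow udp from any to any dst-port %d in" % (number, port))
        number += 10
    cmds.append("ipfw add 65000 deny log ip from any to any in")  # everything else inbound
    return cmds


if __name__ == "__main__":
    rules = parse_ipfw_list(STOCK_LEOPARD)
    print("ipfw is %s" % ("a pass-through" if is_pass_all(rules) else "filtering"))
    print("\n".join(layered_ruleset()))
```

The ordering matters: check-state sits before the deny so established flows keep working, and the per-port allows use `setup` so only new connections to the listed services get in. Because ipfw runs below the socket filter, a packet dropped here never reaches the application firewall at all, which is the layering the post asks for.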
Why Apple Configured the Firewall This Way
I believe Apple decided ipfw did not provide the kind of flexibility and integration with their applications that they wanted in order to produce an elegant, user-friendly OS. They wanted a solution that was tightly integrated with the services and sharing provided by MacOS X 10.5 and Apple's applications.
In what I hope is NOT a return to the mistakes of the "old" Apple, they decided to create a new firewall from scratch rather than using well-developed and mature open source solutions like ipfw. In the past, Apple has chosen to take the proprietary (sometimes incompatible) path, and I fervently hope this is not a sign they are returning to that behavior.
I can understand Apple's desire to create a firewall configuration process that is easy for most non-geek users to use. The previous setup was easily understood by people with some networking knowledge, but fairly difficult for non-techies to understand. And it was often the case that 3rd-party configuration utilities and Apple's GUI were not compatible and could not work together without resetting the ipfw rules to match the configuration of the last UI used.
And I think there might be other justifications for this change including the sharing and services (e.g. Back to My Mac) Apple is offering and plans to offer, and a desire to integrate with some of Apple's new security features (i.e. sandboxing, application signing, and tagging downloaded applications). Apple is not likely to announce any plans that might use this new functionality, at least not before they are released.
But in the end, I think Apple has done themselves a disservice from a public relations perspective. Prior to this, Apple was universally praised for being more secure than its Windows competition. The news surrounding the firewall changes, while maybe overblown, is conspiring with the recent announcement of a Mac Trojan to make Mac OS X's security look weaker.
While the perception will likely last, only time will tell if the technical performance is better or worse than ipfw in previous versions of Mac OS X.
Recommendations
I recommend Apple do a few things to improve the situation:
- First, Apple must get out in front of this story and explain in detail what has changed and why. Without doing this, it is too easy to speculate and create FUD. I cannot understand why they have not responded to the bad press during Leopard's launch.
- Second, Apple should change the default behavior to set the firewall to "Block All Incoming". The user can then be notified if and when this setting needs to be changed.
- Apple could re-implement their application-based firewall as a control layer that works with ipfw to make the necessary changes instead of using a separate, proprietary firewall.
- They could change the default rule in ipfw to block more incoming traffic that is not needed or wanted by any of the sharing features they appear to be so concerned about. At least this would close a few potential doors, while still allowing them to use their new firewall too.
- They could provide an "advanced" mode and UI returning the firewall behavior to the previous configuration relying on ipfw and disabling the new firewall layer. This would give the advanced user the control he or she wants, although it might disrupt some functionality in the areas of remote access and sharing.
Tools and Software
- WaterProof - ipfw GUI configuration
- Apple's built-in port scan (/Applications/Utilities/Network Utility)
- Nessus
- Bonjour Browser
- Observation Post
Books
2007-11-02
Leopard Benchmarks (more)
It appears Leopard generally benchmarks a bit slower on PPC and a touch faster on Intel, but only in 64-bit mode.
Here's a brief list of Leopard benchmarks from around the web:
Some individuals' Leopard benchmark results from MacRumors:
Does anyone know of any other Leopard benchmarks posted? Leave a comment with your URL, and I'll add yours.
2007-10-30
Is Leopard's Firewall Insecure or Broken? Maybe not.
Click Here for a More Up-to-date Summary of Leopard Firewall Issues Here at Geek Precis
More in-depth post here at Geek Precis
Frightening Analysis of Leopard's Firewall
Discussion on Slashdot discussing the actual facts behind the story.
It boils down to a pair of misunderstandings: 1) the security analysts expect Leopard to follow the "traditional" model where the firewall is independent of the OS and related services, and 2) Apple chose to frame the UI with practically accurate, but technically inaccurate phrasing.
Honestly, it always struck me as the worst of both worlds to have a software firewall implemented to mimic an external hardware firewall in every way possible. I actually am excited about a software firewall taking advantage of the benefits of being software and being resident on the client. Hardware firewalls cannot "know" anything about the processes and services running on the client, but a software implementation can take full advantage of this data. This is a feature I always liked about other solutions like Zone Alarm, even if I was bothered by their constant badgering and sometimes opaque interfaces to make changes after-the-fact.
Most users don't think in terms of TCP ports and ACL's, and this fact is a more serious security threat than most technical implementations. By making security hard to use and/or difficult to understand, many "solutions" make it less likely that security features will be used or used properly.
In this case, the security analysts fail to properly take into account the target market for the software firewall and how it will be used in the vast majority of cases. Apple touts Leopard's new application-based firewall and wants to give non-advanced users a way to control the security of their Mac. And it appears to do just that.
But Apple failed to understand how imprecise (technically inaccurate) language makes the system look bad. If the firewall is not actually closed, it shows some degree of poor judgment to say it is closed in the UI. Even if it is "closed" for all practical purposes for the vast majority of users.
In the end, I predict that Apple will release a patch (probably buried in 10.5.1 or 10.5.2) that changes the language in the UI and more obviously allows an advanced user to revert to a traditional firewall. I also predict the security analysts will not make as big a deal out of these changes, when they are made.
Next tempest in a teapot, please.
New Leopard Security Features Involved (from Apple's site)
Tagging Downloaded Applications
Protect yourself from potential threats. Any application downloaded to your Mac is tagged. Before it runs for the first time, the system asks for your consent — telling you when it was downloaded, what application was used to download it, and, if applicable, what URL it came from.
Signed Applications
Feel safe with your applications. A digital signature on an application verifies its identity and ensures its integrity. All applications shipped with Leopard are signed by Apple, and third-party software developers can also sign their applications.
Application-Based Firewall
Gain more control over the built-in firewall. Specify the behavior of specific applications to either allow or block incoming connections.
Sandboxing
Enjoy a higher level of protection. Sandboxing prevents hackers from hijacking applications to run their own code by making sure applications only do what they’re intended to do. It restricts an application’s file access, network access, and ability to launch other applications. Many Leopard applications — such as Bonjour, Quick Look, and the Spotlight indexer — are sandboxed so hackers can’t exploit them.
Leopard Benchmarks
2007-10-29
Another Great Mac OS Review by ArsTechnica's John Siracusa
John Siracusa@ArsTechnica - Mac OS X 10.5 Leopard Review
I already included his review in my list of resources, but his articles are so good, I thought I should make a separate entry. Good stuff.
More In-depth Articles on Leopard from Prince McLean (Daniel Eran Dilger)
After some nice previews, AppleInsider's Prince McLean (aka Daniel Eran Dilger) has written some nice introductory articles on different portions of Leopard. Here's a quick list of the links:
Meet Your New Desktop
Mail and iCal
Address Book and iChat
Core Graphics and New UI
Developer Tools
Present and Future Value
2007-10-27
Leopard Resources - Great Places to Learn More About MacOS X 10.5
Here's a collection of links to various Leopard reviews and reference materials. I've tried to collect everything useful I have found about Mac OS X 10.5 in one place for easy use. Tell me if you know of any other good sources.
Reviews
John Siracusa@ArsTechnica
Information Week
Leo Laporte
Daring Fireball
MacWorld
MIT Technology Review
New York Times
PC Magazine
Engadget
USA Today
AppleInsider
Wall Street Journal
ComputerWorld
CNET
Screenshots
AppleInsider
ComputerWorld
Performance and Upgrades
Gizmodo - Old Hardware
Gizmodo - 10 Things to Know Before Upgrading
Glitches and Issues
Leopard Does Not Support Classic
TidBITS - FileMaker
AppleInsider - No Wireless Time Machine Backup
Apple's Links
300 New Leopard Features
Video Guided Tour
Books
The Mac OS X Leopard Book
Mac OS X Leopard: The Missing Manual
Mac OS X Leopard For Dummies (For Dummies (Computer/Tech))
Special Edition Using Mac OS X Leopard (Special Edition Using)
Mac OS X Leopard On Demand
Automator for Mac OS X 10.5 Leopard: Visual QuickStart Guide
My Blog Entries
Tagged with "Leopard"
More on Wide Area Bonjour
Leopard Feature of Interest - Wide Area Bonjour
AppleInsider In-depth Articles by Prince McLean (Daniel Eran Dilger)
2007-10-25
Leopard Does Not Support Classic
From ArsTechnica
I'm not sure how I feel about the death of Classic. I haven't used it in a loonnngggg time, but it has been nice to think I could if I needed it. And I hate to see a friend head off to the bit bucket. On the other hand, with Classic completely gone, maybe that will free up some resources both on the development side and on the OS side. I wonder how many Classic-related work-arounds and kludges can be jettisoned now.
Leopard Info Sources
2007-10-19
More Info on Apple's Wide Area Bonjour from Mac OS X 10.5 (Leopard)
Wide Area Bonjour is an extension to (local area) Bonjour which is Apple's zero-configuration networking protocol.
Under AppleTalk, Macs required no manual configuration to connect to a network. Macs would announce themselves, acquire a unique network address, and discover services available on the network. As Apple deprecated AppleTalk in favor of TCP/IP-based networking, they wanted a similar protocol to provide all the elegant simplicity of old AppleTalk. So they created Bonjour, their implementation of the open Zeroconf protocols (multicast DNS and DNS Service Discovery).
(It was originally named Rendezvous, but they were forced to change the name by a software company in the financial space that had a technology serving a similar purpose. Obviously, they needed another French name; hence Bonjour.)
As many people know, TCP/IP (v4) requires a certain amount of configuration. Either a DHCP (or BOOTP) server hands out the information to client computers, or you must enter it manually. To function, a host needs an IP address that is unique on its network, together with a subnet mask that splits the address into its network and host portions, and usually a default gateway for traffic leaving the local network. Also, under most circumstances, a host will need a DNS server configured to translate domain names to IP addresses.
Bonjour uses mDNS, a multicast version of DNS, to resolve names in the .local domain. Instead of asking a configured DNS server, a host multicasts the query to 224.0.0.251 on UDP port 5353, and whichever device listening on that multicast group owns the name answers. Service discovery (DNS-SD) rides on the same mechanism: a PTR query for a service type such as _ssh._tcp.local returns the instances on the link. This is similar to how ARP resolves an IP address to a MAC address, but that's another article.
The first versions of Bonjour only worked across a local area network. With Wide Area Bonjour, the same service records are published with Dynamic DNS Update (RFC 2136) and looked up with regular unicast DNS queries, so they can be reached from outside the local network (this from Apple's Bonjour FAQ and RFC 2136). But to do this, a DNS server that accepts those updates, for a domain you control, is required.
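Bonjour's name lookup described above, as an added example that is not part of the original post or of Apple's Bonjour code: it builds the mDNS question a browser sends for the _services._dns-sd._udp.local meta-service, decodes a reply (including the name-compression pointers responders use), and can multicast the query to 224.0.0.251:5353 on a real LAN. The response packet in SAMPLE_RESPONSE is constructed for the offline demo, and the host name in it is made up.

```python
"""Speak a little mDNS: build the query Bonjour sends and decode what comes back.

Added example for this post, not Apple's Bonjour code. build_query()
makes the multicast DNS question for the _services._dns-sd._udp.local
meta-service (a PTR query with the "QU" bit asking for a unicast reply);
parse_message() decodes a DNS message including the compression pointers
responders use. SAMPLE_RESPONSE is constructed for the offline demo;
browse() really sends to 224.0.0.251:5353 and needs a LAN with Bonjour hosts.
"""
import socket
import struct

MDNS_GROUP, MDNS_PORT = "224.0.0.251", 5353
PTR = 12
SERVICES = "_services._dns-sd._udp.local"


def encode_name(name):
    """Dotted name -> DNS wire labels, no compression."""
    return b"".join(bytes([len(l)]) + l.encode() for l in name.strip(".").split(".")) + b"\x00"


def build_query(name, qtype=PTR, unicast_response=True):
    """One-question DNS message. Class IN with the top bit set is mDNS's QU flag."""
    header = struct.pack("!HHHHHH", 0, 0, 1, 0, 0, 0)   # id 0, flags 0, qdcount 1
    qclass = 1 | (0x8000 if unicast_response else 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, qclass)


def read_name(data, off):
    """Decode a possibly compressed name at off; returns (name, offset after it)."""
    labels, end, hops = [], None, 0
    while True:
        length = data[off]
        if length == 0:
            off += 1
            break
        if length & 0xC0 == 0xC0:                 # pointer: top two bits set
            if end is None:
                end = off + 2                      # caller resumes after the 2-byte pointer
            off = ((length & 0x3F) << 8) | data[off + 1]
            hops += 1
            if hops > 16:
                raise ValueError("compression loop")
            continue
        labels.append(data[off + 1:off + 1 + length].decode("utf-8", "replace"))
        off += 1 + length
    return ".".join(labels), (end if end is not None else off)


def parse_message(data):
    """Header, questions and every resource record; PTR targets are decoded too."""
    ident, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", data[:12])
    off, questions, records = 12, [], []
    for _ in range(qd):
        name, off = read_name(data, off)
        qtype, qclass = struct.unpack("!HH", data[off:off + 4])
        off += 4
        questions.append({"name": name, "type": qtype, "unicast": bool(qclass & 0x8000)})
    for _ in range(an + ns + ar):
        name, off = read_name(data, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        off += 10
        rec = {"name": name, "type": rtype, "ttl": ttl, "cache_flush": bool(rclass & 0x8000)}
        if rtype == PTR:
            rec["target"], _ = read_name(data, off)
        off += rdlen
        records.append(rec)
    return {"id": ident, "response": bool(flags & 0x8000),
            "questions": questions, "records": records}


# Constructed: a response announcing mymac._ssh._tcp.local. Its rdata ends in the
# pointer 0xC00C, reusing the owner name "_ssh._tcp.local" at offset 12.
SAMPLE_RESPONSE = (bytes.fromhex("0000 8400 0000 0001 0000 0000")
                   + encode_name("_ssh._tcp.local")
                   + struct.pack("!HHIH", PTR, 0x8001, 4500, 8)
                   + b"\x05mymac" + b"\xc0\x0c")


def browse(name=SERVICES, wait=2.0):
    """Multicast the query and collect the PTR targets that answer within `wait` seconds."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(wait)
    sock.sendto(build_query(name), (MDNS_GROUP, MDNS_PORT))
    found = set()
    try:
        while True:
            data, _ = sock.recvfrom(9000)
            try:
                msg = parse_message(data)
            except (IndexError, struct.error, ValueError):
                continue                           # malformed packet: skip it
            found.update(r["target"] for r in msg["records"]
                         if r["type"] == PTR and r["name"] == name)
    except socket.timeout:
        pass
    finally:
        sock.close()
    return sorted(found)


if __name__ == "__main__":
    print(parse_message(SAMPLE_RESPONSE))
    print(browse())
```

Anything on the link can send that query and read every answer, which is the point to keep in mind when a host advertises services it is supposed to be sharing with no one.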
It appears to me Apple will host dynamic DNS servers (maybe via .Mac) to allow wide area functionality. The obvious possibilities are for SSH (remote shell access), SFTP (remote file transfer), and VNC (remote desktop/remote control) which will be called Back To My Mac.
But I think Apple will want to enable something a bit more flashy. I like to think they will implement things like iTunes library sharing (if the RIAA will allow it), iPhoto library sharing, and allowing developers to tie in their own services. I believe this could really make things interesting and might give Apple a real advantage vs. Windows.
Other links:
My initial post on Wide Area Bonjour
Leopard Info Sources
Apple's New Leopard Guided Tour (video)
Apple has posted a guided tour video of Mac OS X 10.5 (Leopard), so you can start to drool over features you won't have for a full week. You may want to have a friend bury you in the snow to pass the time more quickly. It really works.
Leopard Info Sources
2007-10-16
New Security Features in Leopard
Leopard Security Features
Apple's new release of Mac OS X (version 10.5 Leopard) contains some features aimed at reducing both the potential for a virus, Trojan, or worm infection and the speed of any outbreak. Part of the problem with the various Windows security incidents has been not only the ease of exploitation, but the speed at which an infection spreads. Fast-moving outbreaks do not give users, the OS vendor, or security vendors time to react. If you can slow the spread, you can reduce the damage and buy time for a fix.
Tagging Downloaded Applications
Protect yourself from potential threats. Any application downloaded to your Mac is tagged. Before it runs for the first time, the system asks for your consent — telling you when it was downloaded, what application was used to download it, and, if applicable, what URL it came from.
This could be a great way to help slow the spread of any Trojans or worms that need the user to install the application. It sounds like an extension of Safari's security features for application downloads.
Sandboxing
Apple seems to be limiting the potential damage if an exploit ever made it into the wild. By "sandboxing" some of the main network-facing applications, it dramatically reduces the available vectors for remote infection or exploitation.
Enjoy a higher level of protection. Sandboxing prevents hackers from hijacking applications to run their own code by making sure applications only do what they’re intended to do. It restricts an application’s file access, network access, and ability to launch other applications. Many Leopard applications — such as Bonjour, Quick Look, and the Spotlight indexer — are sandboxed so hackers can’t exploit them.
Library Randomization
I'm glad to see Apple catching up to what Microsoft has in place here. Windows' numerous security flaws may have forced Microsoft's hand, but I think it is a very good sign to see Apple proactively making this change. Again, it reduces the potential for infection/exploitation as well as slows the spread of any outbreak.
Defend against attackers with no effort at all. One of the most common security breaches occurs when a hacker’s code calls a known memory address to have a system function execute malicious code. Leopard frustrates this plan by relocating system libraries to one of several thousand possible randomly assigned addresses.
Leopard Info Sources
Leopard Feature of Interest - Wide Area Bonjour
Wide Area Bonjour
Access your Macs, at home or on the road, with a single consistent host name. Use this host name whether you’re behind a NAT gateway or hopping across DHCP servers.
It sounds like this is the basis of Back to My Mac, which is a new feature in Mac OS X Leopard. It allows you to remotely access your Mac for file sharing or desktop sharing (remote control). If it works as advertised, it will be much cleaner and easier than manually setting up an SSH tunnel and configuring VNC and DynDNS.
Additional Bonjour links:
Apple Developer FAQ
More Detail
Leopard Info Sources
Apple's Mac OS X 10.5 Leopard is Officially Announced for October 26th
Apple has announced the official release date for Mac OS X 10.5 Leopard. It hits the streets on October 26, as predicted all over the web.
Apple has a countdown on their main page.
Here are some links to some discussion of new features:
Leopard Tricks
AppleInsider articles from a previous post.
Leopard Info Sources
2007-10-11
Some Great Articles on Apple's Upcoming Mac OS X 10.5 Release, Leopard. (And is Prince McLean also Daniel Eran Dilger?)
Here are some great articles at AppleInsider where they review features of Apple's new OS X release, Leopard 10.5. I really like this turn to analysis and in-depth reporting. I guess it qualifies as rumor, since Leopard has not been officially released.
The writing of Prince McLean seems very much like Roughly Drafted. Could Prince McLean be Daniel Eran Dilger? The more of these I read and the more McLean cites Roughly Drafted, the more it seems obvious. I do think the in-depth style fits a purely factual article better than a part fact, part conspiracy story.
Leopard Info Sources
Here are links to all of AppleInsider's "Road to Mac OS X Leopard" series:
Finder
Dock
Spaces
Time Machine
Mail.app
iChat
iCal
Preview
Dictionary
Safari 3.0
Dashboard, Spotlight, and the Desktop
Collaborative Info Sharing Services
Parental Controls and Directory Services
System Preferences
QuickTime, iTunes, and Media Features
