Re: macnetworkprog digest, Vol 3 #511 - 13 msgs
Re: macnetworkprog digest, Vol 3 #511 - 13 msgs
- Subject: Re: macnetworkprog digest, Vol 3 #511 - 13 msgs
- From: Ryan McGann <email@hidden>
- Date: Tue, 2 Sep 2003 23:59:08 -0700
For those of you who are paranoid about security, you should consider
another firewall to protect yourself because the built-in firewall is
severely limited by its gui. In fact, can you think of a situation
where this firewall will actually protect you? I personally think the
best use of a firewall is to block outgoing traffic, something the
apple
firewall doesn't do.
If you were seriously concerned about security and felt that a firewall
would help, you should really use a firewall on another device. As long
as the firewall is running on the local machine, it can be disabled on
the local machine by any software with root privileges. A personal
firewall that runs on the same machine is just about the stupidest
thing imaginable. It makes me think of a person sitting on a raft with
a sail and blowing on the sail to try and move the raft.
Well that said can be said for almost any OS X security convention. On
OS X you can disable pretty much every security measure, including
Apple's, so Apple must assume that their product will be used in an
environment where root access cannot be obtained easily. And since I'm
willing to bet many people choose bad root passwords, that's a bad
assumption.
Yes, for the best security possible a customer needs to buy one of
(our) gateway products that includes IDS, firewall, spam filtering and
AntiVirus file scanning on inbound and outbound email in a hardware box
protected by several security measures including SmartCard and password
protection. But convincing Mac users to buy security products is hard
enough. Personal Firewalls are not meant to protect computer labs or
places where secure access to the terminal cannot be guaranteed, but
they work fine in a home environment.
As far as security goes OS X has a lot of problems. The worst IMHO is
Apple's authorization APIs that make entering your password for root
access so common, that Mom and Pop will enter their password for
anything without giving the slightest bit of thought to what's going
on. I'm not denying its usefulness to developers, but developers are
lazy two. I've noticed programs that pop up this dialog several times
during install and then when I launch them, they ask for my password
again. But that's another topic.
I completely agree. Since I could easily write a program to turn off
the kernel extension (using a sysctl) that controls the firewall
running
with root privileges, I don't see why allowing an application installer
with the same root privileges to modify the firewall rules is a big
upset.
Because getting root piveleges in Unix should be a big deal. It's not
supposed to be a "Hey I need your password for a second" like Apple's
UI makes it. But alas that's the world we live in. Yes you can do a lot
with root priveleges, but just because you _can_ doesn't mean you
_should_. Heck with root privileges you can overwrite the kernel and
get rid of IPFW all together, but...
On the other hand, it might be reasonable to extend the System
Configuration Framework to include settings defined under the
Sharing preferences panel. I suspect these settings already
live in a .plist file somewhere, they just need to be documented
and/or integrated as part of the System Configuration Framework.
I've had a bug in Radar to include more info in SystemConfig from the
Sharing control panel for two years now. It's not gotten past "Analyze".
(Yes they are in a plist...in Jaguar there's a lot in /var/db/ and in
Panther it's moved to /Library/Preferences).
But back on track here...I agree with the others who suggested that an
API that tests IPFW's ruleset would be nice. However, 3rd party
firewall products should be left to solve this problem on their own.
Ryan McGann
Macintosh Internet Security
Symantec Corporation
email@hidden
Office: email@hidden
_______________________________________________
macnetworkprog mailing list | email@hidden
Help/Unsubscribe/Archives:
http://www.lists.apple.com/mailman/listinfo/macnetworkprog
Do not post admin requests to the list. They will be ignored.