Re: Panther and Firewall API?
- Subject: Re: Panther and Firewall API?
- From: Ryan McGann <email@hidden>
- Date: Wed, 3 Sep 2003 23:20:26 -0700
On Wednesday, September 3, 2003, at 10:00 PM, email@hidden wrote:

> I'm not suggesting that everyone should buy a firewall. My point is
> that a personal firewall is worse than no firewall.

Really? I've got several computers hooked up without a router at home
at the moment, Macs and PCs (my Symantec gateway product is being
installed tomorrow). Right now my PC is still getting bombarded with
hits on 135. During the height of SoBig.F I was getting over 8000 hits
an hour. And I've also been hit with three different types of spyware
on the PC that were blocked by our firewall's application control.

> Developers constantly ask about how they can figure out if their
> product will work when the personal firewall is enabled. This implies
> that a personal firewall breaks legitimate products.

No, Apple's personal firewall breaks legitimate products. Not
necessarily 3rd party solutions. I can't talk for everybody, but I know
of at least three personal firewall programs, including ours, that
circumvent this problem.

> It seems the right way to solve this problem is to use the
> authorization framework and require authorization for operations such
> as bind, connect, sendto, etc. Instead of filtering at the packet
> layer on the local machine, which is fraught with problems, including
> no feedback to applications, filter at the API layer. If a customer is
> worried about traffic to and from their machine, a setting could be
> modified to require authorization to open an outbound connection or
> incoming connection. A user could choose to always allow certain
> applications to perform these operations. The authorization framework
> already has functionality for most of this. It wouldn't necessarily
> require typing a password, just the user accepting the application's
> request to perform a network operation.

The problem I have with this is: (a) you can't possibly know the
application's intentions without having some pre-approved list and
therefore (b) most users will tire of it in 30 seconds. The products on
other platforms have dealt with both of these issues, plus many more,
but it's a non-trivial problem. User studies become quite entertaining
when users double click a program and see their computer yelling at
them with dialog boxes and requests to type their password.

> The user didn't even have to enter a root password to do that! Even
> worse is the fact that a single click will turn on Windows File
> Sharing or Personal File Sharing in which other users on the network
> could instantly upload viruses to the computer.

Which is why some sort of filtering should be done on the incoming
traffic to port 80. That's why firewall and IDS products exist.

> I have an application that uses ports 49152-65535; the ports are
> assigned dynamically. My interest in a Firewall API was to allow my
> app to request the firewall permits data transfer on the assigned
> ports without involving the User each time. I was thinking that the
> User would be prompted for authorisation once, when my app first
> accessed the firewall API.

The problem is not your application; it's Apple's implementation of the
firewall. Instead of being passive it should be an active firewall that
asks the user to permit the port to be opened when your application
binds to it.

> What if the API was limited to opening and closing individual ports
> and certain ports deemed to be a security risk (such as telnet and ssh
> or possibly any port <1024) were not allowed to be opened by the API?

Opening any port can be a security risk as long as there's a
vulnerability that you can take advantage of. Who would've thought port
135 could take down entire mail servers, or 1434 could clog the
Internet for hours (SoBig.F and SQLSlammer)?

> Or more accurately, taking a firewall that was originally designed to
> protect UNIX servers, slapping a GUI on it, and calling that a
> "personal firewall" was not such a great idea.

This is exactly my point with Apple's "Firewall" panel. It's a half
baked attempt that only interferes with developers' work. Having a
firewall is not a bad thing IMHO. As an Apple UI evangelist told me,
security sucks when it makes things harder to use. That's exactly what
Apple is doing (which is ironic because the UI evangelist was
trying to say that's what our product does...)

Ryan
email@hidden
Arguing with an engineer is like wrestling with a pig in mud.
After a while, you realize the pig is enjoying it.