Mac OS X Security Part Two: Firewalls

Last week we considered some of the hazards of cable and DSL internet connections, with a walk-through of each technology. Among other things, we saw that upgrading from dial-up internet to a full-time service such as cable or DSL also exposes your computer to the internet's intrigues full-time. Today let's look at firewalls, your front line defense against internet hacking.

A firewall is a hardware device or software program that stands between your computer and the internet so that it, not your computer, is directly exposed to the network. Like its namesake the cinderblock wall, it takes the heat when trouble comes. Firewalls differ in how they work and what they specifically do, but they all shield you. The best ones make you invisible to the internet while still leaving it accessible to you.

The internet talks a network language called tcp/ip, which stands for Transmission Control Protocol and Internet Protocol. The two halves of the name describe different aspects of the language as it relates to an entity known as a stack. But we digress. This language defines something called a port. An internet port is a software entity that acts like a doorway or connection point between your computer and somebody else's. The number of available ports has nothing to do with motherboard hardware options. Following the generally agreed upon standards, tcp/ip has 65,535 (2**16 - 1) tcp ports available to it, plus an equal number of udp ports. You would be hard-pressed to use all of those. The standards define which ports are used for what purpose, and quite a number of the lower-numbered ones have standard uses such as web serving. Some standard ports can be significant security holes. The higher numbers are often used for security purposes. The rest can be used as programmers see fit.

All firewalls monitor network traffic across these ports. How and how well they do this defines the quality and usefulness of a given firewall. Let's cut to the best-of-breed and consider BrickHouse for Mac OS X and ZoneAlarm for Windows. I need you to pay attention to ZoneAlarm for two reasons, even if you're running Mac OS. First, ZoneAlarm works like a firewall should. (Sounds like the jingle of a commercial!) Secondly, Windows users are more than 90% of the internet's users and they are in a precarious position that may affect you some day. It's in your interest to help your hapless friends get firewalled, and I'm going to show you how. Start by downloading a firewall now. BrickHouse will mount on your desktop. Merely copy it to your applications folder. ZoneAlarm comes as a self-installing archive. Double-click it to go.

Now you're ready. First, BrickHouse. Read the readme file, so that no-one can accuse you of not reading it. The $25 shareware price is voluntary, and you'll be pulling out your credit card as soon as you see how well this works. Now start BrickHouse. You need to login as someone with admin privileges; this is the first user that you set up on OS X, usually yourself. By default the firewall is off. You see, BrickHouse isn't the firewall; it's the graphical interface to the firewall that comes with OS X. Good, eh? Select the Quick defaults (they're good enough for now), press Apply, then Save. You'll get a query to apply the same settings upon a restart. Do it. You're live! If you don't do anything else today about firewalls, at least come with me this far.

Next, ZoneAlarm. Again, read the readme. Start the install with a double-click. The latest ZoneAlarm install utility is also a good tutorial, so take advantage of that. Follow the install prompts and take the defaults. We'll tweak a little now, and a little more later. Press the Alerts button, and check the option to log alerts. Now press the Security button, and set the two sliders to the top and check the two server checkboxes below. You now have a quality firewall setup. If this is your only computer, then these likely will be your permanent settings. If you have a little network of two or more machines and you want the machines connecting to each other, then you'll have to loosen the settings a little. But later, not now.

ZoneAlarm leaves a couple of windows on your screen. Close them and choose the option to not display them in the future. You can open ZoneAlarm anytime with a right-click on its toolbar icon. You have to teach ZoneAlarm, and it's a willing if somewhat insistent pupil. In addition to ports, ZoneAlarm also monitors the executable programs that make port calls. For each and every network application you use, you must give ZoneAlarm permission to allow it through. Check the Remember box in the dialog window, and you'll only have to do this again when you upgrade the application. Wait! That's pretty neat! ZoneAlarm not only keeps track of network applications, it also knows if the application's executable file has changed since you last gave it permission! Now that's power!

Let's try this out. Connect up and open your browser. It should just work in OS X, as BrickHouse allows the default ports. ZoneAlarm for Windows will query you for permission to allow your browser network access. Check the Remember box, and click Yes. ZoneAlarm allows nothing without your permission. In fact, it closes the entire network connection until you answer. This is painful, granted, but you maintain control. Perhaps too much control; you have to decide what to allow or deny. Only let through the network application that you know you are using right now. Otherwise, Just Say No.

Firewalls were designed primarily to keep rascals out. But not all rascals are on the outside. There is a class of applications called trojans. These are stealthy programs that come in as email attachments mostly, and can also be carried as viruses. They "call home" to their masters when you're not looking. Believe it or not, some of these programs are legal, and you may have granted them access when you clicked OK to the fine print of some free download. The legal variety send home your personal information and clicking habits. The hacker variety, among other talents, act as slaves to a remote master, who commands hundreds or even thousands of slaves to do his bidding on cue. This is how denial-of-service attacks work. With ZoneAlarm they're all rendered useless, so long as you recognize them as bogus and deny them access. With BrickHouse, you're dead in this situation. Your only protection right now is in the newness of OS X. As far as I know, there are no trojans that run on OS X. That won't last long. Are you beginning to understand why I wax poetic over ZoneAlarm? If ZoneAlarm ever comes out in an OS X version, I'll be first in line.

By now you are getting the idea that not all firewalls were created equal. Steve Gibson, network expert, has a great website for checking how tight your setup is. He has gone to a lifetime of trouble in his research of all things network security, and shows how several popular firewalls are full of holes. He must be good, as the black-hats have seen fit to hit his website with multiple denial-of-service attacks. The account of it makes for a very good read.

OS X users need also to consider Classic mode, because two firewalls are required. Likewise, VirtualPC requires its own firewall. ZoneAlarm will do very nicely, thank you! So if you happen to run all three, you need three simultaneous firewalls! Norton has just released Internet Security for OS X, which includes Norton Firewall for X. The latter looks and works identically to its Classic counterpart, and runs under both also. So that could be your ticket. If you don't stay in Classic mode all the time, then you could risk it and not cover your Classic session. Regardless, you still need ZoneAlarm in your VirtualPC session. A more detailed study of these cases will be the subject of a future article in this series. By the way, VirtualPC for OS X is now available to current product owners.

Quite frankly, neither BrickHouse nor Norton Firewall would stand up to Gibson's standards, because neither one of them takes account of the actual applications that are looking for network access; they only monitor the ports. Mac users still have the protection in a relatively small user base that simply doesn't attract hackers' attention. With OS X that will change. We have some time to beef up our firewalls, but ZoneAlarm is the one to watch.

In case you feel like dismissing these ideas because you're protected by Windows NT or Windows 2000 Professional or Windows XP - nobody takes Windows 98 security seriously - think again. You're vulnerable. All of these operating systems come with security disabled. Unless you know what you're doing with NT security, you're wide-open. The black-hats know all the tricks, and they have made-to-order programs available for hacking you. Install ZoneAlarm, then let's sit down and discuss it, all night, if you wish. I don't care, because now you're protected properly.

Question. How can BrickHouse and ZoneAlarm be any good if they're free? Answer. Their authors acutely appreciate the risks, and want you protected. Of course, once you discover for yourself how excellent these products are, you'll want your office to purchase a commercial license, and you might even spring for your own personal copy too. ZoneAlarm Pro for Windows gives you even finer control over things than does the freeware version, which can be very handy sometimes.

I have talked about freely-available software firewalls. What else is available? Well, one option is a dedicated server computer with two network cards in it. All network traffic has to go through this computer before it gets to you. A Linux or Darwin firewall is done this way. Here is a great use for that early G3 or PC you were thinking of retiring. One of the advantages of this technique is that a big-time hack job might even destroy the firewall, but at least you walk away with your skin - and your other Macs. In an organization, a dedicated firewall like this is not an option; it's a necessity. Another option is a box called a gateway, which functions a lot like our linux server above without the big tower case. A good one has a firewall built in. Again, if it's destroyed somehow, the computers on the inside stay alive. One good combination for home is the D-Link DI-704 gateway and ethernet switch combo box, which is even a tad smaller than the competition's dedicated gateways, hubs, or switches. The DI-704 accepts up to four network gadgets, including a network printer or webcam if you like. You can get the same functionality in a wireless version too. There is no reason why you can't have both a hardware firewall on your system and software firewalls running on each computer. They work together very well.

Time for some tweaks. Open BrickHouse again. If you closed the window earlier but left the program itself open, pull down Tools, Configuration to get the graphical interface. Click the clock face to open the firewall log page. Press its clock face to enable firewall logging. Press Refresh once in a while to refresh the list. You need the log to test various configurations; it's possible to lock things down too tightly, and the firewall log is your window. BrickHouse is beta software, so expect some oddities. I have found that logging might appear to be running one minute, then disabled the next. Sometimes my custom rules don't appear to open up a port as configured. It's a bit spotty, as the Brits say. I can't get worked up about it.

Once you are comfortable with BrickHouse, you can use the Assistant to close down or open up specific ports used for common services. I suggest you close down all but Standard Services, and only open services you must, such as your personal web server if you have one. The firewall rules in BrickHouse V1.1b6 are carried out in the order they appear from the bottom. Typically you deny access to everything, then open up specific ports with specific rules. The red items in BrickHouse should appear below, and the green ones on top. Once you have played around a bit with this, try closing down everything, then open specific ports only as required. You might be surprised at how few ports you need open to do everything you need to on the 'Net. Several common services are preconfigured, as you've discovered by now, but you may have to cook one or two yourself. Choose Custom, and go from there. I have one at work for X Window server use. It opens tcp port number 6000. Without it, I cannot display graphics sent from a remote computer. If you don't use X, you don't need this firewall rule. Friends of mine use ICQ; I don't. They tell me that the manual says ICQ requires tcp ports 1200-1300. So you'd do a Custom rule with those parameters. In the field for port number, type 1200-1300 to indicate a range of port numbers. My research tells me you also need to open up port 5190. Sorry, you'll have to test this on your own. Functionality is similar for Norton Firewall, so play around with it and see what you get.

To test your firewall rules, you need two things besides some network applications such as ICQ, the Apache web server or ftp server included with OS X, or, for that matter, Internet Explorer. A second computer from which to initiate some tests is also all to the good. So, first, you need your firewall log. Both BrickHouse and Norton provide these from pulldown menus. ZoneAlarm shows current entries under the Alerts tab. Secondly, you need to have the enable/disable function for your firewall handy. ZoneAlarm doesn't have one; you have to close the program, unfortunately.

The basic procedure is to run your network application as-is. Does it work? If so, then you're done. If not and it's a firewall issue, check the firewall log for a Deny entry. It will show the port which the application attempted to access. Now cook up a rule to open that port, as I did above for X and ICQ. Retry the application. Does it work now? If not, check your log again. If the problem isn't obvious (e.g. a typo) then disable the firewall altogether temporarily and retry the application. Note that Norton has a wonderful feature to disable the firewall for a few minutes, then put it back. This is a great idea for easily distracted people like myself. If the application still doesn't work, then it wasn't a firewall issue in the first place.

BrickHouse provides tabs for different network connection types, such as standard ethernet, dial-ups, and AirPort. Even if you don't use these, I suggest you enable the firewall for each of them, anticipating a connection later. The last tab is for IP sharing, which you'd use if either you had two network cards (not likely) or you dial up with your Mac and share the connection with another computer networked to it (more likely).

ZoneAlarm makes a distinction between local network and the internet at large. I wish BrickHouse did this also, but it doesn't at the moment. For example, I use my ftp server on my Mac from time to time, but only with my old NT machine that is part of my local network. I never ftp to it from outside. To get around this, I modified my ftp firewall rule to only allow that one machine in. Select the ftp rule, press Edit Filter, and type in the address of your second machine in the Source field. If I had other machines here at home, I could add them also by merely typing in their addresses separated by commas. It would work exactly the same if you ran, say, a local web server that you wanted available just for your own machines. This is the kind of thing you'd do if you managed a local area network in your office. It's getting advanced, and we will cover examples of this later.
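As an added illustration (not BrickHouse's or OS X's own code), here is a small Python model of the rule ordering described above: allow rules on top, a deny-everything rule at the bottom, a Custom port range like 1200-1300, and the ftp rule restricted to one source address as in the example just given. The addresses are made up, and the Deny log lines imitate what you would look for in the firewall log when an application fails.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass
class Rule:
    action: str           # "allow" (green) or "deny" (red)
    proto: str            # "tcp", "udp" or "any"
    ports: range          # destination ports, built with port_range()
    source: str = "any"   # source host/network in CIDR form, or "any"

def port_range(spec: str) -> range:
    """Turn '6000' or '1200-1300', as typed into a Custom rule, into a range."""
    lo, _, hi = spec.partition("-")
    return range(int(lo), int(hi or lo) + 1)

def matches(rule: Rule, proto: str, src: str, dport: int) -> bool:
    if rule.proto != "any" and rule.proto != proto:
        return False
    if dport not in rule.ports:
        return False
    if rule.source != "any" and ip_address(src) not in ip_network(rule.source):
        return False
    return True

def filter_packet(rules, proto, src, dport, log):
    """First matching rule wins, read top to bottom; True means allowed.
    Denied packets are appended to log the way a firewall log shows them."""
    for rule in rules:
        if matches(rule, proto, src, dport):
            if rule.action == "deny":
                log.append(f"Deny {proto} from {src} to port {dport}")
            return rule.action == "allow"
    log.append(f"Deny {proto} from {src} to port {dport} (no rule matched)")
    return False

# Constructed rule set mirroring the article; 192.168.1.10 stands in for the
# one local machine allowed to reach the ftp server (made-up address).
RULES = [
    Rule("allow", "tcp", port_range("80")),                     # personal web server
    Rule("allow", "tcp", port_range("21"), "192.168.1.10/32"),  # ftp, LAN machine only
    Rule("allow", "tcp", port_range("6000")),                   # X Window server
    Rule("allow", "tcp", port_range("1200-1300")),              # ICQ port range
    Rule("allow", "tcp", port_range("5190")),                   # ICQ, per the text
    Rule("deny", "any", port_range("0-65535")),                 # everything else
]

def check(proto: str, src: str, dport: int):
    """Run one inbound packet through RULES; return (allowed, last log line)."""
    log = []
    allowed = filter_packet(RULES, proto, src, dport, log)
    return allowed, (log[-1] if log else None)
```

A packet from an outside address to port 21 is denied and logged with its port, which is exactly the Deny entry the testing procedure below tells you to look for.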

As I mentioned earlier, BrickHouse is not the firewall; it's the graphical interface for OS X's built-in firewall. You could write the firewall rule set yourself, but that's a fairly geeky operation. If you choose to build your own dual-NIC (Network Interface Card) firewall in a tower running some flavor of unix, then this is what you will be doing. I suspect that figuring out how to write a firewall rule set would be the least of your troubles in comparison to doing a raw unix installation. In my recent article Mac OS X and Toasters I alluded to the going rate in my office for an in-house expert to build a Linux firewall for you: the network cards and a six-pack of (decent) beer.

A reader emailed me to clarify a distinction with respect to speed that I made last time between the two current high-speed internet technologies for home use. He felt I might have left an impression that one might be inferior to the other. I certainly didn't mean to! I explained that cable internet works by connecting everybody in a neighborhood to the same physical cable, namely your cablevision trunk that runs down your back lane; whereas DSL works with a solo connection between you and your carrier, namely your own telephone wire pair. My point was that the latter is inherently more secure, all other things being equal (which they're not), simply because no-one else shares your telephone wires. The speed across it is all about the level of DSL service you've paid for, and is not affected by anything anyone else does within your DSL neighborhood. Cable speed, on the other hand, can indeed suffer if enough people on your trunk decide to do digitally-intensive things like digital video. My correspondent rightly pointed out that nowadays cable trunks can run at gigabit speeds, so that it's only a matter of cable companies allocating a reasonable number of users per trunk, much the way airlines allocate seats. My take on speed is that, barring failures, it's a non-issue. The worst DSL or cable connections are ten times faster than the best dial-ups. When the speed discussion is starting at that point, arguing about it is just power users' coffee chat. For old times' sake, why don't you dial into your ISP with that 33.6K modem and download something? Then do it again with your cable or DSL connection. See what I mean?

Next week we'll look at virus scanners. Ciao.