Security Basics mailing list archives

Re: Mac X-Server Security Questions...


From: Javier Blanque <javier () blanque com ar>
Date: Sat, 9 Apr 2005 15:31:49 -0300

Hi Brad,
ipfw is a totally capable stateful firewall, but it is necessary to configure it. You can do it partially by way of the GUI, but to make use of all its power you need to go through the command line. It's a stateful firewall in the same league as iptables on GNU/Linux or pf (packet filter) on the BSD variants. You can close every address:port/protocol inbound or outbound at your network with any firewall, and if there is no known vulnerability in your firewall, you will be relatively secure internally (up to the point where one of your users installs a trojan horse and opens a tunnel from the interior of your network to the Internet, through your firewall or by way of a backdoor through a modem or other unprotected link).

This article from Peter Hickman at MacDevCenter (at O'Reilly) may be useful to you: http://www.macdevcenter.com/pub/a/mac/2005/03/15/firewall.html, or this one from Bil Hays at http://www.ibiblio.org/macsupport/ipfw/, or this one by Damien Gallop at http://www.macwrite.com/criticalmass/mac-os-x-built-in-firewall.php

As for your comment on hardware vs. software firewalls, really there are no hardware firewalls, only black boxes and open boxes, where you can or cannot know what is installed; even the ASIC equipment has firmware programming. Every major black box firewall vendor based its products on known operating systems and built upon them. Cisco, Astaro, etc. all selected a relatively secure OS (BSD, GNU/Linux, etc.) and hardened it. And after that, they put their firewall on it (a software application, module, or whatever you want to call it). Please, don't do more bashing. When something breaks in the area of computer security, 90% of the time it is a configuration problem and not the base tools.
I recommend that you build a two-layered approach to your network, as a method to avoid running into security problems the next time: first install an external firewall (i.e.: pf on OpenBSD) and an internal firewall (i.e.: SuSE firewall2 on SuSE GNU/Linux), and install the servers that have contact with the exterior in the DMZ, or de-militarized zone, in between. Your corporate data must be on your interior network, and only the necessary data must be replicated or accessed (restricted by address:port/protocol) to the right server in the semi-public zone (controlled by the firewalls). This architecture serves you well as it is heterogeneous (it is what you trust more), especially if you have Windows and Macintosh servers and clients. If you are not very experienced with pf and iptables, I recommend using the FWBuilder rule generator initially, to learn and experiment with NAT and the most common schemes. Sonicwall has its bugs too, as does every major vendor, but the problem is mostly at the configuration step (we always need to remember Pareto's law). You need to plan your architecture and security first, with an integrated vision. Of course, always being patched and being informed about security alerts for your platforms is essential. Common sense is the silver bullet. We need to remember that we don't need to be speedier than the tiger; we only need to be speedier than the other prey.
Best regards,
Javier Blanque

On 09/04/2005, at 11:50, Brad Berson wrote:

BTW #2:  ipfw is a joke

Can you (or someone) elaborate on this?

Bear in mind that I'm just learning my way through this, but here goes.
First of all it's a software firewall, which means it'll never be as
good/effective as a separate appliance. Second, it's only superficially
programmed through the GUI, and if you start fiddling with its native
config your changes are likely to be obliterated next time you touch the
GUI.  Third, we found that while ipfw happily reported all the traffic
going through, it wasn't actually denying traffic it was supposed to
deny, and reportedly denying.  Fourth, when trying to figure out why
that was happening, on the phone with Apple themselves, we were told
outright that they don't support ipfw.  And we never did figure it out.
Thanks a friggin' lot, Apple.  Hello Sonicwall!
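As an added example (not code from either post), here is a minimal stateful ipfw ruleset for the external firewall in the two-layer design Javier describes: Internet, external firewall, DMZ segment, internal firewall, internal network. It opens only explicit address:port/protocol pairs, uses check-state/keep-state so replies to permitted connections pass without opening inbound ports, blocks spoofed packets, and ends with a logged default deny. Interface names (en0, en1), the DMZ web server address and the internal range are assumptions; 192.0.2.0/24 is the RFC 5737 documentation range used as a placeholder. The script only composes and sanity-checks the policy so it can be reviewed before an operator loads it with ipfw(8).

```shell
#!/bin/sh
# Added example, not from the original thread. Composes a stateful ipfw ruleset
# for the external firewall of an Internet -> external fw -> DMZ -> internal fw
# -> internal network design. All names and addresses below are assumptions.

EXT_IF="${EXT_IF:-en0}"                 # assumed interface facing the Internet
DMZ_IF="${DMZ_IF:-en1}"                 # assumed interface facing the DMZ segment
DMZ_NET="${DMZ_NET:-192.0.2.0/24}"      # placeholder DMZ range (RFC 5737)
DMZ_WEB="${DMZ_WEB:-192.0.2.10}"        # assumed public web server in the DMZ
INT_NET="${INT_NET:-10.0.0.0/8}"        # assumed internal (corporate) network

# Print the ruleset, one "add" line per rule, in evaluation order:
#   100-120  loopback allowed, loopback addresses never on the wire
#   200      check-state: match replies of connections tracked by keep-state
#   300-310  anti-spoofing: DMZ or internal source addresses never arrive
#            from the Internet-facing interface
#   400-410  the only inbound services: HTTP/HTTPS to the DMZ web server
#   500-520  outbound from the internal side and DNS for the web server,
#            all tracked so replies are admitted by rule 200
#   65000    default deny with logging, so unexpected traffic is visible
gen_rules() {
    cat <<EOF
add 100 allow ip from any to any via lo0
add 110 deny ip from any to 127.0.0.0/8
add 120 deny ip from 127.0.0.0/8 to any
add 200 check-state
add 300 deny ip from ${DMZ_NET} to any in via ${EXT_IF}
add 310 deny ip from ${INT_NET} to any in via ${EXT_IF}
add 400 allow tcp from any to ${DMZ_WEB} 80 in via ${EXT_IF} setup keep-state
add 410 allow tcp from any to ${DMZ_WEB} 443 in via ${EXT_IF} setup keep-state
add 500 allow tcp from ${INT_NET} to any in via ${DMZ_IF} setup keep-state
add 510 allow udp from ${INT_NET} to any 53 in via ${DMZ_IF} keep-state
add 520 allow udp from ${DMZ_WEB} to any 53 in via ${DMZ_IF} keep-state
add 65000 deny log ip from any to any
EOF
}

# Sanity check before loading: the last rule must be the catch-all deny, and no
# rule other than the loopback one may allow "ip from any to any".
# Returns 0 when the ruleset passes, 1 otherwise.
lint_rules() {
    rules="$(gen_rules)"
    printf '%s\n' "$rules" | tail -n 1 | grep -q 'deny log ip from any to any' || return 1
    if printf '%s\n' "$rules" | grep -v 'via lo0' | grep -q 'allow ip from any to any'; then
        return 1
    fi
    return 0
}

# Stand-alone use: print the rules if they pass the check.
if lint_rules; then
    gen_rules
else
    echo "ruleset failed sanity check" >&2
fi
```

Once reviewed, the printed lines can be saved to a file and loaded with `ipfw -q -f flush` followed by `ipfw -q /path/to/rules`. Traffic from DMZ hosts towards the internal network is not handled here at all: in this design that boundary belongs to the internal firewall, which should refuse it by default and allow only the replicated services Javier mentions.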




