One sign of OS X’s overall security savvy is that it has its own built-in firewall, which is pretty good. But there are many other firewall add-on apps for the Mac, including Brian Hill’s Flying Buttress 1.4, Intego’s NetBarrier X4, Open Door Networks’ DoorStop X Security Suite, Sustainable Softworks’ IPNetSentryX 1.3.1, and Symantec’s Norton Personal Firewall 3.0.3 (see the table below for details).
Guarding the gates
How safe will these apps keep your Mac? In blocking traffic, the differences between these products are razor-thin. They all block bad network traffic and protect your Mac just as they should. But there are two areas where a couple of these apps fall short.
Hackers looking for a computer to exploit may ping yours to see if it’ll reply; if it does, the answer lets them know what operating system your computer is running—an excellent starting point for their nefarious games. In our testing, Apple’s built-in firewall, Flying Buttress, and Norton all spilled the beans about which OS our test system used.
The other shortcoming we found in some of these tools is the lack of intrusion detection. Basic firewalls simply allow or block traffic passing through your network ports, but some programs offer another level of protection: they examine incoming traffic to see whether it’s doing anything unusual and warn you if they detect anything suspicious. IPNetSentryX and NetBarrier are the only programs we looked at that have intrusion-detection tools.
These programs are similarly skilled at protecting your Mac, but they differ in ease of use. Each one lets you specify which network ports you want to block or leave open, but NetBarrier and Norton make it particularly simple; IPNetSentryX, on the other hand, requires some advanced network knowledge to set up properly.
And each of these apps provides some kind of reporting system, from basic text documents that log access attempts to e-mailed notifications.
Firewall software compared
| Company | Product | Price | Pros | Cons |
|---|---|---|---|---|
| Apple | Mac OS X Firewall | free (A) | Already part of Mac OS; stealth mode and logging tools; can block UDP traffic. | Advanced configuration requires Terminal; reveals OS; logs could confuse network newbies. |
| Brian Hill | Flying Buttress 1.4 | $25 | Excellent front end to OS X’s built-in firewall; GUI access to features otherwise available through Terminal; syntax checker. | Limited support; poor documentation; some configuration requires advanced knowledge; reveals OS. |
| Intego | NetBarrier X4 | $70 | Intrusion detection; anti-spyware tools; cookie management; monitoring tools; simple setup. | Default configurations are either too permissive or too restrictive; customized configuration requires some knowledge of network security. |
| Open Door Networks | DoorStop X Security Suite | $80 | Excellent documentation; provides detailed information about logs and security instruction; excellent support. | Default settings too stringent; doesn’t warn against accidentally locking down services that you might need. |
| Sustainable Softworks | IPNetSentry X 1.3.1 | $60 | Intrusion detection; highly configurable; excellent logging and bandwidth utilization controls. | Requires significant technical knowledge to manage correctly. |
| Symantec | Norton Personal Firewall 3.0.3 | $50 | Simple setup and configuration; recognizes applications that require network access; easy to add new port or service security. | Stealth mode reveals OS. |
(A) Comes with Mac OS X.
Macworld’s buying advice
When it comes to keeping snoops out of your Mac, OS X’s firewall is all most users really need. It’s safe, secure, and free. But its interface is awfully basic; for any advanced configuration, you’ll have to head to Terminal.
Intego’s NetBarrier X4 gets our nod as the best OS X firewall, thanks to its ease of configuration, boatload of useful features, and excellent documentation. Norton Personal Firewall and DoorStop X Security Suite are also excellent options but offer fewer features. I personally like (and use) Flying Buttress. But its lack of consistent support and its limited documentation make it a poor choice for the average user.
IPNetSentryX is in a class all its own. It’s an intrusion-detection program that’s really designed for network professionals who know what to look for on their networks and who have a thorough knowledge of TCP, UDP, and IP. If you’re wondering what I’m talking about, IPNetSentryX is not for you. But if you’ve just begun to salivate, it will be a powerful addition to your network security toolbox.
[ Jeffery Battersby is a network analyst at the law firm of Finkelstein & Partners in Newburgh, New York. ]