Spotlight on Mac Security

Test Report: OS X Firewalls

Tested products included Intego NetBarrier X3 v10.3.4, Symantec Norton Personal Firewall 2004 v3.0, Pliris Firewalk X 2 v2.37, Sustainable Softworks IPNetSentryX v1.1, and the built-in Mac OS X firewall.

All tests were performed using Mac OS X v10.3.6 on a G5, a G4 notebook, and an iBook. Tests were performed using LAN, wireless, and dial-up connections; wireless testing included unsecured hotspots.

Installation and Configuration

Each of the firewalls allowed ports and protocols to be specified/configured, though some make it easier than others. All except IPNetSentryX allowed for application whitelisting and blacklisting (specifying which apps can and can’t communicate with the Internet).

None of the firewalls tested alerted us when we switched networks, established (or changed) dial-up accounts, or joined unsecured (non-WEP) Wi-Fi nets. All of them simply accepted the changed settings and/or new connections and silently allowed them.

During the tests, we were unable to deactivate or remove NetBarrier X3, Firewalk X 2, and the Mac OS X built-in firewall. (In the case of NetBarrier X3, for example, the root password was required to stop the memory processes.) This creates a more effective barrier against malware, preventing it from automatically removing or neutering the protection.

In the case of Norton Personal Firewall, we were able to stop the memory process but unable to remove the program from the hard drive. Even Norton’s own uninstaller could not remove the program; we had to download a new uninstaller from the Symantec support site. Note that where it was possible to manually stop the application, Internet access continued to function.

Port Scans

During port scans, all of these firewalls revealed the OS.

By default, with no firewall enabled, all ports on a Mac are closed, but not stealthed. NetBarrier fully stealthed all the ports and alerted us to port scans. Norton Personal Firewall did not alert us to port scan attempts, nor were all ports stealthed (ports 0 and 1 were closed but not stealthed, with both default settings and maximum security settings). Though port 0 does not officially exist, valid packets can be sent to and from that port, and its accessibility signals to attackers that the IP being targeted is valid. Firewalk X 2 left both ports 427 and 548 open by default on all port scans. IPNetSentryX and the Mac OS X built-in firewall stealthed all ports.
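The closed/stealthed distinction above comes down to how a host answers a SYN probe. The following is an added illustration, not code from the report or from any of the tested products: it maps each probe reply to the three states the report uses and shows what a scanner learns from each, over constructed sample results shaped like the findings (one stealth-everything profile, one that answers RST on ports 0 and 1, one that leaves the AppleShare ports open).

```python
"""Classify TCP SYN-probe replies into open / closed / stealthed.

Added example; the probe results are constructed sample data, not
measurements from the report.
"""
from typing import Dict, Optional

# Reply to one SYN probe: "syn-ack", "rst", or None (no reply at all).
Probe = Optional[str]


def port_state(reply: Probe) -> str:
    """Map a SYN-probe reply to the state the report would assign."""
    if reply == "syn-ack":
        return "open"        # a service accepted the connection
    if reply == "rst":
        return "closed"      # nothing listening, but the host answered
    if reply is None:
        return "stealthed"   # dropped silently: looks like no host at all
    raise ValueError(f"unknown reply {reply!r}")


def audit(results: Dict[int, Probe]) -> Dict[str, object]:
    """Summarise what a scanner learns from a set of probe replies."""
    states = {port: port_state(r) for port, r in results.items()}
    return {
        "open": sorted(p for p, s in states.items() if s == "open"),
        "closed_not_stealthed": sorted(p for p, s in states.items() if s == "closed"),
        # Any RST or SYN-ACK proves a live host, which is why a reachable
        # port 0 matters even though no service lives there.
        "host_confirmed_alive": any(s != "stealthed" for s in states.values()),
    }


# Constructed sample profiles (hypothetical, not the tested products).
SAMPLE = {
    "stealth-all": {p: None for p in (0, 1, 22, 80, 427, 548)},
    "rst-low-ports": {0: "rst", 1: "rst", 22: None, 80: None, 427: None, 548: None},
    "appleshare-open": {0: None, 1: None, 22: None, 80: None, 427: "syn-ack", 548: "syn-ack"},
}

if __name__ == "__main__":
    for name, res in SAMPLE.items():
        print(name, audit(res))
```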

Outgoing Communications

NetBarrier was the only product that alerted us when we swapped one Internet application for another. (These sorts of “stolen rights” can be used to hijack the permissions granted to another program.) It also offered outgoing program notification—useful for both policy management and Trojan/backdoor/dialer notification.

Norton Personal Firewall alerted us when applications tried to open a closed port for outgoing communications. Firewalk X 2 includes an option to issue an alert if conditions match a particular user-created rule, but that requires that the user “pre-think” possible attack scenarios and write rules accordingly. IPNetSentryX alerted us only when using pre-selected applications. The built-in Mac OS X firewall offered no application alerting.

Evaluation

Driven by the popularity of iTunes and the iPod, the low price of the iBook compared to traditional PC laptops, and dissatisfaction with Windows, Macintosh use is on the increase. As the Mac platform becomes more popular, it will likely become a more common target of malware. This is particularly true for profit-motivated malware (as opposed to anti-Microsoft virus writers intent on finding Windows vulnerabilities).

Unfortunately, these firewalls do not provide all the protection one would need if targeted by profit-motivated miscreants. Only NetBarrier offered permission-based outbound protection. Norton Personal Firewall did alert when an application attempted to open a closed port, but simple social engineering could overcome this (e.g. if the Trojan had the same or a similar name as an acceptable application, unsuspecting users could be fooled). Hence, systems with these programs installed are still ripe for compromise by key-loggers, dialers, and other Trojans.
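The two weaknesses above (a replaced program inheriting another program's rights, and a look-alike name satisfying a name-only check) share one root cause: the outbound permission is tied to a name rather than to the executable. This added example, not code from the report or from any tested product, contrasts a name-keyed allowlist with one that also binds the grant to a digest of the executable, using constructed byte strings in place of real binaries.

```python
"""Name-based vs. hash-bound outbound application allowlisting.

Added example; GENUINE and REPLACED are constructed stand-ins for the
contents of an executable file.
"""
import hashlib
from typing import Dict, Tuple


def digest(image: bytes) -> str:
    """SHA-256 of the executable's bytes (stands in for hashing the file)."""
    return hashlib.sha256(image).hexdigest()


class NameAllowlist:
    """Grants outbound access to any program whose name was approved."""
    def __init__(self) -> None:
        self.allowed: set = set()

    def grant(self, name: str, image: bytes) -> None:
        self.allowed.add(name)          # the binary itself is never recorded

    def check(self, name: str, image: bytes) -> str:
        return "allow" if name in self.allowed else "prompt"


class BoundAllowlist:
    """Grants access to a name only while its executable is unchanged."""
    def __init__(self) -> None:
        self.allowed: Dict[str, str] = {}

    def grant(self, name: str, image: bytes) -> None:
        self.allowed[name] = digest(image)

    def check(self, name: str, image: bytes) -> str:
        if name not in self.allowed:
            return "prompt"             # never approved: ask the user
        if self.allowed[name] != digest(image):
            return "changed"            # approved name, different binary
        return "allow"


GENUINE = b"genuine mail client build 1.0"          # constructed
REPLACED = b"something else wearing the same name"  # constructed


def compare() -> Tuple[str, str]:
    """Approve the genuine binary, then present a replaced one under its name."""
    by_name, bound = NameAllowlist(), BoundAllowlist()
    by_name.grant("Mail", GENUINE)
    bound.grant("Mail", GENUINE)
    return by_name.check("Mail", REPLACED), bound.check("Mail", REPLACED)


if __name__ == "__main__":
    print(compare())   # ('allow', 'changed')
```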

Products Tested

| | Firewalk X 2 | IPNetSentryX | Mac OS X built-in firewall | NetBarrier X3 | Norton Personal Firewall 2005 |
| --- | --- | --- | --- | --- | --- |
| Company | Pliris | Sustainable Softworks | Apple | Intego | Symantec |
| Version | 2.3.7 | 1.1 | built-in | 10.3.4 | 3.0 |
| Size on HDD | 6MB | 4.8MB | n/a | 12.1MB | 20MB |

Functions

| | Firewalk X 2 | IPNetSentryX | Mac OS X built-in firewall | NetBarrier X3 | Norton Personal Firewall 2005 |
| --- | --- | --- | --- | --- | --- |
| Application filter (blacklist, whitelist) | Yes | No | Yes | Yes | Yes |
| Understandable warnings/pop-ups | Yes | N/A | N/A | Yes | Yes |
| Automatic Internet updates | Yes (not by default; can configure to check for updates at launch) | No | Yes | Yes | Yes |
| Filter for incoming mail attachments | No | No | No | No | No |

Protection from Inside

| | Firewalk X 2 | IPNetSentryX | Mac OS X built-in firewall | NetBarrier X3 | Norton Personal Firewall 2005 |
| --- | --- | --- | --- | --- | --- |
| Tool can be deactivated in memory | No | Yes | No | No | Yes |
| Tool can be deleted from hard drive | No | Yes | No | No | No |
| Outgoing program notification | No (has option to alert if conditions match a particular rule the user has created) | Not by default (can configure to scan by specified parameters, i.e. by IP, port, and application) | No | Yes | No (but will alert if program tries to open a closed port) |
| Detects changed programs (“stolen” rights) | No | No | No | Yes | No |

Protection from Outside

| | Firewalk X 2 | IPNetSentryX | Mac OS X built-in firewall | NetBarrier X3 | Norton Personal Firewall 2005 |
| --- | --- | --- | --- | --- | --- |
| Common ports stealthed? | Yes | Yes | Yes (if firewall is disabled, all ports are closed, but not stealthed) | Yes (detects port scan and prompts for action; all ports stealthed) | No (does not alert to port scan; port 0 closed, but not stealthed; port 1 not scanned in standard/common scans) |
| Service ports stealthed? | No (ports 427 and 548, used by the AppleShare service, are left open by default; if closed by the user, the ports will be stealthed) | Yes | Yes (see above) | Yes (detects port scan and prompts for action) | No (does not alert to port scan; port 0 closed, but not stealthed; port 1 not scanned in standard/common scans) |
| OS guessable? | Yes | Yes | Yes | Yes | Yes |

Internet/Network Connections

| | Firewalk X 2 | IPNetSentryX | Mac OS X built-in firewall | NetBarrier X3 | Norton Personal Firewall 2005 |
| --- | --- | --- | --- | --- | --- |
| Detects additions or changes to dial-up accounts | No | No | No | No | No |
| Detects log-ins to new networks | No | No | No | No | No |
| Warns of unsecure Wi-Fi connections | No | No | No | No | No |

[Mary Landesman works for AV-Test, an independent antivirus and security testing firm based in Germany.]
