Tested products included Intego NetBarrier X3 v10.3.4, Symantec Norton Personal Firewall 2004 v3.0, Pliris Firewalk X 2 v2.37, Sustainable Softworks IPNetSentryX v1.1, and the built-in Mac OS X firewall.
All tests were performed using Mac OS X v10.3.6 on a G5, a G4 notebook, and an iBook. Tests were performed using LAN, wireless, and dial-up connections; wireless testing included unsecured hotspots.
Installation and Configuration
Each of the firewalls allowed ports and protocols to be specified and configured, though some made it easier than others. All except IPNetSentryX allowed application whitelisting and blacklisting (specifying which applications can and cannot communicate with the Internet).
None of the firewalls tested alerted us when we switched networks, established (or changed) dial-up accounts, or joined unsecured (non-WEP) Wi-Fi networks. All of them simply accepted the changed settings and new connections and silently allowed them.
During the tests, we were unable to deactivate or remove NetBarrier X3, Firewalk X 2, and the Mac OS X built-in firewall. (In the case of NetBarrier X3, for example, the root password was required to stop the resident processes.) This creates a more effective barrier against malware, preventing it from automatically removing or neutering the protection.
In the case of Norton Personal Firewall, we were able to stop the memory process but unable to remove the program from the hard drive; even Norton’s own uninstaller could not remove it, and we had to download a new uninstaller from the Symantec support site. Note that when it was possible to manually stop the application, Internet access continued to function.
Port Scans
During port scans, all of these firewalls revealed the OS.
By default, with no firewall enabled, all ports on a Mac are closed, but not stealthed (a closed port still answers a probe, confirming that a live host is present; a stealthed port returns nothing). NetBarrier fully stealthed all the ports and alerted us to port scans. Norton Personal Firewall did not alert us to port scan attempts, nor were all ports stealthed (ports 0 and 1 were closed but not stealthed with both default settings and maximum security settings). Though port 0 does not officially exist, valid packets can be sent to and from that port, and its accessibility is a signal to attackers that the IP being targeted is valid. Firewalk X 2 left ports 427 and 548 open by default on all port scans. IPNetSentryX and the Mac OS X firewall stealthed all ports.
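The closed-versus-stealthed distinction above is easy to check on your own machine from a second host. The following is an added example, not part of the original review or any of the products: it classifies each probed TCP port as open (connection accepted), closed (refused with a reset) or stealthed (no answer), and summarises the result using the review's own criteria. The loopback listener and the probed ports are constructed so it runs offline.

```python
"""Self-check for the review's port-scan criteria (added example).

open      -> something accepted the connection
closed    -> refused with a TCP reset: nothing listens, but the host is alive
stealthed -> no answer at all, the probe was dropped
"""
import socket

# Ports the review singles out: the AppleShare/SLP service ports that
# Firewalk X 2 left open by default.
SERVICE_PORTS = (427, 548)


def probe_port(host, port, timeout=1.0):
    """Return 'open', 'closed' or 'stealthed' for one TCP port."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))   # SYN answered with SYN/ACK
        return "open"
    except ConnectionRefusedError:
        return "closed"           # SYN answered with RST (or ICMP unreachable)
    except (socket.timeout, OSError):
        return "stealthed"        # no reply within the timeout, or unreachable
    finally:
        s.close()


def probe_host(host, ports, timeout=1.0):
    """Probe several ports and return {port: classification}."""
    return {p: probe_port(host, p, timeout) for p in ports}


def verdict(results):
    """Judge the probe results the way the review's table does."""
    return {
        "all_stealthed": all(v == "stealthed" for v in results.values()),
        # Any port that answers, even 'closed', confirms a live host.
        "host_revealed": any(v != "stealthed" for v in results.values()),
        "service_ports_open": [p for p in SERVICE_PORTS if results.get(p) == "open"],
    }


def loopback_listener():
    """Constructed stand-in for a listening service on an ephemeral loopback port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    return srv


if __name__ == "__main__":
    srv = loopback_listener()
    res = probe_host("127.0.0.1", [srv.getsockname()[1], 1])  # port 1 is normally unbound
    print(res, verdict(res))
    srv.close()
```

Run it from another machine against your Mac's address to reproduce the review's test; a host with every port stealthed yields `all_stealthed: True`.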
Outgoing Communications
NetBarrier was the only product that alerted us when we swapped one Internet application for another. (These sorts of “stolen rights” can be used to hijack the permissions granted to another program.) It also offered outgoing program notification—useful for both policy management and Trojan/backdoor/dialer notification.
Norton Personal Firewall alerted us when applications tried to open a closed port for outgoing communications. Firewalk X 2 includes an option to issue an alert if conditions match a particular user-created rule, but that requires the user to “pre-think” possible attack scenarios and write rules accordingly. IPNetSentryX alerted us only when using pre-selected applications. The built-in Mac OS X firewall offered no application alerting.
Evaluation
Driven by the popularity of iTunes and the iPod, inexpensive prices for the iBook compared to traditional PC laptops, and dissatisfaction with Windows, Macintosh use is on the increase. As the Mac platform becomes more popular, it will likely become a more common target of malware. This is particularly true for profit-motivated malware (as opposed to anti-Microsoft virus writers intent on finding Windows vulnerabilities).
Unfortunately, these firewalls do not provide all the protection one would need if targeted by profit-motivated miscreants. Only NetBarrier offered permission-based outbound protection. Norton Personal Firewall did alert when an application attempted to open a closed port, but simple social engineering could overcome this (for example, if the Trojan had the same or a similar name to an acceptable application, unsuspecting users could be fooled). Hence, systems with these programs installed are still ripe for compromise by key-loggers, dialers, and other Trojans.
Products Tested
| | Firewalk X 2 | IPNetSentryX | Mac OS X built-in firewall | NetBarrier X3 | Norton Personal Firewall 2005 |
|---|---|---|---|---|---|
| Company | Pliris | Sustainable Softworks | Apple | Intego | Symantec |
| Version | 2.3.7 | 1.1 | built-in | 10.3.4 | 3.0 |
| Size on HDD | 6MB | 4.8MB | n/a | 12.1MB | 20MB |
Functions
| | Firewalk X 2 | IPNetSentryX | Mac OS X built-in firewall | NetBarrier X3 | Norton Personal Firewall 2005 |
|---|---|---|---|---|---|
| Application filter (blacklist, whitelist) | Yes | No | Yes | Yes | Yes |
| Understandable warnings/pop-ups | Yes | N/A | N/A | Yes | Yes |
| Automatic Internet updates | Yes (not by default; can configure to check for updates at launch) | No | Yes | Yes | Yes |
| Filter for incoming mail attachments | No | No | No | No | No |
Protection from Inside
| | Firewalk X 2 | IPNetSentryX | Mac OS X built-in firewall | NetBarrier X3 | Norton Personal Firewall 2005 |
|---|---|---|---|---|---|
| Tool can be deactivated in memory | No | Yes | No | No | Yes |
| Tool can be deleted from hard drive | No | Yes | No | No | No |
| Outgoing program notification | No (has option to alert if conditions match a particular rule the user has created) | Not by default (can configure to scan by specified parameters, i.e. by IP, port, and application) | No | Yes | No (but will alert if program tries to open a closed port) |
| Detects changed programs (“stolen” rights) | No | No | No | Yes | No |
Protection from Outside
| | Firewalk X 2 | IPNetSentryX | Mac OS X built-in firewall | NetBarrier X3 | Norton Personal Firewall 2005 |
|---|---|---|---|---|---|
| Common ports stealthed? | Yes | Yes | Yes (if firewall is disabled, all ports are closed, but not stealthed) | Yes (detects port scan and prompts for action; all ports stealthed) | No (does not alert to port scan; port 0 closed, but not stealthed; port 1 not scanned in standard/common scans) |
| Service ports stealthed? | No (ports 427 and 548, used by AppleShare service, left open by default; if closed by the user, the ports will be stealthed) | Yes | Yes (see above) | Yes (detects port scan and prompts for action) | No (does not alert to port scan; port 0 closed, but not stealthed; port 1 not scanned in standard/common scans) |
| OS guessable? | Yes | Yes | Yes | Yes | Yes |
Internet/Network Connections
| | Firewalk X 2 | IPNetSentryX | Mac OS X built-in firewall | NetBarrier X3 | Norton Personal Firewall 2005 |
|---|---|---|---|---|---|
| Detects additions or changes to dial-up accounts | No | No | No | No | No |
| Detects log-ins to new networks | No | No | No | No | No |
| Warns of unsecure Wi-Fi connections | No | No | No | No | No |
[ Mary Landesman works for AV-Test, an independent antivirus and security testing firm based in Germany. ]