Antivirus vs. egress firewall

Kevin Long
February 3rd, 2009

In a recent blog post at ZDNet, Jason O’Grady mentioned the benefits of running an application that monitors outgoing (egress) traffic on your Mac. OS X malcode has been in the news lately, with Trojaned versions of iWork and Photoshop CS4 appearing on the BitTorrent network, and Jason offers Little Snitch (an egress firewall application) as “one way to keep tabs on software that likes to call home” (such as a Trojan).

As our recent series on Mac AV suggests, I don’t run antivirus software on my OS X client systems. However, I do run Little Snitch. We neglected to mention egress firewalls as a worthwhile addition to good OS X configurations in that series, and would like to take the opportunity to do so here.

Our title could be construed as misleading. There’s certainly nothing to prevent users from running both antivirus and a robust personal firewall on their systems. Before installing security software on your system, the implications of doing so should be evaluated.

We outlined the risks of running AV in our blog series on Mac AV and will not reiterate them here. Instead, we’ll share some advantages and disadvantages of running an application like Little Snitch.

Egress firewall benefits

  • Financial – Initial cost is small, and there is no annual fee
  • Bandwidth – Aside from occasional application upgrades, there are no definitions to download
  • System resources – Egress firewalls are simple applications that utilize fewer system resources than AV software
  • Risk to system – We know of no incidents in which users lost data due to the use of egress firewalls
  • No false positives
  • Increased awareness – If they choose, users will have a better understanding of the many network connections their system makes on a regular basis

Egress firewall shortcomings

  • Not a preventive measure – Unlike antivirus software, which will prevent a system from being infected (provided definitions are current and inclusive or heuristic detection is accurate), an egress firewall only enhances detection ability
  • Higher learning curve – Should I allow ocspd to connect to crl.omniroot.com on port 80? It takes a while to get initial permissions in place so that normal activity occurs with minimal notification, which in turn makes anomalies easier to spot
  • Vulnerable to disabling – Like antivirus software, an egress firewall could be disabled by malicious code

Why don’t we mention incoming traffic detection? The current version of OS X comes with two ingress firewalls—the Application Firewall and ipfw—already installed. Most users utilize the Application Firewall since it is easily configured in System Preferences, but ipfw can still be utilized via command line.

Did we miss any benefits or shortcomings? Do you have any experience with other Mac firewalls that proved worthwhile (or otherwise)? Let us know.


Comments

  1. You state that OS X has two “ingress” firewalls… However, ipfw is not in/egress-specific; it can do both and log on both.

    A good initial ruleset for OS X platforms was collaborated by myself and a few other people and is hosted over at Securosis (http://securosis.com/2007/12/11/ipfw-rules-v20071212/).

    However this does give me an interesting idea. For more advanced users Little Snitch is slightly simplistic but it would be easy enough to write an app that funnels and filters ipfw logs to Growl for an egress notification.

    Otherwise good article!

    Posted by: windexh8er on February 3rd, 2009 at 5:55 pm
  2. Also, ipfw can be graphically managed by the awesome freeware application WaterRoof: http://www.hanynet.com/waterroof/

    –windexh8er

    Posted by: windexh8er on February 3rd, 2009 at 5:56 pm
  3. Recommendations for both the Application firewall and ipfw would be good.

    Posted by: Fred on February 3rd, 2009 at 5:59 pm
  4. The application firewall can be configured quickly via System Preferences. Simply choose “Set access for specific services and applications,” then click the “Advanced” button and check both boxes (“Enable Firewall Logging” and “Enable Stealth Mode”).

    Following that, OS X will ask permission when an application attempts to accept incoming traffic, and it’s up to the user to only allow legitimate applications to make those connections.

    As windexh8er’s linked post above suggests, there’s a lot more to ipfw configuration than I can detail here. Thankfully, it’s been well-documented by our Unix friends for years.

    Posted by: Kevin Long on February 4th, 2009 at 3:50 am
  5. How are the recommendations in this article any different from running an AV product on a Unix operating system? It isn’t, based on the statements, except that a majority of Mac users do not have an in-depth knowledge of Unix or how to use an application firewall or ipfw; maybe making recommendations on easy-to-use anti-virus products for Mac would be more useful.

    my .05

    a converted PC user

    Posted by: Mark Teicher on February 13th, 2009 at 11:59 am
  6. Hi, Mark. If there’s a recommendation in this article, it’s to consider running an egress firewall on your Mac. That doesn’t mean it’s a good choice for every user, but its impact on risk is worth a thought by infosec professionals.

    I wouldn’t recommend ipfw for most users (without one of the GUI interfaces, at least) since the Application Firewall is relatively straightforward and part of the OS.

    I’ll refrain from recommending one antivirus product over another as I think the risk introduced by running any AV product on your Mac outweighs the importance of how easy it is to introduce that risk.

    Posted by: Kevin Long on February 27th, 2009 at 6:42 pm
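A sketch of the ipfw-log-to-notification idea windexh8er raises in comment 1, as an added example that is not code from the original post, from Little Snitch or from ipfw itself: it parses constructed ipfw syslog records (the record layout is assumed from ipfw's documented logging format, IPv4 only), drops inbound entries and a small allowlist of normal (protocol, port) pairs, and returns a notification string for every other outbound connection, which a real tool would hand to growlnotify or similar.

```python
import re
from dataclasses import dataclass
from typing import Optional
# Assumed ipfw syslog layout (from ipfw's documented format; TCP/UDP addresses
# carry a :port suffix, ICMP addresses do not):
#   ipfw: <rule> <action> <proto> <src> <dst> <in|out> via <iface>
IPFW_RE = re.compile(
    r"ipfw: (?P<rule>\d+) (?P<action>\w+) (?P<proto>[\w.:]+) "
    r"(?P<src>\S+) (?P<dst>\S+) (?P<dir>in|out) via (?P<iface>\S+)"
)
@dataclass
class Entry:
    rule: int
    proto: str            # "TCP", "UDP", "ICMP:8.0", ...
    dst: str              # destination address (IPv4 logging assumed)
    dport: Optional[int]  # None for protocols without ports
    direction: str        # "in" or "out"

def parse_line(line: str) -> Optional[Entry]:
    """Parse one syslog line; return None for lines that are not ipfw records."""
    m = IPFW_RE.search(line)
    if not m:
        return None
    dst, dport = m["dst"], None
    if m["proto"] in ("TCP", "UDP"):
        dst, port = dst.rsplit(":", 1)
        dport = int(port)
    return Entry(int(m["rule"]), m["proto"], dst, dport, m["dir"])

def egress_alerts(log_text: str, allowed: set) -> list:
    """One notification per outbound record whose (proto, dport) is not allowlisted."""
    alerts = []
    for line in log_text.splitlines():
        e = parse_line(line)
        # skip non-ipfw lines, inbound records (ingress rules cover that side) and known-normal pairs
        if e is None or e.direction != "out" or (e.proto, e.dport) in allowed:
            continue
        target = e.dst if e.dport is None else f"{e.dst}:{e.dport}"
        alerts.append(f"egress: {e.proto} to {target} (ipfw rule {e.rule})")
    return alerts
# Constructed sample log, not captured from a real system; NORMAL stands in for
# the "initial permissions" that describe a system's normal activity.
SAMPLE_LOG = """\
Feb  3 17:55:01 macbook kernel[0]: ipfw: 65000 Accept TCP 192.168.1.5:49202 10.0.0.2:80 out via en0
Feb  3 17:55:02 macbook kernel[0]: ipfw: 65000 Accept UDP 192.168.1.5:53177 192.168.1.1:53 out via en0
Feb  3 17:55:03 macbook kernel[0]: ipfw: 65000 Accept TCP 192.168.1.5:49210 203.0.113.7:6667 out via en0
Feb  3 17:55:04 macbook kernel[0]: ipfw: 65000 Accept TCP 198.51.100.9:40000 192.168.1.5:22 in via en0
Feb  3 17:55:05 macbook kernel[0]: ipfw: 65000 Accept ICMP:8.0 192.168.1.5 203.0.113.7 out via en0
"""
NORMAL = {("TCP", 80), ("TCP", 443), ("UDP", 53)}
```

Running `egress_alerts(SAMPLE_LOG, NORMAL)` surfaces only the IRC-port connection and the outbound ping; the web, DNS and inbound SSH records stay quiet, which is the "minimal notification for normal activity" the article describes.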
