Since I do most of my development work on my laptop and so much of it entails running various types of servers locally, I set out to find something that actually kept snoopers out. A quick search led me to Intego Software and their NetBarrier product (Symantec’s Norton products don’t run native on the Intel CPU). There are people out there who don’t like Intego and their offerings, especially with the ‘hidden’ annual subscription fees associated with the software (now this isn’t unusual in the Windows world, but it’s something the folks at Intego should mention right upfront.) But I haven’t had any bad experiences with them. Besides, choices were few and I found a deal for under $60.

To be clear, most people at home connect to the Internet through a router that offers them NAT services which effectively blocks incoming connections. For those situations, a software firewall is overkill. But if like me, you spend a lot of time at public WiFi hotspots like coffee shops or away from known, trusted routers, then you’ll want to run a firewall to keep the legions of port-scanners out there at-bay. If you think you’re unlikely to be a victim of port-scanning, think again. Last time I set up a web-server with a static IP directly connected to the net, it took less than 15 minutes from the time the ISP turned on the tap to when the first port-scans came in. By the time I turned the server off a month later, the web-server log-file was chock-a-block full of known exploits and bizarre attempts at trying to break through — most of them through overseas IP sources and zombies.

But I digress.

At the 2008 Macworld Conference in San Francisco last week, Intego had a booth and they were talking about their latest X5 version upgrade. It looked interesting, but NetBarrier was full of features I didn’t personally care about (Cookie management while doing web-service development. No thanks!) When I got home, I ran across this Macworld magazine article that claimed the Leopard 10.5.1 upgrade had fixed a lot of the problems with the built-in firewall. So I set out to do some tests of my own. My primary test was for the situation you are most likely to encounter when you’re away from the comfort of your home router — to see if any TCP port on my machine was accessible from the outside.

First of all, to get around the NAT router firewall issue, I tried two types of tests: the first was a live test at a neighborhood coffee-shop running a standard Linksys router with no wireless security enabled. The other was with my Intel MacBook Pro running Leopard 10.5.1 and directly connected to the net via Sprint’s EVDO network. To do the actual port-scanning, I needed an external service and Steve Gibson’s excellent Shields UP! service fit the bill nicely. This service opens each port sequentially and prints out a color-coded chart indicating whether the port is open (red), it’s responding but closed (blue), or it’s in stealth mode (green) — meaning that it won’t even acknowledge that there is someone at the other end. Ideally, you want to have the output of Shields UP! be a field of green (all stealth). Blue squares are OK too, but certain port-scanners deduce from a reply that there’s a live machine at the other end and will keep scanning. Red boxes are really bad news, unless you’re running externally accessible services and have intentionally kept those ports open.

In my case, I didn’t want ANYTHING open, so I was looking for all greens. As a baseline, I turned off all firewalls and ran Shields UP! against my unprotected machine. Here’s what I got:

Yikes! Most ports were responding as ‘closed’ which meant that my my system was waving a red flag, saying I dare you to hit me with your best shot. Here’s the same scan, this time with Intego’s NetBarrier X4 firewall enabled, using the preset Client, Local Server setting. (I should also point out that NetBarrier correctly warned me about each and every port scan attempt until I told it to put the GRC server’s IP address on the trusted list):

Looks good. Everything stealthy. Now let’s disable NetBarrier and try it with Leopard 10.5.1′s built-in firewall. You access the firewall settings from System Preferences -> Security and then by clicking on the Firewall tab. The default is set to Allow all incoming connections (which gives us the mostly blue diagram above). I can understand why Apple chose to take this route. Security is often a balance between convenience and safety. Most users would be using their Macs at home behind a router or at work or school behind a firewall. These people would be protected against port scans by their NAT service (which effectively hides them from the outside world). A relatively smaller percentage visit open WiFi hotspots and of those who do, a very small number will find themselves sitting next to someone directly scanning their machine (the NAT service on the coffee shop’s wireless router will keep third-party scanners out). The only other population that would be truly at-risk would be those who run open servers with static IP addresses, and hopefully they know enough to go and manually enable their firewall.
So setting the default to Allow all incoming connections allows the significant majority of Mac users to hop onto the network and do their thing without having to muck with firewalls — which is as it should be. But if you’ve read this far, you (and I) are in the small majority of people paranoid enough to need better security.
Anyway, this is the default…

So let’s try the Allow only essential services option and run the port-scan:

Hmm. Not much different than the Allow all incoming connections version.
Now let’s try the Set access for specific services and applications option. The problem with this option is that by clicking the ‘+’ button, you are presented with the contents of your Applications folder. WTF! What about background services already running or items registered to launch under the launchd daemon? Obviously, if you want that level of control over your system, the simplified System Preference UI isn’t for you and should graduate to manually tweaking the ipfw configuration settings.

Moving along, we see an Advanced… button on the bottom right:

Which brings up a dialog box to Enable Firewall Logging as well as Stealth Mode. Aha! Let’s give that one a try.

And give it a go:

Eureka! It’s all stealthy goodness. That’s what we want.
In conclusion: if you are doing network development work under Leopard or spend a lot of time at public WiFi hotspots and have enabled sharing options on your laptop, you’d better be running some sort of software firewall. You can go with a commercial one (like NetBarrier) or use Apple’s built-in firewall, but only if you tweak it so it’s set to Stealth mode and it disables all incoming connections. If you do decide to go with the Apple firewall, I strongly recommend you also augment it with an outbound scanner like Little Snitch (NetBarrier also provides this functionality) to make sure you know which applications on your machine are ‘phoning home.’
Now a few caveats:

• We’re only looking at TCP ports here. I’m going to try to find an external UDP scanner and I’ll post the results. The UDP model behaves a little differently than TCP in that a closed UDP port is supposed to return an ICMP port unreachable reply. So by staying quiet, scanners may assume that the port is open (!) and redouble their efforts. Let me repeat that. Staying quiet means your port is active. But then, if you have a firewall and it’s blocking UDP requests, wouldn’t it be mistaken for the service being available? The answer is… Yes. It’s a little strange and most UDP scanners sheepishly admit to that effect. But for the sake of completeness, it’s important to look for both kinds of scan, especially for well-known services.
• The GRC test only runs up to port number 1055 which covers the most commonly registered services (other than UPnP which usually runs at 5000). TCP ports technically go all the way up to 65535 but at those higher numbers there’s no guarantee any service is going to run on a given port number. I also ran all the above tests using GRC’s Common Ports setting (which included UPnP) and got similar results.
• Intego’s firewall also scans the incoming content for what they call spyware, trojans, and cookies. There’s a little bit of poetic license being taken here. The most common methods for installing spyware and trojans on a machine is 1) through email or IM attachments, 2) if someone takes advantage of a flaw in your networked client (i.e. browser buffer overflow), or 3) if you download and run an infected application. I can’t tell from Intego’s material if they are, in fact, scanning for these vectors. If they are, good for them. But my guess is that what they’re doing is blocking spyware and trojans from going out, once they’re installed on your machine. If that’s the case, you get the same effect by installing Little Snitch and monitoring outbound communications. I’ll keep digging on this.
• Again, I’m most concerned with access to my machine while I’m out in the open and away from the comfort of my home firewall. If your use falls under that category you can choose to go with NetBarrier or Leopard firewall in stealth mode.

Regardless of the firewall you run, if you spend a lot of time at public WiFi hotspots, you’ll also want to make sure you’re running some sort of VPN to keep the fellow with the mysterious smile, nursing a cold coffee, sitting across the room from you and sniffing your packets with KisMac or NetStumbler. Try running these programs yourself some time. You’ll be amazed how much critical stuff goes across the wire in the open. If you don’t have access to a VPN server at work or school, I suggest paying for a publicly accessible one like PublicVPN or HotSpotVPN.

And I’ll leave it at that.