Protecting Your System (Firewall Security)

Overview

Being connected to the Internet or to a network without running some type of firewall software is like leaving the front door of your house wide open so that anybody can walk in. Malicious users and software rely on unprotected systems like this to attack and exploit. A firewall acts as a security guard: it blocks all the network communication ports on your system and only lets in the traffic you authorize. Both Mac OS X and Windows XP come with their own built-in firewall software.

Note: Both operating systems' firewalls, as configured from their graphical interfaces, only block incoming traffic. Neither offers a setting for blocking outgoing traffic, such as connections made by adware or spyware that may have been installed without your knowledge. (The ipfw packet filter underneath the OS X firewall can filter outbound traffic from the command line, but nothing in System Preferences exposes that.)

Mac OS X:

The firewall in OS X is disabled by default. Some readers point out that this isn't a big deal, since all network services in OS X are also disabled by default, so no ports are listening. Here's what Apple's Mac OS X security web page has to say about this:

Apple's conservative approach to security protects your Mac from attacks over private or public networks, such as the Internet, right out of the box. All the communication ports are closed and all native services - personal file sharing, Windows file sharing, personal web sharing, remote login, FTP access, remote Apple events and printer sharing - are turned off by default.

Despite OS X's secure default configuration, shipping with the firewall turned off is just not acceptable given today's high risk of a computer being attacked and compromised simply by being connected to the Internet.

To turn on OS X's firewall:

  1. Launch System Preferences
  2. Click on Sharing
  3. Choose the 'Firewall' tab
  4. Click start

firewall_osx.jpg
OS X's firewall blocks all network communication ports on your system

You can create exceptions to the ports OS X's firewall blocks by checking the boxes next to the services you wish to allow. To allow traffic over a specific port or range of ports, click 'New'. A dialog appears in which you enter the details of the port(s) you wish to unblock.

firewall_blocking_osx.gif

Click the 'Advanced' button to configure additional settings for OS X's firewall. You can turn on logging of firewall activity, block User Datagram Protocol (UDP) traffic, and turn on a feature Apple calls stealth mode.

security_firewall_advanced_osx.gif

Stealth mode is supposed to protect your system by ensuring that blocked traffic receives no response at all, hiding the very existence of your computer from others. Further investigation shows this to be only partially true. It appears that stealth mode in OS X's firewall only ignores ping requests. Other probes, such as port scans, still get responses, which defeats the purpose.

Windows XP:

With Service Pack 2, XP includes the new Windows Firewall, which is turned ON by default. It has three levels of protection:

  • On (recommended) - All unsolicited inbound connections are blocked, except those you list as exceptions.
  • Don't Allow Exceptions - Same as above, except that all exceptions are ignored.
  • Off (not recommended) - All inbound connections are allowed.

security_firewall_xp.gif

Just like OS X, all network communication ports are blocked by default. You can specify exceptions to the ports XP blocks on the 'Exceptions' tab, where you can add exceptions for specific ports and even for programs you trust.

security_firewall_exceptions_xp.gif

Under the 'Advanced' tab, you can configure additional options and settings for the Windows firewall.

security_firewall_advanced1_xp.gif

Network Connection Settings:
The connections you have set up under My Network Places appear here. Check the box next to each connection you want protected by Windows Firewall. For additional firewall settings, select a connection and click 'Settings'. This displays a box for enabling and disabling available network services and Internet Control Message Protocol (ICMP) options.

security_firewall_advanced2_xp.gif
Uncheck the boxes next to the network services you want disabled

ICMP is used by computers on a network to share status and error details with each other. Disabling all the options under ICMP is similar to OS X's "stealth mode", because it stops your computer from answering malicious users who are scanning for hosts with open connections to exploit. Unlike OS X, though, you can block more than just ping requests. The more options under ICMP you disable, the more invisible your computer becomes. Keep in mind that "invisible" here refers to ICMP only: a host still gives itself away if any port answers a TCP or UDP probe, which is why the exceptions list matters as much as the ICMP settings.

security_firewall_advanced3_xp.gif
Uncheck the boxes next to the ICMP services you want disabled
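The practical way to check whether stealth mode (on OS X) or the ICMP settings (on XP) actually hide a machine is to probe it from another host the way a scanner would. The script below is an added example written for this article, not code from Apple or Microsoft. It classifies each TCP port by the host's reaction: a "closed" answer is a TCP RST, which proves the host exists even though nothing is listening, while "filtered" means nothing came back, which is what a firewall that silently drops traffic should produce. The loopback fixtures at the bottom are an assumption for running it on one machine; point stealth_report() at a remote address and a list of ports to test a real firewall.

```python
import errno
import socket

# Added example, not part of the original article. It probes a host the way a
# port scanner would and classifies each TCP port by how the host reacts:
#   open     - the connection completed, so a service is listening
#   closed   - the host answered with a TCP RST ("connection refused"); the
#              port is shut, but the host has just confirmed that it exists
#   filtered - nothing came back before the timeout, which is what a firewall
#              in stealth mode produces for every port it blocks
# A stealthy host therefore shows only "open" or "filtered", never "closed".
PROBE_TIMEOUT_SECONDS = 2.0  # assumption: tune for the network you probe


def classify_tcp_port(host, port, timeout=PROBE_TIMEOUT_SECONDS):
    """Return 'open', 'closed' or 'filtered' for one TCP port on host."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as probe:
        probe.settimeout(timeout)
        try:
            probe.connect((host, port))
            return "open"
        except socket.timeout:
            return "filtered"
        except ConnectionRefusedError:
            return "closed"
        except OSError as exc:
            # No route / host unreachable also means no TCP reply arrived.
            if exc.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
                return "filtered"
            raise


def stealth_report(host, ports, timeout=PROBE_TIMEOUT_SECONDS):
    """Probe several ports; report per-port results and whether the host gave
    itself away (any 'open' or 'closed' answer reveals a live machine)."""
    results = {port: classify_tcp_port(host, port, timeout) for port in ports}
    visible = any(state in ("open", "closed") for state in results.values())
    return results, visible


# Local fixtures (an assumption for running this on one machine): a listening
# socket stands in for an open port, and a port that was bound and released
# stands in for a closed one, since the loopback stack answers it with RST.
def open_listener():
    """Return (socket, port) for a listening loopback socket."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    return listener, listener.getsockname()[1]


def unused_port():
    """Return a loopback port number that nothing is currently listening on."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as tmp:
        tmp.bind(("127.0.0.1", 0))
        return tmp.getsockname()[1]


if __name__ == "__main__":
    listener, listening_port = open_listener()
    try:
        results, visible = stealth_report("127.0.0.1", [listening_port, unused_port()])
        for port, state in results.items():
            print(f"127.0.0.1:{port} -> {state}")
        print("host is visible to a scanner" if visible else "host looks stealthy")
    finally:
        listener.close()
```

Against a remote host that really is in stealth mode, every probed port should come back "filtered" and the ICMP echo the author mentions should time out as well; a single "closed" result is enough to tell a scanner that there is a machine at that address.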

Security Logging:
Windows Firewall can log all successful connections and dropped packets to a text file for you to review. You can configure the log file's maximum size, which types of events appear in the log, and where the file is stored on your computer.
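The log is only useful if someone reads it. Windows Firewall writes it (pfirewall.log by default) in a W3C-style text format whose "#Fields:" header names the columns, so it is easy to parse. The script below is an added example for this article, not a Microsoft tool; the log lines in it are constructed to match that layout and are not a capture from a real machine. It summarizes dropped inbound packets per source address and flags any source that hit several different destination ports, the signature of a port scan; the scan threshold of three ports is an assumption.

```python
from collections import defaultdict

# Constructed sample in the layout Windows Firewall uses for pfirewall.log
# (added example, not a real capture). 10.0.0.5 probes several ports and
# pings us, 10.0.0.7 sends one NetBIOS datagram, and 10.0.0.2 (this host)
# opens and closes an outbound web connection.
SAMPLE_LOG = """\
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2005-03-14 10:22:31 DROP TCP 10.0.0.5 10.0.0.2 3412 135 48 S 1234567890 0 65535 - - - RECEIVE
2005-03-14 10:22:31 DROP TCP 10.0.0.5 10.0.0.2 3413 139 48 S 1234567891 0 65535 - - - RECEIVE
2005-03-14 10:22:31 DROP TCP 10.0.0.5 10.0.0.2 3414 445 48 S 1234567892 0 65535 - - - RECEIVE
2005-03-14 10:22:32 DROP TCP 10.0.0.5 10.0.0.2 3415 3389 48 S 1234567893 0 65535 - - - RECEIVE
2005-03-14 10:22:32 DROP ICMP 10.0.0.5 10.0.0.2 - - 60 - - - - 8 0 - RECEIVE
2005-03-14 10:22:40 DROP UDP 10.0.0.7 10.0.0.2 137 137 78 - - - - - - - RECEIVE
2005-03-14 10:22:45 OPEN TCP 10.0.0.2 10.0.0.9 1045 80 - - - - - - - - -
2005-03-14 10:22:51 CLOSE TCP 10.0.0.2 10.0.0.9 1045 80 - - - - - - - - -
"""


def parse_firewall_log(text):
    """Turn the log text into a list of dicts keyed by the #Fields names.
    Lines whose column count does not match the header (a truncated last
    line, for instance) are skipped rather than mis-parsed."""
    fields, records = None, []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            fields = line.split(":", 1)[1].split()
            continue
        if line.startswith("#"):
            continue  # other header lines: version, software, time format
        if fields is None:
            raise ValueError("log data appeared before the #Fields header")
        values = line.split()
        if len(values) != len(fields):
            continue
        records.append(dict(zip(fields, values)))
    return records


def summarize_drops(records, scan_threshold=3):
    """Aggregate inbound DROP records per source address.
    Returns (summary, suspected_scanners); a source is a suspected scanner
    when it was dropped on at least scan_threshold distinct (protocol, port)."""
    per_source = defaultdict(lambda: {"drops": 0, "ports": set(), "icmp_echo": 0})
    for rec in records:
        if rec["action"] != "DROP" or rec["path"] != "RECEIVE":
            continue  # only unsolicited inbound traffic is of interest here
        entry = per_source[rec["src-ip"]]
        entry["drops"] += 1
        if rec["protocol"] in ("TCP", "UDP"):
            entry["ports"].add((rec["protocol"], int(rec["dst-port"])))
        elif rec["protocol"] == "ICMP" and rec["icmptype"] == "8":
            entry["icmp_echo"] += 1  # ICMP type 8 is an echo request (ping)
    scanners = sorted(ip for ip, e in per_source.items() if len(e["ports"]) >= scan_threshold)
    return {ip: dict(e) for ip, e in per_source.items()}, scanners


if __name__ == "__main__":
    summary, scanners = summarize_drops(parse_firewall_log(SAMPLE_LOG))
    for ip, entry in summary.items():
        print(f"{ip}: {entry['drops']} drops, {len(entry['ports'])} ports, {entry['icmp_echo']} pings")
    print("suspected scanners:", ", ".join(scanners) or "none")
```

To run it on a real log, read the file with its default location from the Security Logging settings dialog and pass the text to parse_firewall_log(); logging of dropped packets has to be enabled there first, or the file will contain only OPEN and CLOSE entries.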

ICMP:
Clicking 'Settings' basically repeats the same ICMP options configurable under Network Connection Settings.

There are some issues I discovered in the Windows Firewall. They are described in Microsoft's TechNet Cable Guy column "Manually Configuring Windows Firewall in Windows XP Service Pack 2" (February 2004):

Applications can use Windows Firewall application programming interface (API) function calls to automatically add exceptions. When applications create exceptions using the Windows Firewall APIs, the user is not notified. If the application using the Windows Firewall APIs does not specify an exception name, the exception is not displayed in the exceptions list on the Exceptions tab of the Windows Firewall item in Control Panel. You can view exceptions with no names from the display of the netsh firewall show state command.

There are three important issues brought to the user's attention from this paragraph:

  1. Any application (even a potentially malicious one, such as spyware or adware) that uses the Windows Firewall API can create an exception for itself without notifying the user. Frankly, this is a poor system security decision. Creating an exception should always be the user's decision, NOT the application's. Yes, Windows Firewall can be configured to notify you when Internet traffic is trying to connect to an application on your computer, but this feature becomes useless if the application can get around the safeguard by creating its own exception.
  2. When an application creates a firewall exception for itself, it doesn't have to specify a name for the exception, in which case the exception does not appear on the Exceptions tab of the Windows Firewall dialog. Yes, it is possible to view these hidden exceptions from the command line (netsh firewall show state), but the average user may not be aware of that ability or know how to use it.

  3. Unlike OS X, there's no way to lock the Windows Firewall so that its settings cannot be edited by another application without an administrator's password being entered first. Simply having a way to lock down the firewall (even against administrators) would make the above issues much less harmful.
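Since the Exceptions tab cannot be trusted to show everything, the check has to be done from the output of the netsh commands the Cable Guy column points to. The script below is an added example for this article, not a Microsoft utility: it parses the port tables printed by "netsh firewall show state" and "netsh firewall show portopening", cross-references them, and reports every open port that has no exception name, which is exactly the kind of entry the GUI hides. The two samples are constructed to approximate the layout of those commands' output (column headers and the dashed rule under them), not copied from a real machine; the parser keys on the header words rather than on column widths so it tolerates spacing differences.

```python
# Added example, not from the original article or from Microsoft. It reads the
# text printed by "netsh firewall show state" and "netsh firewall show
# portopening" on XP SP2 and reports open ports that carry no exception name,
# i.e. the exceptions the Exceptions tab will not display.
# Both samples are constructed to approximate the real output layout.
SHOW_STATE = """\
Firewall status:
-------------------------------------------------------------------
Profile                           = Standard
Operational mode                  = Enable
Exception mode                    = Enable
Multicast/broadcast response mode = Enable
Notification mode                 = Enable
Group policy version              = None
Remote admin mode                 = Disable

Ports currently open on all network interfaces:
Port   Protocol  Version  Program
-------------------------------------------------------------------
139    TCP       Any      (null)
445    TCP       Any      (null)
5900   TCP       Any      (null)
137    UDP       Any      (null)
138    UDP       Any      (null)
"""

# Constructed: port 5900 was opened through the API with no exception name,
# so its Name column is empty.
SHOW_PORTOPENING = """\
Port configuration for Standard profile:
Port   Protocol  Mode     Name
-------------------------------------------------------------------
139    TCP       Enable   NetBIOS Session Service
445    TCP       Enable   SMB over TCP
137    UDP       Enable   NetBIOS Name Service
138    UDP       Enable   NetBIOS Datagram Service
5900   TCP       Enable
"""


def parse_netsh_table(text):
    """Return the rows of the first table whose header starts "Port Protocol"
    as dicts keyed by the header words. A row may omit its last column
    (an exception with no name); that column is recorded as ""."""
    header, rows = None, []
    for line in text.splitlines():
        stripped = line.strip()
        if header is None:
            words = stripped.split()
            if words[:2] == ["Port", "Protocol"]:
                header = words
            continue
        if not stripped:
            if rows:
                break  # a blank line after the rows ends the table
            continue
        if set(stripped) == {"-"}:
            continue  # the dashed rule under the header
        # The last column may contain spaces (a name or a program path).
        values = stripped.split(None, len(header) - 1)
        values += [""] * (len(header) - len(values))
        rows.append(dict(zip(header, values)))
    return rows


def find_hidden_exceptions(state_text, portopening_text):
    """Cross-reference the open ports against the named port exceptions.
    Returns (port, protocol, reason) for each open port without a usable name.
    Program-based exceptions show a path instead of "(null)" in the Program
    column; they are listed by "netsh firewall show allowedprogram" and are
    skipped here."""
    named = {
        (row["Port"], row["Protocol"]): row.get("Name", "").strip()
        for row in parse_netsh_table(portopening_text)
    }
    hidden = []
    for row in parse_netsh_table(state_text):
        if row.get("Program", "(null)") != "(null)":
            continue
        key = (row["Port"], row["Protocol"])
        if key not in named:
            hidden.append((row["Port"], row["Protocol"], "not in port exception list"))
        elif not named[key]:
            hidden.append((row["Port"], row["Protocol"], "exception has no name"))
    return hidden


if __name__ == "__main__":
    for port, proto, reason in find_hidden_exceptions(SHOW_STATE, SHOW_PORTOPENING):
        print(f"{proto}/{port}: {reason}")
```

On a live machine, capture the two commands' output to files (or read it through subprocess) and pass the text in; anything the script reports is an exception you did not see on the Exceptions tab and should account for, since a port such as 5900 in the sample is open to the network either way.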

I've been told that the above issues with applications automatically creating exceptions for themselves without notifying the user aren't a problem as long as the user isn't running as an administrator. The problem is that the majority of XP users run as administrator anyway.

There is hope, though. It has been pointed out that if you download and install Microsoft's Windows Defender (currently in beta), it will display a warning whenever something tries to edit your firewall settings. Windows Defender is a free download from Microsoft's website.

Thanks LordDaMan


Conclusion:

It's pretty clear that XP's built-in firewall offers many more options and finer-grained control over which traffic entering your computer you allow or block than OS X does. The only advantage OS X has over the Windows firewall is that you can lock down OS X's firewall and prevent editing of its settings unless an admin's password is entered.

OS X:

  • All network communication services (file sharing, FTP, etc.) and ports are disabled by default.
  • Can lock the firewall down by requiring an administrator password to be provided before editing any settings
  • Firewall is disabled by default
  • Stealth mode only ignores ping requests. Other ICMP messages receive responses.

XP:

  • Windows Firewall is turned on by default
  • Can customize the firewall to have different settings for each of your network connections
  • Windows Firewall can be configured so that all ICMP messages are ignored, providing a much better "stealth mode"
  • XP ships with File Sharing and related services turned on
  • Applications can automatically create firewall exceptions without notifying the user, as long as they use the Windows Firewall API
  • Applications can create exceptions that can be hidden from the average user and can only be displayed via the command line.
  • There is no way to manually lock down the Windows Firewall and prevent the editing of settings without first asking for an administrator's password.
  • Windows Networking runs all file sharing and related services over the same ports (limited to the local subnet). "All the traditional Windows networking services ... file and print client, file and print server, messenger, login, and so on... all these services predate Windows use of TCP/IP. They used a LAN protocol that involved what are called "named pipes" to connect between services. Under TCP/IP, all these services run encapsulated (almost in a kind of emulation mode) under that old LAN environment. That encapsulation runs over a few common ports, so an IP-based firewall that allows a connection to the ports required for ANY of these protocols allows connections for ALL of these protocols." Thanks resuna

Mac OS X: 7
Windows XP: 8 (9)