On 2007-10-25, D P Schreber wrote:
>> The software firewall built into the Mac OS, accessible in the
>> Network preference pane, serves much the same purpose.)
>
> The kernel firewall in osx can do _far_ more than simply blocking
> incoming traffic. One of the many things it can do is block and
> log all outgoing connection requests except to specific ports.
> The Network Preference gui is simple, the firewall itself is not.

I think the distinction between ipfw and Little Snitch that the
parent poster didn't manage to clearly make is that Little Snitch
integrates into OS X such that it can block or permit outgoing
traffic on a process or application-specific basis, which ipfw
cannot do.

>> You need both. (Well, IMO, anyway.)
>
> Given the current lack of malware for osx on the one hand, and the
> flexibility of the kernel firewall on the other (if you take the
> time to learn how to use it), I don't see much point to Little
> Snitch. There's nothing wrong with this utility and certainly it won't
> do your system any harm. If it gives you the warm-fuzzies to use
> it, by all means do so. But from the security perspective no one
> really needs it.

Little Snitch can be sort of a pain to use, especially for a Unix
guy. For instance, I shelled into my iMac from campus one day to
start a long HTTP download so that it would hopefully be complete by
the time I got home; however, for some reason wget couldn't contact
the Web server. I was confused about this until I got back to my
apartment and saw the Little Snitch dialog box asking me whether
wget had my permission to make said network connection.

Also, interpreted languages provide a problem for Little Snitch (as
well as the various Windows firewalls which do the same thing).
Little Snitch cannot distinguish between Python App A and App B; for
either program, it simply asks whether you give "python" (as in the
Python interpreter) permission to make a network connection. So if
I tell Little Snitch to give BitTorrent (a Python application)
permanent network access, then it won't do anything to block any
potential Python-based malware that I might become infected with.

That's not the only problem with Little Snitch's approach, either.
If a spyware author wanted to be really crafty, he could hijack a
Web browser on the system (already whitelisted by Little Snitch!) to
send your private information to a Web server as part of a GET or
POST request. Or he could even encapsulate such information within
a series of DNS queries (see iodine et al.), in which case it would
pass straight through lookupd without any intervention from Little
Snitch whatsoever. And there are any number of other ways of
smuggling data out of the system, which together become impossible
to entirely guard against on current OS architectures, apart from
denying malware access to your computer in the first place.

All that said, Little Snitch does provide some level of protection
against naïvely-written malware; and sure, there isn't much (any?)
malware targeted at OS X just yet, but if we were to all be
surprised by some Macintosh spyware attack one day, wouldn't it be
nice to have such a line of defense already in place? So, all these
flaws aside, I do use Little Snitch anyway, on top of my Macs' ipfw
firewalls and pf on my OpenBSD gateway -- and, most importantly,
good old-fashioned conscientious use of administrative privileges.
Another brick in the firewall never hurts (if it isn't too
inconvenient for you personally), as long as you don't allow it to
lull you into a false sense of security.

As I understand it, Leopard will incorporate some kind of Little
Snitch-like firewall functionality of its own. This will be an
interesting thing to try when I get around to making the upgrade...
--
Mark Shroyer
http://markshroyer.com/
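The quoted reply points out that the ipfw kernel firewall can block and log all outgoing connection requests except to specific ports. Those logs are only worth something if somebody reads them, so here is an added example (not code from this thread or from either poster) of a small Python analyser for ipfw log lines. It assumes the log format ipfw writes on Mac OS X 10.4 and FreeBSD, `ipfw: <rule> <Accept|Deny> <proto> <src>:<sport> <dst>:<dport> <in|out> via <iface>`, and an egress allowlist of ports 22, 80 and 443; the sample log lines and the function names `parse`, `denied_outbound_by_port` and `accepted_outside_allowlist` are all constructed for the example. The second check goes a little beyond the post: it reports outbound traffic the firewall accepted to ports outside the intended allowlist, which is how you catch a ruleset that is looser than the policy you think it enforces.

```python
"""Summarise ipfw kernel-firewall log lines for outbound traffic (added example).

Assumes the ipfw log format:
  ipfw: <rule> <Accept|Deny> <proto> <src>:<sport> <dst>:<dport> <in|out> via <iface>
ICMP lines carry no ports and are simply skipped by the regex below.
"""
import re
from collections import Counter
from typing import Dict, Iterable, List, NamedTuple, Set

# Matches the ipfw body of a line; the syslog prefix before "ipfw:" is ignored.
IPFW_RE = re.compile(
    r"ipfw: (?P<rule>\d+) (?P<action>Accept|Deny|Reset|Unreach) (?P<proto>\w+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"(?P<direction>in|out) via (?P<iface>\S+)"
)


class Event(NamedTuple):
    rule: int
    action: str
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    direction: str
    iface: str


# Constructed sample lines (not real logs); addresses come from documentation ranges.
SAMPLE_LOG = [
    "Oct 25 19:02:11 imac kernel[0]: ipfw: 1000 Accept TCP 192.168.1.10:49170 93.184.216.34:80 out via en0",
    "Oct 25 19:02:12 imac kernel[0]: ipfw: 1000 Accept TCP 192.168.1.10:49171 192.0.2.20:443 out via en0",
    "Oct 25 19:02:15 imac kernel[0]: ipfw: 65000 Deny TCP 192.168.1.10:49172 198.51.100.7:6881 out via en0",
    "Oct 25 19:02:16 imac kernel[0]: ipfw: 65000 Deny TCP 192.168.1.10:49173 198.51.100.7:6881 out via en0",
    "Oct 25 19:02:20 imac kernel[0]: ipfw: 65000 Deny UDP 192.168.1.10:5353 224.0.0.251:5353 out via en0",
    "Oct 25 19:02:30 imac kernel[0]: ipfw: 65000 Deny TCP 203.0.113.9:4444 192.168.1.10:22 in via en0",
    "Oct 25 19:02:40 imac kernel[0]: ipfw: 2000 Accept TCP 192.168.1.10:49180 192.0.2.50:8080 out via en0",
    "Oct 25 19:02:41 imac kernel[0]: some unrelated kernel message",
]

# Hypothetical egress policy: only these destination ports should be reachable.
ALLOWED_EGRESS_PORTS: Set[int] = {22, 80, 443}


def parse(lines: Iterable[str]) -> List[Event]:
    """Return one Event per line in ipfw format; lines that do not match are skipped."""
    events: List[Event] = []
    for line in lines:
        m = IPFW_RE.search(line)
        if not m:
            continue
        g = m.groupdict()
        events.append(Event(int(g["rule"]), g["action"], g["proto"], g["src"],
                            int(g["sport"]), g["dst"], int(g["dport"]),
                            g["direction"], g["iface"]))
    return events


def denied_outbound_by_port(events: Iterable[Event]) -> Dict[int, int]:
    """Count outbound connection attempts the firewall denied, keyed by destination port."""
    return dict(Counter(e.dport for e in events
                        if e.direction == "out" and e.action == "Deny"))


def accepted_outside_allowlist(events: Iterable[Event], allowed: Set[int]) -> List[Event]:
    """Outbound traffic the firewall accepted to a port not in the allowlist.

    A non-empty result means the ruleset is looser than the intended policy.
    """
    return [e for e in events
            if e.direction == "out" and e.action == "Accept" and e.dport not in allowed]


if __name__ == "__main__":
    evts = parse(SAMPLE_LOG)
    print("denied outbound by port:", denied_outbound_by_port(evts))
    for e in accepted_outside_allowlist(evts, ALLOWED_EGRESS_PORTS):
        print(f"policy gap: rule {e.rule} accepted {e.proto} to {e.dst}:{e.dport} via {e.iface}")
```

On a real box you would feed it `/var/log/ipfw.log` (or wherever syslog routes the kernel facility) rather than the constructed list. Note that this sees only what ipfw sees, addresses and ports; it cannot tell you which process opened the connection, which is exactly the gap the post describes between ipfw and Little Snitch, and it would not flag the DNS-tunnelling case at all if port 53 is on the allowlist.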