As unlikely a choice as this might seem to most system administrators, there are firewall products designed for the Macintosh operating system. And although some system administrators might scoff at the idea, there are
impressive examples of secure Mac-based Internet systems—including the United States Army, which has been hosting its Web site on a WebSTAR server running the Macintosh OS since the early part of 1999, and that server hasn’t been successfully hacked since.
However, the Macintosh operating system is undergoing a radical change, which will culminate in 2001 with the release of the consumer version of OS X (10). OS X is based on the NeXTStep operating system, which itself is based on the Mach kernel and BSD (Berkeley Software Distribution of UNIX). Even though Apple has released the source code of OS X, it has made significant changes to the kernel to adapt it to the Macintosh platform. It remains to be seen how these changes (along with Apple-specific implementations of DNS and HTTP) will affect security as a whole.
Macintosh Strengths
So what distinguishes the Macintosh as an operating system from other notable server OSs? There is a widespread belief that running a firewall on a Mac will be inherently more secure simply because most hackers are unfamiliar with Mac technology. And while there are some reported vulnerabilities in applications that run on the Mac, very few reports exist about weaknesses of the operating system itself. There is also the ease of configuration. Because the Macintosh is GUI-only and offers few network services (beyond basic file and print), complexity (the bane of any security system) is greatly reduced.
Finally, a firewall running on the new OS X will see benefits of performance (from a cutting-edge UNIX-based operating system), configuration (each specific service can be turned on or off at will), and support tools (most UNIX-based security support utilities will run on OS X).
Macintosh Weaknesses
There are some significant weaknesses that are actually the flip side of the Macintosh’s strengths. Because the system is not well known, the possibility exists that many vulnerabilities are waiting to be discovered by any hacker who might make a serious attempt to penetrate it.
Also, because a Macintosh server has only a limited number of configuration and application choices, administrators may feel that they miss extras—like the ability to highly customize the components on their server. And although there are firewall products for the Macintosh, most of these are designed to be personal firewalls, not to function as servers to protect an entire network. This, coupled with the lack of many supportive tools for firewalls (such as Macintosh-based analysis and response tools), significantly limits the flexibility of a Macintosh-based firewall.
There is also the issue of performance. Although in recent years Apple hardware has seen very impressive performance, the operating system has not followed suit. As a result, a very busy Macintosh server acting as a firewall and router can potentially become overwhelmed.
Furthermore, OS X will introduce some new weaknesses. Because of its UNIX heritage, the greatest initial security risks on OS X come from the daemons (services) that are installed by default—something that we’ll cover more in depth in talking about UNIX (below).
UNIX
UNIX has been around far longer than other operating systems, including Microsoft Windows NT (and NT-based operating systems like Windows 2000), and the first firewalls were designed on Unix systems. This means that the idiosyncrasies of the platform are well understood and documented, and the firewall products that run on it are stable. Although most versions of Unix are sold commercially (such as Sun’s Solaris, HP’s HP-UX, and IBM’s AIX), it is still considered a fairly open system because so much is known about its fundamental structure and services. When security weaknesses are discovered with Unix, they tend not to be with the core operating system, but with services and applications running on top of it.
UNIX Strengths
Specific strengths of UNIX are many. It is highly configurable, well understood by many in the security industry, and is the most prominent operating system in existence. Many resources are dedicated to understanding and fixing any security issues that might arise.
UNIX is also considered to be a very stable, high-performing operating system. In addition, because of its ability to run on multiple hardware platforms (such as the DEC Alpha and the IBM RS/6000), and on multiple-processor versions of these platforms, it can support the high data rates required of any firewall supporting a large network. It is also relatively immune from the need to reboot the machine after configuration changes, something that has afflicted Windows NT-based systems.
There are more security and security support products for UNIX than for any other platform (although Windows NT is a close second). This, coupled with its 30-year history, has made UNIX the preferred choice for many large organizations.
UNIX Weaknesses
So what are the negatives? Problems arise when inexperienced Unix administrators place firewalls on “out of the box” installations and don’t disable the many vulnerable (but potentially valuable on a non-firewall system) programs and services (daemons) that are enabled by default. And because many of these daemons are configured to run in the security context of the root (the all-powerful superuser account) they provide an attacker with complete access to the system once they have exploited vulnerable system components.
Deactivating daemons is relatively simple. Administrators simply remove or rename the scripts that activate the respective daemon at boot time, or comment out the line in the inetd.conf configuration file, if the daemon is called by inetd. (See the following view of an inetd.conf configuration file.)
# These are standard services.
#
ftp      stream  tcp  nowait  root    /usr/sbin/tcpd  in.ftpd -l -a
telnet   stream  tcp  nowait  root    /usr/sbin/tcpd  in.telnetd
gopher   stream  tcp  nowait  root    /usr/sbin/tcpd  gn
#smtp    stream  tcp  nowait  root    /usr/bin/smtpd  smtpd
#nntp    stream  tcp  nowait  root    /usr/sbin/tcpd  in.nntpd
#
# Shell, login, exec and talk are BSD protocols.
#
shell    stream  tcp  nowait  root    /usr/sbin/tcpd  in.rshd
login    stream  tcp  nowait  root    /usr/sbin/tcpd  in.rlogind
#exec    stream  tcp  nowait  root    /usr/sbin/tcpd  in.rexecd
talk     dgram   udp  wait    root    /usr/sbin/tcpd  in.talkd
ntalk    dgram   udp  wait    root    /usr/sbin/tcpd  in.ntalkd
#dtalk   stream  tcp  waut    nobody  /usr/sbin/tcpd  in.dtalkd
#
# Pop and imap mail services et al
#
pop-2    stream  tcp  nowait  root    /usr/sbin/tcpd  ipop2d
pop-3    stream  tcp  nowait  root    /usr/sbin/tcpd  ipop3d
imap     stream  tcp  nowait  root    /usr/sbin/tcpd  imapd
#
# Tftp service is provided primarily for booting. Most sites
# run this only on machines acting as "boot servers." Do not uncomment
# this unless you *need* it.
#
#tftp    dgram   udp  wait    root    /usr/sbin/tcpd  in.tftpd
#bootps  dgram   udp  wait    root    /usr/sbin/tcpd  bootpd
#
# Finger, systat and netstat give out user information which may be
# valuable to potential "system crackers." Many sites choose to disable
# some or all of these services to improve security.
#
# cfinger is for GNU finger, which is currently not in use in RHS Linux
#
finger   stream  tcp  nowait  root    /usr/sbin/tcpd  in.fingerd
#cfinger stream  tcp  nowait  root    /usr/sbin/tcpd  in.cfingerd
#systat  stream  tcp  nowait  guest   /usr/sbin/tcpd  /bin/ps -auwwx
#netstat stream  tcp  nowait  guest   /usr/sbin/tcpd  /bin/netstat -f inet
#
# Time service is used for clock synchronization.
#
time     stream  tcp  nowait  nobody  /usr/sbin/tcpd  in.timed
time     dgram   udp  wait    nobody  /usr/sbin/tcpd  in.timed
#
# Authentication
#
auth     stream  tcp  nowait  nobody  /usr/sbin/in.identd in.identd -l -e -o
#
# End of inetd.conf
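The review-and-disable step described above can be scripted so that every active entry, and the account it runs under, is checked rather than eyeballed. The following is an added example, not part of the original text; the function names are hypothetical and the sample file is constructed from a few entries of the listing.

```shell
#!/bin/sh
# Added example: audit an inetd.conf for active services and comment out
# the ones a firewall host should not run. Function names are hypothetical.

# Constructed sample, using entries taken from the listing above.
write_sample() {
    cat > "$1" <<'EOF'
ftp     stream  tcp     nowait  root    /usr/sbin/tcpd  in.ftpd -l -a
telnet  stream  tcp     nowait  root    /usr/sbin/tcpd  in.telnetd
#smtp   stream  tcp     nowait  root    /usr/bin/smtpd  smtpd
time    dgram   udp     wait    nobody  /usr/sbin/tcpd  in.timed
auth    stream  tcp     nowait  nobody  /usr/sbin/in.identd in.identd -l -e -o
EOF
}

# Print "service/protocol user" for every entry that is not commented out.
# Fields: service, socket type, protocol, wait flag, user, server, arguments.
list_enabled() {
    awk '/^[ \t]*#/ || NF < 6 { next }
         { user = $5; sub(/[.:].*/, "", user); print $1 "/" $3, user }' "$1"
}

# Print only the active entries whose daemon is started as root.
list_root() {
    list_enabled "$1" | awk '$2 == "root" { print $1 }'
}

# Write FILE to stdout with every active entry for SERVICE commented out.
disable_service() {
    awk -v svc="$2" '$1 == svc && NF >= 6 { print "#" $0; next } { print }' "$1"
}

# Demonstration on the constructed sample.
conf=$(mktemp)
write_sample "$conf"
echo "Active entries running as root:"
list_root "$conf"
for svc in ftp telnet; do
    disable_service "$conf" "$svc" > "$conf.new" && mv "$conf.new" "$conf"
done
echo "Active entries after disabling ftp and telnet:"
list_enabled "$conf"
rm -f "$conf"
```

On a live system, run the functions against a copy of /etc/inetd.conf, then send inetd a SIGHUP so that it rereads the edited file.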
More weaknesses are exploited in Unix on a weekly basis than on any other operating system. As an example, CERT (the Computer Emergency Response Team at Carnegie Mellon) reported on September 15, 2000 that hackers were using two common vulnerabilities to conduct widespread attacks. The first vulnerability is with the rpc.statd daemon that is used to support NFS (Network File System). The second is with wu-ftpd, an ftp server package provided by Washington University. Because these services are installed and activated on most UNIX (and Linux) systems by default, administrators who install firewalls on default installations are leaving their entire network vulnerable.
Unix is considered to be a more difficult system to learn and administer, and a Unix system has traditionally been more expensive than other operating systems. And because there are so many documented weaknesses with Unix, an administrator has to invest more time in securing the system; otherwise an attacker with access to the same information on Unix vulnerabilities can take advantage of “so many holes.”
OpenBSD: An exception to the UNIX rule
One UNIX variation that minimizes the risk of pre-installed vulnerable daemons is OpenBSD. OpenBSD installs with no accessibility; the administrator is forced to manually choose which services and components will run.
Created and maintained by volunteers and distributed for free, OpenBSD is sometimes confused with Linux. In fact, it is a very tightly controlled collaborative UNIX project with specific goals. While weaknesses can still be found, the response time to correct those weaknesses is considered the best in the industry. That, coupled with a proactive attitude toward locating and correcting software errors, makes OpenBSD a compelling choice for many firewall administrators.
Linux
What about Linux, the most significant challenger in the operating system wars in recent memory? Linux shares many of the strengths and weaknesses of UNIX.
many eyes as possible in the search for errors and vulnerabilities. And the communal nature of the Linux community means a ready and willing support group for security specialists with concerns and questions.
Linux Weaknesses
The factors that weigh against Linux are that it’s difficult to learn and has many known vulnerabilities.