Mac OS X Security Basics

With all of the discussion around the Leopard release and the whole firewall debacle, now is a good time to learn more about the basics of Mac Security.

Use the Software Firewall

The firewall lives in a different place depending on your version of Mac OS X. Under OS X 10.4 ‘Tiger’ you can find it in System Preferences under ‘Sharing’. Under OS X 10.5 ‘Leopard’ you will find it in System Preferences under ‘Security’. Location is not the only major difference between the Tiger firewall and the Leopard firewall. The Tiger firewall is based on IPFW, from the Unix base of the system, while the Leopard firewall is a completely separate application built by Apple. The Tiger firewall does port-based filtering: it allows or denies traffic to a specific port. This gives a geek better control. Under Leopard, the firewall is application-based, meaning that access is granted to individual programs. This method can be troublesome in certain situations, but it should not be a problem for most users. The application-based method also removes the power user’s ability to customize the firewall to their liking, but makes administration easier from a non-geek perspective. It is the ever so fine line between security and convenience.
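The difference between the two filtering models can be made concrete with a small model. The Python below is an added example, not code from Apple or from IPFW; the program names, ports and policies are constructed, and each decision function is a deliberate simplification that looks at only one attribute of an inbound connection.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Inbound:
    port: int      # destination TCP port of the inbound connection
    listener: str  # program holding the listening socket (hypothetical names)


def port_based(conn, allowed_ports):
    """Tiger-style decision (simplified): only the destination port matters."""
    return conn.port in allowed_ports


def app_based(conn, allowed_apps):
    """Leopard-style decision (simplified): only the listening program matters."""
    return conn.listener in allowed_apps


def compare(conns, allowed_ports, allowed_apps):
    """Return (conn, port_verdict, app_verdict) for every connection."""
    return [(c, port_based(c, allowed_ports), app_based(c, allowed_apps))
            for c in conns]


def disagreements(conns, allowed_ports, allowed_apps):
    """Connections where the two models reach different verdicts."""
    return [c for c, by_port, by_app in compare(conns, allowed_ports, allowed_apps)
            if by_port != by_app]


# Constructed sample traffic and policies, for illustration only.
SAMPLE = [
    Inbound(22, "sshd"),            # expected service on its usual port
    Inbound(2222, "sshd"),          # same program moved to another port
    Inbound(22, "unknown-tool"),    # different program on an allowed port
    Inbound(5900, "screenshare"),   # neither the port nor the program is listed
]
ALLOWED_PORTS = {22}      # port-based policy: allow inbound TCP 22
ALLOWED_APPS = {"sshd"}   # application-based policy: allow sshd

if __name__ == "__main__":
    for conn, by_port, by_app in compare(SAMPLE, ALLOWED_PORTS, ALLOWED_APPS):
        print(f"{conn.listener:>12} on {conn.port:<5} "
              f"port-based={'allow' if by_port else 'deny':<5} "
              f"app-based={'allow' if by_app else 'deny'}")
```

The two rows where the verdicts differ show the trade-off: the port rule does not care which program answers on port 22, and the application rule does not care which port the allowed program opens.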

Use a Hardware Firewall

This is basic for ANY computer, whether it be Unix, Linux, Mac OS X, or Windows. Even with only a single computer connected to the Internet, it is best to use a hardware firewall. With a hardware firewall you can protect yourself against several vectors of attack, including, but not limited to, the Internet junk that continually flows through the tubes from already compromised computers that have not yet been disinfected. This point is essential for those Mac users running the Boot Camp software from Apple, where it will further protect your system from malware. Although there have not been any exploits that have been able to transfer from the PC to the Mac via Parallels/VMware, it may happen at some point, so take precautions now.

Run Software Update

This seems like it might be a no-brainer, but many Mac users do not run Software Update. In addition to Apple’s software update, check for third-party software updates. Software companies do not release updates just because they feel like it. Many times updates will contain bug fixes and improve, as Apple loves to claim, ‘overall stability with the operating system’.

Security for Open Wi-Fi Access

Never connect to an open Wi-Fi access point without the software firewall turned on. Again, this seems like a no-brainer, but be assured that many people do this. The software firewall will protect you from any nefarious individual who may be attempting to obtain root access to your machine. When connecting to open Wi-Fi access, make sure you use SSL whenever possible. Using SSL encrypts the connection from your Mac to your bank, your email, your blog, or whatever website you are accessing. If these contain confidential information that you do not want the local script-kiddie to have access to, encrypt it.

Protecting your Root Password

Guard your root password like it was money under your bed. This password is the key to your entire system. If anybody else has your root password, they have the keys to the kingdom. This means they can mess with any system setting, format your entire drive, and do just about anything they want. So guard this password. With passwords, no matter what you’re doing, do not use easily guessed ones, like your dog’s name, spouse’s name, or anything similar. Use some non-standard characters, like the *, #, ?, (), $, or even the ^. Use a pass-phrase instead of a single-word password. This would make it much harder to guess, but a bit easier to remember.

Remember, no single security precaution is the cure-all, but given the hints above, you should be able to limit the potential security risks on your Mac.

Wayne.
