Nessus

Despite the controversy about Nessus going proprietary in 2005, it remains one of the gold standards for network vulnerability scanning. Installed as a server (nessusd) and a client (typically just called nessus), the client has options to control what hosts are scanned and what specific services and vulnerabilities it scans for. Some of the things Nessus can detect are services that have vulnerabilities, common misconfigurations, and default passwords — among about a thousand other things. As a note, Nessus has been known to break a services / tip over a server now and then. It’s not something you want to point at your production server during business hours! Tenable Network Security now owns Nessus and sells a commercial version and support.

SSH / SFTP

There’s not much to say — where there once was Telnet, now there’s SSH. I have SSH (previously via iTerm — no using the Leopard Terminal) sessions up just about 24×7 on my Mac, as well as my work Dell. From remote shell access, to tunneling through firewalls, to SFTP, and on and on. Wherever possible, it’s almost always advisable to run SSH instead of Telnet. I know some things have been written about it, but the Leopard Terminal seems good so far.

VNC

Originally developed at AT&T labs, the name “vnc” is really a number of things, including a server, a client, and even a protocol. VNC (Virtual Network Computing) was designed to allow a remote graphical desktop session without much overhead. VNC (the protocol) isn’t natively encrypted, but is commonly tunnelled over SSH. On the Mac you can run a VNC server for remotely controlling your Mac (from another Mac, a Windows PC, or even a Linux box). Some of the more common Mac VNC clients are: JollysFastVNC and Chicken of the VNC. I’d previously used CotVNC, but I’m now using JollysFastVNC most of the time.

Syslog Server and KiwiLog Viewer

One of the things that has a more limited use until you need is is a syslog server. All Unix servers, all Cisco network devices, your home Wi-Fi router, and even your Mac can send system logs to a syslog server — but wait, there’s more! Mac OS X Leopard has a syslog server included, that can receive logs from all of those other devices. My Wi-Fi router (as well as other devices) all send Syslog to one of my Macs. The Kiwi Log Viewer for Mac is a free utility that makes looking through syslog files much, much more convenient by color coding them, as well as allowing for easy searching.

Mac OS Disk Utility

While the Windows and Linux platforms have TrueCrypt for creating encrypted disks and volumes, the Mac port of TrueCrypt still seems to be a way off. For most uses however, it’s possible to use the Mac OS Disk Utility to create an encrypted, mountable volume without too much trouble. In Leopard, the Disk Utility has been upgraded to allow for 256-bit AES encryption, which is a little slower, but much more secure. For securing personal data, this method works well. What TrueCrypt does that doesn’t exist on the Mac yet is that when data is encrypted, it doesn’t create an ‘encrypted file’ that can be identified, therefore a casual user looking for your ’sensitive’ files wouldn’t ever know that your ’secret’ data existed.

Over the last week or two of Leopard firewall discussions across the web, quite a bit of info has come out about how the Leopard firewall works, and what’s going on ‘under the hood’ when you change the options under System Preferences.

The firewall used by OS X is ipfw, the FreeBSD sponsored open source firewall package. Contrary to the limited configuration options presented in the System Preferences Security section, ipfw is extremely configurable and sophisticated. Whole books could be written about configuring ipfw, but the man page for it is a good place to start.

Let’s look at a few simple things to start. From a Terminal:

- sudo su
- ipfw show

This will show what rules are currently set on your system. As an example, this is what my Macbook Pro shows:

33300 0 0 deny icmp from any to me in icmptypes 8
65535 309194 202763184 allow ip from any to any

We’ll start at the end. The second line is what’s called the default rule (it always has a rule number of 65535) and it always has to match all packets. The scope of how to make the various rules, rule sets, and specific configurations are covered better in other places – but for now this will suffice. This particular system only has two Static Rules at this point.

Which brings us to WaterRoof. WaterRoof is a graphical front-end to ipfw for OS X. To be clear — if you don’t understand the basics of how ipfw works (or firewalls in general), WaterRoof isn’t going to get you very far. Once installed, if you go to “Static Rules”, you should see the same rules that you saw from the command-line. It has configuration options for Static and Dynamic rules, Logging, NAT, and even a Wizard that can lead you through the steps of configuring ipfw from scratch.

One of the best things about WaterRoof is that it allows you to easily import and export your rule sets, so if you decide that you want to experiment, you can backup you rules and keep them around to restore them without needing to know all of the command-line options.

There has been talk on some of the other blogs and forums about coming up with an ‘ideal’ set of ipfw rules for use on Leopard systems — if you familiarize yourself with WaterRoof now, putting those rules into practice shouldn’t be hard. For now the rules I’m doing testing with are for when I’m on ‘hostile’ networks. I’ll probably keep a copy of these around for when I need to know that I’m blocking everything possible. A sample output of ‘ipfw show’ would look something like this:

00001 388 17858 deny ip from any to me
00002 0 0 deny tcp from any to me
00003 0 0 deny udp from any to me
33400 0 0 deny icmp from any to me
65535 325675 210533693 allow ip from any to any

WaterRoof gets you a much more detailed set of controls than anything built into OS X. Not everyone needs it, but it’s good to know the basics at least. Just as a note – you can absolutely set settings in ipfw that will prevent your system from being able to access the internet. If you’re the experimental type, make sure you save a copy of your rules before tinkering.

• sudo su
• nc -l <port number>  (I used 1000)
• Ensure that your Leopard firewall settings are set to “Block all incoming connections” and “Enable Stealth Mode” (in the advanced settings)

From a remote machine:

•  nc <leopard ip> <port from above>

Connected!   If you don’t have netcat on a remote machine, you can simply telnet to the port as well.    I suspect that we’re probably taking the wording “Block all incoming connections” too literally.     More thoughts tomorrow.
The idea for this came from Jurgen’s comment on Securosis.

• NSA Security Configuration Guide – For 10.3
• Corsaire: Securing OSX – For 10.4
  
• Apple – Common Criteria Security Tools
  
• CIS Mac OS X Benchmark