This isn’t a requirement for many folks, but the ability to do it is going to be missed for the time being.  Regular TrueCrypt volumes are working great though.

More info about TrueCrypt Hidden volumes is available here.

Try it out here: http://www.truecrypt.org/downloads.php

Nessus

Despite the controversy about Nessus going proprietary in 2005, it remains one of the gold standards for network vulnerability scanning. Installed as a server (nessusd) and a client (typically just called nessus), the client has options to control what hosts are scanned and what specific services and vulnerabilities it scans for. Some of the things Nessus can detect are services that have vulnerabilities, common misconfigurations, and default passwords — among about a thousand other things. As a note, Nessus has been known to break a services / tip over a server now and then. It’s not something you want to point at your production server during business hours! Tenable Network Security now owns Nessus and sells a commercial version and support.

SSH / SFTP

There’s not much to say — where there once was Telnet, now there’s SSH. I have SSH (previously via iTerm — no using the Leopard Terminal) sessions up just about 24×7 on my Mac, as well as my work Dell. From remote shell access, to tunneling through firewalls, to SFTP, and on and on. Wherever possible, it’s almost always advisable to run SSH instead of Telnet. I know some things have been written about it, but the Leopard Terminal seems good so far.

VNC

Originally developed at AT&T labs, the name “vnc” is really a number of things, including a server, a client, and even a protocol. VNC (Virtual Network Computing) was designed to allow a remote graphical desktop session without much overhead. VNC (the protocol) isn’t natively encrypted, but is commonly tunnelled over SSH. On the Mac you can run a VNC server for remotely controlling your Mac (from another Mac, a Windows PC, or even a Linux box). Some of the more common Mac VNC clients are: JollysFastVNC and Chicken of the VNC. I’d previously used CotVNC, but I’m now using JollysFastVNC most of the time.

Syslog Server and KiwiLog Viewer

One of the things that has a more limited use until you need is is a syslog server. All Unix servers, all Cisco network devices, your home Wi-Fi router, and even your Mac can send system logs to a syslog server — but wait, there’s more! Mac OS X Leopard has a syslog server included, that can receive logs from all of those other devices. My Wi-Fi router (as well as other devices) all send Syslog to one of my Macs. The Kiwi Log Viewer for Mac is a free utility that makes looking through syslog files much, much more convenient by color coding them, as well as allowing for easy searching.

Mac OS Disk Utility

While the Windows and Linux platforms have TrueCrypt for creating encrypted disks and volumes, the Mac port of TrueCrypt still seems to be a way off. For most uses however, it’s possible to use the Mac OS Disk Utility to create an encrypted, mountable volume without too much trouble. In Leopard, the Disk Utility has been upgraded to allow for 256-bit AES encryption, which is a little slower, but much more secure. For securing personal data, this method works well. What TrueCrypt does that doesn’t exist on the Mac yet is that when data is encrypted, it doesn’t create an ‘encrypted file’ that can be identified, therefore a casual user looking for your ’sensitive’ files wouldn’t ever know that your ’secret’ data existed.

The List:

WireShark

Wireshark is the the new (circa 2006) name for Ethereal, probably the single most popular graphical network protocol analyzer ever.  Open-source, Wireshark is available on multiple platforms and is available in binary and source forms in most cases.  Commonly called a ‘network sniffer’, Wireshark is protocol aware, so it can intelligently follow streams of different traffic to be analyzed.   The functionality of Wireshark is similar to the command-line utility ‘tcpdump’ (Which is included with OS X) but in most cases people find working with Wireshark easier.  Wireshark uses an extensible (and extensive) plug-in format for decoding new protocols — these decoders have been subject to vulnerabilities over the years, so keeping Wireshark up to date is important.

Mac GPG

Mac GPG is the Mac port of GPG, the Gnu Privacy Guard, which in turn is a free (and open source) implementation of OpenPGP.   This project is available in source code or binary forms, and the MacGPG site has directions for compiling it yourself.   As a start it’s useful to download or build the main GPG package, the GPG Keychain Access, and the GPG File Tool.

Nmap

Volumes have been written about nmap, the platforms it runs on, and the ways it can be used.   The Mac port of nmap can be installed using DarwinPorts or FinkInstaller, the most current stable version is 4.20.   Nmap’s usefulness for exploring networks and systems is immeasureable.

Netcat

Often called the “Swiss-Army knife of networking” – netcat is another GNU free (and open source) tool for doing all kinds of network and host-based testing.   In my day job I use netcat regularly for testing TCP and UDP connections through firewalls.   Ever needed to test UDP connectivity but wished you had a way to do a ‘udp telnet’ ?  Netcat can be run as a client or a server piece, and can be used for a multitude of things, including ’shoveling’ shell access through firewalls, as well as port scanning and a number of settings to make netcat use harder to detect.  Note: Netcat is considered a ‘hacking tool’ in some places.  This is mostly a concern with Windows A/V programs.

End of Part 1.

Over the last week or two of Leopard firewall discussions across the web, quite a bit of info has come out about how the Leopard firewall works, and what’s going on ‘under the hood’ when you change the options under System Preferences.

The firewall used by OS X is ipfw, the FreeBSD sponsored open source firewall package. Contrary to the limited configuration options presented in the System Preferences Security section, ipfw is extremely configurable and sophisticated. Whole books could be written about configuring ipfw, but the man page for it is a good place to start.

Let’s look at a few simple things to start. From a Terminal:

- sudo su
- ipfw show

This will show what rules are currently set on your system. As an example, this is what my Macbook Pro shows:

33300 0 0 deny icmp from any to me in icmptypes 8
65535 309194 202763184 allow ip from any to any

We’ll start at the end. The second line is what’s called the default rule (it always has a rule number of 65535) and it always has to match all packets. The scope of how to make the various rules, rule sets, and specific configurations are covered better in other places – but for now this will suffice. This particular system only has two Static Rules at this point.

Which brings us to WaterRoof. WaterRoof is a graphical front-end to ipfw for OS X. To be clear — if you don’t understand the basics of how ipfw works (or firewalls in general), WaterRoof isn’t going to get you very far. Once installed, if you go to “Static Rules”, you should see the same rules that you saw from the command-line. It has configuration options for Static and Dynamic rules, Logging, NAT, and even a Wizard that can lead you through the steps of configuring ipfw from scratch.

One of the best things about WaterRoof is that it allows you to easily import and export your rule sets, so if you decide that you want to experiment, you can backup you rules and keep them around to restore them without needing to know all of the command-line options.

There has been talk on some of the other blogs and forums about coming up with an ‘ideal’ set of ipfw rules for use on Leopard systems — if you familiarize yourself with WaterRoof now, putting those rules into practice shouldn’t be hard. For now the rules I’m doing testing with are for when I’m on ‘hostile’ networks. I’ll probably keep a copy of these around for when I need to know that I’m blocking everything possible. A sample output of ‘ipfw show’ would look something like this:

00001 388 17858 deny ip from any to me
00002 0 0 deny tcp from any to me
00003 0 0 deny udp from any to me
33400 0 0 deny icmp from any to me
65535 325675 210533693 allow ip from any to any

WaterRoof gets you a much more detailed set of controls than anything built into OS X. Not everyone needs it, but it’s good to know the basics at least. Just as a note – you can absolutely set settings in ipfw that will prevent your system from being able to access the internet. If you’re the experimental type, make sure you save a copy of your rules before tinkering.