Outbound firewall tattles on Macs
I was preparing my new Apple MacBook Pro for travel to the notorious hacker conference, DEFCON, when I came across Little Snitch, a host-based firewall application from Objective Development Software. Little Snitch was designed to monitor a Mac's outbound network communication. By default, the Mac OS X firewall focuses only on inbound connections. Outbound firewalls generally serve two main purposes: They can detect Trojan malware programs, which surreptitiously initiate outbound connections to evil parent servers, and, more commonly, they help you keep tabs on the communications of your legitimate applications. If you have a Mac, it's worth installing an outbound-focused host-based firewall such as Little Snitch. After using it for just a few days, you'll be surprised how much data it reveals leaking from your Mac.
In the Windows world, similar programs include Check Point Software’s ZoneAlarm and Symantec's Norton Internet Security. But the Mac didn’t have a wide selection of choices, ostensibly because host firewall vendors were more attracted to the overwhelming market share and attack target Windows offered. However, as the Mac continues to rise in popularity, I expect to see new products for the Mac as well as improvements in existing products, and Little Snitch is no exception.
Little Snitch warns you when an application tries to initiate an outbound connection to another network resource, and prompts you to allow or deny the communication. You can instruct Little Snitch to deny traffic per your preferences--for example, one time only or forever. The newest version also offers a real-time dashboard of network communication that shows the types of communications your applications are making.
Although relatively few instances of malware exist in the wild for Mac OS X, as software becomes more and more complicated, it’s a good idea to understand how your computer talks to other systems. For example, you might expect that your web browser will initiate TCP 80 and TCP 443 connections for HTTP and HTTPS web requests. But what happens if the browser communicates with another server different from the web site you wanted to visit? It could be simply checking for software updates, or it could be sending registration or update information to the software maker, or, as is often the case, it could be loading ad graphics from a third-party ad service. Or it could be doing something more nefarious.
Little Snitch will alert you of these connection attempts. After you install it, Little Snitch will alert so frequently that you’ll think it’s nagging; however, it’s eye opening to see just how many programs these days use network connections. As you accept your programs’ communication requests, Little Snitch whitelists them in a set of ACLs which you can later review or remove. After a network connection is whitelisted, Little Snitch won't alert on it, so over time the program becomes less noisy.
To obtain Little Snitch, download a trial version or purchase it from the Objective Development website. In trial mode, Little Snitch will run for three hours before it shuts down, but you can restart it. The full version costs $29 for a single-seat license. Download the disk image file, then run the Little Snitch Installer program.
Installation is quick and requires very little of your interaction. Restart your computer to complete the installation. After restart, Little Snitch will begin asking you about attempted outbound network connections. Some of the alerts might be surprising or simply unknown to you. For example, when I rebooted, I was prompted with the following: mDNSResponder wanted to open a connection on TCP 5354 to Apple. What was that connection used for? After a bit of research, I discovered that it was probably because I had the feature Back to My Mac enabled (though I've never used it). In another example, I discovered that one of my applications wanted to connect over port 42024 to the vendor’s website to a URL named "tracker." I wonder what that URL does! In the first example, I disabled Back to My Mac, and in the second case, I denied the connection.
Of course, over time, denying and disabling applications might cause some otherwise desirable functionality to stop working. In that case, Little Snitch makes it very easy to temporarily disable or delete a rule you’ve created earlier. Figure 1 shows the Rules screen, which is one of the main places where you interact with Little Snitch. The rules dialog box shows the application attempting the communication, whether the rule is custom or built-in, and details about the connection. Double-click a rule to see more details such as the destination (either a host or network), port, and protocol type. In this screen you can also disable or delete rules, or create custom rules in advance so that Little Snitch never has to prompt you. In the same Rules dialog box, click the Preferences button to configure the general behavior of the program. In the Preferences options, you can disable Little Snitch, configure how it should handle its alerts, enable or hide the network activity bar, and configure who can edit the rules or preferences.
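To make the rule model described above concrete, here is an added example (my own code, not Little Snitch's) of an outbound policy evaluator: rules keyed on application, destination host or network, port and protocol; a prompt for anything unmatched; "forever" answers that become rules; and disabling a rule instead of deleting it. The 17/8 network stands in for Apple's address range, and the hostnames and addresses are constructed for the demo.

```python
import ipaddress
from collections import namedtuple
from dataclasses import dataclass
from typing import List, Optional
Connection = namedtuple("Connection", "app host ip port proto")  # one outbound attempt

@dataclass
class Rule:
    app: str
    dest: str             # hostname, or a destination network in CIDR form
    port: Optional[int]   # None matches any port
    proto: Optional[str]  # None matches any protocol
    action: str           # "allow" or "deny"
    enabled: bool = True  # a disabled rule is kept but ignored
    def matches(self, c: Connection) -> bool:
        if not self.enabled or self.app != c.app:
            return False
        if self.port not in (None, c.port) or self.proto not in (None, c.proto):
            return False
        if "/" in self.dest:  # network rule: test the resolved address
            return ipaddress.ip_address(c.ip) in ipaddress.ip_network(self.dest, strict=False)
        return self.dest == c.host

class OutboundPolicy:
    """First matching enabled rule wins; unmatched traffic is reported as 'prompt'."""
    def __init__(self, rules: List[Rule]):
        self.rules = list(rules)
        self.prompted: List[Connection] = []  # attempts the user had to be asked about

    def decide(self, c: Connection) -> str:
        for r in self.rules:
            if r.matches(c):
                return r.action
        self.prompted.append(c)
        return "prompt"

    def answer(self, c: Connection, action: str, forever: bool = False) -> None:
        if forever:  # a "forever" answer becomes a rule, so the same attempt is not asked again
            self.rules.append(Rule(c.app, c.host, c.port, c.proto, action))

def demo() -> List[str]:
    policy = OutboundPolicy([Rule("mDNSResponder", "17.0.0.0/8", 5354, "tcp", "deny")])
    bonjour = Connection("mDNSResponder", "lookup.apple.test", "17.1.2.3", 5354, "tcp")  # constructed
    tracker = Connection("VendorApp", "tracker.vendor.test", "203.0.113.9", 42024, "tcp")  # constructed
    out = [policy.decide(bonjour), policy.decide(tracker)]   # rule hit, then a prompt
    policy.answer(tracker, "deny", forever=True)             # deny the "tracker" URL for good
    out.append(policy.decide(tracker))                       # no second prompt
    policy.rules[0].enabled = False                          # disabling the rule re-prompts
    out.append(policy.decide(bonjour))
    return out
```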
Another great feature of Little Snitch is the network activity monitor, which Figure 2 shows. This feature adds a small icon in the menu bar, which graphically shows the inbound and outbound network traffic from your Mac by green and red visual meters, respectively. The meters don’t show the network traffic bit rate, but when new connections are initiated, a pop-up with a larger network activity monitor appears. This pop-up shows more details, including the name of the application generating the traffic, an application-specific traffic meter, and a history of recent connections made by that application.
The history feature is great for researching and reviewing past connections, for example, to look for anomalies. Plus, when you right-click a past connection, you can automatically create a rule to deny connections to that destination, which Figure 3 shows. The UI is attractive, and Little Snitch's dynamic presentation of new connections makes it, shall I say, almost fun to watch the network activity of your Mac.