Implementing firewalls at the perimeter of your network is a powerful security tool for thwarting unauthorized access to your internal resources. Some best-practice considerations when deploying the firewall service on Mac OS X or Mac OS X Server are:
- On Mac OS X, enable sharing services only as required. Turning on all services just to have them running makes securing your system more difficult. When enabling sharing services, the firewall will automatically open the required ports, providing additional attack points for potential hackers.
- Turning off sharing services and enabling the firewall’s Stealth Mode when traveling outside an organization-controlled network will allow the firewall to provide the additional blocking required when accessing insecure public networks.
- When planning server installations, refer to the planning documents provided by Apple (http://images.apple.com/server/macosx/docs/Worksheet_v10.6.pdf).
- Open firewall ports only for services provided to resources and individuals outside your local network.
- Utilize address groups to limit allowed access to specified IP addresses or address ranges whenever possible.
- Review your firewall logs on a regular basis, note penetration (denied) attempts from the same or similar IP address ranges, and consider blocking the entire range.
- Be extremely wary of providing SMB access through your firewall. Crackers attempting to penetrate corporate networks commonly scan and exploit SMB ports. They are also a common vehicle for virus programmers.
- Be specific when creating advanced rules. Open only required ports, not ranges of ports, to simplify your initial setup.
- Third-party tools are available for threat analysis and detection, such as the open source Snort project and the Nagios monitoring suite.
- When configuring a firewall, a good rule of thumb is: Less is more. The less access you provide to the outside world, the more secure you make your internal network.