Firewalls, protection for older devices?

For software compatibility reasons (i.e. expensive page layout software), I am stuck with High Sierra for my OS for the time being. I am considering getting a newer machine/OS for just online use, but that presents a workflow headache that I’m still trying to wrap my mind around (multiple machines, keyboards, monitors, etc.).

Alternatively, I’m wondering if there’s a firewall system out there that will make up for the shortcomings of older email clients/browsers?

2 Likes

Little Snitch is excellent.

While there’s nothing wrong with adding firewall protection, my impression from reading security notes is that you’re unlikely to have to worry about attacks coming in over the network unless you’re also running public servers, so a firewall won’t make much difference.

I think I’d focus more on anti-malware software like Malwarebytes or VirusBarrier to protect against stuff that would make its way onto your machine in email, Messages, or through clicking a link. Perhaps @alvarnell has recommendations too.

2 Likes

Definitely use the macOS built-in firewall. Allow what you’re using and block everything else.

Port scanning is a real thing. Criminals routinely scan address blocks looking for vulnerabilities.

That having been said, you’re right that the risk is low if you’re not running an Internet-facing server, primarily because of the way consumer routers work.

If you’re a residential customer, you are only going to get one IPv4 address from your ISP (and it might even be one private to the ISP). All the computers on your LAN are able to share that address because consumer routers implement Network Address Translation (NAT).

With NAT, your router rewrites the source address of all your outbound traffic so it all comes from your single external address. And it tracks outbound connections so when the reply packets arrive, they are forwarded to the computer that originated the connection.

As a side effect of this, unsolicited packets arriving from the Internet are discarded. Not because of any explicit security protocol but because your router has no way of knowing where they should be delivered.

If you run an Internet-reachable server on your LAN, then you must configure port forwarding in order to tell your router where to send unsolicited packets intended for the server. But this can open your LAN to attack, because something that compromises the server can jump from there to everything else.

Which is why I strongly recommend against anybody configuring a DMZ node. This is a router configuration that sends all unsolicited traffic to a specific node on your LAN. Which means that any vulnerability on that computer can be used as a way to attack the rest of the LAN.

Now, if you run IPv6, you generally don’t have NAT. Your ISP typically gives you a large (typically 48- or 64-bit) address block and your computers use SLAAC to auto-generate local addresses within the block.

In theory, anyone on the Internet can port-scan your IPv6 address, find vulnerabilities and attack via what is discovered. For this reason, it’s a good idea to run a basic firewall on every device (most modern operating systems have one built-in).

The main reason why this isn’t a complete disaster is that the address space is so huge. A 48-bit address space is about 280 trillion addresses. The odds of an attacker randomly finding the dozen or so your LAN might be using is really low. And the SLAAC protocol typically causes your addresses to change frequently.

Of course, someone snooping your outbound IPv6 packets could learn your address, but you would have to be connecting to the attacker’s server in order for that kind of attack to work. But it’s not impossible, since an attacker may have compromised a major server or router on the Internet. I’d like to think that such compromises would be quickly detected and blocked, but I don’t believe in depending solely on wishful thinking. And even if the compromised server is isolated, it can still cause quite a bit of damage before that happens. (Think, for instance, how disastrous it would be if a server run by Akamai were compromised.)

3 Likes
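The NAT, port-forwarding and DMZ behaviour described in the post above, as an added toy model written for this thread (it is not code from the original post or from any router); every address and port below is a constructed sample value:

```python
from dataclasses import dataclass

PUBLIC_IP = "203.0.113.7"  # constructed example WAN address (TEST-NET-3 range)

@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

class NatRouter:
    # Toy stateful NAT: tracks outbound flows, plus optional port forwards and a DMZ host.
    def __init__(self, public_ip, forwards=None, dmz_host=None):
        self.public_ip = public_ip
        self.forwards = forwards or {}  # external port -> (lan_ip, lan_port)
        self.dmz_host = dmz_host        # LAN host that receives all other unsolicited traffic
        self.table = {}                 # (ext_port, remote_ip, remote_port) -> (lan_ip, lan_port)
        self.next_port = 40000
    def outbound(self, pkt):
        """Rewrite the source to the public address and remember the flow."""
        ext_port = self.next_port
        self.next_port += 1
        self.table[(ext_port, pkt.dst_ip, pkt.dst_port)] = (pkt.src_ip, pkt.src_port)
        return Packet(self.public_ip, ext_port, pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt):
        """Return the LAN-side packet, or None when the router has nowhere to send it."""
        key = (pkt.dst_port, pkt.src_ip, pkt.src_port)
        if key in self.table:               # reply to a tracked outbound connection
            lan_ip, lan_port = self.table[key]
            return Packet(pkt.src_ip, pkt.src_port, lan_ip, lan_port)
        if pkt.dst_port in self.forwards:   # explicit port forward for a server
            lan_ip, lan_port = self.forwards[pkt.dst_port]
            return Packet(pkt.src_ip, pkt.src_port, lan_ip, lan_port)
        if self.dmz_host:                   # DMZ node: every other unsolicited packet lands here
            return Packet(pkt.src_ip, pkt.src_port, self.dmz_host, pkt.dst_port)
        return None                         # unsolicited and unmapped: discarded

def demo():
    """Compare plain NAT, one port forward, and a DMZ host against the same probe."""
    plain = NatRouter(PUBLIC_IP)
    fwd = NatRouter(PUBLIC_IP, forwards={443: ("192.168.1.10", 443)})
    dmz = NatRouter(PUBLIC_IP, dmz_host="192.168.1.20")
    probe = Packet("198.51.100.9", 5555, PUBLIC_IP, 22)  # constructed unsolicited scan packet
    out = plain.outbound(Packet("192.168.1.5", 50123, "198.51.100.80", 443))
    reply = plain.inbound(Packet("198.51.100.80", 443, PUBLIC_IP, out.src_port))
    return {"reply_to": reply.dst_ip, "plain_drops_probe": plain.inbound(probe) is None,
            "fwd_drops_probe": fwd.inbound(probe) is None,
            "fwd_passes_443": fwd.inbound(Packet("198.51.100.9", 5555, PUBLIC_IP, 443)) is not None,
            "dmz_probe_lands_on": dmz.inbound(probe).dst_ip}
```

Running `demo()` shows the reply to a tracked connection reaching the originating LAN host, the plain router discarding the probe, the port-forwarding router exposing only port 443, and the DMZ router handing the probe to the DMZ host.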

Even though systems may not be Internet facing, all it takes is one inattentive user to browse to somewhere that exploits a vulnerability in that old operating system. Or for a user on that system to access a compromised file through a file share that got deposited on another system in the network.

The ideal situation for those old systems is to air-gap them, but that may not be practical for the application. That’s why mitigations to the lack of security patching such as firewalls (that only enable inbound and outbound ports that are essential for the application and deny everything else), limiting or disabling web browsers, and active anti-virus scanning (by the time you run an on-demand scan, your system may already be compromised) are important.

2 Likes

The ClamXAV anti-virus app has a sentry mode that automatically scans nominated folders such as email downloads.

See the News items on that webpage for recent alerts/advice.

Another tip with older systems is the Firefox add-on, User-Agent Switcher and Manager. You can set it to present as Firefox on Windows 10, for example. For best compatibility if using the current Firefox 115 ESR, you can customize the user-agent string to something like:

Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0

What this primarily does is prevents downloading and running applications (in most cases) via browser and a few other areas. It works best if the Firefox profile with the User-Agent add-on is the default browser and currently running.

To be clear, this User-Agent trick is NOT a total solution to network security in any way. It just provides another defensive barrier to the direct-downloading of some malware.

I have used this in the past on older systems for users that are not tech savvy and prone to clicking all sorts of pop-ups, or just do not realize when a web page is crafted in a way to hide a download action. I would look in Downloads every so often and find scores of Flash installers and other things that were often malware downloaded from in-browser pop-ups or “error messages”.

Interestingly, a few years ago I found the User-Agent was also affecting the standalone Zoom client updates. Doing a manual check for updates from Zoom, then clicking Install would result with an error. Checking the download folder revealed Zoom updater files ending in “.exe”. I believe this may have been on OS X 10.9 or so, and I am not certain if this is still the case with the current Zoom version, but it demonstrated some fascinating inter-dependencies.

Potential Issues with using a User-Agent editor:

This User-Agent tactic can cause problems when you intentionally download installers from web sites that attempt to auto-detect your system. You can get around this by manually selecting the correct macOS variant, or temporarily disabling the User-Agent add-on, re-loading the download page and acquiring your software. Just remember to re-enable the User-Agent tool afterward.

If you have VirtualPC or Parallels installed, this may automatically open “.exe” downloads in the virtual environment and execute within your Windows image.

There are rare cases where specific web sites may provide code that does not work perfectly with your system, but usually this is due to the site being designed for Chrome or Safari only or simply a newer version of web browsers.

(Note: There are other User-Agent modifiers out there including for other browsers like Chrome, but I can only speak to the one I linked above in this post.)

1 Like

The recommendations already posted are more than adequate, although some may exceed the OP’s level of understanding.

Thanks to everyone for your responses. I already have ClamXAV in place, so I’ll keep that running. I’m not sure if it would be helpful to add Malwarebytes or if that would just duplicate the effort. I also enabled the built-in OS firewall. Between those measures and Adam’s reply, I feel more comfortable about my situation. I suspect I will eventually be pushed to a different system once my now static version of Chrome starts being rejected – however, it does seem that Firefox is continuing to update despite my older system – maybe time to switch to that?

I am sorry to be alarmist, but stop using Chrome on macOS 10.13 High Sierra or 10.14 Mojave. [EDIT: This includes outdated versions of Brave, Microsoft Edge, Opera, Vivaldi and pretty much any Chromium-based browser. (ARC only supports macOS 12 Monterey or higher).]

Even if you have the final version of Google Chrome for macOS 10.13 or 10.14 ( 116.0.5845.187 ), it only fixes the WebP issue, but does not fix the critical WebM vulnerability. I posted about this in another discussion. Moving forward, there are already a growing number of High severity issues (that we know of) and will be more as time goes on. It is unwise to continue using non-current browsers on the open internet. This includes Safari.

Export your Chrome bookmarks and write down any important login info so you can use them in another browser. After that, trash the Chrome app (from Applications) and just leave it in your Trash for a while in case you need to restore it and get some missing information.

For now you can use Firefox 115 ESR and get security updates “until September 2024”.

After install, make sure Firefox (ESR) is your default browser (System Prefs > General > Default web browser). Additionally, I would manually block Safari in the firewall (Sys Prefs > Security > Firewall > Firewall Options… > [+] > Safari app) and uncheck the two “Automatically allow…” options in that same panel.

One other important thing is to check your Apple malware utilities are up to date. It is surprising the number of Macs that are not completing these “automatic” background checks with Apple in recent years. Howard Oakley’s SilentKnight is an excellent tool for this. It simply checks your versions against the current list, and if needed, lets you manually start the update/install from Apple’s servers. Be sure to re-check after any SilentKnight installation to make sure it succeeded. Ignore the firmware alert under your Mac model as that can only be updated with newer macOS versions.

These are the minimum actions I would suggest, but combined with a cautious approach to what you click on it should keep you going for a while.

[EDIT: Changed 1st paragraph to clarify macOS versions and Chromium variants.]

1 Like

Thank you – I appreciate that advice. Time to make the switch.

If I was facing a similar situation and wanted to minimize spending, I would pick up either a Chromebook or an iPad for everyday online use and keep the High Sierra machine off the Internet as much as possible.

Why? My main reasons are:

  • I like using compartmentalization as a privacy and security practice.
  • Apple has long stopped supporting and updating High Sierra.
  • Apple changed its built-in macOS protections, beginning with Catalina (see MRT and XProtect Remediator: an update – The Eclectic Light Company if you want details)
  • There are a lot of ways for attackers to breach outdated OS’s, both through the OS itself and through software.

1 Like

I’d have to agree that is the best plan and one I’m contemplating. The biggest issue is how to create a workflow/setup that will facilitate two machines. Right now I’m back and forth between my older legacy software, email and web all day long – frequently downloading files I need for the older software. I have a two-screen setup that I use for both. I’ve yet to see any kind of combination of A/B switches that would allow me to easily hop between the two systems. And I’d need at least a third screen for the Internet … I may have to build onto my office just to get the space…

You could use the built-in screen sharing to control the least-used machine, or set it up so you can control the other computer from either computer.
System Preferences > Sharing > turn on Screen Sharing. I think it is best to select only one user for screen sharing access; use whatever account has a good password, or set up another user with a good password to use only for screen sharing.
Once Screen Sharing is turned on on the computer you want to control, you can browse the network from the other computer to start the screen share, or search for the Screen Sharing app with Spotlight to start the screen sharing session.
With screen sharing you can transfer files between the two computers, or you could set up file sharing to facilitate moving files back and forth.

2 Likes

Wow, this is great. I had no idea it existed, but I think it’s going to solve my problem. Thank you very much!

1 Like

FWIW, I do exactly that: Screen-share my 2013 High Sierra iMac, where my CS6 Photoshop resides, onto my primary machine, a 2020 iMac. Screen sizes are similar enough that I don’t have to re-size the 2013’s screen (if your old and new machines differ in screen size, you may need to fuss with this). File transfer is a snap: drag-and-drop from NewMac finder window to OldMac desktop (or vice-versa), AirDrop between the two machines, or whatever you’re used to.

This thread got very complicated! The router provided by your ISP should already have a firewall for your network. But that won’t help against malware or attacks that come via websites you go to, or emails you open. I was running a High Sierra machine for years without any problems. Just being careful is a realistic defense.

If you get a new computer for normal use, and just want to keep the old one for specific software, there are plenty of KVM switches out there that will allow you to run both on the same keyboard, mouse and monitor(s). Take a look here: Desktop KVMs for Home, Office & Small Business

Or try the built-in screen sharing as others have suggested.

@MacGuyver: You say “Stop using Chrome on macOS 10.13-10.14.”
Arc is a version of Chrome; it is frequently identified as Chrome. Does this mean that we should also stop using Arc?

Several browsers, Microsoft Edge, Arc, Brave, etc., are based on the open-source Chromium, which shares ancestry with Chrome. Chrome is from Google, and Chrome runs processes and performs activities that can be problematic.

For example, a few years ago the Google auto-update process ran at 100% CPU on my Mac. I guess it has been improved, but I removed it after that experience. (They don’t make it easy to remove, either!)

There are also privacy concerns, in that Google gathers your personal browsing history for advertising. This is a concern for gmail, too.
I’m not sure how much you can avoid this with any web activity nowadays, but Google is a known vector.

You might find this useful in deciding whether to stop using Arc or not:
https://www.macintouch.com/post/35760/google-chrome-118-0-5993-70-critical-security-patch/#more-35760