Network and Application Firewall

ced89 · Apr 9, 2021

Hello,

what do you think of this AllInOne Network and Application Firewall solution?

Scudo 3

Scudo is a hybrid firewall for macOS with a very simple interface aimed at all Mac users.

murusfirewall.com

MacInWin · Apr 9, 2021

For what? MacOS has a firewall built in. No need for a third party product.

chscag · Apr 9, 2021

As Jake states, it's not needed. Besides that, it won't work with Big Sur. Developer says it's not compatible, so forget it.

If you think you really need a more sophisticated firewall than macOS provides or your router, then we suggest installing "Little Snitch".

Little Snitch

Protects your privacy and prevents your private data from being sent out to the Internet without your knowledge.

www.obdev.at

IWT · Apr 10, 2021

Little Snitch, as advised by our Admin chscag, is indeed a sophisticated product, but be forewarned, the sophistication requires a considerable input from you if you are to get the best out of it - and your money!

Setting up requires time and effort, otherwise why bother with it. It also bombards you with warnings, notifications and requests for input. Some years ago, I ran this app and, probably because of my naïvety, I got thoroughly fed up with all the warnings and requests - did I allow/disallow this or that? I dumped it. BTW, it never actually found any intrusions or risks that were of any significance.

I'm not mocking the product; just advising you that much owner input is required to get the best out of it

Ian

ced89 · Apr 10, 2021

I was searching for a monitoring tool that had also capabilities to block connections that don't correspond to a rule, that is on top of a basic firewall task, the Mac firewall can bethe best firewall, but without this functionality, I don't feel safe.
I don't mind to get bombarded with notifications, this will happen until I don't setup a rule, so only the onboaridng of my new Mac will be a bit painful.

With the Mac I'll run only personal things, that is, basics like banking etc, that's why in the last thread I was concerned about the budget, because I'd literally use that machine for few tasks, maybe less than 1h a day...

I don't expect to be annoyed by notifications or request for approvals, let's say that the notifications will disappear after a rule has been set (or I'll remove them), same for the request for approval.

MacInWin · Apr 10, 2021

ced89 said:
With the Mac I'll run only personal things, that is, basics like banking etc, that's why in the last thread I was concerned about the budget, because I'd literally use that machine for few tasks, maybe less than 1h a day...

I'll say it again. Don't get a Mac. For <1 hr/day, the expense of it is not worth it. That would be like getting a Ferrari to go to the grocery store once a week. Get an elcheapo PC, use a good AV package and a VPN for your banking and be happier.

Cr00zng · Apr 10, 2021

MacInWin said:
I'll say it again. Don't get a Mac. For <1 hr/day, the expense of it is not worth it. That would be like getting a Ferrari to go to the grocery store once a week. Get an elcheapo PC, use a good AV package and a VPN for your banking and be happier.

That depends... If you take the Ferrari once a week, preferably weekday to the grocery store, that would be a OK...

Unless the VPN is directly to the financial institution, the VPN doesn't really provide you an extra layer of security. Theoretically, the VPN gateway could terminate your SSL/TLS tunnel to the bank and intercept your connection to the bank. Back in my corporate days, we had Blue Coat proxy servers, that did that routinely for monitoring the SSL/TLS traffic. We had to make an exception for financial institutions for preventing the sessions to banks from being recorded in the logs in plain text.

That's how we monitored SSL/TLS connections to forums, social networks, etc., and quite of few people got "dinged" for abusive behavior on the web. While we did warned the employees that it is coming, they didn't take it seriously until couple of them got dinged...

ced89 · Apr 14, 2021

Cr00zng said:
That depends... If you take the Ferrari once a week, preferably weekday to the grocery store, that would be a OK...

Unless the VPN is directly to the financial institution, the VPN doesn't really provide you an extra layer of security. Theoretically, the VPN gateway could terminate your SSL/TLS tunnel to the bank and intercept your connection to the bank. Back in my corporate days, we had Blue Coat proxy servers, that did that routinely for monitoring the SSL/TLS traffic. We had to make an exception for financial institutions for preventing the sessions to banks from being recorded in the logs in plain text.

That's how we monitored SSL/TLS connections to forums, social networks, etc., and quite of few people got "dinged" for abusive behavior on the web. While we did warned the employees that it is coming, they didn't take it seriously until couple of them got dinged...

Interesting story

I think that this proxy was visible to the users (redirected to the proxy page)), right? Or it was running silently in backgroung like a system proxy?

You could log these info with a proxy, but not by VPN, unless they trick you with a good cert verification.
I wouldn't use the VPN to protect myself anyway, I'm fine with decent DNS, separate WLAN and other basics.
Unless in public places, which I never do unless in emergency, at that point I have a VPN ready plus firewall to block connections outside.

Cr00zng · Apr 15, 2021

The authentication to the proxy server was seamless, the group assignment defined the access level to web.

As for VPN... Any corporation that allows in/outbound VPN connection from the end-users sub-nets, they deserve what they get. All end-user systems had received the proxy servers SSL cert, generated locally on the proxy server, for seamlessly terminate the destination's SSL tunnel at the internal proxy interface and re-established on the outside interface with the destination's SSL cert. It's slick and certainly nothing stopping a VPN tunnel to do the same, after the VPN tunnel is terminated.

Most of these companies run their own DNS server, and/or DNS caching server as well for further monitoring internet traffic.

Back in my consulting days, I used to carry an older wireless router with me; connected the WAN interface to the hotel's wired network and used my own wireless network. Fringe benefit, more than one person could access the internet simultaneously with a single daily charge for the web access. You know, back in the days when hotels used to charge for internet access. I haven't been traveling much for years, so I don't know what hotels do nowadays.

MacInWin · Apr 15, 2021

Most hotels have a flat rate for the WiFi in the room, any number of devices.

ced89 · Apr 16, 2021

Cr00zng said:
The authentication to the proxy server was seamless, the group assignment defined the access level to web.

As for VPN... Any corporation that allows in/outbound VPN connection from the end-users sub-nets, they deserve what they get. All end-user systems had received the proxy servers SSL cert, generated locally on the proxy server, for seamlessly terminate the destination's SSL tunnel at the internal proxy interface and re-established on the outside interface with the destination's SSL cert. It's slick and certainly nothing stopping a VPN tunnel to do the same, after the VPN tunnel is terminated.

Most of these companies run their own DNS server, and/or DNS caching server as well for further monitoring internet traffic.

Back in my consulting days, I used to carry an older wireless router with me; connected the WAN interface to the hotel's wired network and used my own wireless network. Fringe benefit, more than one person could access the internet simultaneously with a single daily charge for the web access. You know, back in the days when hotels used to charge for internet access. I haven't been traveling much for years, so I don't know what hotels do nowadays.

Monitoring internet access is quite easy, but are you telling me that certain companies were faking the SSL handshake??? It's risky, illegal and not so easy to do with recent protocols.
The browser fingerprint could be difficult to replicate too...

Cr00zng · Apr 17, 2021

ced89 said:
Monitoring internet access is quite easy, but are you telling me that certain companies were faking the SSL handshake??? It's risky, illegal and not so easy to do with recent protocols.
The browser fingerprint could be difficult to replicate too...

Let's call a spade a spade...

Proxy servers basically utilize an MITM attack, most, if not all of them can do this. Bluecoat ProxySG servers are just one of the most popular brand for this purpose. These servers used inside companies (and inside government organizations) to inspect their own incoming and outgoing SSL/TLS traffic for malware, data leakage, unauthorized usage, etc. To my recollection, there had been no issues with browser fingerprint replication, but it's been a while I've worked with proxy servers.

This is not illegal and easy to do within an organization with the right technology in place. May I gently remind you that the organization provides all IT hardware, software. It certainly has the right to monitor activities within their IT envelop, including in and outbound network traffic to this envelop. In some cases, regulations may require the organization to log access as well.

PS: I apologise for hijacking the subject of this thread...

ced89 · Apr 18, 2021

Cr00zng said:
Let's call a spade a spade...

Proxy servers basically utilize an MITM attack, most, if not all of them can do this. Bluecoat ProxySG servers are just one of the most popular brand for this purpose. These servers used inside companies (and inside government organizations) to inspect their own incoming and outgoing SSL/TLS traffic for malware, data leakage, unauthorized usage, etc. To my recollection, there had been no issues with browser fingerprint replication, but it's been a while I've worked with proxy servers.

This is not illegal and easy to do within an organization with the right technology in place. May I gently remind you that the organization provides all IT hardware, software. It certainly has the right to monitor activities within their IT envelop, including in and outbound network traffic to this envelop. In some cases, regulations may require the organization to log access as well.

PS: I apologise for hijacking the subject of this thread...

I think I understand you, but this is an old way to run the business. Nowadays, every corporate laptop is used to access personal data from employees, like banks, facebook, health insurance etc...
This is not legal at all nowadays

.

In all that, there are also companies that encourage you to use FB and other social networks to promote their service/brand, monitoring such accounts would be extremely illegal after it was suggested by the company.

In any case, would you be able to spoof a VPN connection? I mean, me connecting to a commercial VPN service? With username and password it may be easier, but not with a certificate and your device registered in your account, if the VPN provides such level of security.

Cr00zng · Apr 20, 2021

ced89 said:
I think I understand you, but this is an old way to run the business. Nowadays, every corporate laptop is used to access personal data from employees, like banks, facebook, health insurance etc...
This is not legal at all nowadays .

In all that, there are also companies that encourage you to use FB and other social networks to promote their service/brand, monitoring such accounts would be extremely illegal after it was suggested by the company.

In any case, would you be able to spoof a VPN connection? I mean, me connecting to a commercial VPN service? With username and password it may be easier, but not with a certificate and your device registered in your account, if the VPN provides such level of security.

You keep forgetting that, that it is a corporate laptop and the said entity has full control of it, including any data stored/transmitted,/received.. If the employee risks exposing personal data to the corporation, that's on the employee and not on the corporation. The employee's personal data on corporate owned devices can be the reason for disciplinary action and depending on its content, including termination.

Keep in mind, that with proxy client installed on the laptop, it works just like the laptop is connected to the company network, even if the laptop is not in the office. The proxy client initiates the VPN connection to the office in the background when accessing the internet and as such, all access is still the same.

In any case, why would a corporation allow employees to connect to a third-party VPN server? There's no benefits for the corporation and it is a high risk for exfiltrating company data.

Again, employees using company devices, in another words the company owns the devices and has full control of it. You don't like it, either behave on company devices, or use your own device.

What do you think why I had two smartphone on my belt for in my corporate years? :wink

Network and Application Firewall

ced89

Scudo 3

MacInWin

chscag

Well-known member

Little Snitch

IWT

ced89

MacInWin

Cr00zng

ced89

Cr00zng

MacInWin

ced89

Cr00zng

ced89

Cr00zng

Shop Amazon