Mac Gems: Little Snitch snitches on misbehaving apps

Our Macs can be chatty even when we wish they weren't. Apps, and even the OS itself, regularly reach out to the rest of your local network and to the Internet to probe, query, and blab. Little Snitch 3 intercepts these requests and presents them to you for inspection and approval. The latest update to the software adds inbound-connection management, too. Little Snitch has graduated from being a sort of outbound-only firewall with notifications to being a full-fledged firewall product with a friendly interface that informs you about any network-related activities.

OS X's built-in firewall, when enabled, functions based on services and applications, allowing only inbound connections aimed at particular pieces of software--for example, a connection to iPhoto's shared-library service. But the OS X firewall can't be configured to allow a connection from a particular Internet protocol (IP) address. Little Snitch offers this type of functionality, but it reveals this power in stages, allowing a simple approach for those who want security without fuss, while using configurable rules to provide levels of deeper and deeper access for those who want more-precise control.

As in previous versions, Little Snitch's most obvious use is in alerting you to the network activity of applications and low-level software. For instance, launch Google Chrome, and Little Snitch warns you that the browser is attempting to connect to (to check for updates, ostensibly). Should Little Snitch let it proceed, and, if so, for how long and with what limits? The utility even differentiates between IP addresses and ports. (An IP address is a destination, like an apartment building; a port is like a specific apartment within the building.)

Little Snitch comes configured to allow common activities--for example, Safari requesting data from port 80 (standard Web pages) and port 443 (https-secured pages)--to pass through without notice. Many OS X system daemons, autonomous bits of low-level software, also get preapproved. But even these passes are explicitly allowed via rules that you can view, with descriptions, in the Little Snitch Configuration app.

For previously unknown connections, Little Snitch presents a dialog box that shows you the requesting app's icon, its name, and what it's attempting to do. Using the previous example, you might see an alert that Google Chrome is trying to connect, using port 80, to Click Details to get even-more-detailed information. Clicking Allow or Deny adds a rule to Little Snitch's configuration, bypassing this dialog in the future for varying degrees of specificity and periods of time.

For any particular connection, the program lets you choose how specific your Allow or Deny rule should be: Any Connection for all outbound traffic, a port number for all outbound traffic over that port, a domain name (or IP address) for any traffic to that domain, or, the most specific, a domain name (or IP address) paired with a port.

You also control how long your rule remains in effect. Obviously, the Forever button makes it a permanent rule (which can be deleted or modified using the configuration program). But the duration pop-up menu to the right, which has expanded its range of choices since Little Snitch 2, lets you set the rule to expire after the affected program quits, after you log out, when the Mac is restarted, or for a specific length of time.

Assuming the affected app is one you use frequently and you want to allow to do its thing, you'll likely choose Allow and Forever--most programs engage in benign activity to specific domains. But when you see an alert that doesn't pass the smell test, that's when you'll want to limit the connection (for a period of time or Until Quit are usually good choices) or deny it altogether.

For example, some programs make it their business to send back information about your usage, and you just don't want them to do so. Others sniff or broadcast over the local network to determine if multiple copies of an app are running or for more-nefarious information-gathering purposes. I say, "Deny!" In some environments--government, military, or legal, medical, or financial businesses--there may be other security concerns that dictate whether or not you should allow such connections.

As you approve and deny connections, thus creating the appropriate rules, you train the software over time, receiving warnings about communications you want to keep an eye on--or for software that has no business calling outbound. If you use many apps every day, the initial setup period can feel laborious as you teach Little Snitch how to handle each app. Things soon settle down.

For keeping track of what apps are currently being monitored by Little Snitch and what they're doing, Little Snitch's already useful Network Monitor window has become more sophisticated in version 3. The window shows every recently active program, a gauge of recent bandwidth consumption, and all the host/domain combinations to which each program has connected. Click any app to view a historical bandwidth-usage graph; you can adjust the time period shown. Right-click (or Control-click) an app's main entry or any server, and you can create a new rule based on that selection. Double-click a graph, and Little Snitch offers exceedingly detailed connection information, including total traffic and the most-recent time data was sent.

Previous releases of Little Snitch could block only outbound traffic, warning you only when programs and low-level software attempted to make a connection outside your computer. Little Snitch 3 allows control of incoming connections, too. Internet criminals and vandals are constantly probing for open connections to servers and individual computers, such as attempting to create a terminal session via SSH (Secure Shell) using common account names and passwords. Blocking access reduces your window of exposure, and offers more peace of mind, too.

(While it's true that the focus of most security software has largely shifted to detecting malicious programs loaded onto Web pages, blocking inbound traffic remains a way to keep your computer protected from potential new threats before they're known and patched. Most home users are behind routers that use Network Address Translation, which effectively blocks direct connections from the Internet. Businesses, and even coffeeshops, however, are more likely to have Internet-routable addresses, and the IPv6 network-addressing rollout finally underway can expose computers to new threats by making them directly reachable, too. Little Snitch helps in all these scenarios, as it doesn't differentiate from where traffic is coming and going. It just identifies and alerts you to new connections--or lets those connections pass if they meet existing rules.)

Little Snitch is the only security software that I recommend wholeheartedly to an entire range of users, from beginner to super sophisticated. It provides network--and privacy--protection while being easy to use and train, and it's powerful enough for demanding users.

Want to stay up to date with the latest Gems? You can follow Mac Gems on Twitter.

Join the CSO newsletter!

Error: Please check your email address.

Tags appsiphotoUtilitiessecuritysoftware

More about GoogleMacsSSH

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Glenn Fleishman

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts