Mac OS X Security Epilog

Last week we took up our final subject in this series on Mac OS X security, online resources and tutorials. Today let's reflect on where we've come from and draw some conclusions.

First of all, thanks to you who stayed through this series from the beginning. Thanks for listening, as one of my professors used to say!

As I researched the various subjects here, I discovered that a very surprising number of people have no computer security effort in place at all. Yet viruses, worms, DoS attacks, malicious hackers, and all the rest are as an unseen enemy. If you've never met this enemy face-to-face, then you may well be less than convinced at a deep level that it really exists. Under the circumstances, I find it amazing that so many people apparently have not been hit by some computer disaster or other. Mac OS users have been in a privileged place from this point-of-view, simply because for the most part they haven't had the numbers to make it worthwhile (whatever that means) for malcontents to make the effort of hacking Macs one way or another. OS X, while inherently more secure by light years, is on its way to becoming mainstream. Soon enough it will register on those malcontents' radar screens. Meanwhile we have a little window of opportunity to prepare.

We came a long way, and still didn't cover everything. We didn't even begin to cover things like iDisk and POP mail security. We didn't discuss IMAP mail as a possibly more secure option. Nor did we look at the security of popular mail servers like Hotmail and AOL. You see, I'm afraid that the lack of security around email is just about completely out of your control. Standard mail sends clear passwords across the internet, and every time you check your mail you place your password onto the internet for all to see (if they're lookin', and lots are). You can encrypt the message itself, but you'll probably have to shop around for a new ISP if you want password encryption during mail checks - and pay for it too.

We also talked a lot about firewalls. In fact, I'd almost wager the word firewall appears in every article of this series. I can't overstate its importance. I do need to clarify one point, though, as one reader pointed out to me. In the article entitled simply Firewalls, I said that in a certain situation you need three simultaneous firewalls. Let me clarify here that your Mac OS X firewall has the last word on what comes in and goes out. But in those specific situations where you run Classic or VirtualPC or the like, you may not have all of your bases covered with it alone, and you may need additional firewalls specific to those alternative environments. This is particularly true if you run VirtualPC and some flavor of Windows. No firewall knows Windows like ZoneAlarm knows Windows. I covered this issue in more depth in the later article of this series entitled Classic Mode & VirtualPC.

One detail I discovered this past week is that BrickHouse requires IP addresses, not text names, in the Other field when editing a firewall rule, where I had indicated a more general solution in Configuring BrickHouse & ZoneAlarm. If you use a text name it will get interpreted as All, and probably give you the opposite result from the one you wanted. This will make things difficult for ICQ and AIM users because they will probably require static IP addresses for instant messaging to work. Check out DNS2Go for a possible solution here. In my own case I wanted to secure-shell into my work iMac once in a while. But because I have a dynamic address at home I have to leave the ssh port fully open. I don't want to do that. My workaround is to ssh into our Linux server, then hop to my iMac from there. I'm allowed in from that point because I have given that server, whose address is static, explicit permission to connect into my iMac. Slightly clumsy, but it works perfectly. So watch for that when playing with BrickHouse rules.

Just as I began this article, the OS X upgrade came out. Overall, it's been a great experience with just a couple of glitches that affected my Xfree86 setup. A reader queried me about my NetInfo procedure in Mac OS X hosts File, to which I alluded last time. After making certain changes you needed to restart the NetInfo domain, using NetInfo Manager. Well, this step fails under the OS X upgrade. However, my ad hoc tests show that changes made in NetInfo Manager take effect immediately now. This would eliminate the restart step from that procedure altogether. Solved!

So, let's ask the sixty-five dollar question. What constitutes the perfect networked computer system for home? Of course there is no one answer to that one, but Christmas wishes get fulfilled in many ways. Let me propose one or two ways, based on things we've talked about in this series.

Your home network - yes, it's a network - consists of at least one computer plus a connection to the internet. That connection is why it's a network, and why it behooves you to take network precautions. If, like myself, your OS X iMac or iBook was not your first computer, then you probably have an ethernet hub or switch to connect it and the old Pentium machine in the basement together. In any case you'll have a modem of some sort, whether dial-up, ISDN, cable, or DSL, through which your stuff connects to the internet. The best things in life are free, as are the first things you can do to secure your piece of the internet. These days even the hardware has a reasonable price tag. So you can have a very secure home system at a decent cost.

If I've indeed just described your exact situation, then you'll be needing to network that old PC. Don't worry about your Macs. They all come with networking built-in. Assuming you run Windows 95 or later on the PC, just purchase a network card that will work with your machine. It's mainly a question of available card slots and what type they are: ISA or PCI. Odds are you have an available PCI slot and a 3Com 3C905 or similar will pop in there just fine. Use Windows Setup to add networking, and take all of the defaults. You may have to add TCP/IP under Protocols in the Network control panel later. If you are trying to network Windows 3.1 on a 486, then drop me a line. I'll either give you some tips or attempt to talk you out of it.

Back to the network. Of course you need an interface into the internet somewhere. Invariably this will be a modem of some sort. In your office you'll have a hard connection. No matter. For our purposes it's all the same. Everything starts at that network connection on the back of your modem or at the wall. If you dial into an ISP, then you likely have an internal modem in a computer. This is a little trickier in some ways, and is less than a wishlist setup. So let's place that situation aside for a moment.

You want to place a thick firewall between your equipment and the internet. The best solution for home use is one of the economical combo gateways, such as the D-Link DI-704 or the Linksys BEFSR41. Both of these are four-port ethernet switches as well as NAT gateways. If you have more than four ethernet gadgets, then get the eight-port version. If you have more than that, get a life!

Now you can plug your Macs and whatever else into the switch. If you use a "dumb" ethernet hub to split out your internet connection, replace it with one of the combo units above. You can still extend the latter by plugging your hub into one of the switched ports or by purchasing an unmanaged switch such as the D-Link DSS-8+, as now you're inside your own private network. The NAT gateway will service any devices plugged into the hub or switch handily.

I for one would love the freedom of AirPort. If you would too and you spring for an AirPort, plug it into one of the switched ports just like any other ethernet device. AirPort itself is effectively a NAT gateway, as it assigns local addresses for all your wireless iBooks and such that it serves. If I had a large house, I'd locate my external modem, combo gateway, AirPort hub, and laser printer in a corner of my study. Then I'd have my AirPort-equipped iMac on my desk, my AirPort-equipped G4 in the basement recording studio, and my iBook to go. Not counting the cost of the computers, this arrangement is surprisingly affordable.

Whichever configuration you choose, check that each machine has appropriate software firewalling. Just follow the steps we've already covered.

If you do dial up with your Mac under OS X, then you can share your connection with other computers by using your Mac as the gateway. While this is less than ideal, the risk is ameliorated by the raw fact that you're online intermittently. So the hardware setup in this case may be as simple as a network crossover cable between your Mac and the second machine, or a standard network cable between your Mac and a hub, switch, combo gateway, or AirPort, with everything else connected to the latter.

It would be imperative to run a firewall on your Mac in this instance, as it sees the internet directly. Software setup on the OS X side involves the IP Sharing page in the BrickHouse configuration screen. Once enabled, OS X will parcel out IP addresses to your attached computers dynamically.

What's the difference between a NAT gateway and a DHCP server anyway? Not to put too fine a point on it, the DHCP server usually serves up IP addresses upon request in an address series called a subnet, which as the name implies is a subset of the corporate network. All addresses remain unique across the internet. The NAT gateway serves up IP addresses upon request in a reserved private address range. These addresses may get used again and again, because they only have meaning within their local contexts. To the rest of the internet, a host with a private address appears to have the address of the NAT gateway itself. Both DHCP and NAT should be hands-free, once they're initially set up.

A DHCP server can be anywhere on the local network, and is often integrated with a server already there. A NAT gateway is inherently the entry point of your private network. The fact that it assigns addresses isn't its most important function, although that's critical too. It's how a NAT gateway automatically translates addresses to and from the internet that is its essence. Remember, on the inside your computer has a private address. From the outside it appears to have the IP address of the gateway. This sleight-of-hand is the magic of a NAT gateway. When you see the price of one, it's really quite a bargain. It's also why NAT gateways are inherently secure. The outside world can't see the hosts on the inside. If they can't see 'em, it isn't likely they can hack into 'em either.
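The translation described above, modeled as a small port-translating NAT table. This is an added example, not code from this series or from any gateway vendor; the class name, the addresses (documentation ranges) and the choice to match replies against the remote endpoint are assumptions of the sketch.

```python
import ipaddress

# Reserved private ranges (RFC 1918) that inside hosts are expected to use.
PRIVATE_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_private(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in PRIVATE_NETS)

class NatGateway:
    """Teaching model of a NAT gateway's translation table (hypothetical)."""

    def __init__(self, public_ip, first_port=40000):
        self.public_ip = public_ip
        self.next_port = first_port
        self.out_map = {}  # (in_ip, in_port, remote_ip, remote_port) -> public port
        self.in_map = {}   # public port -> same 4-tuple

    def outbound(self, in_ip, in_port, remote_ip, remote_port):
        """Rewrite a packet leaving the private network; returns what the internet sees."""
        if not is_private(in_ip):
            raise ValueError("inside host is not in a private range")
        flow = (in_ip, in_port, remote_ip, remote_port)
        if flow not in self.out_map:
            self.out_map[flow] = self.next_port
            self.in_map[self.next_port] = flow
            self.next_port += 1
        return (self.public_ip, self.out_map[flow], remote_ip, remote_port)

    def inbound(self, remote_ip, remote_port, public_port):
        """Translate a reply back to the inside host, or return None (dropped)."""
        flow = self.in_map.get(public_port)
        # Only a reply from the endpoint the inside host contacted is let through.
        if flow is None or flow[2:] != (remote_ip, remote_port):
            return None
        return (remote_ip, remote_port, flow[0], flow[1])

def demo():
    """Constructed scenario: two inside Macs browse; an outsider probes port 22."""
    gw = NatGateway("203.0.113.5")
    a = gw.outbound("192.168.0.2", 51000, "198.51.100.7", 80)
    b = gw.outbound("192.168.0.3", 51000, "198.51.100.7", 80)
    reply = gw.inbound("198.51.100.7", 80, a[1])       # answer to host A
    probe = gw.inbound("198.51.100.99", 4444, 22)      # unsolicited, no mapping
    spoof = gw.inbound("198.51.100.99", 4444, a[1])    # wrong remote endpoint
    return a, b, reply, probe, spoof
```

Both inside hosts leave with the gateway's address and differ only in the port it assigned, and the unsolicited probe has no table entry to follow inward. A port you deliberately forward on a real gateway creates exactly such an entry, so the host behind it still needs its own software firewall.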

When I wrote the chapter called Email Encryption, there was no graphical interface available for GPG, the Unix implementation of Pretty Good Privacy, though one was in the works. This week I received a note from the author of GPGmail, a graphical interface to add encryption capabilities into Apple Mail for OS X. Having seen the alpha version of this software, I'd say that you'll like GPGmail a lot. In typical GNU tradition, the software is free. You'll have an easier time of installing and learning GPGmail than you will convincing your friends to install a compatible encryption tool on their machines too, even though it's all free software. Yet once you get the hang of it, it's basically a couple of mouse clicks to use. Unfortunately with the OS X upgrade, Apple Mail gets changed under the hood sufficiently to require a GPGmail patch, which at press time is under development.

The software firewall business is even easier. You already have the details for downloading and setting one up for each of your OS X and Windows machines. The licenses for the two packages I looked at are as breezy as you could ask for. One is to pay US$25 if you feel like it, and the other is free for personal use and still very reasonable to license for your office. There is just no reason not to do a firewall. After you've had some experience with this, you can play with advanced settings for even better coverage.

Your gateway, should you have one, likely comes with the ultimate firewall, a power switch. Just flick it off when you're not surfing. That might be a little more difficult in a big house with several computers and people, but the option is there. Recall the inherent security of a dial-up connection was the simple fact that you were only online intermittently, and for relatively short periods of time. Cable and DSL have changed all that.

Best practices for email could be the subject of a book. The latest crop of computer viruses has even registered on the radar screens in Washington. Yet look at the mechanism of transmission. They're carried as email attachments. So long as you don't open them, they stay dormant. Simple! By now just about anyone can identify a bogus email message. So why are these viruses making news? Because people just have to take one look, I suppose. Again and again and again. Best practice: Just say no to attachments.

Email encryption is a more difficult concept to wrap one's mind around. The best methods today involve the exchange and comparison of software entities called public and private keys. Play with these a bit, and you'll find encryption to be a must-have. GPGmail will work perfectly well with someone who has PGP installed on another operating system. As you set this up, keeping in mind my comments above, it might be useful to have someone you know install it as well, so that you can practise sending and receiving encrypted messages.

Continuing on the privacy front, you probably want your email address left off the Big List that forever gets resold on the internet for $99. Suffice it to say that you'd use an alias when participating in a news group discussion. It's our friends I worry about in this regard. Hardly a day goes by that I don't receive at least one piece of list email. Quite a number of people are adept at using Bcc, but quite a few aren't. If they forward a pithy piece to their favorite listserv discussion group and your email address is on it, you're done for. Expect a lot more email very soon now. All you can do is ask, then plead, that they use Bcc in all bulk email. Feel free to send my article on the subject to people if you think it might help. I explain in it how to use Bcc in Outlook Express for Windows, which for some reason is almost invariably on the scene.

Commercial networks require some serious hardware to maintain security, yet big security breaches continue to make news. What chance does the little guy have? Being low profile helps a lot. Yet today's port scanning software and all the rest raise the probability of personal systems being broken into also. The current crop of combo gateways offer a great security value for their modest cost. If you can find a few bucks for one of these, you'll find it money well-spent.

A recent Comdex article entitled Major VPN Advance Ahead underscored the increasing corporate concern over network security and the lack of one standard way to accomplish it. We ourselves discussed NAT gateways and the like in the context of a home or small office network. Yet the same security issues are present in both; it's the stakes that differ. Though the experts continue to work out standards, we have to work with the tools at hand. That is why affordable components like the D-Link NAT gateway and software tools such as BrickHouse and ssh figure largely into our efforts.

Internet standards are reflected in Requests For Comments, or RFCs. There are now over three thousand RFCs listed, discussing or specifying various details of TCP/IP's workings. Some of these supersede earlier ones on similar topics. While these are written for and by peers in that milieu, it's good to be able to browse an RFC for further enlightenment once in a while.

This series has focussed on computer security issues in the context of Mac OS X. Many of these issues and their solutions are transportable to other operating systems also. Some issues arise in non-Apple environments, yet affect OS X users. Solving those often has a diplomatic component. Right out of the box Mac OS X is fairly secure. There are simple things you can do immediately to improve on that. Apple in all probability has tweaked a few security details in the latest X.1 upgrade, which just came out (September 29th). There are great - and for the most part free - software resources out there for OS X to help you bolt down your system nicely. Add a bit of hardware and a dollop of common sense, and you'll have a very tight system indeed.

Table of Contents

Introduction to Mac OS X Security
Part 1: Cable & DSL
Part 2: Firewalls
Part 3: Virus Scanners
Part 4: Email Setups For Security
Part 5: Email Encryption
Part 6: Desktop Security
Part 7: Classic Mode & VirtualPC
Part 8: Setting Up A Gateway
Part 9: Configuring BrickHouse & ZoneAlarm
Part X: Online Resources & Tutorials

Th-th-that's all, folks! Ciao!