Mac OS X Security Part Eight: Setting Up A Gateway

Last week we looked at Classic Mode & VirtualPC in the Mac OS X environment. Today we look at the ethernet gateway as a practical solution to the security issues introduced by them.

The moment you connect to the internet, you are part of it. I know; that sounds like a tautology. But I'm referring to people's perceptions. They feel immune to internet risk because they are at home. No matter what the means, whether dial-up or something more exotic, you are part of the internet from the moment your connection completes. So let's take that as a given, and go from there.

The internet uses a network system called ethernet. Ethernet has been around for a while, and of course has evolved over the years. Ethernet refers to the network hardware used, and the way it all connects together. It doesn't go to the extent of defining any particular network language or protocol, though in practice tcp/ip, the language of the internet, has become the lingua franca of our computing world today. Other network languages that run on ethernet hardware are Novell Netware, AppleTalk, Microsoft NetBEUI, and Digital LAT, to name a few that come to mind immediately.

Ethernet is to networks what wall sockets are to appliances. It is a bus network, meaning that everyone shares the available resources together. An obvious corollary is, what one person does quite possibly can affect the others. Just as your toaster and kettle plugged into the same circuit at the same time will certainly dim the lights, and may well trip a breaker, heavy network users will bog down the network for everybody. In the last few years there have been some developments that alleviate that problem. Let's look at some ethernet components and see.

The simplest ethernet network is two computers connected together via network cards and a network crossover cable. The next-simplest is the two connected through an ethernet hub and standard network cables. The hub is the ethernet analogy of your wall outlets described above. One port on that hub is dedicated for connecting out, typically to the internet. The remaining ports share that outbound connection among your local computers or hosts. The recent development I alluded to is the ethernet switch, which from the outside looks exactly like a hub. It differs in having onboard brains that can figure out who wants to connect where and at what speed, and does it all transparently. So long as the brains can think faster than data can flow across the wires (almost always the case), a switch effectively gives each and every computer plugged into it full access to the outside connection, because the unnecessary network chit-chat has been eliminated. As a bonus, you get inherent security between the ports, as no host sees any other unless it's supposed to. From now on, I'll only talk about switches, because they have made hubs obsolete today.

With a switch and a couple of computers, you're an ethernet network. Connect that dedicated outbound switch port to the internet somewhere, and your network becomes part of the internet, for better or worse. What if you wanted to place a security guard at the door of your little piece of the internet? Good idea. Enter the gateway. A gateway is a brainy piece of ethernet hardware that separates your little network from the somewhat larger internet. All network traffic between the two passes through and is arbitrated by the gateway. The gateway's primary purpose is to route network traffic properly between you and the internet. The genius of the gateway's workings places your network somewhat at arm's length from the rest of the internet.

That's all fine and dandy, but what's important now is less the gateway itself than one of its now-standard features, a built-in firewall. If you've been following this series, you know that a firewall is a program that acts as a security gatekeeper. It decides what goes in and out, based on a rules set. You know that BrickHouse for OS X and ZoneAlarm for Windows are free if you so choose, and that these run on your desktop machines. Now we're taking the firewall concept and applying it to your entire network. You can see what I'm leading up to. If you have two or more computers at home, I want you to consider adding a firewalled gateway between you and the internet.

The D-Link DI-704 combo gateway-switch is an excellent product and the best value of its kind I've seen around. It has a built-in NAT firewall and also has four switched ethernet ports. (If you're a geek that collects computers and network printers, they also make one with eight ports.) Linksys makes a competing product, and you might like to read a review of it I found from last year. The 3Com OfficeConnect Firewall is a separate firewall box, meant to be used with other OfficeConnect products. But by the time you match this firewall with an OfficeConnect ADSL gateway and switch, you'll be priced out of your home for sure, although to be fair we aren't quite comparing apples to apples here. On the other hand, the 3Com gateway looks like a better deal than the 3Com HomeConnect 740 ADSL modem that came as part of my ADSL kit because it is a NAT gateway, whereas the 740 is merely a modem, albeit a smart one. You may find competitive products at your local retailer. I found The IBM Store, of all places, to be well-stocked as well as competitively priced, and its people knowledgeable and very helpful.

What's a NAT firewall? Network Address Translation is a technique of routing internet data to their correct recipients inside the firewall. In the process, it blocks network traffic that wasn't requested. Part of the workings of NAT is using private network addresses for the machines inside. Where all internet addresses are of the form of four groups of numbers separated by three periods, typically the private addresses are in the series 192.168.0.nn and are not used on the internet as such. From the outside, all of your machines on the inside appear as one, and have the address of the NAT box itself. NAT is more like a proxy server than a firewall. But because it effectively protects the machines on the inside by disguising them and itself taking the hits from the outside, it can be considered a firewall to that extent. The DI-704 also has fairly comprehensive port filtering together with NAT, making for a pretty good firewall. Adding four switched ports makes it a slam-dunk deal.

Setup for these little boxes is done with a built-in web server that only runs on the inside, unless you explicitly tell it otherwise. Very smart! That means you can set the thing up with any internet-enabled computer and a browser. But firmware upgrades for the D-Link - and likely other brands - require a Windows machine. Pity. Apart from that, management via your browser is simple. But there isn't much management, because the unit takes as its defaults most of the settings you'd probably want anyway.

One tricky bit in setting up a gateway is configuring it with your Internet Service Provider. When you first come online in a cable or DSL internet situation, you get authenticated based on the hardware serial number of your network card. This serial number is also variously known as your MAC address, your ethernet address, and hardware address. My ISP allows two MACs on my plan. If I used a switch to tee my two machines into my network connection, I'd register each machine separately, and use up my available addresses. Instead, I chose to go with a NAT gateway and let it run my private network. This way I only have to register the gateway's MAC address, as it's the only one directly connected to my ISP. Everything else is serviced by the gateway. So I could easily add a third or fourth computer or perhaps a postscript printer or whatever to my private network. My ISP still sees only one machine from me.

The easy part is following your ISP's instructions when you first register. The hard part is adapting them for your gateway, as a gateway isn't a computer in the desktop sense. My solution was to register one of my desktop machines first, by connecting it directly to the internet (thus bypassing the gateway), because the ISP must see the first computer directly in order to detect and verify its MAC address. After that, I went to my ISP's customer service web site and manually typed in my gateway's MAC address, handily printed on the case, as my second computer. Voila! It worked like a jet. Now I can bring my gateway online and plug my computers into it instead of directly to the internet. From then on, I leave my first computer registered with my ISP, but I don't actually use that connection again; I just leave it there in event of an emergency.

In case all of this sounds daunting, it isn't if you take it one step at a time. So long as you are comfortable with a standard browser, you'll do fine. I recommend that you be using a fairly up-to-date version of your browser for security reasons. All of this configuration stuff is done over secure connections, which, I might add, are totally automatic.

There is one component we haven't considered in this gateway game, and that's an AirPort hub. I for one think AirPort is a fabulous concept. From the network's point-of-view, an AirPort is just another network gadget. Since there will be some network devices such as that old Windows machine or a laser printer for which you can't get an AirPort card, an AirPort network will still require an ethernet switch somewhere nearby. A "combo" gateway gets you precisely this. In short, if you'd like to do a gateway and AirPort, feel free to do it! Your AirPort will be part of your private network inside the NAT firewalled gateway. The AirPort also has a built-in modem in addition to its ethernet port, and is capable of dialing up your ISP automatically. The thrust of this series has assumed permanent internet connections such as cable and DSL. If you dial up using AirPort, then you'll want a somewhat different setup, which requires separate treatment.

A last word on how a NAT gateway works. Once installed, a NAT gateway becomes the heart of your private network. All of your computers on the inside have private network addresses, typically in the series 192.168.0.nn, which is reserved for this purpose. Your NAT gateway has a built-in Dynamic Host Configuration Protocol server that assigns an address in this series to each computer when the latter is booted. It's hands-free! The gateway handles all of the details of routing information between each one and the internet. You don't have to worry about a thing. Data never gets sent to the wrong computer. While this article may be the first you've read about hardware gateways, Windows 98 Second Edition users will be familiar with an add-on product called ICS. This is a software gateway for Win98 that effectively turns that Win98 machine into a gateway for the rest of your network. Mac OS X has this functionality built in also. Of course I prefer the hardware solution, for the primary reason that I remove my computer from the internet's direct line-of-fire by placing something other than my Mac (the gateway, of course) in-between the two.

A dedicated gateway with built-in firewalling not only places a barrier between your valuable machines and the internet, it also gives you expandability if you choose one of the "combo" models that include a four- or eight-port ethernet switch. Finally, you get a bonus of the ultimate firewall: an on-off switch that lets you sleep at night. At about $200, it's a hard bargain to pass up.

Next time, we'll spend some time configuring the BrickHouse for OS X and ZoneAlarm for Windows firewalls. Ciao.