Mac OS X Security Part Seven: Classic Mode & VirtualPC
Last week we looked at desktop security in the OS X environment, and came up with a common-sense list of things to check. Today we examine OS X security issues on Macs that run Classic mode, VirtualPC, and DAVE.
Classic Mac, a catch-all name for the venerable Mac OS as we knew it before OS X came onto the scene, is a personal operating system. It had networking built in from way back, long before the internet became trendy. Its networking was intended as a convenient, simple way of connecting a roomful (read: classroom) of Macs. Security was not particularly robust, nor did it need to be. The current version of OS X provides limited support for AppleTalk, making security issues concerning Classic rather moot. The forthcoming update of OS X, however, promises full support for AppleTalk. So let's assume that's where we are now.
AppleTalk, like Microsoft's NetBEUI, is a non-routable protocol, or network language. By itself it cannot cross a network router, those canny devices that are to a network what switchyards are to a railway. Thus, any security vulnerabilities in AppleTalk would appear to be confined to one's office local area network. One little feature introduced with Mac OS 9 is called AppleTalk over TCP/IP. It's a checkbox in the File Sharing control panel. Unless you have a strong reason to share Mac disks across the internet, don't do it! Simple. AppleTalk within your own LAN is inherently secure for one reason: it isn't the internet, and thus malicious hackers don't find it very interesting to poke around in. As long as you can assume a reasonable level of trust within your group at work, as I can, AppleTalk is just fine. Once you leave the boundaries of your LAN, though, you're fair game to any hacker.
One general measure you can take is to run a firewall within your Classic environment. Norton Personal Firewall, while a tad pricey, is your ticket here. It installs well, and is compatible with its OS X cousin. Done! And if you buy the latter, you get both. What a deal! That's about all I have to say for now on Classic.
VirtualPC and DAVE are another story. VirtualPC very cleverly runs a Windows session in a Mac window. DAVE makes your Mac appear to be a Windows machine to other Windows machines. From a security point of view, it's the same effect: your Mac now has the security concerns of a Windows computer. I'd opt for the simple solution first, namely, if you don't need these two facilities, don't use them. But of course it might not be that simple.
Whether you run one or the other or neither, you need a software firewall. Download and install ZoneAlarm for Windows to use within your VirtualPC Windows session. Install BrickHouse for OS X in any case. If you run DAVE in Classic mode (I can't tell you whether this even works) you really ought to run a good firewall there as well. Unfortunately, it's the very things that make Windows networking work that also open port vulnerabilities, notably the NetBIOS port. It isn't so much whether Windows is or is not secure; it's that Windows is so ubiquitous that the odds of hitting paydirt on a Windows hack are pretty good, so it's worth the effort, shall we say.
There are several reasons why people might want to run Windows on a Mac. There is only one reason why they'd want to run DAVE, and that's to share files between their Macs and remote Windows computers. If file sharing isn't a priority for your VirtualPC Windows session, then leave it disabled. You can still use a Windows printer on the network without exposing your machine's presence unnecessarily. ZoneAlarm will take care of you nicely. If you do have to make a folder on your Mac available as a Windows share, then do it as judiciously as possible, e.g. only during certain hours or as needed. If you connect to a shared Windows disk, disconnect it after you are done with it. Haste is your ally.
All of these pointers apply to DAVE as well. It's just a little less convenient to disable DAVE when it's not needed, because it integrates with your Mac OS for seamless sharing of system resources. Thus the two-edged sword of "seamless". However, in OS X you can open System Preferences, DAVE Sharing, and stop DAVE there.
We run VirtualPC on a G3 in my office. We use it to run Windows applications that just aren't functionally duplicated in the Mac world. One of its chief uses is Windows printing to our QMS color laser printer. Since we only have Macs and unix machines there, the QMS would otherwise be a doorstop. If you're shopping for a color laser, you'll find there is a lot to like in the QMS, but opt for the Crown network card that has onboard brains for standard internet printing. Unfortunately the card nearly doubles the price of the printer. That's why we didn't do it at the time. Next time, we buy PostScript, period.
Anyway, I received a call from our site security administrator one morning. He had been running routine port scans on site machines, and our G3 appeared on his radar screen. When I told him he had been scanning a Mac he was incredulous. Then I noticed a VirtualPC session parked in the background. I closed it and asked him to redo his scans. Bingo! We're invisible again! We've run ZoneAlarm on it ever since. No problem. Note, though, that we do not have any outbound Windows shares on this machine. We can still share other Windows printers and disks that are already on the network.
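The port scan story above is the check worth repeating on your own machine: what does the host actually expose before and after you close the VirtualPC session or disable file sharing? The following script is an added example, not code from the original article or from any of the products it names. It parses BSD/macOS-style `netstat -an` output and flags the well-known ports behind Windows networking (NetBIOS on 137/138/139, SMB on 445) and AppleTalk file sharing over TCP (AFP on 548); those port numbers are standard assignments, not values from the page. The two netstat captures embedded below are constructed for illustration, one with a Windows networking stack listening and one after it has been shut down.

```python
"""Report which file-sharing listeners a host exposes, from netstat output.

Added example (not from the original article). Parses BSD/macOS-style
`netstat -an` lines and flags the standard ports behind Windows networking
and AppleTalk-over-TCP, so you can confirm a host is "invisible again"
before and after disabling sharing. The sample output is constructed.
"""
import re
from collections import namedtuple

Listener = namedtuple("Listener", "proto addr port service")

# Standard port assignments for the services discussed in the article.
SHARING_PORTS = {
    ("udp", 137): "NetBIOS name service",
    ("udp", 138): "NetBIOS datagram service",
    ("tcp", 139): "NetBIOS session service (SMB over NetBIOS)",
    ("tcp", 445): "SMB direct hosting",
    ("tcp", 548): "AFP over TCP (AppleTalk Filing Protocol)",
}

# BSD netstat columns: proto recv-q send-q local foreign [state].
# UDP lines carry no state column, so the last group is optional.
_LINE = re.compile(r"^(tcp|udp)\S*\s+\d+\s+\d+\s+(\S+)\s+(\S+)(?:\s+(\S+))?")


def parse_netstat(text):
    """Return Listener records for every socket accepting traffic."""
    listeners = []
    for line in text.splitlines():
        m = _LINE.match(line.strip())
        if not m:
            continue  # banner and column-header lines
        proto, local, _foreign, state = m.groups()
        if proto == "tcp" and state != "LISTEN":
            continue  # established or closing TCP sockets are not listeners
        # BSD prints "host.port" or "*.port"; the host may itself contain dots.
        host, _, port = local.rpartition(".")
        if not port.isdigit():
            continue  # wildcard "*.*"
        port = int(port)
        listeners.append(Listener(proto, host, port, SHARING_PORTS.get((proto, port))))
    return listeners


def exposed_sharing_services(text):
    """Sorted (proto, port, service) tuples reachable from the LAN.

    Loopback-only listeners are skipped: nothing on the network can reach them.
    """
    found = set()
    for l in parse_netstat(text):
        if l.service is None or l.addr.startswith("127."):
            continue
        found.add((l.proto, l.port, l.service))
    return sorted(found)


# Constructed sample: a Mac with a Windows networking stack active.
BEFORE = """\
Active Internet connections (including servers)
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp4       0      0  *.139                  *.*                    LISTEN
tcp4       0      0  *.445                  *.*                    LISTEN
tcp4       0      0  192.168.0.10.548       *.*                    LISTEN
tcp4       0      0  192.168.0.10.49200     192.168.0.5.80         ESTABLISHED
tcp4       0      0  127.0.0.1.631          *.*                    LISTEN
udp4       0      0  *.137                  *.*
udp4       0      0  *.138                  *.*
"""

# Constructed sample: the same host after the session is closed and sharing is off.
AFTER = """\
Active Internet connections (including servers)
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp4       0      0  192.168.0.10.49200     192.168.0.5.80         ESTABLISHED
tcp4       0      0  127.0.0.1.631          *.*                    LISTEN
"""

if __name__ == "__main__":
    for label, capture in (("before", BEFORE), ("after", AFTER)):
        hits = exposed_sharing_services(capture)
        print(f"{label}: {len(hits)} sharing listener(s) exposed")
        for proto, port, service in hits:
            print(f"  {proto}/{port}  {service}")
```

On a real machine, pipe `netstat -an` into `parse_netstat` instead of the constructed strings. An empty result from `exposed_sharing_services` is what the site administrator's clean rescan corresponds to; any NetBIOS or SMB entry means the host will show up on exactly the kind of routine scan described above.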
DAVE for OS X is a free download at the moment. That solves two problems at once for me. It allows me to test it first-hand for this article, and it also lets me get my feet wet with it generally. Thank you, Thursby Software! Installing it was straightforward. Getting it to see my Windows NT machine was another story. Both machines connect through an ethernet switch, and both run firewalls locked down as tightly as I dare go. As a first-order test, I found I had to disable BrickHouse on my Mac entirely, and lower the sliders on ZoneAlarm Pro for Windows all the way, which might as well be a complete disable, before I could connect the two. That's unacceptable. I performed these tests with my internet connection unplugged of course. It isn't DAVE; it's the way Windows networking works. Once I had firewalls disabled, DAVE and Windows chatted happily. In fact, it's quite neat to see how well this works.
But would I be willing to accept this level of security compromise? I don't think so. If I absolutely had to connect my Mac to a Windows machine, then I could run DAVE together with an external gateway and firewall, so that I effectively grant a trust relationship among all of the computers inside my "private" network. This scenario is very doable at home with a small combo gateway such as the D-Link DI-704. While it's a little riskier at work, in a small office you could do this with a similar product or else a dedicated Linux or Darwin PC with two network cards acting as your firewalled gateway. You'd add a standard ethernet switch on your side to get all of your hosts connected.
If you weren't presently committed to using DAVE, I think a more reasonable, albeit trickier to set up, alternative might be to add AppleTalk to your Windows machine instead. If you like this approach and you have a Linux machine or two in your office fleet, you'll be happy to know that Linux already supports shared AppleTalk drives. Windows NT supports AppleTalk to a limited extent. You're better off with NT Server, but who runs that at home? NT Workstation supports sharing printers via AppleTalk. I imagine that Windows 2000 Professional has a similar deal. For a peek at this kind of solution, check out MacWindows.com's tutorial.
Finally, though, the product you would be looking for is TSSTalk, also from Thursby. TSSTalk runs on your Windows machines, and adds client-side AppleTalk support to them so that they can share any resources served up by your Macs, including PostScript printers. I'd opt for this solution on several grounds. Most important to me, you don't leave your Mac in a compromised state. Secondly, you are adding client-side support here, which adds functionality without additional exposure. And, since you have to tweak your Windows security already, what's another network protocol between friends? TSSTalk has a demo download, which I hope I can test for you before I go to print. But even if I can't, you can test it yourself.
Thursby is just full of tricks. They also have a product called MacNFS, which provides the client-side functionality on your Mac needed to connect up to standard unix shared drives. I can't tell you about the security of this option, but it's worth pursuing if unix is what your office does. But I digress.
There is the question of running multiple firewalls, one for each "environment" you happen to be running on your Mac. Here, it's conceivable that you could be running native OS X, Classic-mode Mac OS, Windows 98 in a VirtualPC session, and DAVE networking, all simultaneously. That's three firewalls. Why doesn't one firewall cover all of your bases? It should, but it might not for a couple of reasons. First, the various modes operate at different levels in the computer, leaving open a possibility of skirting around your existing firewall. That's definitely arguable both ways, though. Beyond that, ZoneAlarm for Windows covers known Windows hazards in specific ways, so that you deal with them locally, shall we say. As for Classic, your Classic firewall probably is redundant under OS X, but you'll certainly need it if you boot back to native OS 9. It won't hurt to have it there in Classic mode either. Again, you're providing a local solution to a local issue.
Let's regroup. The way I see it, your options for implementing Windows networking on your Mac are two. Either you open up your security and share to your heart's content, or you close it down and email your files to yourself. Tough call. Honestly, your best option here is to ante up for a firewalled gateway such as the DI-704, and build yourself a private network. It's a good idea anyway, even if you don't do Windows shares. For an introduction to gateways, see my earlier article on the subject. We will also deal with the details of home gateways later in this series.
Network sharing involves exposing yourself to more risks than simple computing does. Organizations have the resources to support risk management on company servers. We at home run on a shoestring budget. One or two computers do everything. Secure home networking requires at least a software firewall, and a firewalled gateway is even better. While nothing is impregnable, this solution affords you the possibility of relaxing security a little on the inside of the firewall. For the modest cost of a home or SOHO gateway that includes a NAT firewall, it's the best bang for your buck. And it simplifies everything else.
Next time, we'll spend some time setting up a gateway. Ciao.