Become a Network Guru in 10 Easy Steps
Part 4—Dealing With Your Network’s Insecurities
Live Life to the Fullest, Not the Foolest
Bungee jumpers. Mountain climbers. Parachuters. Road lugers. Modern thrill seekers, they all share a taste for high-adrenaline activities. One place where few people want to live on the edge, however, is network security. For many, computers have become repositories of almost all their essential information, from financial to recreational. The thought of an unscrupulous snooper peeking in on that info gives one an adrenaline rush of the wrong kind. Networks, by their very nature, give visitors a certain amount of access to the information on one or more computers. This article addresses how to keep the boundaries between shared and unshared information secure and thus preserve your peace of mind.
Some Notes About Macintosh File Sharing
Just as your Mac comes with the built-in ability to share files, applications, and printers, it also comes with a number of safeguards that allow you to control exactly who has access to what. Make sure to use those safeguards to make your network nigh-impervious to unwanted access; at the very least, you’ll keep Grandma’s secret pecan pie recipe safe for another generation to enjoy.
The first safeguard lies in your Mac’s File Sharing control panel (Sharing Setup in system versions earlier than Mac OS 8). Here, you’ll find the two most important network controls: the Owner Name and Password and the File Sharing button. One important thing to note is that you don’t need to start File Sharing unless you want to share files from your Mac. You can access files on other Macs whether or not File Sharing is active on your own Mac. That’s safeguard numero uno, since a Mac without active File Sharing is a Mac no one can access.
If you plan to share files from your Mac, the owner name and password become particularly significant. By default, anyone logging in to your Mac with the owner name and password gains complete read-and-write access to your Mac, regardless of what files are actually shared. Therefore, it’s extremely important that you keep the name and password secure and hard to guess.
When it comes to creating shared folders for others to use, it’s important to make sure the settings in the Users & Groups control panel are correct. Frequently, people will share a large folder of items (or even an entire drive) and give the Guest account access to all of them. It takes extra setup time, but for safety’s sake I recommend creating a folder of specific items for a specific user (“Bob’s Files”) or group of users (“Marketing’s Files”). Use the Users & Groups control panel to create users and groups of users and set access privileges accordingly. You can also create different permissions for different users (for example, Bob in Accounting can only see the financial databases, but his manager, Melissa, can also see the payroll files). For added security, disable Guest access entirely and prohibit your users from changing their passwords remotely. That way, passwords can only be changed through you (the owner), so you can ensure they are hard to guess. All of these steps will build stronger network fences, theoretically making better network neighbors.
Special Note on Mac OS 9
With the release of Mac OS 9, Apple changed the foundation of AppleTalk, the basis of their file and print sharing, to TCP/IP, which is how the Internet handles information. With a switch to TCP/IP-based AppleTalk, some people are concerned that network security will suffer, since we hear stories about TCP/IP-based Internet sites getting broken into with some frequency. The good news is that a change to TCP/IP should mean no reduction in AppleTalk security. The primary reason Internet sites are at risk is not their TCP/IP basis, but vulnerabilities in the hosting platform (typically Windows or UNIX) or the server program itself.
Is Your Internet Connection Secure?
A common concern of Internet users (especially those who are simultaneously connected to a network) is not knowing whether or not the files on their Mac can be viewed by others on the Internet. The short story is that the average Internet-connected Mac is in no danger of accidentally making its files available to anonymous snoopers. When you send data over the Internet, it goes directly through the modem. When you send data to your network, it passes through the Ethernet or LocalTalk port. Since the modem port and network port are separate, you won’t end up passing network data out to the Internet or vice versa. One area where you can leave yourself open to danger is if you run a Web, telnet, or FTP server from the Internet-connected Mac. If you choose to run one of these servers from your Internet connection, keep it secure by disabling write and upload access by visitors.
High-speed Internet Connections and Security
“But what,” you ask, “about using a fast Internet connection? Doesn’t that also go through my Ethernet (i.e. network) port?” Good question. If you have a fast Internet connection using a DSL or cable modem, the information comes and goes through your Mac’s Ethernet port. Many people want to share their fast Internet connection, to avoid paying an extra connection charge for a second or third computer to get the same high-speed data. If you use a single Ethernet port for both internal network and external Internet access (requiring the addition of an Ethernet hub or switch), however, you make it possible for other people using the same high-speed service to see shared files from your network, since all the network traffic, both Internet and “internal,” travels through the same Ethernet port.
Some Words About Sharing Your Internet Connection
This article talks about shared Internet connections, but not in a step-one-you-do-this kind of way. This article addresses network security for those who already have a shared Internet connection. I’ll address the setup process for sharing an Internet connection in a future article. If you want to know more about it right now, you can find information on sharing your Internet connection on the “How to: Share cable/DSL/modem” page of my Web site.
Back to the Problem at Hand
Since a shared fast Internet connection uses the same hub as the rest of your computers, it receives the same network data (along with the Internet data). Even though other people may be able to see this data, this doesn’t necessarily mean they can do anything with it. If you take the aforementioned steps to keep your network secure (disabling Guest access, for example), the other high-speed users may be able to tell that you’re sharing something, but they won’t be able to access it.
If you plan to share your high-speed Internet connection, the best way to maintain complete security is to add a second Ethernet port to your Mac and use it as the primary “gateway” for the Internet connection, then run your internal network off the other Ethernet port. This way, the internal network data stay completely separate from the Internet data, which can only come and go through the direct connection. Even the Mac directly connected remains secure, because it only sends network data to the Ethernet port you designate.
So What’s all this I Hear about Network “Firewalls”?
When you deal with networks, especially those connected to the Internet, it’s common to hear people also talk about “firewalls” as a method of beefing up the network’s security. In basic terms, a firewall is like the border patrol. When data wants to enter your network, the firewall checks to make sure the data comes from an approved source before letting it in or out. Simply put, firewalls keep your network data in and outside data (except the stuff you want) out. These days, a “firewall” is usually a product feature, rather than the product itself. If you’re using a software or hardware router (a device or program that transfers data between different networks) to share an Internet connection, for example, the router will also act as a firewall to help keep the network data separate.
That’s a lot of Info to Swallow. Can You Summarize?
Yup, can do. Here are ten steps to making your network more secure.
- Only enable File Sharing if you are going to share files.
- Protect the Mac’s owner name and password.
- Create an account for everyone who will use your Mac’s shared files.
- Don’t let users change their account passwords.
- Disable Guest access to your shared files.
- Tailor your shared files to the individual user.
- Don’t use a Web, Telnet, or FTP server on your Internet-connected Mac.
- If you use one of these servers, disable upload access.
- If you share a high-speed Internet connection, do it through a second Ethernet port to keep internal and external network data separate.
- Make sure your router includes firewall protection.
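To see which of the services named in this checklist actually accept connections on one of your own machine's addresses, a short check like the following can help. It is an added example, not part of the original article; the port numbers are the standard assignments, and it assumes File Sharing over TCP/IP means AFP over TCP on port 548.

```python
import socket
import sys

# Standard TCP ports for the services the article names. Assumption: File
# Sharing over TCP/IP means AFP over TCP, which uses port 548.
SERVICES = {"File Sharing": 548, "FTP": 21, "Telnet": 23, "Web": 80}

# Advice paraphrased from the article's ten-step summary.
SERVER_ADVICE = "avoid on the Internet-connected Mac, or disable upload access"
ADVICE = {
    "File Sharing": "turn it off unless you share files; disable Guest access",
    "FTP": SERVER_ADVICE,
    "Telnet": SERVER_ADVICE,
    "Web": SERVER_ADVICE,
}


def is_listening(host, port, timeout=1.0):
    """Return True if host:port accepts a TCP connection."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, timed out, or unreachable
        return False


def audit(host, services=SERVICES, probe=is_listening):
    """Return {service name: reachable?} for one of your own addresses."""
    return {name: probe(host, port) for name, port in services.items()}


def findings(host, results):
    """List one line per reachable service, with the matching advice."""
    return [
        f"{host}: {name} is reachable ({ADVICE.get(name, 'review whether it is needed')})"
        for name, up in results.items() if up
    ]


if __name__ == "__main__":
    # Pass the addresses of your own machine, e.g. its internal and
    # Internet-facing interfaces; defaults to loopback.
    for addr in sys.argv[1:] or ["127.0.0.1"]:
        report = findings(addr, audit(addr))
        print("\n".join(report) or f"{addr}: none of the checked services is reachable")
```

On a gateway with two Ethernet ports, running it once per interface address shows whether File Sharing answers only on the internal side.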