Network Security

Apart from the risks associated with electronic transactions on the Web and spam produced by unscrupulous users of e-mail, the Internet poses a serious threat to the safety and integrity of the data on your own computer. By being connected to a network such as the Internet, either directly or via a local network, you expose every service your machine is listening on to crackers (often, though inaccurately, called hackers).

Generally speaking, there’s less risk when using a dial-up connection via a standard modem: the connection is usually too brief for your machine to be found by a scan, and a different numerical IP address is normally assigned each time you connect, so an attacker can’t easily come back to the same machine later. This reduces your exposure but doesn’t remove it; for as long as you’re connected, any service listening on your machine is reachable.

Things get a bit trickier when using a wireless link, such as Wi-Fi, the technology employed in Apple’s AirPort hardware. First of all, networks in public places, such as Surf and Sip, T-Mobile and Wayport, don’t normally use link encryption, even though Wi-Fi supports it, so anything you send can be read by anyone within radio range. Secondly, even when encryption is available, user names and passwords are often still sent as plain text by the applications that use them (e-mail and FTP being the usual culprits), so the link is only as secure as the weakest protocol running over it. A short connection time limits how much an eavesdropper sees, but it doesn’t prevent interception: a sniffer that is already running captures your traffic the moment you send it.

However, a permanent connection, either via a local network, broadband ADSL or ISDN, is far more dangerous, since your machine is reachable at the same address for long periods, and requires you to take steps to protect yourself. The following methods are available:-

Network Address Translation (NAT)

In a local network, each computer is identified by a specific numerical IP address. Network address translation rewrites the addresses in traffic passing through a gateway, so that a recipient on the Internet sees only the gateway’s public address and can’t directly address, let alone damage, the individual machine that sent the data. This technique is ideal for any organisation that uses servers within its own network but doesn’t offer them on the Internet itself. Any data originating from the local network is intercepted and given the gateway’s public address and a port number chosen by the gateway, making it appear to come from the gateway; the gateway records this mapping so that replies can be passed back to the right machine. Incoming connections, on the other hand, only reach a machine on the local network if the gateway has been explicitly configured to forward a port to it; everything else is dropped because there’s no mapping for it. Note that NAT isn’t a real firewall: it does nothing to protect you from other machines on the local network, and any port you forward is as exposed as it would be without NAT.

NAT often operates in conjunction with Dynamic Host Configuration Protocol (DHCP), which hands out the private addresses on the local network, and is usually provided by a hardware gateway such as a broadband router or an AirPort Base Station.

Firewalls

A firewall goes further than NAT, in that it blocks any unnecessary port, each of which is used for a particular kind of data, and can restrict access to specific IP addresses. Computers on a network use agreed port numbers for each network protocol. For example, mail servers normally accept messages on port 25, so a mail application sending a message connects to port 25 on the server, while it usually collects incoming mail from a different port (110 for POP3 or 143 for IMAP). A firewall on a machine that isn’t a mail server therefore has no reason to accept incoming connections on port 25.

The following table lists some of the port numbers:-

Port   Server            Notes
20     ftp-data          File Transfer Protocol data connection, initiated by the server (active mode)
21     ftp               File Transfer Protocol control connection, initiated by the client
22     ssh, pcAnywhere   Secure Shell (scp/sftp over SSH can replace an FTP server)
25     SMTP              Simple Mail Transfer Protocol (sending e-mail)
42     nameserver, WINS  Windows Internet Name Service
53     DNS               Domain Name System
70     gopher            -
79     finger            -
80     http              Hypertext Transfer Protocol (Web)
143    IMAP              Internet Message Access Protocol (collecting e-mail)
161    SNMP              Simple Network Management Protocol
220    IMAP 3            Internet Message Access Protocol version 3 (e-mail)
389    LDAP              Lightweight Directory Access Protocol (directory look-ups, e.g. e-mail addresses)
445    smb               Server Message Block over TCP (Windows file sharing, Samba)
548    afp               Apple Filing Protocol (Apple File Sharing)
626    Apple ASIA        -
631    IPP               Internet Printing Protocol (CUPS)
2628   dict              Dictionary Server Protocol
3031   Apple AgentVU     Apple Program Linking (Remote Apple Events in Mac OS X)
3306   mysql             MySQL database server
8770   -                 iPhoto Sharing

Most firewalls, which may be software or hardware, block all incoming ports by default, requiring you to enable only those that are actually needed. This is the safe way round: a mistake in setting up the firewall then leaves a port closed, which merely stops a service working, rather than open, which exposes it to the whole Internet.

Mac OS X 10.2 has its own firewall, based on ipfw and switched on from the Sharing pane of System Preferences, although alternative software can also be used. However, a hardware firewall is often preferable, since it protects every machine on the local network at once and usually provides NAT and DHCP as well.
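To make the default-deny point concrete, here is an added example in Python (not code from the original article, and not Apple’s firewall): a toy first-match packet filter with the same shape as an ipfw ruleset, run over a few constructed connection attempts. The rule numbers, the host names and the mistyped port are assumptions made up for the demonstration, and the ipfw rendering follows the classic `add <n> <action> tcp from any to any <port> in` form; check the exact syntax against the man page of the ipfw version you have.

```python
from dataclasses import dataclass
from typing import List, Optional, Set


@dataclass
class Rule:
    action: str                  # "allow" or "deny"
    direction: str               # "in", "out" or "any"
    dport: Optional[int] = None  # destination TCP port; None matches any port
    established: bool = False    # match only traffic on a flow this host opened


@dataclass
class Packet:
    direction: str   # "in" (arriving from the network) or "out"
    remote: str      # the other end; host names used here are constructed
    dport: int       # destination port
    syn: bool        # True = a new connection attempt


class Firewall:
    """First-match evaluation; anything no rule matches gets the default."""

    def __init__(self, rules: List[Rule], default: str):
        self.rules = rules
        self.default = default
        self.open_flows: Set[str] = set()   # remote hosts we connected to

    def _established(self, pkt: Packet) -> bool:
        return not pkt.syn and pkt.remote in self.open_flows

    def check(self, pkt: Packet) -> str:
        verdict = self.default
        for r in self.rules:
            if r.direction not in ("any", pkt.direction):
                continue
            if r.dport is not None and r.dport != pkt.dport:
                continue
            if r.established and not self._established(pkt):
                continue
            verdict = r.action
            break
        if verdict == "allow" and pkt.direction == "out" and pkt.syn:
            self.open_flows.add(pkt.remote)   # remember so replies can pass
        return verdict


def to_ipfw(rules: List[Rule], default: str) -> List[str]:
    """Render the same policy as ipfw commands (rule numbers assigned here)."""
    lines = []
    for n, r in enumerate(rules, start=1):
        parts = [f"add {n * 100} {r.action} tcp from any to any"]
        if r.dport is not None:
            parts.append(str(r.dport))
        if r.direction != "any":
            parts.append(r.direction)
        if r.established:
            parts.append("established")
        lines.append(" ".join(parts))
    lines.append(f"add 65000 {default} ip from any to any")
    return lines


# Intended policy: let connections out, let their replies back in, and accept
# SSH (22) and Apple File Sharing (548) from outside.  The last rule has a
# deliberate typo, 584 instead of 548, to show what a mistake does.
RULES = [
    Rule("allow", "out"),
    Rule("allow", "in", established=True),
    Rule("allow", "in", dport=22),
    Rule("allow", "in", dport=584),   # typo: should have been 548
]


def run_scenarios(default: str) -> dict:
    """Constructed traffic: the same five packets against a given default."""
    fw = Firewall(RULES, default)
    return {
        "ssh_in": fw.check(Packet("in", "laptop", 22, syn=True)),
        "afp_in": fw.check(Packet("in", "laptop", 548, syn=True)),
        "smb_in": fw.check(Packet("in", "scanner", 445, syn=True)),
        "http_out": fw.check(Packet("out", "webserver", 80, syn=True)),
        "http_reply": fw.check(Packet("in", "webserver", 49152, syn=False)),
    }


if __name__ == "__main__":
    print("\n".join(to_ipfw(RULES, "deny")))
    for default in ("deny", "allow"):
        print(default, run_scenarios(default))
```

With the default set to deny, the typo simply means File Sharing doesn’t work from outside (the 548 attempt is dropped) and the unsolicited SMB probe on 445 is dropped too, while outgoing Web traffic and its replies still pass. With the default set to allow, the typo goes unnoticed because everything not listed is open, including port 445.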

In-Transit Encryption

Unlike the other methods, which control who can reach your machine, encryption transforms the data itself so that anyone who intercepts it can’t read it. The three most common systems are:-

Secure Sockets Layer (SSL)

This technology is frequently encountered on the Web (https addresses), although it can also be used for non-Web data, such as e-mail, where it’s usually referred to as SSL/TLS; TLS (Transport Layer Security) is the standardised successor to SSL. The server presents a certificate containing its public key, which lets the client check it is talking to the right server; the two parties then use public key cryptography to agree on a ‘use once’ private encryption key or session key, which is employed for encrypting the rest of the transaction. If your browser or mail software warns that a certificate can’t be verified, the encryption is still there but you have no assurance of who is at the other end.

Secure Shell (SSH)

This provides an encrypted remote login, together with file transfer (scp and sftp) that can take the place of FTP, and it can also tunnel other services: a port on your machine is forwarded over the encrypted connection to a port on the server, so a program such as a mail client that talks to the local port is protected whether or not it supports encryption itself. If you run an SSH server behind a firewall you will have to enable port 22 for incoming connections, and you should check the server’s host key the first time you connect, since that is what protects you against a substituted server. As a bonus, SSH is built into Mac OS X (Remote Login in the Sharing preferences).

Virtual Private Network (VPN)

Providing the most complete protection, in which everything between the two ends is encrypted via a tunnel, this option can be expensive. The most common VPN protocol is IPsec, which has some support in Mac OS X 10.2, although Microsoft’s Point-to-Point Tunnelling Protocol (PPTP) is also accommodated. Note that the authentication PPTP normally relies on (MS-CHAP) is known to be weak, so IPsec is the better choice where both ends support it.

Wireless Security

Unlike wired networks, where access is restricted by the physical nature of cables, any radio-based system is intrinsically insecure. In fact, anyone within range can ‘listen-in’ to a normal Wi-Fi communication. For this reason you must use encryption or other mechanisms to protect your data.

Base Station Encryption

Older models of Apple’s Base Station and systems prior to Mac OS X 10.3 are limited to Wired Equivalent Privacy (WEP) encryption. Although WEP requires a password, it isn’t very secure. The 40-bit system is particularly poor, but the weakness lies in the way WEP uses the RC4 cipher rather than in the key length, so even the 128-bit variation supported by AirPort 2.0 software can be ‘cracked’ by a specialised program in minutes once enough traffic has been captured. (The ‘64-bit’ and ‘40-bit’ systems are the same thing: a 40-bit key plus a 24-bit initialisation vector, just as ‘128-bit’ means a 104-bit key plus the same 24 bits.)

The AirPort 2.0 software also provides extra security via Remote Authentication Dial-In User Service (RADIUS) and Cisco’s Lightweight Extensible Authentication Protocol (LEAP), although LEAP itself is vulnerable to off-line dictionary attacks on weak passwords. However, the real problem with WEP is only solved by the 802.11i standard. In the meantime, if you have Mac OS X 10.3 or higher and a suitable Base Station, you can use Wi-Fi Protected Access (WPA), developed by the Wi-Fi Alliance from a draft of 802.11i and supported by AirPort 3.2 software. Unfortunately, if any machine on a network continues to use WEP, the whole network, despite WPA, becomes less secure, since the Base Station must then still accept WEP traffic.

Keys and Passphrases

Apple’s standard AirPort software converts your password into a WEP encryption key, which is written in hexadecimal. The key itself is 40 or 104 bits long (sold as ‘40-bit’ and ‘128-bit’), employing 10 or 26 hex digits respectively, although older Base Stations only support the 40-bit system. This key, also known as a hex key and frequently preceded by a $ (dollar) sign to indicate the use of hex code, can be found in the Classic Mac OS by running Apple’s AirPort Admin Utility and choosing Base Station ➡ Equivalent Network Password. The code can then be typed into a non-Apple device or application, which is necessary because Apple’s password-to-key conversion isn’t the one other vendors use.

Recent versions of Mac OS X also let you enter a WEP passphrase, which is converted into an encryption key by the generic algorithm used by other vendors’ equipment. This is less secure than an Apple password, because the common 40-bit passphrase generator produces keys from a far smaller set than 40 bits would suggest, and it doesn’t work with some Wi-Fi devices.
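The following Python is an added example, not code from the original article or from Apple. It implements the widely used ‘generic’ 40-bit WEP passphrase-to-key generator (the one analysed by Tim Newsham in 2001), formats the result as a hex key of the kind described above, and shows why the keys it produces are so weak, which is also the point behind the ‘cracked in minutes’ remark in the Base Station Encryption section. That the Mac OS X passphrase option uses this exact generator is an assumption here; the conclusion applies to any equipment that does. The passphrases are constructed for the demonstration.

```python
LCG_MULT = 0x343FD
LCG_INC = 0x269EC3


def keys_from_seed(seed: int, count: int = 4):
    """Generate `count` 5-byte (40-bit) WEP keys from a 32-bit seed."""
    keys = []
    for _ in range(count):
        key = bytearray()
        for _ in range(5):
            seed = (seed * LCG_MULT + LCG_INC) & 0xFFFFFFFF   # 32-bit LCG step
            key.append((seed >> 16) & 0xFF)                 # keep bits 16-23
        keys.append(bytes(key))
    return keys


def passphrase_seed(passphrase: str) -> int:
    """Fold an ASCII passphrase into a 32-bit seed: byte i goes into slot i % 4."""
    acc = [0, 0, 0, 0]
    for i, ch in enumerate(passphrase.encode("ascii")):
        acc[i % 4] ^= ch
    return acc[0] | (acc[1] << 8) | (acc[2] << 16) | (acc[3] << 24)


def wep40_keys(passphrase: str):
    """The four 40-bit keys a device derives from the passphrase."""
    return keys_from_seed(passphrase_seed(passphrase))


def hex_key(key: bytes) -> str:
    """Format a key the way the AirPort utilities show it, with a $ prefix."""
    return "$" + key.hex().upper()


# Why the key space is small: multiplication and addition mod 2**32 never
# carry downwards, so bits 16-23 of the output depend only on seed bits 0-23.
# The seed byte built from every 4th passphrase character is therefore
# ignored outright.  Of the remaining 24 bits, bits 7, 15 and 23 are always
# zero for 7-bit ASCII input.  That leaves 2**21 distinct key sets.
EFFECTIVE_BITS = 21


def candidate_seed(idx: int) -> int:
    """Expand a 21-bit index into a 24-bit seed with bits 7, 15 and 23 clear."""
    return (idx & 0x7F) | (((idx >> 7) & 0x7F) << 8) | (((idx >> 14) & 0x7F) << 16)


def recover_seed(first_key: bytes):
    """Search all 2**21 reachable seeds for one that produces `first_key`.

    A real attack tests each candidate key against a captured packet rather
    than a known key, but the amount of work is the same.
    """
    for idx in range(1 << EFFECTIVE_BITS):
        seed = s = candidate_seed(idx)
        for byte in first_key:
            s = (s * LCG_MULT + LCG_INC) & 0xFFFFFFFF
            if ((s >> 16) & 0xFF) != byte:
                break       # mismatch: next candidate
        else:
            return seed     # all five bytes matched
    return None


if __name__ == "__main__":
    for p in ("abc", "abcd"):   # differ only in a character the generator drops
        print(p, [hex_key(k) for k in wep40_keys(p)])
    target = wep40_keys("Ab")[0]
    print("recovered seed", hex(recover_seed(target)))
```

Two things are worth noticing. The passphrases ‘abc’ and ‘abcd’ yield identical keys, because the fourth character only reaches seed bits that never influence the output; and recover_seed walks the whole reachable space, about two million candidates, in seconds on any machine, which is why a passphrase-derived 40-bit WEP key offers much less than 40 bits of protection.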

Reference

MacWorld magazine (UK), IDG Communications, 2002-3

©Ray White 2004.