One alternative is to add products to an AppleShare environment to help maintain security. For example, The AG Group's Nok Nok A/S ($175) adds extensive logging capabilities to any AppleShare server. Nok Nok A/S can also restrict the amount of time that idle, active, and guest users can be connected to the server. It extends the capabilities of AppleShare to identify guest users by their machine names, and it can notify you when someone logs on to AppleShare--if you are near the server and can hear the sound alert or see a dialog box.
Although Nok Nok A/S helps in environments where network managers are constantly monitoring a small number of AppleShare servers, it's far from a comprehensive network-security tool. For much more specific server protection, consider changing file-sharing systems to an AppleTalk Filing Protocol (AFP) system with stronger security, if you can afford the time and money involved.
<
To compare costs, call the vendors for price quotes based on the number of
servers and clients on your network. Then factor in the cost of adding any
required hardware platforms and any systems-integration services you might
need. If an alternative to AppleShare is already running on your corporate
network, adding Macintosh clients to it might be easier than starting from
scratch. Some non-Apple file systems, such as Pathworks, provide security
features like break-in detection, break-in avoidance, access logging, and
disk quotas. If you're serious enough about Macintosh network file-sharing
security to need these kinds of controls and are willing to pay the price,
replace AppleShare with one of these products.
Dial-in Security
The second major line of defense involves the nearly ubiquitous remote
users. Anyone with a phone, anywhere in the world, can connect to a network
with a modem on it. Consequently, dial-in access to corporate networks
calls for serious precautions, whether the modems are attached to mainframe
computers or ARA servers.
The first thing to do is make sure that all dial-in access is password
protected, and disable guest access to all file servers. That may sound
obvious, but organizations have lost millions of dollars by neglecting to
put passwords on maintenance ports for routers, switches, and other network
equipment--especially voice equipment. If you have any computer equipment
connected to the telephone network, there's a risk.
For maintenance ports that are seldom accessed or systems with only a few
users, you don't have to invest in an entire security system. IC
Engineering has a simple and inexpensive box called the Modem Security
Enforcer (MSE, $300, 410/363-8748). The MSE goes between a modem and
another piece of equipment, such as a terminal server or control port on a
phone system. Anyone who dials in to the modem gets connected, but users
must enter a password before they can actually get through to the device.
The MSE is good for small networks because it offers enough security to
deter all but the most determined attackers, and it's inexpensive for this
kind of product.
The Modem Security Enforcer also offers dialback (also called callback)
security. With dialback, a user dials in to a modem, gets connected, and
gives a user identification and a password. Then the security device hangs
up the connection and immediately calls the user back, generally at a
predetermined number. Dialback is popular, but it's really a poor choice
for dial-in security. For one thing, it only really works when a user
always dials in from the same location. Also, hackers have developed a
technique, called glaring, that fools some kinds of callback systems into
thinking they've made a callback when they really haven't.
One-Time Passwords
If you're looking for a new system, ignore dialback completely and use a
two-factor system with one-time passwords. In a two-factor authentication
system, users must provide two different things--for example, a PIN
(personal identification number) and a one-time password--to gain access.
One-time passwords are just that: good for one time, one user name. True
one-time passwords work only once; time-based passwords usually expire in
60 seconds or less.
With security based on a one-time password, typically you dial in and
identify yourself. When the system asks for a password, you give the
current one-time password. The password is generated by a calculator-like
device called a token, by software on the remote user's Mac, or by
specialized hardware attached between the remote user's modem and the phone
line. While software tokens are easier to use, they can be less secure
because they reduce the number of pieces needed to make a secure call. In
the first quarter of 1995, CryptoCard (708/459-6500) expects to ship a
hardware product, the MB-1 ($249), which will fit in the floppy drive of a
Macintosh like a disk, to calculate passwords, lock the Mac until a
password is entered, and encrypt data.
In some systems, the token or software calculates the password based on a
challenge that the authentication system issues. This type of system
doesn't just ask for the password; it provides a number (challenge) for the
user to enter into the token, which then computes the correct answer
(response).
I looked at four approaches to one-time passwords for remote access. Each
has benefits and drawbacks. One thing is certain, though: two-factor
security is expensive. For 50 to 100 users, expect to pay at least $100 per
user. If you want some of the more sophisticated combinations of hardware
and software, the price can quickly shoot up to ten times that.
<
TraqNet users can use an InfoCard, a token the size of a credit-card
calculator, or an InfoKey, a small box that installs between the user's
computer and modem. After calling a TraqNet-protected system, an InfoCard
user punches two sets of numbers into a touch-tone phone: a PIN and the
number the token displays. The InfoKey saves the user the trouble of
punching in the number--the InfoKey generates the one-time password and
sends it over the line as soon as the TraqNet system answers. TraqNet is
easy to install and configure, and the system works great for situations
where you want to cut off intruders before they even get a modem carrier
signal. Because TraqNet sits between the phone line and the modem, it is
protocol-, modem-, and application-independent.
<
This challenge-response authentication system uses a calculator-style
token, called a WatchWord. The GSS displays a number that the user punches
into the WatchWord (along with a PIN); the user replies with the number
displayed on the GSS. Users must punch in both the challenge and the
response, which can be annoying and works poorly with Apple Remote Access
because you can't easily integrate it into a normal ARA log-in sequence.
However, Racal Guardata does offer a Mac-resident software token to ease
the pain of pressing all those buttons.
The GSS also offers network-level encryption using special hardware at the
client end. Users are issued smart cards, which look like credit cards,
that have the users' DES encryption keys encoded.
Racal Guardata has built some nice hardware with good engineering. The GSS
chassis is solid and secure (it requires two different high-security
hardware keys to open it), and the WatchWord token is easy to work with.
The software is well designed for businesses with lots of users. For
example, the GSS manager can print PINs on special sealed forms (like the
ones credit card companies use) automatically for distribution to users.
Configuring GSS is easy, although it requires a PC-style keyboard and
monitor (since the system is based on an Intel motherboard).
<
Digital Pathways offers automatic authentication for ARA users, which
eliminates the need for a hardware token entirely. Inserting the Digital
Pathways Defender 5000 chassis ($5750 for four ports) between ARA servers
and programming it for a test user isn't for the faint of heart--it took me
several hours. Once I finished, I found using the server with ARA to be
incredibly simple--something every Mac user will appreciate.
If you like the Defender but want a more elegant token for your dial-in
users who aren't using ARA, CryptoCard provides a completely compatible
package called a CryptoCard (prices start at $100 per user).
<
The downside of this style of authentication is that the cards have to be
time synchronized. They have a limited battery life (usually two or three
years), and then you have to discard them, buy new ones, or reenter the
card information into the security database. This costs big bucks, both in
capital and personnel time.
While Security Dynamics offers hardware interceptors, it is also working
aggressively with other hardware vendors to link hardware products to
ACE/Server. Remote-access servers from companies such as Shiva Corporation,
3Com, Cayman Systems, and Apple can support SecurID client software.
To test its ARA capabilities, I added the Security Dynamics ACE/Server to
an existing network of Shiva LanRover/E ARA servers. The ARA users got a
floppy of additional software and a SecurID card. Dialing in was lengthened
by one step, as remote users now had to enter the number currently
displayed on their SecurID card. Once I got over the pain of installing a
key server on Unix, the Security Dynamics products combined with Shiva's
LanRover made a great team--and I didn't have to mess with hardware.
Four Top Security Books
For further reading, start with Protect Your Macintosh, by Bruce Schneier
($23.95; Peachpit Press, 510/548-4393). The best general guide to Macintosh
security, this book contains an excellent and up-to-date chapter on network
security.
Schneier is also the author of the best book on security protocols and
algorithms, Applied Cryptography: Protocols, Algorithms, and Source Code in
C ($44.95; John Wiley & Sons, 908/469-4400).
Another excellent discussion of network security, mostly from a theoretical
point of view, is in Computer Communications Security, by Warwick Ford
($58; Prentice Hall, 515/284-6751).
If charged with the task of writing a network-security policy for your
company, consider investing in Information Security Policies Made Easy, by
Charles Cresson Wood (Baseline Software, 415/332-7763). At $495, it's not a
casual buy, but its 600 sample policies will give you a big head-start,
especially since the company also sends the manual on disk (which is handy
if you want to cut and paste the policies).
The Last Word
Vendors want to sell you lots of expensive dedicated security hardware, but
I advise holding off unless you need to deploy a large number of ARA users
right now. If you want something that intercepts callers before they hit a
modem bank, TraqNet is a great idea. However, all the other interceptors
are doing in hardware what server vendors should do in software. Over time,
the need for hardware authentication interceptors will go away as server
vendors work with security-software vendors to integrate security directly
into servers (as companies like Shiva, 3Com, Cayman, and Apple have
done).
Before running out and buying piles of hardware, make sure you take basic
steps with the software you already own. Use the built-in security features
of AOCE to reduce the number of passwords you have to type each day. Tools
like Network Security Guard will help you identify network problems that
you can solve without spending a dime.
Concentrate on dial-in users, where networks are the most vulnerable. If
your server vendor doesn't already support a token-based access system such
as Security Dynamics' or Digital Pathways', turn on the heat to make them
see the error of their ways. Avoid the headaches of a Unix-based key server
if you can--even if it means waiting for the market to catch up.
Most important, teach people about the need for security and what your
organization considers to be valuable enough to protect. By creating an
awareness of the potential problems, you'll have the entire organization
working with you to keep the network secure.
Software to Protect Your Mac at the Desktop
Kent Marsh has split up its products--FolderBolt Pro, NightWatch II,
CryptoMactic--into easy-to-understand chunks, each of which has an
easy-to-use interface.
FolderBolt Pro ($129) locks folders on a single-user Mac's hard disk so
that a single password is required for access. With FolderBolt Pro,
password-protected folders can be set for write only (commonly called drop
folders) and read only (for protection against modification), as well as
for no access at all.
Once activated, NightWatch II ($159) requires a password for any further
access to the Mac. NightWatch can be kicked on by different events, such as
a shutdown or a PowerBook sleep.
CryptoMactic ($99) encrypts data files using ANSI's (American National
Standards Institute) DES (data encryption standard) algorithm. When you
double-click on a protected file, CryptoMactic asks for a password to
decrypt the file.
Magna and usrEZ have taken a kitchen-sink approach to the question of
Macintosh security, throwing all of the features that Kent Marsh offers in
its three products--and more--into their Empower Remote ($396) and
ultraSecure ($239) products, respectively. Of these two vendors, usrEZ is
the king of feature creep. usrEZ software reportedly offers 105
features--some of which are useful--making the package only slightly less
confusing than Microsoft Word's tool bar. I liked the feature set but found
the user interface confusing and nonintuitive. If you need only one or two
of the functions, a simpler package from Kent Marsh is a better choice.
All three vendors offer a "fast encryption," which takes less time than DES
yet provides a good measure of protection against prying eyes. This is a
good feature; it shows a good balance between paranoia and wasted time.
Kent Marsh and usrEZ bend over backwards to offer double-DES and triple-DES
protection (encrypting the same data with two or three passes and two or
three keys), even though this is probably overkill for most users.
A warning: All folder- and application-locking systems that do not use
encryption will protect data only against amateur attacks. If you have
valuable corporate data on a Mac that gets stolen, and the hard drive is
merely "locked" with one of these packages, you have no protection
whatsoever against a determined thief. Unlocking a locked disk is no
challenge to someone who really wants the data on it. Encryption, on the
other hand, gives you real security against stolen hardware.
If you need to control Mac security over a network, check out Empower
Remote or FolderBolt Pro, which offer remote management. usrEZ expects to
ship ultraSecure with ultraCommand ($374), which it says will include
remote management, by mid-December.
_______________________________________________________
Joel Snyder ([email protected]) is a senior partner at Opus One, a consulting
firm in Tucson, Arizona, specializing in networks. His book Macworld
Networking Bible, Second Edition (IDG Books Worldwide, 1994), coauthored
with Dave Kosiur, includes a section on securing AppleTalk networks.
Related File(s):
February 1995, page: 122-127
_______________________________________________________
Sidebar
No matter how secure the network itself is, if anyone can walk up to a
Macintosh or steal a PowerBook and see all the valuable corporate data
inside, you've got a potential problem. I looked at software from three
vendors--Kent Marsh Software, Magna, and usrEZ Software--who offer a
plethora of similar security features designed to protect Mac systems from
an unfriendly world.
Two-Factor Authentication Features Compared
File size: 4 K
Network Authentication Example
File size: 6 K
Desktop Security Software Compared
File size: 5 K
Copyright © 1995 Macworld Communications, Inc.
