We’ve built enough pieces for our ISP-In-A-Box now to start thinking about network security because we’re just about ready to put our web site on the Internet for all the world to see. We still don’t have a web site, but we’ll get to that. If you want to see the data-driven web site we’re going to build, click here. You’ll be able to add all of your own personalized content in under an hour. Unlike Nerd Vittles, the sample data-driven web site is actually running in our basement using a garden-variety Comcast cable connection to the Internet. Tomorrow, we’ll talk about what you need to do to connect your ISP-In-A-Box to a domain name, and we’ll provide a couple different ways this can be approached. That pushes back our backup solution and actually building our data-driven web site until next week, but we’re getting there.

In the meantime, we need to get our security ducks in a row to make sure that, when we do put up our web site, it remains our web site and not some cracker’s. It has been reported that the average survival time for a new machine placed on the Internet is about 16 minutes before it is compromised. Pity the poor Microsoft Windows XP souls that have a half day of security patches to download (with a broadband connection no less) before they are anywhere near secure … and those are just the security flaws that Microsoft knows about! The Mac World is a little different since Mac OS X was built on top of a secure operating system (as opposed to DOS). Even when there is a reported problem in the Mac world (like yesterday), it typically requires a creep to be sitting in front of your computer or somewhere on your local network to do much damage.

Security Options. To avoid compromising your new Mac, you have two choices to secure your machine before connecting it to the Internet: (1) turn on the Mac firewall or (2) install and configure a hardware-based firewall between your Mac and the Internet connection. DO BOTH! If you haven’t implemented either of these safeguards and you already have connected your Mac to the Internet, the safest course probably is to reinstall Mac OS X on a reformatted drive. Promising to do better and be safe henceforth without starting fresh is about as effective as a vow of celibacy after a summer of one night stands. Having said that and given Mac OS X’s almost flawless security record, I’m not sure I’d go to the trouble unless you’re seeing weird behavior on your machine. A third option to enhance the security of your Mac and your web site is to block all ports with your firewalls and turn your web site over to a hosting provider with experts on staff who do this for a living. Web hosting services are incredibly cheap these days with multiple site hosting plans available for well under $10 a month. With this scenario, you’d use your Mac mini as a staging server to build and test web applications before uploading them to your provider. Read our article on the subject if you want to learn more.

Mac OS X Firewall. Turning on the Mac firewall couldn’t be easier. Click on the Apple icon in the upper-left corner of your screen, and choose System Preferences. Click on the Sharing folder and then the Firewall tab. Click on the Start button to set your Firewall On. The check mark beside Personal Web Sharing should already be checked if you have activated Personal Web Sharing (your Apache Web Server) in the Services tab. If it’s not checked, activate Personal Web Sharing in the Services tab and then repeat the drill. What we have just done is invite bad people around the globe to attack your server on ports 80 and 427 using any Internet connection they can get their hands on. Think about it! And, make no mistake, bad people will attack your server … daily! But we have to leave port 80 open for HTTP traffic (to view your web site) and port 427 is used by Mac OS X to communicate with file and printer shares on IP networks. Does activating the Mac firewall with port 80 open mean your web site is secure? No. It just means that would-be crackers must use the HTTP protocol to attack your site instead of walking in through a more vulnerable back door port and seizing control of your entire machine. Once again now, does this firewall configuration protect you against attacks from really bad people? Repeat after me, "Absolutely not!" If you want to read a really horrifying account of how the Internet world works written by one of the leading technology experts in our country, read Steve Gibson’s gem, DrDOS. What else can be done? Keep reading!

Hardware-based Firewalls. So-called hardware-based firewalls are now a dime a dozen, almost literally. YOU WOULD BE CRAZY TO SURF THE WEB (MUCH LESS HAVE A PUBLIC WEB SERVER) WITHOUT FIRST DEPLOYING A HARDWARE-BASED FIREWALL. Pardon me for shouting. These devices used to be several thousand dollars or even more. Now you can get a very good one with a 10/100 megabit router and an 802.11g wireless router included for less than $30. D-Link, Linksys, and Netgear have about 100 models collectively, and any of them will be better than nothing. One could write a book on choosing the best one and, before the book could be published, there would be a half dozen new models that were better than anything mentioned in the book. Without picking a favorite, let me suggest some features to look for:

  • Dynamic DNS support – if you want automatic updating of the IP address linked to your domain name
  • Stateful packet inspection (SPI) – no firewall should be without it; used to thwart denial-of-service attacks among others
  • IPsec and PPTP pass-through – if you need VPN remote access to another network
  • NAT plus WPA – for wireless security
  • Web filtering – if you have young kids surfing the net
  • WDS bridging and repeating – if you need to extend the range of your wireless network
If none of these buzzwords mean anything to you, here are some reference materials to get you up to speed. Tom’s Networking is a good place to begin your search and product comparison. Another article worth reading is Frank Derfler’s Networking Buyer’s Guide on the PC Magazine web site. While the focus is networking in the workplace, you’ll still pick up a lot of useful information. And, for home networks, don’t miss PC World which has perhaps the most comprehensive comparison of products with some excellent buying recommendations. Even though the article is a little over a year old, most of the equipment is either still available or has been enhanced. In fact, two of their three top-rated products are products we use in our own home networks. PC World’s top-rated wireless router/firewall is now under $30 at Amazon. The retail price of the product when it was reviewed was $110.

Choosing a firewall/router is only half the battle, of course. And it’s the least important half. Properly configuring the firewall/router is what keeps your network and your server secure. Fortunately, most of the top-rated firewalls come with default settings that provide top notch protection. While there are fairly complete networking guides accompanying most of these products, I would add a few additional recommendations for a home network.

  1. Before you do any configuring of the device, load the very latest (stable) updates from the manufacturer’s web site. This is a five-minute task with most of these devices.
  2. Don’t configure the router using a wireless network connection. It will only cause you problems. Plug a network cable in to do router configurations.
  3. If you choose a wireless model, skip all of the wireless security options except the one which lets you specify the actual MAC addresses of every device which is authorized to use your home network. This option is reliable and provides good wireless network security (see Comments). Every network card has a unique MAC address. No match, no access! You can’t beat that for wireless security. You’re not running a Starbucks with strangers using your network all the time. So hard-code the MAC addresses into your wireless router, and you’ll never have to worry about wireless network security.
  4. Open only essential ports for access to your home network from the Internet. If the only thing you plan to do is run a web server, open nothing but port 80. Once you think you’ve got your firewalls configured properly, run Steve Gibson’s free ShieldsUp! port test from inside your LAN to make sure you are secure.
  5. Most of these devices come preconfigured to hand out dynamic IP addresses using a DHCP server built into the router. While this is fine for most home networks, it can cause problems if you’re running a web server. The reason is that you must tell the router the IP address to which it should route incoming port 80 (HTTP) traffic, and you want that address to be your web server. Don’t turn off DHCP as the solution to this problem. Instead, let your computer establish a connection to the router and obtain a dynamic IP address. Once it has done this, go back into the router setup with a web browser and enter the MAC address of your Mac mini and its dynamically assigned IP address in the Reserved IP table (usually found under the LAN or Wireless menus with most routers). This tells the router’s DHCP server to always assign this IP address to this machine.
  6. Now that your server is going to be on the Internet, we also need to delete the phpinfo() file we built last week to verify that PHP was working. This application displays all sorts of information about your computer including your MySQL password. We don’t have a password to worry about in our configuration, but in the future you might, and then you’d run the risk of exposing it for all the world to see. Using Finder, click on your local hard disk and move to the /Library/WebServer/Documents folder. Then Ctrl-Click on the test4u.php file and move the file to the trash or at least out of your web site directory.
  7. Once you complete step 5, it is safe to poke a hole in your firewall (no, not literally!) and map the HTTP service or Port 80 to the internal IP address of your web server (usually done under the Services or Rules menus on most routers). You’ll want to specify that all port 80 traffic be allowed through the firewall all of the time.

These tips should get you started. Check back here in a day or two to see if we’ve added anything else. Also take a look at the comments just in case I’ve overlooked something. As you are now beginning to appreciate, this is getting pretty close to Rocket Science, and the more input you get on security, the safer your system will be.
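
A self-audit for steps 4 and 6, added here as an example and not part of the original article: it flags TCP ports listening on the server outside the 80/427 allow-list and finds leftover phpinfo() pages in the web root. The function names and the netstat sample are constructed for illustration, and the parser assumes `netstat -an` output in the macOS or Linux layout.

```shell
#!/bin/sh
# Added example (not from the original article): self-audit for steps 4 and 6.

# Print, sorted on one line, the TCP ports that `netstat -an` text on stdin
# shows listening on a non-loopback address and that are missing from the
# space-separated allow-list in "$1".
unexpected_listeners() {
    awk -v allowed="$1" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $1 ~ /^tcp/ && $NF == "LISTEN" {
            # macOS prints the local address as addr.port, Linux as addr:port.
            k = match($4, /[.:][0-9]+$/)
            if (!k) next
            host = substr($4, 1, k - 1); port = substr($4, k + 1)
            if (host == "127.0.0.1" || host == "::1") next   # loopback only
            if (!(port in ok) && !(port in seen)) { seen[port] = 1; print port }
        }' | sort -n | paste -sd' ' -
}

# List .php files under the web root "$1" that call phpinfo(), such as the
# test4u.php page from step 6.
find_phpinfo_pages() {
    find "$1" -type f -name '*.php' -exec grep -l 'phpinfo[[:space:]]*(' {} + | sort
}

# Constructed sample in macOS `netstat -an` format (not captured from a real host).
SAMPLE_NETSTAT='Active Internet connections (including servers)
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp4       0      0  *.80                   *.*                    LISTEN
tcp4       0      0  *.427                  *.*                    LISTEN
tcp4       0      0  *.548                  *.*                    LISTEN
tcp4       0      0  127.0.0.1.3306         *.*                    LISTEN
tcp6       0      0  *.22                   *.*                    LISTEN
tcp4       0      0  *.22                   *.*                    LISTEN
tcp4       0      0  192.168.0.5.80         203.0.113.9.51514      ESTABLISHED
udp4       0      0  *.427                  *.*'

ALLOWED="80 427"                                   # ports the article leaves open
DOCROOT="${DOCROOT:-/Library/WebServer/Documents}" # web root named in step 6

echo "Unexpected listeners in sample: $(printf '%s\n' "$SAMPLE_NETSTAT" | unexpected_listeners "$ALLOWED")"
if [ -d "$DOCROOT" ]; then
    echo "phpinfo() pages under $DOCROOT:"
    find_phpinfo_pages "$DOCROOT"
fi
```

On the server itself, pipe live output through the same check with `netstat -an | unexpected_listeners "80 427"`; anything it prints is a service to turn off in the Sharing preferences or to keep behind the firewall.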

    This article has 3 comments

    1. The comment about the router wireless security is really weak!!! MAC addresses can be spoofed easily, and having no encryption scheme on top of it means that once the list of MAC addresses has been set up, that’s a free access to the connection! Real wireless security means MAC tie-down, WPA, and preferably a VPN between wireless clients & the router…

      That was just a quick comment though, the rest is awesome!!!

      As soon as my Mac Mini comes in, I think I have a new project 🙂 Thanks

      [WM: You’re certainly correct on all counts. Your wireless system is much safer with multiple layers of security. While MAC addresses are easily spoofed, the fact remains that the spoofer still needs to know an authorized MAC address to gain access to your network. After all, your router isn’t broadcasting a list of the acceptable numbers. And guessing 12 hex digits will take a good long while sitting in your driveway. Come to think of it, if the cracker really is good at picking numbers, he’d be better served playing Powerball or MegaMillions … fewer numbers, better results.]

    2. Although it’s a bit hard to set up, I can recommend IPNetRouterX and the related products from Sustainable Softworks (http://www.sustworks.com). And their tech support is super!

      IPNetRouterX provides a much more comprehensive/powerful firewall/router solution, done all in software on the Mac. It’s -very efficient- (you can get the OS 9 versions and put it on that old 8600 you have sitting in your closet…)

      It would be A Good Thing for someone here to look at this and post an informed review (I’m a satisfied customer, but I’m not qualified to really evaluate firewall products.)

      dave

    3. MAC Address Filtering is NOT secure. Please have a read of/listen to http://www.grc.com/sn/SN-011.htm (Steve Gibson’s Security Now Episode 11).

      Just wanted to emphasise that MAC address security is not secure. You say "the spoofer still needs to know an authorized MAC address," which is true. The problem is that it is trivial to find that information from what any computer on your wireless network is already sending over the air. Any "bad person" who wants on your network will not even be inconvenienced by MAC address filtering.

      If you want to do anything more than stop your neighbours from accidentally connecting to your router you must use WPA.