ISP-In-A-Box: The $500 Mac mini (Chapter VII, Network Security)

We’ve built enough pieces for our ISP-In-A-Box now to start thinking about network security because we’re just about ready to put our web site on the Internet for all the world to see. We still don’t have a web site, but we’ll get to that. If you want to see the data-driven web site we’re going to build, click here. You’ll be able to add all of your own personalized content in under an hour. Unlike Nerd Vittles, the sample data-driven web site is actually running in our basement using a garden-variety Comcast cable connection to the Internet. Tomorrow, we’ll talk about what you need to do to connect your ISP-In-A-Box to a domain name, and we’ll provide a couple different ways this can be approached. That pushes back our backup solution and actually building our data-driven web site until next week, but we’re getting there.

In the meantime, we need to get our security ducks in a row to make sure that, when we do put up our web site, it remains our web site and not some cracker’s. It has been reported that the average survival time for a new machine placed on the Internet is about 16 minutes before it is compromised. Pity the poor Microsoft Windows XP souls that have a half day of security patches to download (with a broadband connection no less) before they are anywhere near secure … and those are just the security flaws that Microsoft knows about! The Mac World is a little different since Mac OS X was built on top of a secure operating system (as opposed to DOS). Even when there is a reported problem in the Mac world (like yesterday), it typically requires a creep to be sitting in front of your computer or somewhere on your local network to do much damage.

Security Options. To avoid compromising your new Mac, you have two choices to secure your machine before connecting it to the Internet: (1) turn on the Mac firewall or (2) install and configure a hardware-based firewall between your Mac and the Internet connection. DO BOTH! If you haven’t implemented either of these safeguards and you already have connected your Mac to the Internet, the safest course probably is to reinstall Mac OS X on a reformatted drive. Promising to do better and be safe henceforth without starting fresh is about as effective as a vow of celibacy after a summer of one night stands. Having said that and given Mac OS X’s almost flawless securiity record, I’m not sure I’d go to the trouble unless you’re seeing weird behavior on your machine. A third option to enhance the security of your Mac and your web site is to block all ports with your firewalls and turn your web site over to a hosting provider with experts on staff who do this for a living. Web hosting services are incredibly cheap these days with multiple site hosting plans available for well under $10 a month. With this scenario, you’d use your Mac mini as a staging server to build and test web applications before uploading them to your provider. Read our article on the subject if you want to learn more.

Mac OS X Firewall. Turning on the Mac firewall couldn’t be easier. Click on the Apple icon in the upper-left corner of your screen, and choose System Preferences. Click on the Sharing folder and then the Firewall tab. Click on the Start button to set your Firewall On. The check mark beside Personal Web Sharing should already be checked if you have activated Personal Web Sharing (your Apache Web Server) in the Services tab. If it’s not checked, activate Personal Web Sharing in the Services tab and then repeat the drill. What we have just done is invite bad people around the globe to attack your server on ports 80 and 427 using any Internet connection they can get their hands on. Think about it! And, make no mistake, bad people will attack your server … daily! But we have to leave port 80 open for HTTP traffic (to view your web site) and port 427 is used by Mac OS X to communicate with file and printer shares on IP networks. Does activating the Mac firewall with port 80 open mean your web site is secure? No. It just means that would-be crackers must use the HTTP protocol to attack your site instead of walking in through a more vulnerable back door port and seizing control of your entire machine. Once again now, does this firewall configuration protect you against attacks from really bad people? Repeat after me, "Absolutely not!" If you want to read a really horrifying account of how the Internet world works written by one of the leading technology experts in our country, read Steve Gibson’s gem, DrDOS. What else can be done? Keep reading!

Hardware-based Firewalls. So-called hardware-based firewalls are now a dime a dozen, almost literally. YOU WOULD BE CRAZY TO SURF THE WEB (MUCH LESS HAVE A PUBLIC WEB SERVER) WITHOUT FIRST DEPLOYING A HARDWARE-BASED FIREWALL. Pardon me for shouting. These devices used to be several thousand dollars or even more. Now you can get a very good one with a 10/100 megabit router and an 802.11G wireless router included for less than $30. dLink, Linksys, and Netgear have about 100 models collectively, and any of them will be better than nothing. One could write a book on choosing the best one and, before the book could be published, there would be a half dozen new models that were better than anything mentioned in the book. Without picking a favorite, let me suggest some features to look for:

If none of these buzzwords mean anything to you, here are some reference materials to get you up to speed. Tom’s Networking is a good place to begin your search and product comparison. Another article worth reading is Frank Derfler’s Networking Buyer’s Guide on the PC Magazine web site. While the focus is networking in the workplace, you’ll still pick up a lot of useful information. And, for home networks, don’t miss PC World which has perhaps the most comprehensive comparison of products with some excellent buying recommendations. Even though the article is a little over a year old, most of the equipment is either still available or has been enhanced. In fact, two of their three top-rated products are products we use in our own home networks. PC World’s top-rated wireless router/firewall is now under $30 at Amazon. The retail price of the product when it was reviewed was $110.

Choosing a firewall/router is only half the battle, of course. And it’s the least important half. Properly configuring the firewall/router is what keeps your network and your server secure. Fortunately, most of the top-rated firewalls come with default settings that provide top notch protection. While there are fairly complete networking guides accompanying most of these products, I would add a few additional recommendations for a home network.

These tips should get you started. Check back here in a day or two to see if we’ve added anything else. Also take a look at the comments just in case I’ve overlooked something. As you are now beginning to appreciate, this is getting pretty close to Rocket Science, and the more input you get on security, the safer your system will be.