Understanding and Enhancing Mac OS Internet Security
Open Door Networks, Inc.
November, 1999

Historical note (May, 2005): Open Door Networks has been in the Macintosh security business since 1998. This paper describes the state of Macintosh Internet security at the end of the Mac OS 9 era. Things have obviously changed quite a bit with Mac OS X, but this paper is kept here both for historical reference and for Macintosh users still using Mac OS 7, 8 and 9, especially with our ShareWay IP product. Much of this paper was incorporated into the first edition of the book "Internet Security for Your Macintosh: A Guide for the Rest of Us".

Overview: As more Macs are connected to the Internet 24 hours a day, and as more Mac Internet services are added to the OS, the need to understand Macintosh Internet security options becomes much greater. This paper examines the Mac OS network security architecture and various enhancement options available through Open Door Networks products. It assumes that the reader is already familiar with the basics of Open Door's security products, such as the DoorStop firewall (http://www.opendoor.com/doorstop/) and Mac OS IP file sharing through ShareWay IP (http://www.opendoor.com/shareway/).

Overall network security architecture: Security is available at various levels throughout the Mac OS. The Mac's Internet security architecture needs to be understood in light of its overall network security architecture. There are two principal network protocols used on the Mac today: AppleTalk and TCP/IP. In general AppleTalk provides local services that are not available across the Internet: printing, sharing files with other machines on the same network, homegrown applications. TCP/IP provides more global services, including such Internet services as email and access to Web sites. With Mac OS 9, TCP/IP also provides services that have been traditionally available only over AppleTalk, including file sharing and program linking (Apple Events and AppleScript) over the Internet or an intranet.

Figure 1 below shows the Mac's overall network security architecture when Open Door products are included. The bottom layer shows the two principal protocols, AppleTalk and TCP/IP. Even though AppleTalk is a local protocol, and is not accessible through the Internet, security remains a concern in many environments. Since TCP/IP can make a machine accessible through the Internet and thus to the whole world, security is of even greater concern for that protocol.

Figure 1. Macintosh Network Security Architecture

The Users and Groups file is the major network security component built into the Mac OS. The Users and Groups file (accessed through either the Users and Groups Control Panel, or, in Mac OS 9, the File Sharing Control Panel) lets a machine's owner set up user accounts and passwords for access to the Mac's built-in network services, and specify which accounts should have access to which services. These accounts are used to limit access to these services through either AppleTalk or TCP/IP. Access to "Guests" (without passwords) can also be specified. Services that utilize Users and Groups security include Program Linking, File Sharing, Web Sharing and Remote Access (which lets users dial into a particular machine). Fine details of access are often configured through the Finder via the "Sharing" menu item.

Open Door Networks products add two levels of security to the Mac OS. These levels of security are only for TCP/IP services, not for AppleTalk. The DoorStop firewall provides added security for any service using the TCP protocol (TCP is the principal part of TCP/IP, and is used for most Internet services). ShareWay IP 3.0 provides added security specifically for Macintosh File Sharing when it is used over the Internet.

All the components of the Mac's network security architecture work together. For instance, as indicated in Figure 3 below, for someone to get access to File Sharing over the Internet, they must pass through the DoorStop, ShareWay and Users and Groups security layers. Since File Sharing can make a machine's whole hard disk available over the Internet, this high degree of protection may well be appropriate in many cases. Additionally, with multiple layers, greater degrees of flexibility in configuring security are possible. For example, access to guests can be granted over AppleTalk, but restricted over the Internet through either the ShareWay or DoorStop security levels.

In the sections below, we describe some details of the Mac OS Internet security architecture as it applies to the different Mac OS network services.

Program Linking: Program Linking is the technology that enables such Macintosh services as AppleScript and communication between applications through Apple Events. Until Mac OS 9, Program Linking only worked through AppleTalk. Nonetheless it utilized the Users and Groups file to specify which users should be able to "program link" to applications running on a particular machine, and whether guest access should be allowed. When Program Linking was extended to the Internet with Mac OS 9, Users and Groups security continued to apply to it as well.

Just as with File Sharing, however, the extension of Program Linking to the Internet introduces significant additional security risk. Anyone anywhere in the world can now, in theory, send commands to any application on a machine with Internet Program Linking enabled. Although Users and Groups support is necessary in such an environment, it may well not be sufficient. For instance passwords are often easy to guess or compromised in other ways. Open Door's DoorStop firewall provides an additional level of protection to Internet Program Linking on Mac OS 9. As indicated in Figure 2 below, access to Program Linking over TCP/IP must pass through both DoorStop's security check and the Users and Groups'. Since DoorStop security is based on the accessing machine's IP address, it is independent of the passwords required by Users and Groups.

Figure 2. Security as it applies to Program Linking

Note that access to Program Linking through AppleTalk only goes through Users and Groups security. This reduced level of protection is appropriate since there is significantly reduced risk.

File Sharing: File Sharing has been included in the Mac OS since System 7. It is one of the Mac's easiest to use and most popular features. Prior to the introduction of Open Door's ShareWay IP product in 1997, File Sharing was only available over AppleTalk. With the incorporation of ShareWay IP into Mac OS 9, it is now available through TCP/IP to every Mac OS 9 user as well as back to System 7.5.5 through ShareWay IP.

The ability to easily share files over the Internet is a very powerful feature. As with most features on the Internet, however, it also entails significant security risks. All of a sudden a machine's entire hard disk is potentially accessible throughout the world. Although Users and Groups continues to provide security over TCP/IP as well as AppleTalk, it is in many cases insufficient. In addition to the risks of password compromise, it is often the case that File Sharing users enable guest access to their files, since, prior to ShareWay IP, File Sharing was limited to their local network. Guest access in an Internet environment, however, is very risky and requires alternate security mechanisms.

Open Door Networks products provide two additional levels of security for Internet File Sharing. As with all TCP services, DoorStop provides IP address based security, enabling file sharing access to be granted only to limited sets of machines on the Internet. And ShareWay IP 3.0, available either standalone or as an upgrade for Mac OS 9's Internet File Sharing, enables an additional level of security based on user name, beyond that supplied by Users and Groups. ShareWay's security is similar to that provided by Users and Groups, however it applies to TCP/IP access only. With ShareWay IP 3.0, a machine's owner can turn off guest access through the Internet while maintaining it through AppleTalk (via Users and Groups), or provide a list of those specific users that are allowed access through the Internet (while maintaining a much broader list for AppleTalk through Users and Groups).

As indicated below in Figure 3, all three security mechanisms work together over TCP/IP to provide maximum security and flexibility. A user wishing to access File Sharing over the Internet must first pass through DoorStop security (based on their machine's IP address), then ShareWay security (based on their user name) and then Users and Groups security (again based on their user name, but applying more generally to both AppleTalk and TCP/IP).

Figure 3. Security as it applies to File Sharing

Note that access to File Sharing through AppleTalk only goes through Users and Groups security. This reduced level of protection is again appropriate since there is significantly reduced risk.

Web Sharing and other TCP/IP services: The Mac OS also includes a built-in personal Web server, administered through the Web Sharing Control Panel. Access to this server is only through TCP/IP. The server can be protected through the Users and Groups Control Panel, or, as is often the case with Web sites, access can be granted to everyone. DoorStop can once again add an additional layer of protection if desired.

A number of other TCP/IP services can be added to those included with the Mac OS. Timbuktu remote control, Retrospect remote backup and FileMaker database are all popular services that are now available over TCP/IP as well as AppleTalk. Each of these services includes its own unique forms of security, generally based on user names and passwords (although not through Users and Groups, which is only available to built-in Mac OS services). And each of these services exposes the Mac to additional security risk on the Internet. In the case of Timbuktu and Retrospect, this risk is quite significant. DoorStop adds security to any application which uses the TCP protocol, including each of those listed here.

Figure 4. Security as it applies to Web Sharing and other TCP/IP services

Logging and monitoring: An often overlooked aspect of security is the ability to log and monitor access to the services being secured. Such ability was not critical when the Mac OS was accessible principally through AppleTalk. With the addition of common Internet accessibility, however, logging and monitoring of access becomes much more important. Access logs provide an audit trail of both successful accesses and unsuccessful access attempts, and enable both reactive and proactive measures. The Users and Groups security layer does not provide any logging ability, nor do most of the Macs built-in network services. Open Door's ShareWay IP 3.0 and DoorStop products add this important capability to the Mac OS.

In addition to the availability of raw access logs, it is often important that accesses to a machine's Internet services be monitored in real time. Logs often contain too much data to be constantly monitored. It is often important that the data be analyzed in real time, so that security concerns become more prominent and can be addressed in a timely manner. Open Door's LogDoor Real-time Monitor can analyze and summarize the ShareWay IP and DoorStop logs in such a way as to make security issues much more apparent. DoorStop can also post an alert whenever it denies and/or allows a connection request.

Enhanced security for Mac-based servers: This paper describes the Mac OS network security architecture and ways that Open Door Networks products can be used to enhance OS Internet security, from an end-user perspective. The Mac OS is also a popular environment for servers, such as AppleShare IP and WebSTAR. Open Door sells a high end version of DoorStop for such environments, which includes advanced configuration options. Open Door also sells integrated security suites for these servers, which include DoorStop Server Edition, LogDoor, additional security products and advanced security documentation, examples and template files. All Open Door server products have recently been upgraded to fully support Mac OS 9.

Copyright (C) 1999 Open Door Networks, Inc. ShareWay IP, DoorStop and LogDoor are trademarks of Open Door Networks, Inc. All other products are trademarks of their respective holders.