Safeguard Your Network
Practical advice on locking out interlopers

By Joel Snyder

Security has an inherent intrigue, and in the world of computers, network security seems only to multiply the cloak-and-dagger factor. However, the mystery that often shrouds network security makes it seem more intimidating than it needs to be. Security vendors use tales of doom to try to scare companies into buying expensive, complex products. At the same time, network managers fail to take simple steps that could prevent disaster. With a world of bad guys out there waiting to steal your organization's innermost secrets, how can you protect a network and the devices attached to it from intruders?

Rest assured, there are solutions in all sizes for all kinds of problems. The trick is to protect the network without making it cumbersome for users (both local and remote) to do their work. This article provides an overview of software and hardware network-security products to help you accomplish this task.

Keep in mind that network security ranges from low-end issues, like keeping salary figures from prying eyes, to the bigger problem of keeping trade secrets from an aggressive competitor. Different solutions exist for different problems, and you might need to employ several approaches. Product categories looked at in this article include tools for monitoring AppleTalk networks, software and hardware to tighten up security for dial-in users, and software to help network managers keep individual Macs safe. To begin, identify network access points--like System 7 file sharing, Apple Remote Access (ARA) servers, and equipment-maintenance ports--and plan your strategy accordingly.

First Plug System Leaks

System 7 file sharing--a great innovation that lets any Macintosh be a file server--is a potential security risk. A user could turn on file sharing for a file transfer, enable guest access, and forget to turn it off. If there's sensitive data on that Mac's hard disk, it's open for everyone else on the corporate network to see.

File sharing's popularity makes it a natural place to start tightening network security. Some network managers go so far as to remove the Sharing Setup control panel from each Macintosh. Rather than take away a valuable tool from all users, a better solution is to educate them about the dangers of unrestricted access and teach them safer ways to use personal file-sharing. For example, help each user set up a share folder with guest access.

MR Mac Software offers Network Security Guard ($259, 619/453-2845), a unique auditing and reporting tool that sniffs at all of the Macintosh file servers in a network and determines what software each is running, which servers offer guest access, and which ones have easy-to-guess passwords. This information gives you a better picture of your network, which you can use to identify and tighten up loose servers. I highly recommend Network Security Guard for almost any network: it fills a real need that no one else does, and it doesn't cost too much.

The AG Group's Nok Nok ($50, 510/937-7900) tackles personal file-sharing by alerting you whenever someone connects to your Mac to access personal file-sharing. usrEZ's ultraSecure ($239, 714/756-5140), a more feature-laden application, offers the same function. If users on your network routinely let others connect to their Macs, consider using one of these packages to let them know who's using what when.

Fortunately, System 7.5 and System 7 Pro are more security-conscious than earlier versions of System 7; they include Apple's Open Collaboration Environment (AOCE), which includes a Key Chain that holds multiple user IDs and passwords, all encrypted until unlocked with a single password by the end user. (For more about AOCE, see "AOCE--Apple's Plan for Groupware," Macworld, November 1993.) Unfortunately, though, the individual passwords are still passed around the network in plain text by many network servers once the Key Chain has been unlocked. For anyone worried about electronic eavesdropping, that's a problem. Nevertheless, AOCE's Key Chain can minimize the risk of people writing down passwords or leaving them in accessible Preferences documents. (For more about Apple's approach to encryption, see The Iconoclast, in this issue.)

AppleShare can be a particular problem for network administrators because it does not provide the network manager many security options. For example, AppleShare does not attempt to actively protect itself against a break-in attempt. Neither does AppleShare allow the network manager fine control over who can connect to which resources at what times, such as evenings or weekends, or from what locations, such as through ARA.

One alternative is to add products to an AppleShare environment to help maintain security. For example, The AG Group's Nok Nok A/S ($175) adds extensive logging capabilities to any AppleShare server. Nok Nok A/S can also restrict the amount of time that idle, active, and guest users can be connected to the server. It extends the capabilities of AppleShare to identify guest users by their machine names, and it can notify you when someone logs on to AppleShare--if you are near the server and can hear the sound alert or see a dialog box.

Although Nok Nok A/S helps in environments where network managers are constantly monitoring a small number of AppleShare servers, it's far from a comprehensive network-security tool. For much more specific server protection, consider changing file-sharing systems to an AppleTalk Filing Protocol (AFP) system with stronger security, if you can afford the time and money involved.

High-end AFP file-server security features include sophisticated access-control lists, such as those provided in Digital Equipment Corporation's Pathworks server (603/884-6660), and time-of-day restrictions, like those in Novell's NetWare for Macintosh (801/429-7000) and Banyan's VINES Option for Macintosh (508/898-1000). Of course, your company's need for additional security should be weighed against the heavy management burden of switching from AppleShare--an easy-to-handle, relatively inexpensive network operating system that runs on a Macintosh--to something much more complex and expensive that requires a different platform.

To compare costs, call the vendors for price quotes based on the number of servers and clients on your network. Then factor in the cost of adding any required hardware platforms and any systems-integration services you might need. If an alternative to AppleShare is already running on your corporate network, adding Macintosh clients to it might be easier than starting from scratch. Some non-Apple file systems, such as Pathworks, provide security features like break-in detection, break-in avoidance, access logging, and disk quotas. If you're serious enough about Macintosh network file-sharing security to need these kinds of controls and are willing to pay the price, replace AppleShare with one of these products.

Dial-in Security

The second major line of defense involves the nearly ubiquitous remote users. Anyone with a phone, anywhere in the world, can connect to a network with a modem on it. Consequently, dial-in access to corporate networks calls for serious precautions, whether the modems are attached to mainframe computers or ARA servers.

The first thing to do is make sure that all dial-in access is password protected, and disable guest access to all file servers. That may sound obvious, but organizations have lost millions of dollars by neglecting to put passwords on maintenance ports for routers, switches, and other network equipment--especially voice equipment. If you have any computer equipment connected to the telephone network, there's a risk.

For maintenance ports that are seldom accessed or systems with only a few users, you don't have to invest in an entire security system. IC Engineering has a simple and inexpensive box called the Modem Security Enforcer (MSE, $300, 410/363-8748). The MSE goes between a modem and another piece of equipment, such as a terminal server or control port on a phone system. Anyone who dials in to the modem gets connected, but users must enter a password before they can actually get through to the device. The MSE is good for small networks because it offers enough security to deter all but the most determined attackers, and it's inexpensive for this kind of product.

The Modem Security Enforcer also offers dialback (also called callback) security. With dialback, a user dials in to a modem, gets connected, and gives a user identification and a password. Then the security device hangs up the connection and immediately calls the user back, generally at a predetermined number. Dialback is popular, but it's really a poor choice for dial-in security. For one thing, it only really works when a user always dials in from the same location. Also, hackers have developed a technique, called glaring, that fools some kinds of callback systems into thinking they've made a callback when they really haven't.

One-Time Passwords

If you're looking for a new system, ignore dialback completely and use a two-factor system with one-time passwords. In a two-factor authentication system, users must provide two different things--for example, a PIN (personal identification number) and a one-time password--to gain access. One-time passwords are just that: good for one time, one user name. True one-time passwords work only once; time-based passwords usually expire in 60 seconds or less.

With security based on a one-time password, typically you dial in and identify yourself. When the system asks for a password, you give the current one-time password. The password is generated by a calculator-like device called a token, by software on the remote user's Mac, or by specialized hardware attached between the remote user's modem and the phone line. While software tokens are easier to use, they can be less secure because they reduce the number of pieces needed to make a secure call. In the first quarter of 1995, CryptoCard (708/459-6500) expects to ship a hardware product, the MB-1 ($249), which will fit in the floppy drive of a Macintosh like a disk, to calculate passwords, lock the Mac until a password is entered, and encrypt data.

In some systems, the token or software calculates the password based on a challenge that the authentication system issues. This type of system doesn't just ask for the password; it provides a number (challenge) for the user to enter into the token, which then computes the correct answer (response).

I looked at four approaches to one-time passwords for remote access. Each has benefits and drawbacks. One thing is certain, though: two-factor security is expensive. For 50 to 100 users, expect to pay at least $100 per user. If you want some of the more sophisticated combinations of hardware and software, the price can quickly shoot up to ten times that.

LeeMah DataCom Security's TraqNet system combines hand-held tokens and special modem interceptors; it's the only system I tested that can protect any kind of telephone-accessible service. The system's pricing starts at $950 for a one-port box; an 8-port chassis starts at $2000. TraqNet's interceptors sit between the telephone line and the server's modem (or voice-mail system). TraqNet intercepts all calls and requires authentication before passing a call on to the modem. Optionally, TraqNet dials back an authenticated user at a preset number.

TraqNet users can use an InfoCard, a token the size of a credit-card calculator, or an InfoKey, a small box that installs between the user's computer and modem. After calling a TraqNet-protected system, an InfoCard user punches two sets of numbers into a touch-tone phone: a PIN and the number the token displays. The InfoKey saves the user the trouble of punching in the number--the InfoKey generates the one-time password and sends it over the line as soon as the TraqNet system answers. TraqNet is easy to install and configure, and the system works great for situations where you want to cut off intruders before they even get a modem carrier signal. Because TraqNet sits between the phone line and the modem, it is protocol-, modem-, and application-independent.

The Gateway Security System (GSS, starting from about $11,000 for eight ports) from Racal Guardata combines authentication and encryption systems to protect anything with a serial port, such as a modem; the GSS resides between the server's serial port and its modem.

This challenge-response authentication system uses a calculator-style token, called a WatchWord. The GSS displays a number that the user punches into the WatchWord (along with a PIN); the user replies with the number displayed on the GSS. Users must punch in both the challenge and the response, which can be annoying and works poorly with Apple Remote Access because you can't easily integrate it into a normal ARA log-in sequence. However, Racal Guardata does offer a Mac-resident software token to ease the pain of pressing all those buttons.

The GSS also offers network-level encryption using special hardware at the client end. Users are issued smart cards, which look like credit cards, that have the users' DES encryption keys encoded.

Racal Guardata has built some nice hardware with good engineering. The GSS chassis is solid and secure (it requires two different high-security hardware keys to open it), and the WatchWord token is easy to work with. The software is well designed for businesses with lots of users. For example, the GSS manager can print PINs on special sealed forms (like the ones credit card companies use) automatically for distribution to users. Configuring GSS is easy, although it requires a PC-style keyboard and monitor (since the system is based on an Intel motherboard).

Digital Pathways' Defender products are similar to Racal Guardata's (although encryption is not an option); however, the hardware and software have more rough edges. For example, configuring dial-in menus requires learning Digital Pathways' scripting language, but this language does offer much greater flexibility in programming and configuration. The company's authentication token, which uses challenge-response technology, lacks style--it has all the design grace of a 1950s transistor radio.

Digital Pathways offers automatic authentication for ARA users, which eliminates the need for a hardware token entirely. Inserting the Digital Pathways Defender 5000 chassis ($5750 for four ports) between ARA servers and programming it for a test user isn't for the faint of heart--it took me several hours. Once I finished, I found using the server with ARA to be incredibly simple--something every Mac user will appreciate.

If you like the Defender but want a more elegant token for your dial-in users who aren't using ARA, CryptoCard provides a completely compatible package called a CryptoCard (prices start at $100 per user).

Security Dynamics takes a different approach to authentication. It sells SecurID cards (starting at $58) that are time-synchronized to its ACE/Server security-server software (starting at $1995), which sits on a Unix server or workstation attached to the network. The Unix box should be dedicated if you're at all serious about security. Every 60 seconds (or 30, optionally), the little LCD display on the SecurID card changes to a different 6-digit number. When logging on, a user whips out a SecurID card and types in the number displayed (plus a PIN, of course). No buttons to push, no challenge at all.

The downside of this style of authentication is that the cards have to be time synchronized. They have a limited battery life (usually two or three years), and then you have to discard them, buy new ones, or reenter the card information into the security database. This costs big bucks, both in capital and personnel time.

While Security Dynamics offers hardware interceptors, it is also working aggressively with other hardware vendors to link hardware products to ACE/Server. Remote-access servers from companies such as Shiva Corporation, 3Com, Cayman Systems, and Apple can support SecurID client software.

To test its ARA capabilities, I added the Security Dynamics ACE/Server to an existing network of Shiva LanRover/E ARA servers. The ARA users got a floppy of additional software and a SecurID card. Dialing in was lengthened by one step, as remote users now had to enter the number currently displayed on their SecurID card. Once I got over the pain of installing a key server on Unix, the Security Dynamics products combined with Shiva's LanRover made a great team--and I didn't have to mess with hardware.

Four Top Security Books

For further reading, start with Protect Your Macintosh, by Bruce Schneier ($23.95; Peachpit Press, 510/548-4393). The best general guide to Macintosh security, this book contains an excellent and up-to-date chapter on network security.

Schneier is also the author of the best book on security protocols and algorithms, Applied Cryptography: Protocols, Algorithms, and Source Code in C ($44.95; John Wiley & Sons, 908/469-4400).

Another excellent discussion of network security, mostly from a theoretical point of view, is in Computer Communications Security, by Warwick Ford ($58; Prentice Hall, 515/284-6751).

If charged with the task of writing a network-security policy for your company, consider investing in Information Security Policies Made Easy, by Charles Cresson Wood (Baseline Software, 415/332-7763). At $495, it's not a casual buy, but its 600 sample policies will give you a big head-start, especially since the company also sends the manual on disk (which is handy if you want to cut and paste the policies).

The Last Word

Vendors want to sell you lots of expensive dedicated security hardware, but I advise holding off unless you need to deploy a large number of ARA users right now. If you want something that intercepts callers before they hit a modem bank, TraqNet is a great idea. However, all the other interceptors are doing in hardware what server vendors should do in software. Over time, the need for hardware authentication interceptors will go away as server vendors work with security-software vendors to integrate security directly into servers (as companies like Shiva, 3Com, Cayman, and Apple have done).

Before running out and buying piles of hardware, make sure you take basic steps with the software you already own. Use the built-in security features of AOCE to reduce the number of passwords you have to type each day. Tools like Network Security Guard will help you identify network problems that you can solve without spending a dime.

Concentrate on dial-in users, where networks are the most vulnerable. If your server vendor doesn't already support a token-based access system such as Security Dynamics' or Digital Pathways', turn on the heat to make them see the error of their ways. Avoid the headaches of a Unix-based key server if you can--even if it means waiting for the market to catch up.

Most important, teach people about the need for security and what your organization considers to be valuable enough to protect. By creating an awareness of the potential problems, you'll have the entire organization working with you to keep the network secure.


_______________________________________________________
Sidebar

Software to Protect Your Mac at the Desktop
No matter how secure the network itself is, if anyone can walk up to a Macintosh or steal a PowerBook and see all the valuable corporate data inside, you've got a potential problem. I looked at software from three vendors--Kent Marsh Software, Magna, and usrEZ Software--who offer a plethora of similar security features designed to protect Mac systems from an unfriendly world.

Kent Marsh has split up its products--FolderBolt Pro, NightWatch II, CryptoMactic--into easy-to-understand chunks, each of which has an easy-to-use interface.

FolderBolt Pro ($129) locks folders on a single-user Mac's hard disk so that a single password is required for access. With FolderBolt Pro, password-protected folders can be set for write only (commonly called drop folders) and read only (for protection against modification), as well as for no access at all.

Once activated, NightWatch II ($159) requires a password for any further access to the Mac. NightWatch can be kicked on by different events, such as a shutdown or a PowerBook sleep.

CryptoMactic ($99) encrypts data files using the American National Standards Institute's (ANSI) Data Encryption Standard (DES) algorithm. When you double-click on a protected file, CryptoMactic asks for a password to decrypt the file.

Magna and usrEZ have taken a kitchen-sink approach to the question of Macintosh security, throwing all of the features that Kent Marsh offers in its three products--and more--into their Empower Remote ($396) and ultraSecure ($239) products, respectively. Of these two vendors, usrEZ is the king of feature creep. usrEZ software reportedly offers 105 features--some of which are useful--making the package only slightly less confusing than Microsoft Word's tool bar. I liked the feature set but found the user interface confusing and nonintuitive. If you need only one or two of the functions, a simpler package from Kent Marsh is a better choice.

All three vendors offer a "fast encryption," which takes less time than DES yet provides a good measure of protection against prying eyes. This is a good feature; it shows a good balance between paranoia and wasted time. Kent Marsh and usrEZ bend over backwards to offer double-DES and triple-DES protection (encrypting the same data with two or three passes and two or three keys), even though this is probably overkill for most users.

A warning: All folder- and application-locking systems that do not use encryption will protect data only against amateur attacks. If you have valuable corporate data on a Mac that gets stolen, and the hard drive is merely "locked" with one of these packages, you have no protection whatsoever against a determined thief. Unlocking a locked disk is no challenge to someone who really wants the data on it. Encryption, on the other hand, gives you real security against stolen hardware.

If you need to control Mac security over a network, check out Empower Remote or FolderBolt Pro, which offer remote management. usrEZ expects to ship ultraSecure with ultraCommand ($374), which it says will include remote management, by mid-December.

_______________________________________________________

Joel Snyder (jms@opus1.com) is a senior partner at Opus One, a consulting firm in Tucson, Arizona, specializing in networks. His book Macworld Networking Bible, Second Edition (IDG Books Worldwide, 1994), coauthored with Dave Kosiur, includes a section on securing AppleTalk networks.

Related files:
Two-Factor Authentication Features Compared
Network Authentication Example
Desktop Security Software Compared

February 1995, page: 122-127
Copyright © 1995 Macworld Communications, Inc.