Securing your Mac, pt 4

Between September 2005 and July 2011 I was a regular contributor to MacFormat in the UK.

Whereas I’m posting the published articles for my MacWarehouse writing with the MacFormat ones I’ve decided to post the text as submitted, including any comments that I included for design. I am, however, allowing myself a few small edits for clarity.

The particular one is my eighth column, written in April 2006. This is presented purely as a historical record as much, if not all, of the information contained in it may well have changed in the meantime.


Securing your Mac, pt 4

Following last month’s diversion into the world of malware it is time to take a look at the security issues facing networks of Macs and networking in general.

For almost any business one of their most valuable assets is their intellectual property (IP), whether that be the designs for a new product or a database of their customers complete with account history. In addition to taking precautions against loosing IP through equipment failures by backing up the servers that it is stored on it is critical to ensure that the company’s property stays the company’s property. It is not just James Bond that has to deal with industrial espionage and a disaffected employee taking your customer database to a competitor can have a very damaging impact on business.

The tools that Apple provides for free with OS X Server can be used to ensure that users cannot store any information at all on their workstations, they can only keep it on the server itself. You can also disable CD or DVD burners and prevent users from saving files to USB or FireWire drives. These preferences can be enforced even if a computer is taken off the network and if you do need to take data off-site then do it in the form of an encrypted disk image which will make it almost impossible for somebody to read the data without authorisation if it is lost.

If you have wireless devices on your network, including Macs with AirPort or Bluetooth cards, be aware that you cannot easily put up barriers to stop their radio waves from spreading outside of the building. I have known business where it is perfectly possible to sit in a car in the street and connect to the company network without needing any password or other form of authentication. If you have wireless devices that are not required then disable them so that a user cannot inadvertently create an insecure access point to the network. For the access points that you do require take the following steps; disable broadcasting the network name so that you cannot find it by browsing, make sure that the network name itself is unobvious, e.g. don’t call it “AirPort”, require WPA2 encryption to be able to access the network and finally lock the network so that only specified wireless cards can access it.

You can take access control further by introducing two factor authentication with solutions from companies such as RSA and CRYPTOCard. These solutions require a user to not only know their password but also to be in possession of a token of some description to be able to access the network. Neither the token nor the password on it’s own is enough.

Two factor authentication comes into it’s own when remote access solutions are considered. The internet is inherently insecure but it is possible to create secure tunnels from point to point. If you need users to be able to access company data from home or whilst on the road then consider setting up a Virtual Private Network (VPN) which will allow you to create a secure tunnel from wherever they are in the world to the office and work as if their Mac was connected directly to the network and keep out prying eyes.

It is a very simple task to download a piece of open source software such as Ethereal and sit in your local coffee shop watching unencrypted but sensitive information going back and forth across the internet. If you don’t keep an eye on your data somebody else will.

Securing your network can be an expensive and time consuming business and the more secure it is the less friendly it will be to those who you want to access the network. How far you take network security and how much time and money you spend on it will depend on how valuable your data is to your business.

Comment on this post

This site uses Akismet to reduce spam. Learn how your comment data is processed.