Maintaining Security Online


When your computer is connected to the Internet via a direct connection to a cable modem or DSL line, it can be a direct target for attack from outside.

Earlier in the chapter, you learned how to use network sharing and services. Now let's find out what security issues are related to their use. (To put it bluntly, the more network services that are running, the greater the chance that a potential intruder can discover and access your system.)

Network Sharing Services

Although it's tempting to go through your system and activate every feature in the Sharing panel, doing so isn't always a good idea. If you turn on everything in the Sharing Preferences panel, someone else could scan your system over the Internet and find the following services active and available for use:

  • FTP Access (port 20 or 21) FTP is a quick and easy way to send and retrieve files from a computer. FTP Sharing starts an FTP server on your computer. Unfortunately, it provides no password encryption and is often targeted by attackers. If you don't have to use FTP, don't enable it.

  • Remote Login: ssh (port 22) The secure shell enables remote users to connect to your computer and control it from the command line. It's a useful tool for servers, but for home users it presents only a security risk.

  • Personal Web Sharing (port 80) Your personal Web server is really an enterprise-class Apache server. Apache is a very stable program and should be considered the least of your concerns, unless you've manually customized its configuration files.

  • Windows File Sharing (port 139) Enables Windows users to access the shared folders on your computer.

  • svrloc (port 427) The Service Locator Protocol allows remote computers to detect what services are available on your computer over the Internet.

  • afpovertcp (port 548) The Apple File Protocol is used to share your disks and folders over a network. If you have Personal File Sharing turned on, be aware that potentially anyone on the Internet can connect to your computer.

  • Printer Sharing (port 631) Enables other users on the network to use printers connected to your computer.

  • ppc (port 3031) Program-to-program communication enables remote applications to connect to your computer and send it commands. It's unlikely that you would need this feature in day-to-day use. PPC is controlled by the Remote Apple Events setting in the Sharing Preferences panel.

To disable any of these built-in network services, follow these steps:

  1. Open the System Preferences panel.

  2. Click the Sharing item under the Internet & Network section.

  3. In the Services tab, uncheck the boxes for the listed services to toggle them on and off, as shown in Figure 27.16.

    Figure 27.16. The Sharing Preferences panel controls the built-in network services.


  4. Close the Sharing Preferences panel to save your settings.
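To confirm which of the services listed above are still accepting connections after you change these settings, you can check the machine's listening ports. The following is an added example, not code from the book: it reads BSD-style `netstat -an` output and reports which Sharing ports are listening and whether they are reachable from the network. The sample output and the function name `audit_listeners` are constructed for illustration.

```python
# Added example: map listening TCP ports to the Sharing services listed above.
# Ports and service names are taken from the list in this section.
SHARING_PORTS = {
    20: "FTP Access", 21: "FTP Access", 22: "Remote Login (ssh)",
    80: "Personal Web Sharing", 139: "Windows File Sharing",
    427: "svrloc", 548: "afpovertcp (Personal File Sharing)",
    631: "Printer Sharing", 3031: "ppc (Remote Apple Events)",
}

# Constructed sample of BSD-style `netstat -an` output (address.port form).
SAMPLE = """\
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp4       0      0  *.548                  *.*                    LISTEN
tcp4       0      0  127.0.0.1.631          *.*                    LISTEN
tcp6       0      0  *.22                   *.*                    LISTEN
tcp4       0      0  *.22                   *.*                    LISTEN
tcp4       0      0  192.168.1.10.49152     17.0.0.1.443           ESTABLISHED
tcp4       0      0  *.5000                 *.*                    LISTEN
"""

LOOPBACK = ("127.", "::1", "localhost")

def audit_listeners(netstat_text):
    """Return sorted (port, service, exposure) tuples for listening Sharing ports."""
    found = {}
    for line in netstat_text.splitlines():
        fields = line.split()
        # Only TCP sockets in LISTEN state accept new inbound connections.
        if len(fields) < 6 or not fields[0].startswith("tcp") or fields[-1] != "LISTEN":
            continue
        # BSD netstat writes the local address as "<address>.<port>".
        addr, _, port = fields[3].rpartition(".")
        if not port.isdigit() or int(port) not in SHARING_PORTS:
            continue
        port = int(port)
        exposure = "local-only" if addr.startswith(LOOPBACK) else "network"
        # A network-reachable listener outranks a loopback one on the same port.
        if found.get(port) != "network":
            found[port] = exposure
    return [(p, SHARING_PORTS[p], found[p]) for p in sorted(found)]

if __name__ == "__main__":
    for port, service, exposure in audit_listeners(SAMPLE):
        print(f"{port:>5}  {exposure:<10}  {service}")
```

Any line marked `network` corresponds to a service that other computers can reach; a service you have unchecked in the Sharing panel should no longer appear.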

Firewalls

The "ultimate" solution to network security is the use of a firewall, a piece of hardware or software that sits between your computer and the Internet. As network traffic comes into the computer, the firewall looks at each piece of information, determines whether it's acceptable, and, if necessary, keeps the data from getting to your machine. (Examples of data it would block are attempts by unauthorized users to contact the services listed earlier.)


You might be asking yourself, "If a firewall can be a piece of software that runs on my computer, how can it both look at network traffic and keep it from reaching my machine?" After all, to look at the information and determine whether it's trouble, the data obviously must have reached my computer!

That's true, but firewall software operates at a very low level, intercepting network traffic before your computer has a chance to process it and make it available to components such as your Web server or FTP server.


Though both hardware and software-based firewalls are available, a software firewall is the quickest way to get unwanted traffic blocked from your machine.

Mac OS X 10.2 includes a built-in personal firewall, accessible from the Firewall tab of the System Preferences Sharing panel shown in Figure 27.17.

Figure 27.17. The Mac OS X personal firewall can be enabled to secure the services/ports you don't want to operate.


To activate the firewall, click the Start button. Checked boxes appear next to those services/ports that you've turned on under the Services pane of the Sharing Preferences panel.

Other than starting or stopping your personal firewall, there are no other settings to configure in the Firewall panel. Because disabling a port disables its service and unenabled ports require no securing, you must go to the Services panel to change the active/inactive status of the services in the Firewall panel.

If you need more flexibility, there are several other firewall builder packages that make it easy to point-and-click your way through setting up a firewall on your computer. You may want to consult another source, such as Maximum OS X Security, for deeper coverage of security issues.



Sams Teach Yourself Mac OS X Digital Media All In One
ISBN: 0672325322
EAN: 2147483647
Year: 2003
Pages: 349
