Mac/PC Security Through Cable Modems
October 21st, 1999

Greetings, folks. This week we're going to talk about Internet security, firewalls, and what it all means to us Mac users. There's lots of juicy info in here to savor, but there are a few things to mention before we get started. If you have any questions at all, you can e-mail them to me, or now you can discuss them in the new Ask Dave interactive forum! Ok... without further ado -- onward!

One very inquisitive Gary Shaw wrote, "I was talking with a PC user that left Time Warner's RoadRunner because of his concerns with security issues with cable ISPs."

First off, I'm *not* trying to start a flame war here against any Windows user.

That being said, this is a *very* silly reason to leave one ISP for another. I don't think there are ANY ISPs (cable or dial-up) that offer firewall protection to their customers. If they did, customers would complain because the firewall would limit their ability to access different resources on the 'Net. QuickTime streaming, RealAudio, FTP, Internet Gaming, some software update services, older versions of Sherlock, and remote access software like Timbuktu don't normally work through a firewall. You (or, more specifically, the firewall administrator) have to have the firewall explicitly configured to allow each of these things, and with new software and technologies emerging every day, it's just not feasible for an ISP to do this. So NO ISPs (or, at least, none of the "regular" ISPs) perform any sort of firewalling. This leaves ALL of us open to unsolicited Internet traffic and, therefore, attacks from pranksters.

Your friend is right, however, that cable's (and DSL's) full-time, dedicated-type access does pose more of a risk than a dial-up connection. You're only exposed when you're connected, so with dial-up you're back to being safe as soon as you hang up. That, and most dial-up connections get a different IP address each time you reconnect.

Your IP address is your unique identifier on the Internet, and it's what websites (and other hosts) use to get information back to you. You go to a site and request a document (like you did for this very column). The request includes the location of the document you would like as well as where you'd like it sent back to -- this location is your IP address (note that the request also includes information like date, time, time zone, browser type and Operating System) -- all of this is typically logged to the web server. Here's an example of a simple request's log entry:

192.168.0.1 - - [21/Oct/1999:7:51:17 -0500] "GET /columns/askdave/99/october/991021.html HTTP/1.0" 200 4295 "http://www.macobserver.com/macosnews/" "Mozilla/4.08 (Macintosh; U; PPC, Nav)"

The first field (192.168.0.1) is the IP address of the requesting computer, followed by the date, the time, and the timezone offset (-0500). Next comes the actual request (/columns/askdave/...) and the protocol with which it should be sent back. Following this are the result code (200 means successful) and the size in bytes. Next is the referring page, i.e. the place where you clicked the link in the first place, then your browser, operating system and machine type.

Pretty interesting seeing all the data you send OUT every time you want something BACK! It's feasible, then, that someone could log your attempts to access a given computer, and then use that information to find you again. Because dial-up connections receive a different address each time you reconnect, the chances that someone will find you during that session aren't all that great. However, cable access only resets your IP address when you reboot (and sometimes, it even stays the same then), and DSL typically NEVER resets your IP address. This does increase the security risk, because you could have the same IP address for days, months, even years.
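To make the two points above concrete, here is an added example (not part of the original column) that parses log entries in this format and groups them by requesting address, showing how an address that never changes ties visits on different days together. The first sample line is the column's own; the other two are constructed, and the function names are hypothetical.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Combined Log Format: host ident user [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'(?P<host>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<size>\d+|-) '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)
TIME_RE = re.compile(r'(\d+)/(\w{3})/(\d{4}):(\d+):(\d+):(\d+) ([+-])(\d{2})(\d{2})$')
MONTHS = {m: i for i, m in enumerate(
    "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), 1)}

def parse_time(text):
    # Parsed by hand because the column's sample has a non-padded hour ("7:51:17").
    m = TIME_RE.match(text)
    if not m:
        raise ValueError("bad timestamp: " + text)
    day, mon, year, hh, mm, ss, sign, oh, om = m.groups()
    offset = timedelta(hours=int(oh), minutes=int(om))
    tz = timezone(-offset if sign == "-" else offset)
    return datetime(int(year), MONTHS[mon], int(day), int(hh), int(mm), int(ss), tzinfo=tz)

def parse_line(line):
    m = LOG_RE.match(line.strip())
    if not m:
        return None  # not a combined-format entry
    rec = m.groupdict()
    rec["time"] = parse_time(rec["time"])
    rec["status"] = int(rec["status"])
    rec["size"] = 0 if rec["size"] == "-" else int(rec["size"])  # "-" means no body sent
    parts = rec["request"].split()
    rec["method"], rec["path"], rec["protocol"] = (parts + ["", "", ""])[:3]
    return rec

def days_seen_per_address(lines):
    """Map each client address to the sorted list of dates it appeared on."""
    seen = defaultdict(set)
    for rec in filter(None, map(parse_line, lines)):
        seen[rec["host"]].add(rec["time"].date().isoformat())
    return {host: sorted(days) for host, days in seen.items()}

# First line is the column's own sample; the other two are constructed.
SAMPLE = [
    '192.168.0.1 - - [21/Oct/1999:7:51:17 -0500] "GET /columns/askdave/99/october/991021.html HTTP/1.0" 200 4295 "http://www.macobserver.com/macosnews/" "Mozilla/4.08 (Macintosh; U; PPC, Nav)"',
    '192.168.0.1 - - [28/Oct/1999:19:02:40 -0500] "GET /index.html HTTP/1.0" 200 1200 "-" "Mozilla/4.08 (Macintosh; U; PPC, Nav)"',
    '10.0.0.7 - - [28/Oct/1999:19:05:11 -0500] "GET /index.html HTTP/1.0" 304 - "-" "Mozilla/4.0 (compatible; MSIE 4.5; Mac_PowerPC)"',
]
```

Calling days_seen_per_address(SAMPLE) lists two dates a week apart for 192.168.0.1, which is the linkage a long-lived cable or DSL address allows and a fresh dial-up address would break.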

That being said, there are VERY simple ways of protecting a Windows machine from this. Windows will let you share files via TCP/IP. Because the cable modem (and the Internet at large, of course) only routes that one protocol, this can be a risk. With Windows it's very simple to change your sharing protocol to something like NetBEUI, which is completely NON-routable, and that will solve the problem. But... on to the Mac side...

Then Gary wrote, "His friend said that we do not have the same concerns as the PC user because if we have AppleTalk and file sharing turned off there is no way that someone could hack his way into our Macs from this service. Is this true (sounds like a pretty bold statement) or should I be concerned?"

This is true. However, it's also true to say that if you have AppleTalk and file sharing TURNED ON there is no way that someone could hack his way into your Mac from this service (or anywhere on the Internet, for that matter). AppleTalk, like NetBEUI, doesn't get routed through the cable modem. ONLY TCP/IP does. So, you don't have to worry... yet.

Mac OS 9 includes the ability to share files and printers via TCP/IP (this can also be accomplished on pre-Mac OS 9 machines with software like Shareway IP). This is a Good Thing. TCP/IP is faster than AppleTalk, especially on 100Base-T connections, and it allows sharing of data with people NOT on your local network. However, as we discussed above, this WILL open up some security holes on your Mac (note: Mac OS 9 does let you turn TCP/IP sharing on and off independently of AppleTalk-based sharing). If you do need to do this (for example, to mount your home machine's hard drive from the office and exchange files throughout the day), then you just need to make sure that you don't have "guest" access on, you have hard-to-guess passwords, and you change them often.

Gary, "And if I should be concerned, what applications should I get to protect my Mac?"

Well, depending on how you have things set up, there are a few ways to go. If you're sharing your Internet connection among multiple computers, you may already HAVE a firewall. Vicomsoft's SoftRouter Plus provides some packet filtering/firewalling features, as does Sustainable Softworks' IPNetRouter.

However, if you're just using ONE computer on the cable modem, NetBarrier from Intego is available as a firewall for single, standalone computers (see a free, online "tour").

Hopefully that should head everyone down the right path as far as Internet security on the Mac is concerned. Let me know if you have any questions, be they related to this column or something completely different, and I'll do my best to answer 'em for ya right quick!

Until next time...

P.S. Have a Nice Day.

Happy Birthday, Matt and Kris!