TidBITS#468/22-Feb-99
=====================

  If you think walking barefoot over hot coals is preferable to
  setting up a firewall for your intranet or Internet connection,
  keep your shoes on and read Chris Pepper's article on firewall
  security (and why you should care even if you're not a network
  administrator). Also, Adam looks at the pros and cons of Macworld
  Expo's relocation to New York this July, and we note Palm
  Computing's release of two new handhelds and Alco Blom's release
  of Web Confidential 1.2.

Topics:
    MailBITS/22-Feb-99
    Follow the Bouncing Expo
    What's a Firewall, and Why Should You Care?

<http://www.tidbits.com/tb-issues/TidBITS-468.html>
<ftp://ftp.tidbits.com/pub/tidbits/issues/1999/TidBITS#468_22-Feb-99.etx>

Copyright 1999 TidBITS Electronic Publishing. All rights reserved.
   Information: <info@tidbits.com> Comments: <editors@tidbits.com>
   ---------------------------------------------------------------

This issue of TidBITS sponsored in part by:
* APS Technologies -- 800/443-4199 -- <sales@apstech.com> -- How
   do you back up your APS hard disks? Try APS tape, removable,
   magneto-optical, and CD-R drives! <http://www.apstech.com/>

* Northwest Nexus -- 1 888-NWNEXUS -- <http://www.nwnexus.com/>
   Internet business solutions throughout the Pacific Northwest.

* Small Dog Electronics -- Special Deal for TidBITS Readers!
             --- Move up to 100Base-T ---
   Farallon 8-port 100Base-T hub with 10Base-T Bridge: $99.00!
   For details: <http://www.smalldog.com/> -- 802/496-7171

* Free Shipping at Outpost.com! Lowest prices, fantastic service,
   thousands of products, and now FREE shipping from 11-Feb-99,
   6 PM EST to 01-Mar-99, 8 AM EST (limit $100 per household).
   No kidding - free! Check it out at <http://www.outpost.com/>!

* Eye Candy 3.0 for $30 off! Includes 21 cool special effects like <- NEW!
   fire, smoke, bevels, cutout, carve, glow, chrome, and more!
   Incredibly easy to use with resizable and zoomable previews.
   ONLY $99.95 from: <http://www.digitalriver.com/TidBITS/EyeC/>

* SAVE TIME & MONEY!! MacAcademy ---> Software TRAINING SOLUTIONS <-- NEW!
   at your fingertips!! CD-ROM, video, and live seminar training.
   A variety of programs available. Download our catalog at:
   <http://www.macacademy.com/tidbits.html> or call 800/527-1914

* NEED FIBER CONNECTIVITY? Farallon's new Fast EtherTX-FX <---------- NEW!
   Media Converter is a flexible, low cost solution to connect
   your Fast Ethernet hubs and switches to 100 MB fiber cabling.
   <http://www.farallon.com/tidbits/converter.html>

* WANT A BACKUP JOB? Join the Sales & Marketing team at Dantz, the <- NEW!
   makers of award-winning Retrospect backup software! We offer
   a fun and supportive work environment with great benefits.
   Read the details at <http://www.dantz.com/dantz_info/jobs.html>
   ---------------------------------------------------------------

MailBITS/22-Feb-99
------------------

**Job Postings in TidBITS?** -- We've heard numerous stories of
  people using knowledge they picked up reading TidBITS to help land
  jobs. Now TidBITS sponsor Dantz Development is going one step
  further and actually running job postings - see the sponsorship
  area above. What do you think about employment postings in TidBITS?
  Would they be helpful for finding work? Would your company be
  interested in posting jobs? Let us know what you think in TidBITS
  Talk, and if there's sufficient interest, we'll look into having
  more job postings in the future. [ACE]

<http://db.tidbits.com/getbits.acgi?tlkthrd=601>


**New Palm Handhelds Released** -- Palm Computing has unveiled two
  new handheld devices, the Palm IIIx and Palm V, available now. The
  Palm IIIx ($370) retains the Palm III's curved form factor but
  includes 4 MB of RAM (plus 2 MB of flash ROM), a much-improved
  screen with better contrast and readability, and an internal
  expansion slot for future memory upgrades or add-on devices like
  pager cards. The Palm V ($450), aimed at style-conscious users,
  comes in a smaller, thinner anodized aluminum case and includes
  the improved screen, software-based contrast control, 2 MB of RAM
  (plus 2 MB flash ROM), built-in rechargeable lithium ion
  batteries, and two stylus silos to accommodate right- and left-
  handed users. [JLC]

<http://www.palm.com/products/palmiiix/>
<http://www.palm.com/products/palmv/>


**Web Confidential 1.2 Adds Contextual Menu Support** -- Alco Blom
  has released version 1.2 of Web Confidential, his $35 shareware
  utility for securely storing confidential information using 448-
  bit encryption (see "Web Confidential: Securing Information of All
  Sorts" in TidBITS-441_). Version 1.2 adds a number of preferences
  for saving automatically, confirming deletions, and sorting
  entries. It also includes a Contextual Menu Manager (CMM) plug-in
  that eases entry of data into Web Confidential for users of Mac OS
  8.0 or higher. First install the plug-in (and Apple Data
  Detectors, which enable contextual menus in any application), then
  Control-click selected text and choose a menu item to transfer the
  selected text to one of the fields of a Web Confidential card.
  Version 1.2 is free to registered users and is a 424K download.
  [ACE]

<http://www.web-confidential.com/>
<http://db.tidbits.com/getbits.acgi?tbart=05020>
<http://www.apple.com/applescript/data_detectors/>


Follow the Bouncing Expo
------------------------
  by Adam C. Engst <ace@tidbits.com>

  Last week, IDG Expo Management announced that the Macworld Expo
  scheduled for Boston in August of 1999 will instead return to the
  Jacob Javits Convention Center in New York City from 21-Jul-99
  through 23-Jul-99. The press release offered obligatory platitudes
  about why the show would return to New York, but the situation
  isn't as simple as the press release implies. Let's look at two
  sides of the issue from the viewpoint of someone who doesn't live
  in or near either city.

<http://www.macworldexpo.com/mwny99/media/frame_move.html>
<http://db.tidbits.com/getbits.acgi?tbart=04979>


**Bully for Boston** -- I'd prefer to have Macworld Expo in
  Boston, because as cities go, I like Boston, especially when being
  a pedestrian. Boston is a comparatively small city, and you can
  walk most anywhere, as opposed to New York, where cabs are often
  required. Boston drivers may be crazy, but in the last few years
  pedestrians have been downgraded to second-tier targets (getting
  in front of the car ahead seems to be preferred over scaring the
  foot traffic).

  In Boston, everyone seems to know that Macworld Expo is happening.
  Waiters in restaurants, hotel staff, and subway commuters all want
  to chat about the show. New Yorkers didn't seem to notice - even
  at the Paramount, which was an official show hotel, the desk staff
  either didn't know about the show or were playing it so cool they
  couldn't let on that they knew.

  Although no one would call Boston cheap, it beats New York. You
  can do New York on a budget, but New York is so much larger than
  Boston that it's too much for many visitors to find inexpensive
  places to stay and eat, or to figure out the transit system.

  Thanks to the high costs, especially in a bad year for the Mac
  industry, many Mac companies passed on Macworld New York last
  year, and that could happen again. Smaller companies may not be
  able to afford a booth, especially considering the expense of
  housing and feeding booth staff in New York.


**No Place Like New York** -- On the flip side, there are reasons
  why New York is a better location for Macworld Expo. New York is a
  media hub. Even though the city disdains to notice Macworld Expo,
  it's more likely that Apple, the Macintosh, and Macworld Expo will
  receive significant media coverage in New York. Steve Jobs loves
  media attention, especially since trade show coverage is almost
  all good. Also, it's easier for industry executives to talk to
  publications like the New York Times and the Wall Street Journal,
  so the New York location may provide additional exposure for Mac
  companies.

  New York also has space on its side. Boston's World Trade Center
  can't hold Macworld Expo on its own, though more space is
  available at an adjacent hotel complex. In contrast, the cavernous
  halls of New York's Javits Convention Center boast far more space.
  With the Mac industry on the upswing, more exhibitors may show
  this year, and some reportedly want more space than last year.

  Finally, New York is a much more populous city, which should help
  attendance. Although pre-registered attendance was reportedly
  fairly low last year, the word is that there was a ton of walk-in
  traffic. Aside from the fact that walk-ins pay more, resulting in
  higher profits, that much walk-in traffic implies that overall
  attendance might be higher this year.


**What Jobs Says, Goes** -- Rumor has it that the switch is
  primarily due to a dictate directly from Steve Jobs, but keep in
  mind that booking space in a place like the Javits Convention
  Center must generally be done a year in advance. It's possible
  that IDG Expo Management booked last year in an unexpected open
  slot, switched to Boston when they couldn't get a guaranteed slot
  for this year, then jumped at the chance to switch back when this
  slot appeared.

  Hosting Macworld Expo in New York may be a better business
  decision than having it in Boston, due to the larger audience,
  media access, and location near New York offices. However, trade
  shows also serve as combination pep rallies and reunions, and for
  that purpose I think the smaller, friendlier, more familiar Boston
  works better for the thousands who attend each year.


What's a Firewall, and Why Should You Care?
-------------------------------------------
  by Chris Pepper <pepper@list.audubon.org>

  One of the best things about the Internet - a legacy of its
  educational history - is that it lets us share information with
  people all over the planet. Another wonderful capability - this
  one a legacy of its Unix roots - is that it provides us _access_
  (to Web pages, email accounts, games, corporate info, and more)
  from any properly connected computer.

  Of course, there are trade-offs. One of the biggest problems with
  sharing information with people you've never met is that some of
  them aren't nice. The Internet can put you in touch with
  fascinating folks, but it can also introduce you to people you'd
  rather avoid - spammers, antisocial hackers, and virus authors.

  It's great that you can go to a coffee shop, computer lab, or copy
  shop and check your private email. However, people you don't know
  could be sitting over their own coffee right now, trying to access
  your credit card numbers, private records, or corporate data.
  Obviously, people can use the Internet to work from anywhere on
  the planet, but what about security issues? How do you
  differentiate between an employee at a coffee shop and a
  competitor at the next table?

  Firewalls are one of the most effective ways to protect sensitive
  data and servers from hackers. Although firewalls aren't rocket
  science - despite what many consultants would have you believe -
  they aren't simple either. This article will show you how
  firewalls work and why they're important, and provide some
  guidance for your own thinking on firewalls. It assumes you're
  familiar with the basics of how the Internet works, although it
  explains some details briefly. If you have a full-time or
  multiple-machine Internet connection, you should consider a
  firewall, but they're generally unnecessary for individual users
  who don't use server software.


**The Intranet** -- A few years ago, most networks were within
  buildings - local area networks, or LANs. Some companies connected
  their LANs with expensive dial-up links, making wide area
  networks, or WANs. In either case, you had to be on the premises
  to use company servers. Such physical security is extremely
  effective - there are laws against trespassing, and it's fairly
  easy to recognize valid employees. On the other hand, anyone who's
  visited an AOL chat room or IRC channel knows that identity is
  more complicated online. The problem for network administrators is
  providing access to legitimate users and blocking outsiders.

  The intranet concept is an attempt to regain some of the control
  lost in this age of widely available Internet connections.
  Basically, an intranet is everything on the inside of the Internet
  connection - what would be a LAN or WAN if the Internet link was
  cut. Generally, users on the intranet have more access than
  outsiders - after all, they've made it into the building and past
  any guards, locks, or coworkers. People working on the far side of
  the Internet connection have less access - enough that they can
  get work done but not enough to cause harm. The key to the
  intranet is our friend the _firewall_, restricting Internet users
  to innocuous activities, and letting intranet users go about their
  business.

  Public information available to anybody on the Internet might
  include public relations materials and public Web sites, software
  demos, and annual reports. Private information available only to
  people on the intranet includes things like detailed human
  resources policies, forms, and records; accounting and financial
  records; site-licensed software; and help desk systems and
  technical support resources. Deciding which services fall into
  public and private categories is key to a successful intranet.


**How Does It Work?** -- Traffic on the Internet consists of
  individual packets of data, generally either TCP (Transmission
  Control Protocol) packets or UDP (Universal Datagram Protocol)
  packets. Every packet includes a header which identifies the
  sending computer and port, and the receiving computer and port.
  Both TCP and UDP use IP numbers (such as 209.177.45.3) to identify
  individual computers, and port numbers (which range from 0 to
  65,535) to identify individual programs on each computer.

  As an example, if you wanted to see the Audubon home page, your
  Web browser might create a packet with source IP 204.57.207.50
  (assigned by your network administrator or ISP), source port
  54,321 (arbitrarily chosen by your application), destination IP
  209.177.45.3 (the Audubon Web server), destination port 80
  (identifying the Web server), and a "payload" containing a request
  for the Audubon home page.

<http://www.audubon.org/>

  The higher level protocols we use to surf the Web, send email,
  transfer files, and more, all run on top of TCP and UDP (which in
  turn run on top of IP - the Internet Protocol). Most protocols
  answer on a specific TCP or UDP port, but some higher level
  protocols can use either TCP or UDP.

  It might help to think of IP addresses as street addresses and
  ports as apartment numbers. Every computer that sees a packet
  (including your computer, the router that connects you to the
  Internet, the routers between your ISP and your destination, etc.)
  looks at the IP address and ignores, forwards, or accepts the
  packet based on the IP address. Once the recipient computer sees
  and accepts the packet, it decides what program should handle it
  based on the destination port. TCP and UDP port numbers correspond
  to specific services, and the destination computer uses the port
  number to decide which program gets the packet. For example,
  without port numbers, an AppleShare IP server wouldn't know
  whether a specific packet should be handled by its FTP, SMTP,
  AppleShare-over-IP, or Web servers.

  The Internet Assigned Numbers Authority maintains a list of the
  major assigned ports, including those used by standard services
  and registered to specific applications (even games).

<http://www.isi.edu/in-notes/iana/assignments/port-numbers>

* HTTP - TCP port 80. HyperText Transfer Protocol is how Web
  browsers and servers talk to each other. (HTTPS, or Secure Sockets
  Layer, is an encrypted variant of HTTP that uses TCP port 443.)

* SMTP - TCP port 25. Most people send email using Simple Mail
  Transfer Protocol.

* POP3 - TCP port 110. Post Office Protocol version 3 is used to
  receive mail. Email programs like Eudora and Netscape Communicator
  typically send email via SMTP and receive email via POP3.

* DNS - TCP or UDP port 53. Domain Name Servers convert between
  human-readable names like www.audubon.org and IP numbers like
  209.177.45.3.

* Telnet - TCP port 23. Telnet (or remote login) is the granddaddy
  of all remote control schemes.

* FTP - TCP port 21. FTP programs send commands to FTP servers
  using TCP port 21, but FTP is unusual in that it uses an
  additional port for the actual data transfer.

* ASIP - TCP port 548. Used by AppleShare-over-TCP/IP, as used by
  AppleShare IP, ShareWay IP, some Unix servers, Mac OS 8's built-in
  AppleShare client, and Microsoft Windows 2000/NT 5.

<http://www.apple.com/appleshareip/>
<http://www2.opendoor.com/gateway/sharewayip20.html>
<http://www.microsoft.com/ntserver/windowsnt5/exec/overview/WhatsNew.asp>

* SNMP - UDP port 161. Simple Network Management Protocol servers
  are built into most routers, smart hubs, servers, and some desktop
  operating systems (SNMP is optional in Mac OS 8.5). An SNMP
  console, such as Dartmouth's excellent InterMapper, can monitor
  these servers to map out a network and watch for trouble.

<http://www.dartmouth.edu/netsoftware/intermapper/>

  There are over four billion valid IP numbers (2^32 - and we're
  running out). Each computer on the Internet has its own complement
  of 131,072 ports which can talk to any port on any other computer
  on the Internet. The number of possible connections is more than
  anyone could track or guard - 2^(32+32+16+16+1), or 2^97 - but a
  firewall can bring this number down to a manageable range.


**Firewalls** -- Firewalls work by selectively passing traffic
  between secure and insecure network areas. Typically, the firewall
  is a part of - or adjacent to - the Internet router. The Internet
  connection is a logical place for a firewall, since people on an
  intranet are more trusted than people using the Internet, and any
  hackers must get past the firewall to reach the tasty data on the
  intranet.

  There are two types of firewalls: packet filters (also known as
  packet screening firewalls) and proxy servers. The more common
  packet filters are simpler, cheaper, and much faster than proxies.
  Since IP numbers identify computers and ports identify services, a
  firewall can determine whether a packet is legitimate by looking
  at the source and destination IPs and ports and comparing them
  against a simple set of rules. As IP addresses are often grouped
  logically, it's usually easy to determine who is or is not part of
  the local network.

  Packet filters are simple because they don't consider the content
  (called the payload) of the packet: the firewall makes its
  decisions based solely on a packet's IP and port numbers. Think of
  a firewall as a military checkpoint - there are a few people with
  passes who can get through, and anyone else is turned away. The
  guards don't open briefcases.

  Most firewalls keep people out, rather than prevent intranet users
  from getting out to the Internet (although there are a few common
  exceptions). Thus, configuring a firewall is generally a process
  of listing the few valid uses Internet users might have for
  intranet services, and then writing rules to allow _only_ those
  uses, thus blocking out the vast number of unneeded connections
  which might otherwise pose a security risk. Here is a simple set
  of rules for a boring company named Examples, Inc., translated
  into plain English:

  "Allow Internet computers to connect to mail.example.com on port
  25. Allow mail.example.com to connect to outside computers on port
  25. Block all other traffic to or from port 25 across the
  firewall." Port 25 is used by SMTP for sending email. Since the
  firewall controls only traffic crossing from one side to the
  other, this would prevent outsiders from using private internal
  mail servers and keep employees on the intranet from sending mail
  directly to servers outside the firewall. If mail.example.com logs
  all mail sent and received, you can ensure that nobody is using a
  private mail server to avoid being caught in corporate mail logs
  (or to send spam).

  "Allow Internet computers to connect to www.example.com on ports
  80 and 443. Allow any internal computer to connect to outside
  computers on ports 80 and 443. Log every outbound URL request
  along with the (internal) requesting IP. Block all traffic to port
  80 or 443 on other internal servers." Port 80 is the standard HTTP
  (Web browsing) port, and port 443 is used by HTTPS (Secure Sockets
  Layer) for encrypted Web browsing. Again, this prevents outsiders
  from reaching private internal services (such as Personal Web
  Sharing). It also logs employee Web use, so administrators can
  tell if employees are using the company's Internet connection to
  access inappropriate Web sites. Many companies have policies
  against non-work-related use of the Internet - in fact, the
  Dilbert Zone's Pointy-Haired Boss Index lists companies that block
  access to the Dilbert site.

<http://www.dilbert.com/comics/dilbert/financial/tphbx.html>

  "Block all inbound DNS requests." If you run a public DNS server
  outside the firewall, and a private server inside, you can prevent
  outsiders from finding out about non-public hosts, like printers.

  "No FTP connections may come in. Outbound connections are
  unrestricted." In this case, ftp.example.com might be hosted by an
  upstream ISP outside the firewall, and employees would go out
  through the firewall to use it. Some organizations are concerned
  about information leaking out and force all employees to use FTP
  proxy servers that allow FTP GET but not FTP PUT. The idea is to
  prevent employees from giving a large chunk of sensitive data to a
  competitor.
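
  The four Examples, Inc. rules above, written as an ordered
  packet-filter table. This is an added example, not part of the
  original article. The intranet range 192.0.2.0/24 and the addresses
  used for mail.example.com and www.example.com are assumptions, and
  only the packet that opens a connection is evaluated.

```python
import ipaddress
from dataclasses import dataclass
from typing import FrozenSet, Optional, Tuple

# Assumed addressing for Examples, Inc. (documentation ranges, not from the article).
INTRANET = ipaddress.ip_network("192.0.2.0/24")
MAIL = ipaddress.ip_address("192.0.2.25")  # mail.example.com (assumed address)
WWW = ipaddress.ip_address("192.0.2.80")   # www.example.com (assumed address)


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                       # "allow" or "block"
    direction: str                    # "in" = Internet to intranet, "out" = the reverse
    dports: Optional[FrozenSet[int]]  # None matches any destination port
    host: Optional[ipaddress.IPv4Address] = None  # internal host; None = any
    log: bool = False


# First match wins, so each narrow "allow" precedes the broad "block" for its port.
RULES = (
    Rule("smtp-in-mailhost", "allow", "in", frozenset({25}), MAIL),
    Rule("smtp-out-mailhost", "allow", "out", frozenset({25}), MAIL),
    Rule("smtp-in-other", "block", "in", frozenset({25})),
    Rule("smtp-out-other", "block", "out", frozenset({25})),
    Rule("web-in-www", "allow", "in", frozenset({80, 443}), WWW),
    # Logging URLs needs a device that reads the payload; this port-based table
    # can only record the connection and the internal requesting IP.
    Rule("web-out-any", "allow", "out", frozenset({80, 443}), log=True),
    Rule("web-in-other", "block", "in", frozenset({80, 443})),
    Rule("dns-in", "block", "in", frozenset({53})),
    Rule("ftp-in", "block", "in", frozenset({21})),
    Rule("default-out", "allow", "out", None),
    Rule("default-in", "block", "in", None),
)


def direction(pkt: Packet) -> Optional[str]:
    """Return "in", "out", or None when the packet never crosses the firewall."""
    src_inside = ipaddress.ip_address(pkt.src) in INTRANET
    dst_inside = ipaddress.ip_address(pkt.dst) in INTRANET
    if src_inside == dst_inside:
        return None
    return "out" if src_inside else "in"


def decide(pkt: Packet) -> Tuple[str, str, bool]:
    """Return (action, rule name, logged) for a connection-opening packet."""
    way = direction(pkt)
    if way is None:
        return ("not-filtered", "same-side", False)
    internal = ipaddress.ip_address(pkt.dst if way == "in" else pkt.src)
    for rule in RULES:
        if rule.direction != way:
            continue
        if rule.dports is not None and pkt.dport not in rule.dports:
            continue
        if rule.host is not None and rule.host != internal:
            continue
        # Rejected packets are always logged so repeated probes stay visible.
        return (rule.action, rule.name, rule.log or rule.action == "block")
    return ("block", "implicit-deny", True)


# Constructed sample packets (not captured traffic).
SAMPLES = (
    Packet("198.51.100.7", 40000, "192.0.2.25", 25),    # outsider to the mail host
    Packet("192.0.2.44", 40002, "203.0.113.9", 25),     # desktop bypassing the mail host
    Packet("192.0.2.44", 54321, "209.177.45.3", 80),    # desktop browsing the Web
    Packet("198.51.100.7", 40004, "192.0.2.44", 80),    # outsider to a desktop Web server
    Packet("198.51.100.7", 40007, "192.0.2.44", 548),   # outsider to a file server port
)

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample, "->", decide(sample))
```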


**Proxy Servers** -- The more complicated and expensive type of
  firewall is called a proxy. If a packet filtering firewall is a
  military checkpoint, a proxy is a finicky translator and
  interpreter. People on either side of a proxy can't talk directly
  to each other; instead, all communication passes through the
  proxy. If someone on the Internet tries something dodgy, the proxy
  refuses to pass the message. Further, machines on the outside have
  no direct communication with machines on the inside, which means
  they have no knowledge of the internal network topology, and can't
  attack or probe internal machines for vulnerabilities.

  Network Address Translation (NAT) is a relatively new
  specification which enables a firewall to act as a proxy server
  without the client software doing anything different (or even
  knowing about the firewall's presence). The NAT-enabled firewall
  rewrites every packet to use its own source IP and an available
  source port, and then reverses the process for replies. Because it
  is fairly simple, NAT is becoming more common in firewalls and
  routers. More sophisticated firewalls understand specific
  protocols and can place restrictions on individual commands or
  actions which are suspicious. These firewalls generally run under
  Unix or NT and are quite expensive.

<http://www.tis.com/prodserv/gauntlet/firewalls/>
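
  The NAT rewrite-and-reverse step described above, as an added
  example that is not part of the original article. The internal
  addresses (10.0.0.x), the firewall's public address (192.0.2.1) and
  the small port pool are assumptions; the destination 209.177.45.3
  port 80 and source port 54,321 come from the article's earlier
  example.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class Nat:
    """Port-translating NAT table. Mapping expiry is left out to keep the example short."""

    def __init__(self, public_ip: str, first_port: int = 50000, last_port: int = 50003):
        self.public_ip = public_ip
        self._free: List[int] = list(range(first_port, last_port + 1))
        # (internal ip, internal port, remote ip, remote port) -> public port
        self._out: Dict[Tuple[str, int, str, int], int] = {}
        # (public port, remote ip, remote port) -> (internal ip, internal port)
        self._back: Dict[Tuple[int, str, int], Tuple[str, int]] = {}

    def outbound(self, pkt: Packet) -> Optional[Packet]:
        """Rewrite an intranet packet to use the firewall's IP and a free source port."""
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        port = self._out.get(key)
        if port is None:
            if not self._free:
                return None  # port pool exhausted: the packet cannot be translated
            port = self._free.pop(0)
            self._out[key] = port
            self._back[(port, pkt.dst, pkt.dport)] = (pkt.src, pkt.sport)
        return Packet(self.public_ip, port, pkt.dst, pkt.dport)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Reverse the rewrite for a reply; drop anything no internal host asked for."""
        if pkt.dst != self.public_ip:
            return None
        owner = self._back.get((pkt.dport, pkt.src, pkt.sport))
        if owner is None:
            return None  # unsolicited: no mapping exists, so nothing inside is reachable
        return Packet(pkt.src, pkt.sport, owner[0], owner[1])


def demo() -> List[Optional[Packet]]:
    """Run constructed traffic through the table and return each translated packet."""
    nat = Nat("192.0.2.1")
    results = [
        # Two internal hosts happen to pick the same source port.
        nat.outbound(Packet("10.0.0.5", 54321, "209.177.45.3", 80)),
        nat.outbound(Packet("10.0.0.6", 54321, "209.177.45.3", 80)),
        # The Web server's reply to the second host is mapped back to it.
        nat.inbound(Packet("209.177.45.3", 80, "192.0.2.1", 50001)),
        # A stranger aiming at an in-use public port matches no mapping.
        nat.inbound(Packet("198.51.100.7", 4444, "192.0.2.1", 50000)),
    ]
    return results


if __name__ == "__main__":
    for result in demo():
        print(result)
```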

  At the other end of the spectrum, relatively inexpensive caching
  firewalls such as Maxum's WebDoubler focus on performance
  improvements rather than security. WebDoubler improves browsing
  speed by caching Web requests, then providing the cached copy to
  other users requesting the same page - just like the cache built
  into Navigator or Explorer, except that all WebDoubler users share
  the larger cache. Sustainable Softworks's IPNetRouter (which has
  its own packet screening capabilities) is bundled free with
  WebDoubler. Both run on Macs.

<http://www.maxum.com/WebDoubler/>
<http://www.sustworks.com/products/product_ipnr.html>


**Configuration** -- Don't forget to configure your firewall! No
  matter how much it costs, a firewall can't help you unless you
  think about what you need to permit and exclude, then codify that
  in the firewall configuration. Since a firewall configuration is
  based on your IP numbers and the ports (services) you use, a
  generic configuration won't help. Before buying a firewall, look
  at a couple of configuration files. If they make sense to you,
  good. If you can't figure them out, you either need to read more
  or hire someone to do the configuration for you, and make sure
  they'll be available when you need to make changes.

  First, make a list of all your internal services, then decide
  which the public and employees outside the intranet (satellite
  offices, travellers, people working from home, etc.) need to
  access. Firewall configuration often requires trade-offs - in
  blocking misuse of your systems, you may make some legitimate uses
  harder or even impossible.

  Will people want access to their email? Are you confident about
  the security of your email server and its passwords, or are you
  better off providing external accounts for travelling users?

  Can your Web server be configured to allow access to internal
  pages to anyone with an intranet IP address _or_ who has a
  password? If so, you can set up an intranet Web site without
  setting up another Web server.

  If you have a contingent of people outside the firewall who need
  full access to your intranet services, consider a Virtual Private
  Network (VPN) in conjunction with your firewall. VPN technologies
  encrypt all Internet traffic between your intranet and your remote
  users. VPNs make effective partners with firewalls, since you can
  allow VPN traffic through the firewall with confidence that only
  authorized users will have the VPN passwords and keys, and they
  can access all your services. This enables you to lock down much
  more on the firewall, since legitimate users gain access through
  the VPN.

  Be sure to turn on any packet forgery and malformed-packet filters
  in the firewall - such packets can cause stability and security
  problems. Be sure to log rejected packets - if your firewall
  blocks an attack but you don't know about it, the attackers can
  keep trying until they get through.

  Before setting up your firewall, think carefully about what should
  be outside and what should be inside. Since Web servers primarily
  serve the public, it might make sense to put them outside the
  firewall, perhaps even at your ISP. This may make your site faster
  for visitors and ensures that public access to your Web server
  doesn't become a beachhead into your internal security. ClearWay's
  FireSite manages such external Web servers, and provides most of
  the benefits of an internal Web server in terms of flexibility,
  logging, and customization. FTP servers raise the same question.

<http://www.clearway.com/firesite/>


**Buying a Firewall** -- Before you buy a firewall, find out what
  capabilities your routers have. If your Internet router came with
  packet filtering capabilities, you may not need to buy anything
  else.

  You can buy a hardware firewall from many of the same vendors who
  make routers, including Cisco and Compatible Systems. Several
  companies also make software firewalls for Unix and Windows NT.

<http://www.cisco.com/>
<http://www.compatible.com/>

  Fortunately, there are several Mac firewalls. IPNetRouter includes
  firewall functionality. Both Vicomsoft's Internet routers (Mac and
  Windows versions) include firewall functionality. Open Door
  Networks' DoorStop is a limited firewall - it protects only the
  machine on which it is running.

<http://www.vicomsoft.com/products.html>
<http://www2.opendoor.com/doorstop/>


**In the End** -- If you have servers connected to the Internet,
  you should consider protecting them with a firewall. Fortunately,
  there are a plethora of options, some of which you may already
  own. Hopefully, you'll never be attacked, but there are nasty
  people out there. You owe it to yourself to think about network
  protection _before_ someone else forces you to do so.

  Configuring a firewall is a two-stage process. First think about
  how you use TCP/IP, and then balance the uses against the harm
  someone could do through subverting those facilities. If you plan
  well, your servers will be protected and your users may not even
  notice.

  [Chris Pepper is webmaster and list manager for the National
  Audubon Society. This article was originally presented (in a
  highly abbreviated form) as part of a panel presentation at
  Macworld Expo SF '99.]


$$

 Non-profit, non-commercial publications may reprint articles if
 full credit is given. Others please contact us. We don't guarantee
 accuracy of articles. Caveat lector. Publication, product, and
 company names may be registered trademarks of their companies.

 This file is formatted as setext. For more information send email
 to <setext@tidbits.com>. A file will be returned shortly.

 For information: how to subscribe, where to find back issues,
 and more, email <info@tidbits.com>. TidBITS ISSN 1090-7017.
 Send comments and editorial submissions to: <editors@tidbits.com>
 Back issues available at: <http://www.tidbits.com/tb-issues/>
 And: <ftp://ftp.tidbits.com/pub/tidbits/issues/>
 Full text searching available at: <http://www.tidbits.com/search/>
 -------------------------------------------------------------------


