This article originally appeared in TidBITS on 2015-03-02 at 11:25 a.m.
The permanent URL for this article is: http://tidbits.com/article/15458

Take Control of Security for Mac Users, Chapter 6: Improve Your Network Security

by Joe Kissell

This article is a pre-release chapter in the upcoming “Take Control of Security for Mac Users,” by Joe Kissell, scheduled for public release later in 2015. Apart from Chapter 1: Introducing Mac Security [1], and Chapter 2: Learn Security Basics [2], these chapters are available only to TidBITS members [3]; see “Take Control of Security for Mac Users” Streaming in TidBITS [4] for details.


Chapter 6: Improve Your Network Security

Macs usually connect to the outside world using Wi-Fi or Ethernet. (“Outside world” might mean another Mac across the room or a server on the other side of the planet.) In fact, most of us have become so dependent on network access that we find it hard to get any work done if that all-important Internet connection goes down.

That dependence on interacting with other devices is both a strength and a weakness. It gives us access to massive power and instantaneous global communication—but it also gives the bad guys an attractive target. This chapter discusses the reasons for protecting your network connection and how to go about doing so.

What You’re Trying to Protect Against

Broadly speaking, the point of network security—or at least, the particular subset of network security I cover in this chapter—is to protect data as it flows to and from your Mac over both local networks and the Internet. (In Chapter 7, Fortify Your Mac’s Defenses, I talk about another aspect of network security—protecting your Mac itself from intrusions and damage caused by network-based attacks.) But what sort of threats might your network communication face, and from whom?

In a word, you’re trying to protect your data against eavesdropping. If someone is able to see the data that enters and leaves your Mac, then anything you send or receive over a network—email, Web searches, photos, passwords, chats, files, and so on—is no longer private. But it’s not just a privacy issue; someone who intercepted just the right kind of information could use it to break into your Mac, install malware, steal your identity, or do other sorts of damage. In this case, privacy and security are two sides of the same coin.

Eavesdropping sounds passive—like someone listening in on a phone call because the line was tapped—but in skilled hands it can be used actively for more sophisticated wrongdoing. One example is something called a man-in-the-middle attack. In a simple case, imagine that someone tricked your Mac into connecting to a bogus instant messaging server. You continue to send and receive messages with your friends or colleagues as though nothing happened, but all incoming and outgoing text is actually funneled through the attacker’s rogue server. That means any message could be altered (or even deleted) on its way from sender to recipient—and neither party would know the difference!

Note: We’ll return to email security later. Encrypt Your Email in Chapter 11 explains one way to avoid this specific attack. For now, I merely wanted to illustrate a sort of active eavesdropping.

Why would someone want to eavesdrop on your network activity in particular? Unless you’re at Risk Level 4—that is, you’re being targeted individually—most likely no one cares about your data specifically. It’s not personal! Rather, there are people (and, much more often, software “robots”) who constantly probe any network connection they can find for vulnerabilities, slurp up any useful bits of information, and use it for everything from petty scams to identity theft.

Although, in principle, nearly the entire Internet is vulnerable to this sort of monitoring, the least secure link in the chain is almost always your Wi-Fi connection—especially if you’re using an open, public network. Someone sitting nearby you at a coffee shop or library—or even across the street, in a car, or in a different building—can use freely available software to “sniff” the Wi-Fi signal, and monitor all the Wi-Fi sessions nearby. It’s not hard. I’ve done it myself (for research purposes only, mind you), following directions I found on the Web, and I was shocked and appalled at what information I found floating freely through the air around me.

Other potential weak links include the Wi-Fi router itself (someone could hack into it, or attach a monitoring device between it and the Internet), your ISP (where numerous employees and contractors might be able to access data as it flows through), and any other router through which your data may pass between source and destination.

Note: I detail several additional avenues of attack in Take Control of Your Online Privacy [5].

Fortunately, there are simple steps you can take to eliminate the most common network vulnerabilities. Although these won’t protect you against every possible means of eavesdropping, they make it significantly harder for eavesdroppers—and the goal is to make it hard enough that they’ll move on to easier targets.

Use Encrypted Wi-Fi

You may have only a desktop Mac that’s connected to a router with an Ethernet cable and doesn’t use Wi-Fi at all. If so, you can skip ahead to the sidebar Is Ethernet Safe Enough? [6]. But most of us use Wi-Fi at least some of the time.

Assuming that you own or control the Wi-Fi router or base station, you should take immediate action to make certain no one else can eavesdrop on your communications—see the documentation that came with your router or refer to the manufacturer’s Web site for specific instructions.

First, use WPA. Wi-Fi Protected Access (WPA) is the most secure standard for Wi-Fi encryption currently in widespread use. It comes in several flavors, so you may see options like “WPA/WPA2 Personal” and “WPA2 Enterprise” (Figure 1). I can’t get into the details here, although I’ll mention that if you use an Apple AirPort base station or Time Capsule for wireless networking, you’ll find lots of good information in Glenn Fleishman’s Take Control of Your Apple Wi-Fi Network [7].

Choose any variety of WPA, but do not use WEP (Wired Equivalent Privacy)—it’s trivially easy to crack. (I know; I’ve done it myself.) And do not skip wireless encryption. You could choose “None” as the wireless encryption type, but don’t; that’s ridiculously insecure and never the right choice if you can avoid it.


Figure 1: Wireless security options for an Apple AirPort base station. Choose any of the options including “WPA” and you should be fine.

Note: If WEP is the only option available on your base station, it’s probably an old one. Now is a good time to think about replacing it.

In addition, be sure to use good, unguessable passwords for both your wireless network password and your router’s administration interface. I discussed both of these topics back in Wi-Fi Passwords [8], in Chapter 5.

What if you’re on someone else’s Wi-Fi network? If it happens to use WPA, that’s good, but since other people will know the password, your connection is somewhat more vulnerable to hacking than your own network would be. If the network uses no encryption or WEP—or if you want extra insurance on a public WPA network—you need to take matters into your own hands by using a VPN, as I describe next.

Note: Even without encrypted Wi-Fi, you can and should use encrypted connections to specific computers, such as email and Web servers (both covered in later chapters). But even if your connection to a certain server is encrypted, your Mac may still send and receive loads of other, unencrypted data. That’s why it’s always wise to use encrypted Wi-Fi.

Is Ethernet Safe Enough?

It’s easy to tap into wireless networks—even from a distance—completely undetected. Wired (Ethernet) networks pose a bigger challenge. Sure, someone might remotely hack into a router or server somewhere and use that connection as a way of monitoring traffic that passes through it, but doing so requires both expertise and luck.

Another approach, of course, is to insert a physical device somewhere on a network to capture and relay its traffic. That isn’t so much difficult as risky—you have to get physical access to the equipment or cabling, attach your device unseen, and make sure it’s never found later on.

In any case, the security of wired networks is not something you’d likely worry about for your home network unless you’re one of those Risk Level 4 people who might be targeted individually. (If you are, read on to learn about VPNs.)

On the other hand, I would absolutely worry about the security of a wired network when using my laptop in a hotel room, at a conference, or any other public access point. Those sorts of environments are just too easy—and too tempting—for the bad guys to penetrate, so I’d add on a VPN for extra protection.

Use VPNs and Similar Measures

A Virtual Private Network, or VPN, is a special type of network connection that encrypts all Internet traffic flowing between your device and a VPN server somewhere on the Internet. Think of a VPN as a tunnel running through your physical (Wi-Fi, cellular, or wired) Internet connection that’s impenetrable from the outside but open on both ends. Since VPNs encrypt everything, they even make it safe to use an unencrypted Wi-Fi connection.

With a VPN, your computer or other device appears to be on the same local network as the VPN server. So, for example, if that server is located in your employer’s data center, connecting to it gives your computer the same access to your corporate network that it would have if it were in the same building—access that would otherwise be blocked from the outside by a firewall. And your IP address will be assigned by the VPN, so if the VPN service is in, say, France but you’re physically in Los Angeles, your IP address will most likely appear (from the perspective of any server you connect to) to be in France.

Large corporations often run their own VPNs, and if you work for such a company, your IT people can explain how to get up and running. But ordinary Mac users can also take advantage of VPNs by signing up for any of numerous commercial services. Some (such as Hotspot Shield [9]) offer free, ad-supported VPN service, while others (such as Cloak [10], Disconnect Premium [11], VPN Unlimited [12], and WiTopia [13]) require paid subscriptions. A quick Web search will turn up numerous other options.

Macs have built-in VPN software, so in many cases, all you have to do is sign up for a service, enter a few settings (including your username and password), and click a button to activate the VPN (Figure 2). In cases where a VPN requires custom software, it’s nearly always a free (or free-with-purchase) download. In any case, the VPN service you select will provide detailed online instructions for setting up each of your devices.


Figure 2: OS X’s Network preference pane offers built-in support for three common VPN types—L2TP over IPsec, PPTP, and Cisco IPsec.

If you’re at Risk Level 1, a VPN is probably a waste of your time and effort. At Risk Level 2, consider using one when you’re connected to a public Wi-Fi hotspot or another untrusted network, like a hotel’s Ethernet. At Risk Level 3 or 4, you should probably use a VPN all the time. Yes, even at home! (Keep reading to find out about an interesting, if expensive, always-on VPN.)

VPNs are great, and I use them all the time on public Wi-Fi networks. However, I should mention a few qualifications:

  • In general, VPNs are active only when you explicitly turn them on. If your Mac goes to sleep, switches physical networks, or loses its connection, you may have to restart the VPN manually. In fact, even when you stay on the same physical network, VPN connections have a way of flaking out—sometimes without any obvious sign that you’ve lost your secure connection—just when you need them most. Pay attention to make sure you’re connected when you need to be.
  • VPNs protect your local Internet connection all the way to the VPN server—but not the entire path to the remote site or server you’re ultimately connecting to. Someone could still, theoretically, intercept the connection between the VPN server and the computer you’re trying to reach.
  • Certain types of VPNs (typically used in enterprise and education settings) split the traffic such that only data traveling to and from the institution’s network is encrypted, whereas access to the outside Internet remains unprotected.
  • Because of the overhead required to encrypt and decrypt data, VPNs are always slower than unencrypted connections. Whether that’s noticeable will depend on your hardware, software, VPN type, and the location of the server you connect to. But it could cause problems for activities that require lots of bandwidth or low latency, such as streaming video or fast-paced games.
  • In general, a VPN connection must be made individually from each device—and you may have devices (such as set-top boxes) that can’t use VPNs. A brilliant, if somewhat pricey, solution to this problem is the CloakBox Pro VPN Router [14] from WiTopia. It’s a router that makes a permanent VPN connection to any of numerous servers around the world, and then passes that encrypted connection to any devices you connect to it via Ethernet or Wi-Fi. I used one of these myself for a few years, and can vouch for its effectiveness. But bear in mind the impact on bandwidth and latency (above), which can be substantial and will affect your whole network.
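The two checks below are an added example, not code from the chapter or from Apple: they turn the WPA-versus-WEP advice above and the first caveat in this list (a VPN that has silently dropped) into something you can run from Terminal. It assumes the macOS `airport -I` tool prints a “link auth:” line and that `scutil --nc list` shows each Network-pane VPN as “(Connected)” or “(Disconnected)” with its name in double quotes; the sample output embedded in the script is constructed so it also runs where those tools are absent.

```shell
#!/bin/sh
# Added example (not from the chapter, Apple, or any VPN vendor): is this
# Wi-Fi link WPA or WEP/open, and is each configured VPN actually connected?
# Assumptions: `airport -I` prints a "link auth:" line; `scutil --nc list`
# prints one line per VPN with "(Connected)"/"(Disconnected)" and the name
# in double quotes. Parsers read stdin, so saved output works too.

AIRPORT=/System/Library/PrivateFrameworks/Apple80211.framework/Versions/Current/Resources/airport

# wifi_grade: classify the "link auth:" value found in `airport -I` output.
wifi_grade() {
  auth=$(sed -n 's/^[[:space:]]*link auth:[[:space:]]*//p' | head -n 1)
  case "$auth" in
    wpa*) echo "OK ($auth)" ;;        # any WPA/WPA2 flavour is acceptable
    wep*) echo "WEAK ($auth)" ;;      # WEP: treat as unencrypted
    none) echo "OPEN" ;;              # no encryption at all
    "")   echo "NOT ASSOCIATED" ;;    # no "link auth" line: not on Wi-Fi
    *)    echo "UNKNOWN ($auth)" ;;
  esac
}

# vpn_names: the double-quoted service names from `scutil --nc list` output.
vpn_names() { sed -n 's/.*"\([^"]*\)".*/\1/p'; }

# vpn_connected NAME: succeed only if NAME's line shows "(Connected)".
# The parentheses matter: "(Disconnected)" must not match.
vpn_connected() { grep -F "\"$1\"" | grep -q '(Connected)'; }

# Constructed sample output, used when the real tools are not available.
SAMPLE_WIFI='          state: running
      link auth: wpa2-psk
           SSID: HomeNet'
SAMPLE_VPN='Available network connection services in the current set (*=enabled):
* (Disconnected)     00000000-AAAA-BBBB-CCCC-000000000001 PPP --> L2TP "Work VPN" [PPP:L2TP]
* (Connected)        00000000-AAAA-BBBB-CCCC-000000000002 IPSec "Cloak VPN" [IPSec]'

if [ -x "$AIRPORT" ]; then wifi=$("$AIRPORT" -I); else wifi=$SAMPLE_WIFI; fi
if command -v scutil >/dev/null 2>&1; then vpns=$(scutil --nc list); else vpns=$SAMPLE_VPN; fi

echo "Wi-Fi encryption: $(printf '%s\n' "$wifi" | wifi_grade)"
printf '%s\n' "$vpns" | vpn_names | while IFS= read -r name; do
  if printf '%s\n' "$vpns" | vpn_connected "$name"; then
    echo "VPN \"$name\": connected"
  else
    echo "VPN \"$name\": NOT connected; traffic is leaving this Mac unprotected"
  fi
done
```

Run it after waking the Mac or changing networks; a “NOT connected” line is the silent drop the caveat above warns about.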

I’ll mention another, related option here: proxy servers. A proxy server, like a VPN, can disguise your physical location by routing your Internet connection through a device somewhere else in the world. Some proxy servers do additional tricks, such as filtering or caching data. But proxy servers by themselves don’t offer the encryption of VPNs, so although they might keep your identity private from the server on the other end, they are less likely to improve privacy in your immediate vicinity. Some services, like NetShade [15], offer your choice of proxy or VPN services.

DNS Security

Yet another potential network threat—albeit not a very common one—is someone messing with DNS (domain name system) settings in one way or another. For example, if your Mac connected to a compromised DNS server, it could send you to a fake, malicious Web site even when you correctly enter the domain name of the site you’re trying to connect to. I discuss this category of threats, and how to protect yourself from them, in Take Control of Your Online Privacy [16].


[1]: http://tidbits.com/article/15376
[2]: http://tidbits.com/article/15377
[3]: http://tidbits.com/member_benefits.html
[4]: http://tidbits.com/article/15375
[5]: http://www.takecontrolbooks.com/online-privacy?pt=INTERNAL
[6]: http://tidbits.com/article/15458#IsEthernetSafeEnough
[7]: http://www.takecontrolbooks.com/apple-wifi?pt=INTERNAL
[8]: http://tidbits.com/article/15439#WiFiPasswords
[9]: http://www.hotspotshield.com/
[10]: https://www.getcloak.com/
[11]: https://disconnect.me/
[12]: https://www.vpnunlimitedapp.com/
[13]: https://www.witopia.net/
[14]: https://www.witopia.net/products/
[15]: http://www.raynersw.com/netshade.php
[16]: http://www.takecontrolbooks.com/online-privacy?pt=INTERNAL
[17]: http://tidbits.com/article/15375
[18]: http://tidbits.com/article/15376
[19]: http://tidbits.com/article/15377
[20]: http://tidbits.com/article/15407
[21]: http://tidbits.com/article/15421
[22]: http://tidbits.com/article/15439
[23]: http://tidbits.com/article/15458
[24]: http://tidbits.com/article/15471
[25]: http://tidbits.com/article/15495
[26]: http://tidbits.com/article/15512
[27]: http://tidbits.com/article/15532
[28]: http://tidbits.com/article/15557