• Re: Mac addresses / Multiple airports

    From Bobby Janow@bjanow@msn.com to comp.sys.mac.system on Monday, July 07, 2003 15:56:43
    From Newsgroup: comp.sys.mac.system

    That, of course, is my second dilemma. I still need to be able to input all
    my mac addresses easily. As for the encryption, do you suggest WEP or VPN?
    If the latter, how would I authenticate in a mac environment? It is not a possibility to lose the wireless due to circumstances beyond my control.

    Bobby

    "Wesley Groleau" <wesgroleau@despammed.com> wrote in message news:JtGcndJYDL6dGpSiXTWJjw@gbronline.com...
    > Bobby Janow wrote:
    > > year, is there anything else I can do to increase security from outside
    > > our
    >
    > Yes. Lose the wireless. Or else make sure
    > _everything_ it does is encrypted.



    --- Synchronet 3.18b-Win32 NewsLink 1.113
  • From Tom Harrington@tph@pcisys.no.spam.dammit.net to comp.sys.mac.system on Monday, July 07, 2003 11:22:41

    In article <wBhOa.51719$n%5.528@nwrddc02.gnilink.net>,
    "Bobby Janow" <bjanow@msn.com> wrote:

    > I have a question about WEP. There is no wep enabled on these base stations
    > and I'm wondering if it's really necessary. Remember, I'm dealing with a
    > teacher and a lot of middle school students. The only traffic that would be
    > sniffed is internet web stuff and maybe a term paper or two. Each laptop
    > would need to enter the wep key meaning possible phone calls to me when they
    > can't connect. Your thoughts?

    My thoughts are that it's good to use whatever's available to keep
    things secure, although you shouldn't put too much faith in WEP. WEP
    isn't hard to break for anyone who wants to do it. And in an
    environment where both teachers and students will be using it, the key
    is probably not going to remain secret for very long anyway. So it may
    be better in this case to skip on it. In either case, you'd want to
    make sure that users understand they can be listened to while using the system.

    --
    Tom "Tom" Harrington
    Macaroni, Automated System Maintenance for Mac OS X.
    Version 1.4: Best cleanup yet, gets files other tools miss.
    See http://www.atomicbird.com/
  • From Wesley Groleau@wesgroleau@despammed.com to comp.sys.mac.system on Monday, July 07, 2003 16:01:00

    Bobby Janow wrote:
    > and I'm wondering if it's really necessary. Remember, I'm dealing with a
    > teacher and a lot of middle school students. The only traffic that would be
    > sniffed is internet web stuff and maybe a term paper or two. Each laptop

    If I were in your position, I would not be
    concerned about that being stolen. Passwords,
    though, allowing one bad-attitude student to
    trash another's work some night.....

  • From Bev A. Kupf@bevakupf@ebv.mimnet.northwestern.edu to comp.sys.mac.system on Monday, July 07, 2003 21:24:18

    On Mon, 07 Jul 2003 16:01:00 -0500,
    Wesley Groleau (wesgroleau@despammed.com) wrote:
    > Bobby Janow wrote:
    > > and I'm wondering if it's really necessary. Remember, I'm dealing with a
    > > teacher and a lot of middle school students. The only traffic that would be
    > > sniffed is internet web stuff and maybe a term paper or two. Each laptop
    >
    > If I were in your position, I would not be
    > concerned about that being stolen. Passwords,
    > though, allowing one bad-attitude student to
    > trash another's work some night.....

    This is an issue that is outside of the security of WEP. A bad or broken
    WEP password is not going to give one student access to another student's
    HD. Especially in this case, where ALL the iBooks will have the same
    WEP password. An easy to break WEP key will give an intruder access to
    the network ...... but doesn't do much for someone who is already on the network.

    A poorly chosen password for filesharing will give one student access to
    the other's iBook irrespective of whether they see each other over a
    WLAN or an ethernet LAN.

    Bev
    --
    Bev A. Kupf
    Bev's House of Pancakes
  • From Bev A. Kupf@bevakupf@ebv.mimnet.northwestern.edu to comp.sys.mac.system on Monday, July 07, 2003 21:31:40

    On Mon, 07 Jul 2003 15:58:21 -0500,
    Wesley Groleau (wesgroleau@despammed.com) wrote:
    > I did use a Cisco VPN to connect to my employer's intranet.
    > It was quite easy to set up the OS X end. But I know nothing
    > about what they did on the other end.

    There are situations where VPNs create security risks. Let me
    describe a situation to you. My PC and Mac at home are behind a
    NAT'ing router. I have SMB turned on both so that they can
    file share with each other. The computers are on a private LAN so
    computers on the internet cannot see them (non-routable addresses)

    This weekend I VPNed into University's VPN concentrator. This
    gives my Mac an IP address that is no longer a non-routable address,
    but one that can be seen on the Internet. I left to prepare lunch,
    came back 30 minutes later, and ran 'netstat -p tcp -n' in a Terminal
    window -- lo and behold someone from an Italian DSL site had connected
    to the SMB server on my Mac (under OS X), and was trying to login ....

    So that's a situation where by being VPNed into the Univ's network,
    I made my Mac *less* secure than just being behind a NATed router.

    There is a better description of this at the following URL: http://www.tss.northwestern.edu/vpn/issues_vpn.html#nat-security

    Bev
    --
    Bev A. Kupf
    Bev's House of Pancakes
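    The check Bev ran by hand with 'netstat -p tcp -n' can be scripted, so that the question "which of my listening services did the VPN address just open to the Internet?" is answered before lunch rather than after. The following is an added example written for this edit, not code from anyone in the thread. The netstat lines and the interface table are constructed; the tunnel interface name ppp0 is hypothetical, and the 203.0.113.0/24 documentation range stands in for whatever routable address the concentrator assigns. "Non-routable" is taken as in the post: RFC 1918 space, loopback and link-local.

```python
import ipaddress

# Constructed sample in the column layout of BSD/macOS `netstat -an`
# (proto, recv-q, send-q, local address, foreign address, state); not real output.
SAMPLE_NETSTAT = """\
tcp4       0      0  *.139                  *.*                    LISTEN
tcp4       0      0  *.548                  *.*                    LISTEN
tcp4       0      0  192.168.1.20.631       *.*                    LISTEN
tcp4       0      0  127.0.0.1.3306         *.*                    LISTEN
tcp4       0      0  192.168.1.20.49152     203.0.113.9.80         ESTABLISHED
"""

# Constructed interface table (name -> address). en1 is the home LAN behind the
# NAT router; ppp0 (hypothetical name) carries the address the VPN concentrator
# hands out, here a documentation-range address standing in for a real one.
SAMPLE_INTERFACES = {
    "lo0": "127.0.0.1",
    "en1": "192.168.1.20",
    "ppp0": "203.0.113.45",
}

# "Non-routable" in the sense used in the post: RFC 1918 private space,
# plus loopback and link-local, which no Internet host can reach directly.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16",
)]


def is_routable(addr):
    """True if addr is outside the private/loopback/link-local ranges."""
    ip = ipaddress.ip_address(addr)
    return not any(ip in net for net in NON_ROUTABLE)


def parse_listeners(text):
    """Return (proto, bind_addr, port) for every LISTEN line.
    BSD netstat joins address and port with the last '.', so split there."""
    listeners = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 6 or parts[-1] != "LISTEN":
            continue
        bind_addr, _, port = parts[3].rpartition(".")
        listeners.append((parts[0], bind_addr, int(port)))
    return listeners


def reachable_via(bind_addr, interfaces):
    """Interfaces through which a socket bound to bind_addr accepts connections.
    A wildcard ('*') bind answers on every interface, the tunnel included."""
    if bind_addr == "*":
        return sorted(interfaces)
    return sorted(name for name, a in interfaces.items() if a == bind_addr)


def exposed_listeners(netstat_text, interfaces):
    """Listeners reachable through an interface holding a routable address,
    i.e. the services the VPN address silently opened to the Internet."""
    exposed = []
    for _proto, bind_addr, port in parse_listeners(netstat_text):
        for name in reachable_via(bind_addr, interfaces):
            if is_routable(interfaces[name]):
                exposed.append((port, name, interfaces[name]))
    return sorted(exposed)


if __name__ == "__main__":
    for port, name, addr in exposed_listeners(SAMPLE_NETSTAT, SAMPLE_INTERFACES):
        print(f"port {port} is reachable via {name} ({addr})")
```

    On the sample, the SMB listener on 139 and the AFP listener on 548 are flagged because they are bound to the wildcard address and so answer on the tunnel too; the printer service bound to the LAN address and the loopback-only listener are not. The remedies that come up later in the thread (filtering on the tunnel interface, a personal firewall, or binding services to the LAN address only) all work by making this list empty.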
  • From nmassello@nmassello@earthlink.net (Neill Massello) to comp.sys.mac.system on Monday, July 07, 2003 21:32:28

    Bobby Janow <bjanow@msn.com> wrote:

    > I've been put in charge of entering 75 iBook mac addresses into 7 airport
    > base stations. I have been given all the addresses on a spreadsheet (excel).
    > Is there a way to input all those addresses in one fell swoop on each of the
    > airports? Bear with me here people, I'm a PC guy but have a decent working
    > knowledge of OSX and 9.X. The iBook given to me has 10.2 on it. I can
    > connect to the base stations with no problem.

    In Excel, arrange the columns with the MAC addresses (in hexadecimal
    format with five colons -- one between each hexadecimal pair) in the
    first column and the names of the machines in the second column. To
    create a tab-delimited text file, either copy the range of cells and
    paste them into your text editor or use Excel's "Save As..." command (in
    the File menu) to export the entire file as a tab-delimited text file.

    Launch AirPort Admin Utility (AAU) and double-click one of the names in
    the list. Click the Show All Settings button, then the Access tab, and
    then the Import button. Navigate to your text file of MAC addresses.

    AAU can configure multiple base stations simultaneously, but as I've
    never done this, I can't tell you which, if any, of the settings in each
    base station will be overwritten and which left intact. When you have
    made all your settings, save the configuration as a file by using "Save
    a Copy As..." in AAU's File menu. Then, in the Select Base Station
    window, select all the base stations you want to configure, click the
    Multiple icon in the toolbar, and navigate to the saved baseconfig file.
    (You can also use AAU to edit this file, but to apply the changes, you
    must "Import..." the changed file when you are in a particular station's configuration window or do the "Configure multiple..." thing again.)


    > One reason this task was given to me was because I would like to secure the
    > internal network a bit. The teacher refuses to do the work (union
    > complaints) but I won't go down that road. Considering the size of the task
    > and the fact that 12-14 year olds will be using the iBooks during the school
    > year, is there anything else I can do to increase security from outside our
    > network. We are natted to an internal 10. network with a firewall blocking
    > most incoming ports. We use a DHCP server.

    In AAU's AirPort pane, click the "WAN Privacy..." button and uncheck everything; and give the base stations a password that can't be guessed
    easily.
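    Neill's procedure (MAC in the first column with five colons, machine name in the second, tab-delimited) is easy to get wrong across 75 rows pasted from a spreadsheet: a dropped digit or a MAC typed twice only shows up when one iBook can't associate. The following is an added example for this edit, not code from the thread or from Apple; it turns a constructed CSV export of the inventory into the import file and rejects malformed or duplicate entries first. Column names, the upper-case output and the sample addresses are assumptions; the thread does not say which case AAU expects.

```python
import csv
import io
import re

# Constructed sample of an Excel CSV export of the iBook inventory, with the
# mix of MAC spellings that tends to accumulate in a shared spreadsheet.
# Column names are assumed; 00:03:93 is an Apple OUI, the rest is made up.
SAMPLE_CSV = """\
Asset,MAC,Location
iBook-01,0003930A1B2C,Room 12
iBook-02,00:03:93:0a:1b:2d,Room 12
iBook-03,00-03-93-0A-1B-2E,Room 14
iBook-04,0003930A1B2,Room 14
iBook-05,00:03:93:0A:1B:2C,Room 15
"""

HEX12 = re.compile(r"^[0-9A-F]{12}$")


def normalize_mac(raw):
    """Strip ':' '-' '.' and whitespace, upper-case, require exactly 12 hex
    digits, and return the five-colon form AAU imports, or None if malformed."""
    digits = re.sub(r"[\s:\-.]", "", raw).upper()
    if not HEX12.match(digits):
        return None
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def build_import_rows(csv_text, mac_col="MAC", name_col="Asset"):
    """Return (rows, problems): rows are (mac, name) pairs ready for the
    tab-delimited import file; problems describes every rejected line.
    Line numbers count the header as line 1, matching the spreadsheet."""
    rows, problems, seen = [], [], {}
    for n, rec in enumerate(csv.DictReader(io.StringIO(csv_text)), start=2):
        mac = normalize_mac(rec[mac_col])
        name = rec[name_col].strip()
        if mac is None:
            problems.append(f"line {n}: malformed MAC {rec[mac_col]!r}")
        elif mac in seen:
            problems.append(f"line {n}: {mac} duplicates line {seen[mac]} ({name})")
        else:
            seen[mac] = n
            rows.append((mac, name))
    return rows, problems


def to_tab_delimited(rows):
    """MAC<TAB>name per line, the layout Neill describes for AAU's Import."""
    return "".join(f"{mac}\t{name}\n" for mac, name in rows)


if __name__ == "__main__":
    rows, problems = build_import_rows(SAMPLE_CSV)
    for p in problems:
        print("REJECTED", p)
    # Only write the file when every row is clean, so a half-good list never
    # gets pushed to seven base stations.
    if not problems:
        with open("ibook-macs.txt", "w") as fh:
            fh.write(to_tab_delimited(rows))
    else:
        print(to_tab_delimited(rows), end="")
```

    With the sample, three rows come out clean, the eleven-digit address on line 5 is rejected, and line 6 is reported as a duplicate of line 2. Bobby reports further down that AAU's import inserted the colons for him, so the normalisation is a convenience; the validation and duplicate check are the part worth keeping.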
  • From nmassello@nmassello@earthlink.net (Neill Massello) to comp.sys.mac.system on Monday, July 07, 2003 21:32:33

    Bobby Janow <bjanow@msn.com> wrote:

    > I have a question about WEP. There is no wep enabled on these base stations
    > and I'm wondering if it's really necessary. Remember, I'm dealing with a
    > teacher and a lot of middle school students.

    In that environment -- a floating base of inexpert users -- WEP will be
    a headache. I suggest you follow the KISS principle and keep the network
    open and unencrypted. Access control (MAC) should be enough.
  • From nmassello@nmassello@earthlink.net (Neill Massello) to comp.sys.mac.system on Monday, July 07, 2003 21:32:39

    Tom Harrington <tph@pcisys.no.spam.dammit.net> wrote:

    > Using Apple's "Airport Admin Utility" application, you can save base
    > station configurations to a file, or upload a saved configuration. You
    > could enter the addresses in one base station, save the result, and then
    > upload it to the others.

    Note that "Upload", in AirPort Admin Utility's jargon, means flashing
    the base station's firmware. If you just want to change the
    configuration, use "Import" or "Configure multiple".
  • From Frederick Cheung@fglc2@srcf.DUH.ucam.org to comp.sys.mac.system on Monday, July 07, 2003 23:00:29

    On 7 Jul 2003, Bev A. Kupf wrote:

    > On Mon, 07 Jul 2003 15:58:21 -0500,
    > Wesley Groleau (wesgroleau@despammed.com) wrote:
    > > I did use a Cisco VPN to connect to my employer's intranet.
    > > It was quite easy to set up the OS X end. But I know nothing
    > > about what they did on the other end.
    >
    > There are situations where VPNs create security risks. Let me
    > describe a situation to you. My PC and Mac at home are behind a
    > NAT'ing router. I have SMB turned on both so that they can
    > file share with each other. The computers are on a private LAN so
    > computers on the internet cannot see them (non-routable addresses)
    >
    > This weekend I VPNed into University's VPN concentrator. This
    > gives my Mac an IP address that is no longer a non-routable address,
    > but one that can be seen on the Internet. I left to prepare lunch,
    > came back 30 minutes later, and ran 'netstat -p tcp -n' in a Terminal
    > window -- lo and behold someone from an Italian DSL site had connected
    > to the SMB server on my Mac (under OS X), and was trying to login ....
    >
    > So that's a situation where by being VPNed into the Univ's network,
    > I made my Mac *less* secure than just being behind a NATed router.


    You could run natd on your mac (obviously you'd only want it handling the interface corresponding to your tunnel)

    Fred

  • From Tom Harrington@tph@pcisys.no.spam.dammit.net to comp.sys.mac.system on Monday, July 07, 2003 16:28:47

    In article <slrnbgjpls.mai.bevakupf@ebv.mimnet.northwestern.edu>,
    "Bev A. Kupf" <bevakupf@ebv.mimnet.northwestern.edu> wrote:

    > On Mon, 07 Jul 2003 15:58:21 -0500,
    > Wesley Groleau (wesgroleau@despammed.com) wrote:
    > > I did use a Cisco VPN to connect to my employer's intranet.
    > > It was quite easy to set up the OS X end. But I know nothing
    > > about what they did on the other end.
    >
    > There are situations where VPNs create security risks. Let me
    > describe a situation to you. My PC and Mac at home are behind a
    > NAT'ing router. I have SMB turned on both so that they can
    > file share with each other. The computers are on a private LAN so
    > computers on the internet cannot see them (non-routable addresses)
    >
    > This weekend I VPNed into University's VPN concentrator. This
    > gives my Mac an IP address that is no longer a non-routable address,
    > but one that can be seen on the Internet. I left to prepare lunch,
    > came back 30 minutes later, and ran 'netstat -p tcp -n' in a Terminal
    > window -- lo and behold someone from an Italian DSL site had connected
    > to the SMB server on my Mac (under OS X), and was trying to login ....

    Well, that's VPN all right. Connecting via VPN makes you part of the
    remote network you're connecting to, and renders you as safe-- or
    threatened-- as that network. Most companies would have had some kind
    of firewall to prevent such access to their internal machines, and would therefore have avoided this problem. I'm not sure that VPN is even
    useful on a network that's already as open as the one you describe.

    --
    Tom "Tom" Harrington
    Macaroni, Automated System Maintenance for Mac OS X.
    Version 1.4: Best cleanup yet, gets files other tools miss.
    See http://www.atomicbird.com/
  • From Bobby Janow@bjanow@msn.com to comp.sys.mac.system on Monday, July 07, 2003 22:51:42

    That is correct Tom. There should be a firewall at the remote end to prevent any traffic from getting out through the tunnel other than trusted. Traffic should only be allowed from the internal, trusted network to the remote user VPN. If they do have a firewall it needs to be reconfigured to at least
    block incoming SMB traffic (as well as most incoming ports). If that is not possible the end user should have a personal firewall on their machine.

    bJ


    "Tom Harrington" <tph@pcisys.no.spam.dammit.net> wrote in message news:tph-786950.16284707072003@localhost...
    > In article <slrnbgjpls.mai.bevakupf@ebv.mimnet.northwestern.edu>,
    > "Bev A. Kupf" <bevakupf@ebv.mimnet.northwestern.edu> wrote:
    > Well, that's VPN all right. Connecting via VPN makes you part of the
    > remote network you're connecting to, and renders you as safe-- or
    > threatened-- as that network. Most companies would have had some kind
    > of firewall to prevent such access to their internal machines, and would
    > therefore have avoided this problem. I'm not sure that VPN is even
    > useful on a network that's already as open as the one you describe.



  • From Bobby Janow@bjanow@msn.com to comp.sys.mac.system on Monday, July 07, 2003 23:02:13

    The first thing I did was click on the "enter this workstation" (something
    like that) in the mac address area. When it did this it entered it as the 12 hex digits with colons between each 2. So I went through the spreadsheet and started putting in colons. After about 2 or 3 of them I said to myself,
    "this is crazy", no way am I going to put in all these colons. So I saved
    the file as a csv (text) file and imported, just to see what would happen.
    It imported every mac address and put the colons in for me!! My face hurt
    from smiling so hard.

    bJ

    "Neill Massello" <nmassello@earthlink.net> wrote in message news:1fxqa0d.3hy3501vwe30sN%nmassello@earthlink.net...
    > Bobby Janow <bjanow@msn.com> wrote:
    > In Excel, arrange the columns with the MAC addresses (in hexadecimal
    > format with five colons -- one between each hexadecimal pair) in the
    > first column and the names of the machines in the second column. To
    > create a tab-delimited text file, either copy the range of cells and
    > paste them into your text editor or use Excel's "Save As..." command (in
    > the File menu) to export the entire file as a tab-delimited text file.


  • From Bobby Janow@bjanow@msn.com to comp.sys.mac.system on Monday, July 07, 2003 23:09:27

    I'm really not that concerned about filesharing at the school. I was more concerned about a roaming user driving by and attaching to the internal
    network due to the fact that there is a dhcp server there. There are student records that can be accessed if a user is sophisticated enough and I just
    want to prevent some of those potential breaches if possible. At some point
    in the near future I will be implementing VLANs to secure that part and then
    I won't be so worried.

    I've been fooling with an Aironet 1200 too and there is a way to VLAN the network so that some users have internal access to servers and other users
    will have access to http only. But that's a project for after the summer.

    bJ
    "Bev A. Kupf" <bevakupf@ebv.mimnet.northwestern.edu> wrote in message news:slrnbgjp82.mai.bevakupf@ebv.mimnet.northwestern.edu...
    > A poorly chosen password for filesharing will give one student access to
    > the other's iBook irrespective of whether they see each other over a
    > WLAN or an ethernet LAN.
    >
    > Bev
    > --
    > Bev A. Kupf
    > Bev's House of Pancakes


  • From Bev A. Kupf@bevakupf@ebv.mimnet.northwestern.edu to comp.sys.mac.system on Tuesday, July 08, 2003 00:04:17

    On Mon, 07 Jul 2003 23:09:27 GMT,
    Bobby Janow (bjanow@msn.com) wrote:
    > I'm really not that concerned about filesharing at the school. I was more
    > concerned about a roaming user driving by and attaching to the internal
    > network due to the fact that there is a dhcp server there. There are
    > student records that can be accessed if a user is sophisticated enough and
    > I just want to prevent some of those potential breaches if possible.

    If this is a concern, you should do two things:
    a) implement WEP
    b) restrict WLAN access to a defined list of MAC addresses (which
    from other messages it appears you will be doing)

    In my experience, "b", by itself is not sufficient. There are plenty
    of operating systems that allow the MAC address of the wireless card
    to be changed. "a" by itself is not very robust to keep a person out
    either. A combination of "a" and "b" is better than either alone.

    Take care, and good luck with this project!
    Bev

    --
    Bev A. Kupf
    Bev's House of Pancakes
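    Bev's point that the MAC list alone is not sufficient has a defensive corollary: the DHCP server Bobby is worried about is also the place where a client that got past the filter leaves a record. The following is an added example for this edit, not code from the thread; it audits constructed DHCP server log lines against the same allow-list the base stations hold and reports two things: leases handed to addresses that are not on the list, and listed addresses that show up with more than one IP or hostname, which is what a copied MAC looks like from the server's side. The syslog format follows ISC dhcpd's DHCPACK lines; the thread never names the school's DHCP server, so that and the 10.0.5.x addresses are assumptions.

```python
import re
from collections import defaultdict

# Constructed allow-list in the same five-colon form as the AAU import file.
# 00:03:93 is an Apple OUI; the remaining digits are made up.
ALLOWED_MACS = {
    "00:03:93:0A:1B:2C",  # iBook-01
    "00:03:93:0A:1B:2D",  # iBook-02
    "00:03:93:0A:1B:2E",  # iBook-03
}

# Constructed syslog lines in ISC dhcpd's DHCPACK layout; not real log data.
# The third line is a lease to an address that is not on the list; the fourth
# is a listed address re-appearing with a different IP and hostname.
SAMPLE_LOG = """\
Jul  7 15:56:43 gw dhcpd: DHCPACK on 10.0.5.21 to 00:03:93:0a:1b:2c (ibook-01) via en1
Jul  7 15:57:10 gw dhcpd: DHCPACK on 10.0.5.22 to 00:03:93:0a:1b:2d (ibook-02) via en1
Jul  7 15:58:02 gw dhcpd: DHCPACK on 10.0.5.40 to 00:0d:93:5e:77:01 via en1
Jul  7 16:03:55 gw dhcpd: DHCPACK on 10.0.5.23 to 00:03:93:0a:1b:2c (laptop) via en1
Jul  7 16:04:12 gw dhcpd: DHCPDISCOVER from 00:0d:93:5e:77:01 via en1
"""

# "DHCPACK on <ip> to <mac> (<hostname>) via <if>"; the hostname is optional
# because dhcpd omits it when the client sends none.
ACK_RE = re.compile(
    r"DHCPACK on (?P<ip>\d+\.\d+\.\d+\.\d+) to "
    r"(?P<mac>(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2})"
    r"(?: \((?P<host>[^)]*)\))?"
)


def parse_acks(log_text):
    """Yield (ip, MAC in upper case, hostname or '') for every DHCPACK line."""
    for line in log_text.splitlines():
        m = ACK_RE.search(line)
        if m:
            yield m["ip"], m["mac"].upper(), m["host"] or ""


def audit_leases(log_text, allowed):
    """Return (unknown, cloned):
    unknown - sorted (mac, ip) pairs for leases to MACs not on the allow-list
    cloned  - {mac: [(ip, host), ...]} for listed MACs seen with >1 (ip, host)"""
    unknown = set()
    seen = defaultdict(set)
    for ip, mac, host in parse_acks(log_text):
        if mac not in allowed:
            unknown.add((mac, ip))
        else:
            seen[mac].add((ip, host))
    cloned = {mac: sorted(v) for mac, v in seen.items() if len(v) > 1}
    return sorted(unknown), cloned


def summarize(log_text, allowed):
    """Human-readable findings, one per line."""
    unknown, cloned = audit_leases(log_text, allowed)
    lines = [f"lease to unlisted MAC {mac} at {ip}" for mac, ip in unknown]
    for mac, uses in cloned.items():
        detail = ", ".join(f"{ip} ({host or 'no hostname'})" for ip, host in uses)
        lines.append(f"listed MAC {mac} seen as: {detail}")
    return lines


if __name__ == "__main__":
    for line in summarize(SAMPLE_LOG, ALLOWED_MACS):
        print(line)
```

    A listed address turning up with a second IP is not proof of anything on its own; a lease that expired and was reissued looks the same. The check is there to give someone a short list to look at, which is the most MAC filtering plus logging can offer once the address itself can be changed. Note that the DHCPDISCOVER line is deliberately ignored: a client that asks but is never acknowledged has not got onto the network.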
  • From Bobby Janow@bjanow@msn.com to comp.sys.mac.system on Tuesday, July 08, 2003 01:25:23

    I'm afraid you're right. Thanks again for all your valuable input. Everyone here has been a wonderful help to me. This is a very friendly newsgroup, I'm glad I stopped by.

    Bobby J.
    "Bev A. Kupf" <bevakupf@ebv.mimnet.northwestern.edu> wrote in message news:slrnbgk2k1.mj9.bevakupf@ebv.mimnet.northwestern.edu...
    > On Mon, 07 Jul 2003 23:09:27 GMT,
    > If this is a concern, you should do two things:
    > a) implement WEP
    > b)


  • From Wesley Groleau@wesgroleau@despammed.com to comp.sys.mac.system on Monday, July 07, 2003 22:44:47

    Bev A. Kupf wrote:
    > This weekend I VPNed into University's VPN concentrator. This
    > gives my Mac an IP address that is no longer a non-routable address,
    > but one that can be seen on the Internet. I left to prepare lunch,
    > came back 30 minutes later, and ran 'netstat -p tcp -n' in a Terminal
    > window -- lo and behold someone from an Italian DSL site had connected
    > to the SMB server on my Mac (under OS X), and was trying to login ....
    >
    > So that's a situation where by being VPNed into the Univ's network,
    > I made my Mac *less* secure than just being behind a NATed router.

    Hmmm. That couldn't happen with the setup we had.
    When I fired up the "connect to office" script,
    the VPN KEXT began encrypting ALL ip packets, and
    only the concentrator in Boston (or Dallas) could
    decrypt them. Effectively, I was inside the company's
    firewall, and could not talk to my own ISP even though
    they were passing the packets to the concentrator for me.

  • From wheat@harvest-this@mail.utexas.edu to comp.sys.mac.system on Tuesday, July 08, 2003 10:07:46

    Bev A. Kupf wrote:
    > On Mon, 07 Jul 2003 16:28:47 -0600,
    > Tom Harrington (tph@pcisys.no.spam.dammit.net) wrote:
    > > Well, that's VPN all right. Connecting via VPN makes you part of the
    > > remote network you're connecting to, and renders you as safe-- or
    > > threatened-- as that network.
    >
    > Precisely my point ...
    >
    > > Most companies would have had some kind
    > > of firewall to prevent such access to their internal machines, and would
    > > therefore have avoided this problem. I'm not sure that VPN is even
    > > useful on a network that's already as open as the one you describe.
    >
    > And most Universities don't. The one thing that VPN lets me do is
    > literature searches for research articles from home. The database
    > that Northwestern subscribes to (Ovid) is access limited to IP addresses
    > from the Northwestern campus (129.105.0.0 and 165.124.0.0). Without
    > VPN I couldn't access this research resource from home.
    >
    > Bev

    It looks like they also use a proxy, which is a way to provide service
    to off-campus sites with authorization. This is a much faster solution
    and is good for non-secure traffic.

  • From Tom Harrington@tph@pcisys.no.spam.dammit.net to comp.sys.mac.system on Tuesday, July 08, 2003 10:49:32

    In article <58-dnbIr3aqoo5eiU-KYgw@gbronline.com>,
    Wesley Groleau <wesgroleau@despammed.com> wrote:

    > Bev A. Kupf wrote:
    > > This weekend I VPNed into University's VPN concentrator. This
    > > gives my Mac an IP address that is no longer a non-routable address,
    > > but one that can be seen on the Internet. I left to prepare lunch,
    > > came back 30 minutes later, and ran 'netstat -p tcp -n' in a Terminal
    > > window -- lo and behold someone from an Italian DSL site had connected
    > > to the SMB server on my Mac (under OS X), and was trying to login ....
    > >
    > > So that's a situation where by being VPNed into the Univ's network,
    > > I made my Mac *less* secure than just being behind a NATed router.
    >
    > Hmmm. That couldn't happen with the setup we had.
    > When I fired up the "connect to office" script,
    > the VPN KEXT began encrypting ALL ip packets, and
    > only the concentrator in Boston (or Dallas) could
    > decrypt them. Effectively, I was inside the company's
    > firewall, and could not talk to my own ISP even though
    > they were passing the packets to the concentrator for me.

    Whether that could or could not happen in your setup is not really
    related to whether the packets are encrypted between you and the
    company's network. What's described above is a case where the remote network-- in your case, I guess a company-- is not firewalled from the internet. By becoming part of that network, you become as secure or
    insecure as that network, and if the firewall's remote or ineffective,
    you're as vulnerable as the rest of the network.

    --
    Tom "Tom" Harrington
    Macaroni, Automated System Maintenance for Mac OS X.
    Version 1.4: Best cleanup yet, gets files other tools miss.
    See http://www.atomicbird.com/
  • From Wesley Groleau@wesgroleau@despammed.com to comp.sys.mac.system on Tuesday, July 08, 2003 21:40:25

    Tom Harrington wrote:
    > company's network. What's described above is a case where the remote
    > network-- in your case, I guess a company-- is not firewalled from the
    > internet. By becoming part of that network, you become as secure or
    > insecure as that network, and if the firewall's remote or ineffective,
    > you're as vulnerable as the rest of the network.

    OK, I understand. In that case, it wasn't VPN
    that made the Mac insecure, it was connecting it
    to an insecure network.
