created 15 June 2000
Networking in the Public Beta
With the public beta of OSX fast approaching, there are more than a few network administrators asking, "What will OSX do for me?" Well, the answer is, quite a lot.
At the OS level, OSX fixes a number of annoyances that have been a part of the MacOS for a long time. The first one is the limitation on the number of active network interfaces. As it currently stands, you can only have one interface per protocol active. This means that if you have two Ethernet cards, TCP/IP can only use one of them, and the same goes for AppleTalk. Now, you could have AppleTalk on one card, and TCP/IP on the other, but still, you couldn't have both cards running TCP/IP and AppleTalk. The only way around this is to use a third party product, such as IPNetRouter or SoftRouter, or to use AppleShareIP (which only lets you get around this with AppleTalk, not TCP/IP). This ability to use multiple network interfaces simultaneously is called multilink multihoming, and as I said, the lack of this ability has been a severe limitation of the MacOS for as long as it has had networking.
(Technically, this is not a limitation of the MacOS networking subsystem, aka Open Transport. Open Transport does allow you to have multiple active interfaces, otherwise things like SoftRouter and IPNetRouter wouldn't be able to work. More accurately, it is the AppleTalk and TCP/IP control panels that don't allow you to do this.)
OSX fixes this. With OSX, the user interface for the networking subsystem will allow you to select multiple network interfaces and give them their own TCP/IP addresses, subnet masks, etc., and they will all work. Better still, you will be able to set up OSX to forward IP packets between interfaces, allowing it to act as a very simple router. So, for administrators wanting to set up the server version of OSX, you'll be able to set up, for example, a Gigabit Ethernet or ATM card, and set it to only communicate on a server subnet, where you would want clean, high-speed connections. You could then set up another Gigabit card, or a 100Mb Ethernet card, so that Classic MacOS clients, as well as OSX clients, could talk to the server OSX machine. This has been common practice with Unix, Windows, and other servers for years, and now the MacOS gets this as well. So, with OSX, you can have as many network interfaces as you have slots to stuff them in.
Another benefit that OSX brings is in security. The BSD/Darwin layer comes with the standard Unix security capabilities. For the network administrator, this is a huge benefit, as the BSD underpinnings give the admin better security capabilities than the current MacOS.
As secure as the current MacOS is, it's an accidental kind of security. Lack of a command line makes it, by default, a very secure platform. But accidental security is not the same as deliberate security, and here is where OSX is far more capable than the current MacOS.
OSX, due to the BSD layer, has far more granular security capabilities than the Classic MacOS. You can apply separate permissions for the owner of a file or folder, the group that owner belongs to, and the general public. You can set not just read/write privileges, but execute privileges as well, so even if someone can see a file or application, they can't run it. You can apply different permissions for the directory that file is in, so, in a highly secure facility, the person who creates the file wouldn't be able to access it once they were done with it. So mobile workers can take laptops home, and not have to hide things from small children, as the child won't be able to touch it without the worker being logged in. While third party add-ons to the current MacOS give you this ability as well, with OSX, it's a part of the OS.
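How the owner/group/everyone-else check described above is evaluated, as an added example that is not part of the original column: a Python sketch that decodes Unix mode bits and picks exactly one class per user. The file names, modes and user IDs are constructed for illustration, and 'root' is not subject to these checks.

```python
import os
import stat
import tempfile

# Bit masks for the three classes the paragraph names: owner, group, everyone else.
CLASS_BITS = {
    "owner": (stat.S_IRUSR, stat.S_IWUSR, stat.S_IXUSR),
    "group": (stat.S_IRGRP, stat.S_IWGRP, stat.S_IXGRP),
    "other": (stat.S_IROTH, stat.S_IWOTH, stat.S_IXOTH),
}

def pick_class(st, uid, gids):
    """Unix consults exactly one class: owner first, then group, then other."""
    if uid == st.st_uid:
        return "owner"
    if st.st_gid in gids:
        return "group"
    return "other"

def allowed(st, uid, gids):
    """Return the subset of 'r', 'w', 'x' the mode bits grant a non-root uid."""
    bits = CLASS_BITS[pick_class(st, uid, gids)]
    return {name for name, bit in zip("rwx", bits) if st.st_mode & bit}

def demo():
    """Create constructed sample objects and evaluate them for hypothetical users."""
    results = {}
    with tempfile.TemporaryDirectory() as root:
        app = os.path.join(root, "payroll-tool")   # constructed sample file
        open(app, "w").close()
        os.chmod(app, 0o744)      # owner rwx; group and other can see it, not run it
        dropbox = os.path.join(root, "dropbox")    # constructed sample directory
        os.mkdir(dropbox)
        os.chmod(dropbox, 0o730)  # group may add files (w+x) but cannot list them
        st_app, st_box = os.stat(app), os.stat(dropbox)
        owner, gid = st_app.st_uid, st_app.st_gid
        stranger = owner + 1                       # hypothetical unrelated uid
        results["stranger_on_app"] = allowed(st_app, stranger, {gid + 1})
        results["owner_on_app"] = allowed(st_app, owner, {gid})
        results["member_on_dropbox"] = allowed(st_box, stranger, {st_box.st_gid})
        results["stranger_on_dropbox"] = allowed(st_box, stranger, {st_box.st_gid + 1})
    return results

if __name__ == "__main__":
    for who, perms in demo().items():
        print(who, "".join(sorted(perms)) or "none")
```

Because only one class is consulted, an owner whose own bits are cleared is denied even when the group or other bits would allow access, although the owner can still change the mode unless an administrator reassigns the file.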
A further security advantage is that the primary user doesn't have to be the owner of that machine. Although first introduced with things like At Ease, MacOS 9's multiple users, and other third party products, OSX, again, makes it a normal way to work, not an abnormal way. So in a corporate/educational setting, the owner of a given OSX Mac is going to be 'root', and everyone else logs in with various capabilities depending on the need. This is a wonderful thing when the person who has been working on a major product quits abruptly, and no one has their password. With OSX, not a problem: just have the administrator log in as 'root', and change the owner of the files to the person and/or group that needs them.
A final security advantage is logging. Right now, even as secure as the current MacOS is, if you have physical access to a Mac, even Multiple Users takes about 5 minutes to bypass, and then the entire machine is yours. Worse yet, if the cracker in question is reasonably careful, they could copy every bit on that hard drive, and unless they left something out of place, no one would ever know. However, in the Unix world, you can log not only major system events but, in a high-security configuration, every action taken by every user, including 'root'. This means that you can easily track anyone's actions on not only an individual machine, but on the network as well. While this may sound disturbing from a personal freedom point of view, if you are the one in charge of making sure that your company's data and hard work stay that way, it's a serious advantage.
Obviously there are a lot more security features and capabilities in OSX than I went over here. There are also more security issues that need to be dealt with in OSX that I'll go over in my next column. But hopefully, the administrators out there who have maybe been a little nervous about OSX and its Unix link can start to breathe easier, and feel better about what OSX will do for them instead of to them.

