Security Over a Network
Network security has also been addressed in OS X. The first obvious step is the inclusion of an integrated firewall. It is based on IPFW, a FreeBSD technology. Personal firewall settings are defined in the Sharing preferences pane via checkboxes to enable or disable monitoring of services (see the following figure). In addition, the personal firewall can be customized for communications such as Internet Relay Chat (IRC), games, or other user-definable services.
The Mail and Safari web browser applications included with OS X 10.3 utilize both SSL 2 and SSL 3 along with Transport Layer Security (TLS) to provide secure encrypted channels over the internet. Mail can also use Secure Multipurpose Internet Mail Extensions (S/MIME) to support digital certificates for mail authentication, integrity, encryption and nonrepudiation. Safari also supports X.509 certificates for validation of users and hosts.
Both LAN and wireless networks can be secured by network protocols like OpenSSL and Open SSH. Virtual Private Networks (VPNs) using Layer 2 Tunneling Protocol (L2TP) or Point-to-Point Tunneling Protocol (PPTP) can also be created as needed.
The 802.1X standard requires users to authenticate before connecting to a wired or wireless network. 802.1X ties the Extensible Authentication Protocol (EAP) to both wired and wireless networks with support for multiple authentication methods: Lightweight Extensible Authentication Protocol (LEAP), Protected Extensible Authentication Protocol (PEAP), Transport Layer Security (TLS), and Tunneled Transport Layer Security (TTLS).
The 802.1X solution in Mac OS X is simple to deploy, even for large numbers of network users. Client configurations can be exported as an Internet Connect file and distributed over email, on a secure website, or by using other out-of-band methods. When the user opens the file, all necessary settings are imported into Internet Connect, so the client is configured for secure wireless communications.
The Software Update built into OS X makes the inevitable administration of security features simple. Should any updating be necessary, Apple posts the solution (with embedded authentication of the file). SU then obtains the file and installs it (when the administrator allows it). User intervention is kept to a minimum, which also minimizes any configuration and installation problems.