Creating a small, secure network in your home or office

Note: The recommendations, opinions, and prescriptions are just one man’s view on creating a basic secure network. There are infinite ways to do this dependably, and these are the ones I think are easiest and most cost-effective.

I’m setting up my home network. I would like to allow connections with just one computer from outside the firewall, via VPN, and not allow any other incoming browser or FTP or any other sessions. What hardware can accomplish this?

First of all, it’s worth reading this explanation of home networking.

In many ways, any proper router, including an Apple Airport device, provides a firewall when you don’t open ANY holes in its network configuration. When a router or server manufacturer promotes its “firewall” as a feature, they mean that you can configure those holes more specifically.

Definition: Here, I use “holes” as English for “ports,” which on a network are numerical openings in a firewall, through which network traffic is allowed to pass. We might open those ports using a router feature called NAT (network address translation, often labeled “port forwarding”). With NAT, I can say, just for example, “When I am away from home, I want to securely access my home network with a web browser, to see my security cameras.” So I set my router to direct all traffic on port 443 (the secure web browsing port, or HTTPS) to the network address — the IP address — of my security system.

You might, for example, schedule certain ports to be open at certain times of the day, or direct certain traffic to one IP on your network, in case you did indeed want to have a web or FTP server. A firewall might also let you restrict outgoing traffic to specific ports, and will also keep a log — at a detail level you specify — of incoming and outgoing traffic.

In your case, I’m seeing that you want all holes blocked, except for those that would permit the VPN. A VPN allows you to establish a tunnel through the firewall — a tunnel that encrypts all the traffic going through it.
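Once the router is set to block everything but the VPN port, the useful check is to confirm from outside which ports actually answer. The following is an added example written for this post (not code from the original, and not any router vendor's tool): it tries a TCP connection to each port and reports open or closed. To run offline it starts a throwaway listener on 127.0.0.1 as a stand-in for the one service that should be reachable; the host, port list and timeout are assumptions you would replace with your public address and the port your VPN uses.

```python
"""Confirm which TCP ports answer on a host, so a lock-down can be verified
from the outside. Example code added for this post, not part of the original."""
import socket
import threading
from typing import Dict, Iterable, Tuple


def check_ports(host: str, ports: Iterable[int], timeout: float = 1.0) -> Dict[int, str]:
    """Return {port: 'open' | 'closed'} by attempting a TCP connect to each port.

    'closed' covers both an active refusal and a timeout: a firewall that
    silently drops packets looks like a timeout from the outside.
    """
    results: Dict[int, str] = {}
    for port in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            try:
                s.connect((host, port))
                results[port] = "open"
            except OSError:  # ConnectionRefusedError and timeouts are both OSError
                results[port] = "closed"
    return results


def only_allowed_open(results: Dict[int, str], allowed: Iterable[int]) -> bool:
    """True when every open port is in the allowed set (for example, just the VPN port)."""
    allowed_set = set(allowed)
    return all(port in allowed_set for port, state in results.items() if state == "open")


def start_local_listener() -> Tuple[socket.socket, int]:
    """Start a throwaway TCP listener on 127.0.0.1 standing in for the service that
    is supposed to be reachable. Returns (server_socket, port); close the socket when done."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))  # port 0: let the OS pick a free port
    srv.listen(5)
    port = srv.getsockname()[1]

    def accept_loop() -> None:
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:  # server socket was closed
                return
            conn.close()

    threading.Thread(target=accept_loop, daemon=True).start()
    return srv, port


def demo() -> Tuple[int, int, Dict[int, str]]:
    """Constructed scenario: one port with a listener (the 'VPN' port) and one with nothing on it."""
    srv, vpn_port = start_local_listener()
    # Reserve and release a second ephemeral port so we have a port known to be closed.
    probe = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    probe.bind(("127.0.0.1", 0))
    closed_port = probe.getsockname()[1]
    probe.close()
    try:
        results = check_ports("127.0.0.1", [vpn_port, closed_port])
    finally:
        srv.close()
    return vpn_port, closed_port, results


if __name__ == "__main__":
    vpn, closed, res = demo()
    for p, state in res.items():
        print(f"port {p}: {state}")
    print("lock-down holds:", only_allowed_open(res, [vpn]))
```

Run it against your real address from a connection outside your network (a phone's hotspot works) and pass `only_allowed_open` the VPN port alone; anything else reporting open is a hole you did not mean to leave.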

Can I achieve this with a VPN installed on Mac mini?

Yes, combined with a good router.

If I do not have a dedicated firewall, what is keeping the bad guys out?

See above. One of the most important strategies in security is not to turn services ON. Older Windows machines, especially before XP Service Pack 2, seemed to me to be wide freakin’ open out of the box, advertising their presence on a network and too easily offering basic file sharing, even without requiring a password. Macs are not that open straight off, but their firewall is not on by default, so whenever you turn on a service — iTunes music sharing, for example — it does not request permission to open a port, which does happen when you have the firewall on. The firewall on the Mac also includes logging.

On a laptop or other mobile device, I usually turn almost all services fully off. But it’s nice to have some services turned on on some desktop computers. It would be a shame, for example, to have music or photo sharing turned off on the machine where those things mainly reside.

So here’s the HEADLINE: To maintain good security, the most absolutely crucial technique is to lock down all services with good passwords, and use as many different passwords as you can safely store and readily access.

“Good,” in this case, means letters (some capitalized), numbers, and a special character or two. Learn where and how to change your passwords, and do so regularly. Don’t write them down. Your Mac stores passwords, certificates, and private notes in a well-encrypted file, the keychain, and that’s the best place for them. There’s also software called 1Password that’s worth a look.
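To make the definition of “good” above concrete, here is an added example (written for this post, not from the original) that checks a password against those criteria and generates one that meets them using the operating system's random number source. The minimum length of 12, the list of special characters and the generated length of 16 are assumptions, not anything the post specifies.

```python
"""Check a password against the rule above (letters, some capitalized, numbers,
and a special character or two) and generate one that satisfies it.
Example code added for this post; the thresholds are assumptions."""
import secrets
import string
from typing import List

# Assumed set of "special" characters; widen or narrow it to taste.
SPECIALS = "!@#$%^&*()-_=+[]{};:,.?/"
MIN_LENGTH = 12  # assumption: the post gives no number


def password_problems(pw: str, min_len: int = MIN_LENGTH) -> List[str]:
    """Return a list of the ways `pw` falls short; an empty list means it passes."""
    problems = []
    if len(pw) < min_len:
        problems.append(f"shorter than {min_len} characters")
    if not any(c.islower() for c in pw):
        problems.append("no lowercase letter")
    if not any(c.isupper() for c in pw):
        problems.append("no uppercase letter")
    if not any(c.isdigit() for c in pw):
        problems.append("no number")
    if not any(c in SPECIALS for c in pw):
        problems.append("no special character")
    return problems


def is_good_password(pw: str) -> bool:
    return not password_problems(pw)


def generate_password(length: int = 16) -> str:
    """Build a random password that satisfies the rule, drawing from the OS
    cryptographic random source (secrets), never from random.random()."""
    if length < MIN_LENGTH:
        raise ValueError(f"length must be at least {MIN_LENGTH}")
    alphabet = string.ascii_letters + string.digits + SPECIALS
    while True:  # retry until every character class is present
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if is_good_password(pw):
            return pw


if __name__ == "__main__":
    for candidate in ("password", "correcthorse1!", "Tr0ub4dor&3xample"):
        print(candidate, "->", password_problems(candidate) or "ok")
    print("generated:", generate_password())
```

Generate one per service, and let the keychain or a password manager remember it for you; the point of the generator is that you never have to.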

Learn to manage passwords and you’ve learned to manage your security.

I am renovating my house, and I want to wire most of the rooms with Ethernet.

That is a fantastic idea, for several reasons: It increases the resale value of your house just like a good electrical or HVAC system does. It’s also important to realize that, while wireless networking is cool and all, there is nothing as reliable as a cable.

I have more information, and a table to help calculate the costs of setting up your network posted at Google Docs, right here.


What email service should I use?

I have an earthlink.net email address, which comes with webmail and 10MB storage. But I’m thinking about changing my internet service provider? And sometimes I run out of storage at earthlink. I just don’t know if it’s worth it to me to convert to a new email address.

May I suggest Google Apps to host your email? It’s free, has a frigton of storage (7.5GB), and has all the bounteous benefit of the Gmail interface, or you can access it from Apple Mail or your email client of choice. There are few comparable alternatives out right now, and none of those are free.

This is important: You can KEEP your current email addresses. In the case of your earthlink.net address, we just start forwarding it to Gmail — either a general @gmail.com address or to your @yourdomain.com. Your correspondents may never have to know that you changed addresses. And for you@ (or whatevertheheckyouwant@) yourdomain.com, Google simply becomes your email host.

You can pay Earthlink a few bucks a month to keep the address, but that’s a sucky long-term idea.

Also, the Gmail interface is importantly fantastic. I sometimes switch over to it just to get certain things like automatic organization accomplished. And lemme tell ya, the spam filtering is outta sight. I don’t see spam anymore. One message a month or less, and I can always look in the spam folder in Apple Mail just to double-check I haven’t missed a real message.

One last thing: There was once the perception that a @yahoo.com (or the like) implies an inconstant personality. I can say definitively that, especially since Gmail, that is no longer the case. The service is recognized net-wide as legitimate and unique. I practically insist on my clients using Gmail, unless they are already on Yahoo. If they have any address other than Yahoo, including using their own domain, 7 out of 10 times we get them over to Gmail quick as we can, and they never look back.


Should I buy a new Mac? (And what’s wrong with my old one?)

My laptop is a few years old, and running slowly. You suggest upgrading memory to speed a Mac up. Am I better off purchasing a completely new one rather than simply upgrading this one?

A Mac should last at least 3 years, the length of the extended AppleCare agreement. After AppleCare expires, you will have to pay for repairs. On a laptop, unless you’re skilled or intrepid, this is going to include parts and labor. Let’s ballpark the average likely repair — from a $200 hard drive to a $900 logic board — at $550.

Now, you can find a good, slightly used Intel Core 2 Duo MacBook on Craigslist for as little as $600. I used not to recommend that people buy used Macs, but the Core 2 Duos are just fantastic machines, and any one that can be upgraded to 4GB RAM is good enough for me or for almost any of my clients (the ones who don’t do serious graphics or multimedia production). If you do opt for a second-hand Mac, please make sure it is either covered by AppleCare or eligible for it, being younger than a year since original purchase date.

That said, I still place a lot of value in buying a new Mac, or one of Apple’s great refurb units.

When should I buy a new Mac?

My standard spiel (which usually starts with the words “my standard spiel”) is this:

After 3 years, you should have a new computer in your budget. After four years, be ready and willing to lay down some jack for a Mac. After five years, your Mac is past its prime, and will not be up to whatever awesome software Apple and other developer/magicians will have concocted.

Is it likely that a simple memory upgrade will solve my speed problem …

Yes, but depending on the model, a G4 Mac can, at most, go up to 2GB RAM, which is too little for modern computing.

… or would you expect others issues to be involved?

Check this post on slow macs and the spinning beach ball to learn how to use Activity Monitor to troubleshoot your Mac.

Maintaining OS X, generally

You have suggested performing a few maintenance operations that may improve speed. What would they be? Are they simple to perform?

Mac OS X actually does a lot of maintenance for you in the background. There are a few symptoms that require application of some basic clean-up, which can be done in the Terminal, or with a simple tool such as Maintenance (the same developer also makes the more robust OnyX, and there are several other similar packages, including Cocktail, Macaroni, Leopard Cache Cleaner, et al.). The only times we have to use things like DiskWarrior, TechTool, or the like are when the Mac is barely functioning.

It’s important that one read up on the different functions each of these applications performs, and when you would want to use each. They can be sledgehammers, and your problem might be more mosquito-sized.

Switched to BusySync

Calgoo wasn’t cutting it. Failed once, and didn’t have a mechanism to kickstart it. I’ve been hearing about BusySync’s Google Calendar-syncing goodness for a while, and the reports are borne out: BusySync has low impact on my MacBook’s resources. It’s fast. And it makes nice two-way roads between iCal and Gcal.
I know it does other stuff, but I don’t care about those things right now.

Now, please, Apple: CalDAV on iPhone. Seriously.

Scheduling happens!

Welcome 2009, and welcome to Phase 1 of J2v2!

I’m so very pleased to announce a new appointment-making system up here at J2 HQ. As of this Tuesday, Lynn Gosnell has assumed the post of scheduling coordinator. It’s pretty cool that, with some of the amazing web services that have come out in the last couple of years, Lynn — a die-hard Mac fan, as well as writer and editor — can do this from pretty much anywhere — or at least from any internet connection.

Lynn has already made it possible to respond to client inquiries much more quickly than I could by myself. And I have enjoyed putting the mechanisms together to make a complete system. They run something like this:

First of all, GrandCentral (note: see Update below) gives us a permanent phone number (210.787.2709 for your scheduling pleasure). When Lynn wants to take point, she just signs into GrandCentral and points the service at her phone number, and then all calls will go to her. You can even point it at multiple phones, and it will ring in both places simultaneously. We can do custom greetings, custom ringing, spam archiving and blocking… the features are phenomenal.

And guess what? GrandCentral is free! They started out a couple of years ago, got some good press from people like David Pogue, and then the dream of every modern web startup came true: Google bought ’em.

Yet, while phone is a crucial piece of this puzzle, I think we would all agree that voice calls can take time — valuable time — to accomplish decisions that can be made much more efficiently. To that end, email has become the de facto preference for many of us, and text messaging (SMS) works well for others.

What if we could combine email, a collaborative calendar, and shared documents? Enter Google Apps. With 7+ GB storage per user, built-in IMAP support (a requisite for email on the iPhone), and super-easy asset sharing within one’s domain (e.g. j2mac.com) — and, yes, it’s free — Google has built a digital oasis where once was a desert. I have been floored with how well Google Apps has integrated into my business and into the organizations of our many clients who now benefit from this service.

In Google Calendar, the three of us can add to our respective calendars with ease. Lynn can manage mine and Erick’s calendars. We can each keep personal calendars whose event details are hidden from the others, though the “free/busy” information is available. And I can embed our layered calendars onto this site so clients can see our upcoming availability. I like that someone can send us an appointment request such as “Ted Stevens, retrieve deleted emails, Thursday, 1pm-4pm” and we can copy and paste that into Google Calendar’s Quick Add field. How sweet it is!

We’re starting to use Google Docs to keep a history of our work for each client. We can see these docs on our iPhones, and anyone is welcome to ask us for a link to their J2 document.

Finally, a more new-fangled service called Yammer has enabled the three of us to message the others in a running narrative. Yammer is based on the idea of Twitter; both are geared toward short messages, and rely heavily on text messaging for posting and receiving updates. This is, for me, an important substitute for email, which is too cumbersome for quick updates while on the go. Yammer’s cost? You know it: $0.

Again, this whole on-the-go, location-agnostic way of working was not possible two or three years ago, certainly not with the minimal effort and expenditure we have spent this last week.

Phase 2 is a new look, comin’ your way shortly.

Update: Lynn Gosnell has decided to pursue other projects, so we will have a new scheduling coordinator soon. Also, GrandCentral is no longer subscribing new members.


LaCie SilverKeeper updated

LaCie wrote this free backup app called SilverKeeper a long time ago, and I quite liked it, but I had a hard time counting on it. It seemed like they weren’t serious about it. But they recently updated it to be a fully OS X Leopard-compatible, universal binary app. I’m testing it out now on a network volume, and will update this post with my findings.
Update: So far so good. I have SilverKeeper installed at a couple of environments, and it appears to be reliable and unobtrusive.

Amazon’s new mobile app

Download Amazon’s free app for the iPhone. Go to the “Remembers” section. Take a picture of any product. The picture will get uploaded to Amazon’s servers, which will try to match the image to a product in the catalog which you can then buy right then and there. I couldn’t believe it the first time I tried it. Nor the second time. It’s stellar! Doesn’t work every time, but the fact that it works at all blows me away.
I keep wondering: Why don’t they make these kinds of features more obviously available on our actual computers?

Will my Mac get a virus?

There was news earlier this week that Apple had released an article recommending that Mac users install anti-virus software. Many journalists made a big deal of this. Turns out the tech-support article in question was several years old, and had simply been updated, and looked recent. In response to the whole kerfuffle, Apple has since yanked the article, because…
We have still never seen a Mac virus “in the wild.” 
Definition: virus = “a piece of code that is capable of copying itself and typically has a detrimental effect, such as corrupting the system or destroying data.”
Viruses infect Windows computers, and they do so invisibly. But over the years, including just recently, a couple of anti-virus software companies have reported a couple of “Trojan horse” exploits of the Mac.
Definition: Trojan horse = “a program designed to breach the security of a computer system while ostensibly performing some innocuous function.”
Trojans are somewhat different from viruses. Trojan horses require that you, the user, do something to accept and install the malicious app on your system. In one example from earlier this year, the OSX.RSPlug.A Trojan, a web site purportedly offering a movie — guess what kind of movie — says that the video cannot be displayed, and asks the user to download a “codec,” which is actually an app that changes your DNS servers to send you to phishing and spamming sites.
OSX.RSPlug.A may be a pest, but it ultimately does not really screw up your computer, and like other Trojan horses, it is removable. This one, for example, can be wiped through this admittedly annoying process or using a free tool now published by SecureMac.
But here’s the really important point: As with any system-level software on the Mac, one has to enter one’s administrative password to install this Trojan. Which is yet another reason Macs are more secure, and is also a lesson: If you don’t know where a piece of software comes from, don’t install it. Know your admin password, and know what you’re doing when you use it. Simple. 
A wag of the finger went to the people at Intego, who publish VirusBarrier for the Mac, and who blew the worry about this exploit way out of proportion, which created a media scare and gave Mac haters a chance to spread fear, uncertainty, and doubt (FUD).
Finally, if a virus scare ever becomes real, Mac users will be able to download and run the free ClamXAV. But doing so is neither my recommendation nor, apparently, Apple’s.
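Since the Trojan described above does its damage by swapping your DNS servers, the one thing worth checking on a Mac you suspect is whether the configured resolvers are still the ones you expect. Here is an added example (written for this post, not from the original or from any vendor's removal tool) that parses the output of `networksetup -getdnsservers` and flags any resolver outside an allow list. The sample output, the `203.0.113.7` stand-in address (a documentation range, not a real server from the incident) and the expected set containing only the home router are constructed assumptions.

```python
"""Flag DNS resolvers that differ from the ones you expect, the symptom a
DNS-changing Trojan leaves behind. Example code added for this post; the
sample output and the expected set below are constructed."""
import ipaddress
import subprocess
from typing import Iterable, List

# Constructed sample of what `networksetup -getdnsservers <service>` prints on a
# Mac when resolvers have been set manually. 203.0.113.0/24 is a documentation
# range, used here as a stand-in for an unknown server.
SAMPLE_OUTPUT = "192.168.1.1\n203.0.113.7\n"

# Assumption: the home router is the only resolver this Mac should be using.
EXPECTED = {"192.168.1.1"}


def parse_resolvers(text: str) -> List[str]:
    """Return the IP addresses found in the command output, one per line.
    When no servers are set manually the command prints a sentence instead of
    addresses; that sentence is skipped, yielding an empty list."""
    found = []
    for line in text.splitlines():
        line = line.strip()
        try:
            found.append(str(ipaddress.ip_address(line)))
        except ValueError:
            continue  # not an address (blank line or the "aren't any" message)
    return found


def unexpected_resolvers(text: str, expected: Iterable[str]) -> List[str]:
    """Resolvers present in `text` that are not in the expected set."""
    allowed = set(expected)
    return [ip for ip in parse_resolvers(text) if ip not in allowed]


def live_check(service: str = "Wi-Fi", expected: Iterable[str] = EXPECTED) -> List[str]:
    """Run the real command on a Mac (the service name is an assumption; use the
    one shown by `networksetup -listallnetworkservices`) and report surprises."""
    proc = subprocess.run(
        ["networksetup", "-getdnsservers", service],
        capture_output=True, text=True, check=False,
    )
    return unexpected_resolvers(proc.stdout, expected)


if __name__ == "__main__":
    print("sample resolvers:", parse_resolvers(SAMPLE_OUTPUT))
    print("unexpected in sample:", unexpected_resolvers(SAMPLE_OUTPUT, EXPECTED))
```

An empty result from `unexpected_resolvers` means the resolvers match your list; anything else is worth a look before you go hunting for the Trojan itself.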

What the heck does “default” mean?

I get this question a lot, so I decided to type “default” into Spotlight … Hey, that’s cool: Spotlight in Leopard is not only faster, it also finds definitions in the built-in Dictionary, which itself now has a Wikipedia search. Awesome!

default |diˈfôlt| noun
2. a preselected option adopted by a computer program or other mechanism when no alternative is specified by the user or programmer, e.g. “the default is fifty lines” [as adj.: default settings].

So, a program’s defaults are the way it will behave unless you choose otherwise.