Got Macs? Be Sure to Maximize Security

by Paul Rubens

As the presence of Macs in the enterprise slowly increases, what steps should be taken to protect your servers?

Everyone loves an iPod, and the iPhone is this year's must-have accessory. As far as consumer gadgets are concerned, Apple Computer — now just "Apple," as the "Computer" bit has been dropped to emphasize its consumer entertainment credentials — has never had it so good. Bravo, Mr. Jobs.


But Apple's computers haven't gone away. In fact, Apple is selling more Macintosh machines than ever — a record 1.7 million of the little white critters went out the door in the quarter ending June 30 alone. That's 30.3 percent more than the same period in 2006.

While that may be great news for Apple fanboys (and girls) everywhere, it's not such good tidings for anyone with responsibility for corporate server security. That's because with more people buying Macs to use at home, and more young employees emerging from college having used only Macs, the pressure to allow employees to use Macs at work can only increase. If the CEO decides he wants to use his MacBook Pro on the network, it's hard to say no, and once you've let one Mac loose on the network, many more are sure to follow.

So what's wrong with Macs in the enterprise? After all, the rise in popularity of Web-based apps means many staff members can do most, if not all, of their work using nothing more than a browser. Can a Mac really put your servers at risk?

"Macs are consumer devices, and introducing them into the enterprise is a security risk because there's a lot less security built on to them than business PCs," said Rob Enderle, principal analyst at California-based Enderle Group. "For example, on the PC side we are seeing machines with built-in biometric security, but not on the Mac."

Yes, yes, scads of Macintoshes are used in the creative service industries like advertising and graphic design, but outside these specialist niches Macs are barely used at all. In fact, the occasional story about an obscure company in Vermont replacing its PCs with Macs merely serves as the exception that proves the rule.

Enderle also highlighted the fact that no Macs are available with Trusted Platform Module (TPM) chips. "With a TPM you can establish a trust relationship with a service, but Macs don't have TPMs, so with them you can't," he pointed out.

Although a full-disk encryption system is available on a Mac, the lack of a TPM means data stored on the disk is (at least theoretically) less secure. Even if the key is discovered, a TPM-enabled disk can't be decrypted when removed from its original machine. This means that a hacker getting access to the Mac has a better chance of accessing your servers and doing untold damage than he would if it were a PC.

Hackers aside, the risk of an employee introducing malware onto the network and inadvertently bringing down your servers is higher if she's using a Mac than a PC.

"Hah, hah," you may say, "everyone knows Macs don't suffer from viruses, where's the risk?" While it's certainly true that Macs don't tend to get viruses, it's important to be absolutely clear that this is because Apple's market share has been too small for virus writers to bother with. It is certainly not because there is anything that makes OS X inherently virus-proof. Should Apple's market share rise significantly, its target rate for malware writers will increase accordingly. The OSX.RSPlug.A Trojan found in the wild in October may prove to be just the first of many.

In fact, the mindset that Macs don't need anti-malware software actually makes them more vulnerable. All things being equal, the opportunities are much richer on a system that tends to have no anti-malware protection vs. one that does. Mac users are unlikely to start protecting their systems until it is too late. That is, once malware infections become common enough for them to sit up and take notice.

One way an enterprise can best avoid this is through corporate policy: Macs must be protected before they can access enterprise systems. But how to enforce that? It's likely many Mac users will simply consider this a pointless precaution imposed by an IT department with a PC mindset and try to ignore it.

How about using a network access control (NAC) device? A NAC can control network access, preventing clients from signing on to the network unless they are running appropriate and up to date security software. The problem here is that since Macs are rarely used in the enterprise, many NACs do not support them.

"If a NAC needs to confirm that specified security software is running, then Macs won't be able to comply," said Enderle. "You can create an exception, but if you do that, others may use that exception to get on the network and compromise machines on it. So you can't bring a Mac onto the network without breaching security."
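To make Enderle's point about exceptions concrete, here is an added illustration (written for this article, not taken from any NAC vendor's product): a NAC admission check with the baseline requirement from the text, a blanket "Macs are exempt" rule keyed on the client's self-reported OS, and a per-device exception tied to an identity the NAC verified and to an expiry date. The posture schema, the seven-day definitions policy and all device identifiers are assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, Optional

MAX_DEFS_AGE = timedelta(days=7)  # assumed policy: definitions older than a week are stale


@dataclass
class Posture:
    """Constructed posture report; the schema is an assumption, not a vendor format."""
    device_id: str               # identity the NAC itself verified (e.g. an 802.1X certificate)
    os_family: str               # self-reported by the client agent, so not trustworthy
    av_running: bool
    av_defs_date: Optional[str]  # ISO date of the last definition update, None if no AV at all


def meets_baseline(p: Posture, today: str) -> bool:
    """The article's NAC requirement: appropriate and up-to-date security software."""
    if not p.av_running or p.av_defs_date is None:
        return False
    age = date.fromisoformat(today) - date.fromisoformat(p.av_defs_date)
    return age <= MAX_DEFS_AGE


def admit_platform_exception(p: Posture, today: str) -> bool:
    """Weak exception: anything that merely claims to be a Mac skips the posture check."""
    if p.os_family == "mac":
        return True
    return meets_baseline(p, today)


def admit_device_exception(p: Posture, today: str, exceptions: Dict[str, str]) -> bool:
    """Stronger exception: tied to a verified device identity and to an expiry date."""
    until = exceptions.get(p.device_id)
    if until is not None and date.fromisoformat(today) <= date.fromisoformat(until):
        return True
    return meets_baseline(p, today)


# Constructed sample clients (hypothetical identifiers and dates).
TODAY = "2007-11-15"
EXCEPTIONS = {"mac-ceo-001": "2008-01-31"}  # one registered Mac; the exception expires
CEO_MAC = Posture("mac-ceo-001", "mac", False, None)
SPOOFED_PC = Posture("unknown-laptop", "mac", False, None)  # unprotected PC claiming to be a Mac
STALE_PC = Posture("pc-0042", "windows", True, "2007-11-01")

if __name__ == "__main__":
    print("blanket Mac exception admits spoofed PC:", admit_platform_exception(SPOOFED_PC, TODAY))
    print("device exception admits spoofed PC:", admit_device_exception(SPOOFED_PC, TODAY, EXCEPTIONS))
    print("device exception admits registered Mac:", admit_device_exception(CEO_MAC, TODAY, EXCEPTIONS))
```

The blanket rule admits any unprotected client that reports itself as a Mac, which is exactly the hole Enderle warns about; the per-device rule admits only the registered machine, and only until the exception lapses.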

Authentication is a whole separate can of worms. If you're running Active Directory, for example, in theory adding Macs to the mix shouldn't be too much of a problem, as OS X can handle Active Directory itself. In practice, things aren't nearly as clear cut. It's early yet, but at the moment, many Leopard users are reporting difficulties using Active Directory. The last thing administrators want to do is spend their time tweaking Active Directory server or providing help for Mac users with authentication problems.

Some of these problems can be alleviated if there are enough Mac users in the enterprise to justify running Leopard Server. This, however, raises the question of how to integrate them into the corporate server infrastructure. Assuming the skills are available, and given the current push toward virtualization, wouldn't it be great if you could run Leopard Server in a virtual machine (VM), along with your Windows and Linux VMs, on your existing physical servers?

Apple, however, does not allow OS X to run on non-Apple hardware, and — with a brief exception in the mid-90s — it never has. But what about the other way around? Now that Intel's "Woodcrest" Xeon processor powers the latest Xserve hardware, there's the intriguing possibility of running Leopard Server as a VM on an Xserve, alongside Linux and Windows VMs running on Parallels Server from SWsoft. (A recent change to the Leopard end user license agreement now explicitly allows it to be run as a VM on Apple hardware.)

Parallels Server is still in alpha, so don't hold your breath, but VMware is likely doing something similar, so it may not be long before Xserve-based multi-OS virtualization using either Parallels or VMware is possible.

If you've got no choice but to allow Macs to access your servers right now, though, then you almost certainly have some serious work to do. Among the most pressing jobs may be:

  • Providing Web access to enterprise apps that currently require PC client software
  • Updating NAC appliances, where possible, to ensure Macs comply with security policy before being given access to the network
  • Evaluating third-party software that may be beneficial to simplify access control identity management and policy enforcement
  • Ensuring the corporate VPN can support Macs, and changing or upgrading if necessary

Bear in mind that all of these changes must be trialled and tested, so the extra burden on IT resources will not be inconsiderable.

The good news is that with Apple, there's always the possibility that the current boom will turn into a bust just as quickly, and if Steve Jobs were to disappear, who knows what would happen. As an interim measure, you could always allow Intel Macs onto your network, but only if they use Boot Camp to boot into Windows.

That way, the CEO gets his shiny white computer. Since it is running as a PC, he can use it without adding risk to corporate security, straining IT department resources and blowing the IT budget.

This article was originally published on Thursday Nov 15th 2007