About Network Security
Network security is as important to data integrity as physical security. Although someone might immediately see the need to lock down an expensive server, he or she might not immediately see the need to restrict access to the data on that same server. The following sections provide considerations, techniques, and technologies to assist you in securing your network.
Firewalls and Packet Filters
Much like a physical firewall that acts as a barrier to contain fire and heat damage in a building or a vehicle, a network firewall acts as a barrier for your network assets, preventing data tampering from external sources.
Mac OS X Server’s Firewall service is software that protects the network applications running on your Mac OS X Server.
Turning on Firewall service is similar to erecting a wall to limit access. The service scans incoming IP packets and rejects or accepts packets based on the rules you create.
You can restrict access to any IP service running on the server, and you can customize rules for incoming clients or a range of client IP addresses. Services such as Web and FTP services are identified on your server by a Transmission Control Protocol (TCP) or User Datagram Protocol (UDP) port number.
When a computer tries to connect to a service, Firewall service scans the rule list for a matching rule. When a packet matches a rule, the action specified in the rule (such as allow or deny) is taken. Then, depending on the action, additional rules might be applied.
If the server gets its Internet connection through an AirPort Extreme Base Station (802.11n) or a Time Capsule, you can use it instead of the server’s firewall to protect the network. You can automatically manage the base station or Time Capsule in the Security pane of Server Preferences. AirPort automanagement isn’t available using Server Admin.
You can also protect a small network with other kinds of Internet sharing routers, but you must manage them manually. For more information, see Mac OS X Server Getting Started.
Network DMZ
In computer network security, a demilitarized zone (DMZ) is a network area (a subnetwork) that sits between an organization’s internal network and an external network like the Internet.
You can make connections from the internal and external network to the DMZ, and you can make connections from the DMZ to the external network, but you cannot make connections from the DMZ to the internal network.
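The two ideas above, a rule list scanned top to bottom where the first matching rule decides the packet's fate, and the DMZ policy of which zone may open connections to which, can be shown in one small filter. The following is an added illustration written for this page; it is not Apple's Firewall service or any of its code. The subnets, the sample traffic, and the rule set are constructed for the example (RFC 1918 addresses for the internal LAN and DMZ, a documentation range standing in for the Internet).

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Constructed example subnets (hypothetical, not taken from the page).
INTERNAL = ipaddress.ip_network("10.0.0.0/24")      # organization's internal LAN
DMZ = ipaddress.ip_network("192.168.100.0/24")      # the DMZ subnetwork
ANY = ipaddress.ip_network("0.0.0.0/0")             # matches every IPv4 address


@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp" or "udp"
    src: str     # source IP address
    dst: str     # destination IP address
    dport: int   # destination port (identifies the service, e.g. 80 for Web)


@dataclass(frozen=True)
class Rule:
    action: str                   # "allow" or "deny"
    proto: Optional[str]          # None means any protocol
    src: ipaddress.IPv4Network    # source network the rule covers
    dst: ipaddress.IPv4Network    # destination network the rule covers
    dport: Optional[int]          # None means any destination port

    def matches(self, pkt: Packet) -> bool:
        return (
            (self.proto is None or self.proto == pkt.proto)
            and ipaddress.ip_address(pkt.src) in self.src
            and ipaddress.ip_address(pkt.dst) in self.dst
            and (self.dport is None or self.dport == pkt.dport)
        )


def evaluate(rules: List[Rule], pkt: Packet, default: str = "deny") -> str:
    """Walk the rule list in order and return the action of the first rule
    that matches the packet. A packet matching nothing falls through to the
    default, which a filter should leave at deny."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return default


# Rules expressing the DMZ policy: internal and external hosts may reach the
# DMZ (external only on the published Web ports), the DMZ may reach the
# external network, and the DMZ may never open connections into the internal
# network.
DMZ_RULES = [
    Rule("allow", "tcp", ANY, DMZ, 80),
    Rule("allow", "tcp", ANY, DMZ, 443),
    Rule("allow", None, INTERNAL, DMZ, None),
    Rule("deny", None, DMZ, INTERNAL, None),   # must precede the DMZ -> ANY allow
    Rule("allow", None, DMZ, ANY, None),
    Rule("allow", None, INTERNAL, ANY, None),
]

# The same rules with the DMZ -> INTERNAL deny moved after the DMZ -> ANY allow.
# Because ANY also contains the internal subnet, the allow now matches first
# and the DMZ can reach the internal network: rule order is part of the policy.
MISORDERED_RULES = [DMZ_RULES[0], DMZ_RULES[1], DMZ_RULES[2],
                    DMZ_RULES[4], DMZ_RULES[3], DMZ_RULES[5]]

# Constructed traffic samples; 203.0.113.0/24 stands in for the Internet.
SAMPLE_PACKETS = {
    "external -> DMZ web": Packet("tcp", "203.0.113.5", "192.168.100.10", 443),
    "external -> DMZ ssh": Packet("tcp", "203.0.113.5", "192.168.100.10", 22),
    "internal -> DMZ ssh": Packet("tcp", "10.0.0.7", "192.168.100.10", 22),
    "DMZ -> internal smb": Packet("tcp", "192.168.100.10", "10.0.0.7", 445),
    "DMZ -> external smtp": Packet("tcp", "192.168.100.10", "203.0.113.5", 25),
    "external -> internal web": Packet("tcp", "203.0.113.5", "10.0.0.7", 80),
}


def decisions(rules: List[Rule]) -> dict:
    """Evaluate every sample packet against a rule list."""
    return {name: evaluate(rules, pkt) for name, pkt in SAMPLE_PACKETS.items()}


if __name__ == "__main__":
    for name, verdict in decisions(DMZ_RULES).items():
        print(f"{name:26} {verdict}")
    print("misordered DMZ -> internal:",
          decisions(MISORDERED_RULES)["DMZ -> internal smb"])
```

With the rules in the intended order, only the published Web ports are reachable from outside, internal hosts reach the DMZ freely, and the DMZ cannot initiate connections inward. The misordered list shows why the deny must come before the broader allow: with first-match evaluation, a general rule placed too early silently overrides a more specific one below it.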
Chapter 4 Enhancing Security