VLANs, MAC Filtering | Apple 10.6 specs

This allows an organization to provide services to the external network while protecting the internal network from being compromised by a host in the DMZ. If someone compromises a DMZ host, he or she cannot connect to the internal network.

The DMZ is often used to connect servers that need to be accessible from the external network or Internet, such as mail, web, and DNS servers.

Connections from the external network to the DMZ are often controlled using firewalls and address translation.

You can create a DMZ by configuring your firewall. Each network is connected to a different port on the firewall, called a three-legged firewall setup. This is simple to implement but creates a single point of failure.

Another approach is to use two firewalls with the DMZ in the middle, connected to both firewalls, and with one firewall connected to the internal network and the other to the external network. This is called a screened-subnet firewall.

This setup provides protection in case of firewall misconfiguration, allowing access from the external network to the internal network.

VLANs

Mac OS X Server provides 802.1q Virtual Local Area Network (VLAN) support on the Ethernet ports and secondary PCI gigabit Ethernet cards available or included with Xserves.

VLAN allows multiple computers on different physical LANs to communicate with each other as if they were on the same LAN. Benefits include more efficient network bandwidth utilization and greater security, because broadcast or multicast traffic is only sent to computers on the common network segment. Xserve VLAN support conforms to the IEEE 802.1q standard.

MAC Filtering

MAC filtering (or layer 2 address filtering) refers to a security access control where a network interface’s MAC address, or Ethernet address (the 42-bit address assigned to each network interface), is used to determine access to the network.

MAC addresses are unique to each card, so using MAC filtering on a network permits and denies network access to specific devices, rather than to specific users or network traffic types. Individual users are not identified by a MAC address, only a device, so an authorized person must have an allowed list of devices that he or she would use to access the network.

Chapter 4    Enhancing Security

53

Image 53

Apple 10.6 manual VLANs, MAC Filtering

Contents

Mac OS X Server 019-1410/2009-08-15 Contents Enhancing Security Administration Tools Installation and Deployment Initial Server Setup Ongoing System Management Monitoring Your System Index Push Notification Server Contents What’s in This Guide About This Guide To see the most recent server help topics Using Onscreen Help Getting Started Document Road Map Preface About This Guide Getting Additional Information Getting Documentation Updates Standards System Requirements for Installing Mac OS X Server ÂÂ iCal Server What’s New in Mac OS X Server Understanding Server Configuration Methods What’s New in Server Admin Snmp NFS Radius Supported Standards System Overview and Supported Standards System Overview and Supported Standards Mac OS X Server’s Unix Heritage Determining Your Server Needs Planning Server Usage Setting Up a Planning Team Determining Whether to Upgrade or Migrate Determining Services to Host on Each Server Identifying Servers to Set Up Planning Server Usage Defining an Integration Strategy Defining a Migration StrategyMigrating from Windows Defining Physical Infrastructure Requirements Defining Server Setup Infrastructure Requirements Setting up basic server infrastructure Making Sure Required Server Hardware Is Available Minimizing the Need to Relocate Servers After SetupDefining Backup and Restore Policies Understanding Backup and Restore Policies Understanding Backup Types Understanding Restores Understanding Backup Scheduling Defining a Backup Verification Mechanism Other Backup Policy Considerations Understanding Time Machine as a Server Backup Tool Command-Line Backup and Restoration Tools ÂÂ Wiki ÂÂ Xgrid ÂÂ Remote Access Settings ÂÂ Software Update Opening and Authenticating in Server Admin Server Admin M N Server Admin Interface Customizing the Server Admin Environment Server Assistant is used for Server Assistant Workgroup Manager Server Preferences Workgroup Manager Interface Customizing the Workgroup Manager Environment Server Monitor For additional information, see Server Monitor Help ICal Service Utility Interface ICal Service Utility Media Streaming Management System Image Management Server Status Widget Command-Line ToolsRAID Admin Podcast Capture, Composer, and Producer Xgrid Admin Apple Remote Desktop About Physical Security Enhancing Security Network DMZ About Network SecurityFirewalls and Packet Filters MAC Filtering VLANs Payload Encryption Transport Encryption About File Encryption About File SecurityFile and Folder Permissions Secure Delete About Authentication and Authorization ÂÂ Secure Shell SSH You have several options for authenticating users Single Sign-On Public and Private Keys About Certificates, SSL, and Public Key Infrastructure About Certificate Authorities CAs Certificates About Intermediate Trust About IdentitiesAbout Self-Signed Certificates From the command line Certificate Manager in Server AdminTo configure clients to trust a certificate Enhancing Security Readying Certificates Requesting a Certificate from a Certificate Authority Creating a Self-Signed CertificateTo create a self-signed certificate To request a signed certificate To create a CA Creating a Certificate Authority Enhancing Security Importing a Certificate Identity Using a CA to Create a Certificate for Someone ElseTo create a certificate for someone else To import an existing OpenSSL style certificate Editing a Certificate Managing Certificates Deleting a Certificate Distributing a CA Public Certificate to ClientsTo distribute your certificate to your clients To delete a certificate Renewing an Expiring Certificate Using CertificatesReplacing an Existing Certificate To renew an expiring certificate To do this, run the following commands in Terminal Key-Based SSH LoginSSH and SSH Keys Generating a Key Pair for SSH Key-Based SSH with Scripting Sample Setting Administration Level Privileges Administration Level Security To set Sacl permissions for a service Service Level SecuritySetting Sacl Permissions Security Best Practices Password Guidelines Creating Complex Passwords Gather your information Installation OverviewConfirm you meet the requirements Start up the computer from an installation disk Set up the environment Start the installer Prepare the target disk Gathering the Information You Need Set Up Services About the Server Install Disc Setting Up Network ServicesConnecting to the Directory During Installation SSH During Installation Administration Tools CD Preparing an Administrator ComputerMac OS X Server Install Disc Before Starting Up About Starting Up for InstallationTo install Mac OS X Server v10.6 administration tools Starting Up from an Alternate Partition Starting Up from the Install DVDTo start up the computer with the installation disc Restore the image to the alternate partition Create a restorable image of the Install DVDTo create an image of the Install DVD Prepare the disks and partitions on the target computer To restore the image to a free volume To access the computer with Server Assistant Remotely Accessing the Install DVD To access the computer with SSH To access the computer with VNCTo access the computer using Screen Sharing Identify the target server Identifying Remote Servers When Installing Mac OS X Server Starting Up from a NetBoot Environment Create a NetInstall image from the Install DVD Preparing Disks for Installing Mac OS X Server Start up the computer from the NetBoot server To create a NetInstall image from the Install DVD ÂÂ Mac OS Extended Journaled, Case-Sensitive aka Hfsx Choosing a File System About Hard Disk Partitioning Partitioning a Disk To partition a disk using Disk Utility About Creating a RAID Set So the command is You cannot create a RAID set from the startup disk To create a RAID set using Disk Utility Diskutil createRAID mirror setName format device device For example Installing Server Software Interactively To install server software locally Installing Locally from the Installation Disc To install on a remote server by using Server Assistant Installing Remotely with Server Assistant Installing Remotely with Screen Sharing and VNC To change a remote computer’s startup disk Changing a Remote Computer’s Startup Disk To use installer to install server software 105 More Interactive Methods of Installation Installing Multiple ServersMost Efficient Methods of Installation Upgrading a Computer from Mac OS X to Mac OS X Server How to Keep Current Information You Need Postponing Server Setup Following InstallationTo postpone setting up Mac OS X Server About Settings Established During Initial Server Setup Connecting to the Network During Initial Server SetupConfiguring Servers with Multiple Ethernet Ports ÂÂ Create Users and Groups Specifying Initial Open Directory Usage ÂÂ Import Users and Groups Not Changing Directory Usage When UpgradingÂÂ Configure Manually Binding a Server to Multiple Directory Servers Setting Up a Server as a Standalone Server To interactively connect to an additional directory server Setting up Servers Interactively Select the target servers from the configuration list To set up servers interactively Using Automatic Server Setup Creating and Saving Setup Data To create a setup data file How a Server Searches for Saved Setup Data Files Using Encryption with Setup Data Files Setting Up Servers Automatically Using Data Saved in a File Create the saved setup folder on the remote server To use setup data from a file remotelyRestart the remote server To set the server serial number Handling Setup Errors Adding Services to the Server View Setting Up ServicesTo change services to administer From the command-line Setting Up User Management Setting Up Open DirectorySetting Up All Other Services To set up a user account Setting Up an Administrator Computer Computers You Can Use to Administer a Server Insert the Mac OS X Server Admin Tools CD Using a Non-Mac OS X Computer for Administration Working with Pre-v10.6 Computers from v10.6 Servers Using the Administration Tools Ports Open By Default Ports Used for Administration Adding and Removing Servers in Server Admin Server Admin Basics To create a server group Grouping Servers Using Smart GroupsGrouping Servers Manually To create a server smart group Working with Settings for a Specific Server Toolbar button Shows 132 Understanding Mac OS X Server Names ÂÂ Directory Service ÂÂ Firewall ÂÂ Mobile AccessÂÂ NetBoot Dhcp Directory Service and Kerberos Firewall Mobile Access Proxy ServicesNetBoot Web ÂÂ MySQL Wiki Certificates for Web and Wiki ServicesMySQL 138 ÂÂ Certificates for collaboration services Certificates for Mail ServicesImap and POP Mailing List IChat Service Address Book ServiceICal Service Certificates for Collaboration Services To change the DNS name of the Podcast Producer computer To change the IP address of the Podcast Producer computer Print Software Update ServerPush Notification Xgrid Changing the IP Address of a Server Changing the Server’s DNS Name After SetupChanging the Server’s Computer Name and the Local Hostname To change the DNS name To change computer name and local hostname Administering ServicesFrom the command line Importing and Exporting Service Settings Adding and Removing Services in Server AdminTo add or remove a service in Server Admin To export service settings To configure service access SACLs Controlling Access to Services Managing Sharing Using SSL for Remote Server Administration Tiered Administration Permissions To assign permissions Defining Administrative PermissionsWorkgroup Manager Basics Working with Users and Groups Administering AccountsOpening and Authenticating in Workgroup Manager 152 Defining Managed Preferences To display the inspector Working with Directory Data Critical Configuration and Data Files Service Configuration AssistantsAssistants are available for the following services General Mail Service Firewall ServiceIChat Server Mail-POP/IMAP Server Dovecot NAT Service MySQL Service Notifications OpenDirectory ServiceQuickTime Streaming Server Tomcat App Server Web Service Improving Service AvailabilityEliminating Single Points of Failure Wiki and Blog Server Using Xserve for High Availability Using Backup Power Setting Up Your Server for Automatic RestartUsing UPS with Xserve Following is the Energy Saver panel of System Preferences Ensuring Proper Operational Conditions To enable automatic restartProviding Open Directory Replication Automatic restart options are Link Aggregation Link Aggregation Scenarios About the Link Aggregation Control Protocol Lacp Computer to Switch To create a link aggregate Setting Up Link Aggregation in Mac OS X Server To monitor the status of a link aggregate Monitoring Link Aggregation Status Load Balancing ÂÂ mDNSresponder local network service discovery process Using launchd for Daemon ControlDaemon Overview Viewing Running Daemons 170 Planning Monitoring Response Planning a Monitoring Policy To configure the Server Status widget Using with Server Status WidgetUsing Server Monitor Using Disk Monitoring Tools Using RAID Admin for Server MonitoringUsing Console for Server Monitoring Using Network Monitoring Tools Monitoring Server Status Overviews Using Server Admin Using Server Status Notification in Server AdminTo set a notification To see a status overview for one server Following shows a sample Overview pane for a single server Using Remote Kernel Core Dumps 177 Setting up a core dump server Setting Up a Core Dump Server Restart the computer for the settings to take effect Setting Up a Core Dump ClientSetting up a core dump client About Simple Network Management Protocol Snmp Configuring Common Core Dump Options Enabling Snmp reporting Configuring snmpdTo enable Snmp Restart snmpd to take changes To enable and configure Snmp Customize data Tools to Use with Snmp About Notification and Event Monitoring DaemonsAdditional Information about Snmp There are two main notification daemons syslogd and emond Syslog Logging Syslog Configuration File Directory Service Debug LoggingOpen Directory Logging To start debugging at startup Additional Monitoring Aids To enable client-side loggingAFP Logging To run slapd in debugging mode About Push Notification Server Push Notification Server Starting and Stopping Push Notification To enable Push Notification To change the existing push notification server Changing a Service’s Push Notification ServerClick Save, then restart the service Index 192 193 194 195 196 197