Securing Mac OS X Lion using Firewall and FileVault 2

Mac OS X Lion has the features to protect even the most sensitive systems, but users should be aware of the unintended side effects of both Firewall and FileVault before enabling either.

Fellow TechRepublic blogger and consultant Eric Eckel wrote a piece this week called "Macs are as secure as ever," and if you haven't read it already, I highly suggest that you do for his perspective on why he thinks so.

Now I'd like to show you how to protect your Lion-installed Mac even further via Lion's Firewall and FileVault software, and explain when it is best to institute these features.

Your users love to feel secure and oftentimes enable features without knowing what side effects may come of their actions. While their intentions are good, doing so can leave a user permanently locked out of their files and prevent them from accessing important data on the web. It's good practice to share these concepts with your users, and doing so will help prevent future headaches for you, the beloved IT professional.

Lion's Firewall

Firewalls help prevent unwanted traffic from flowing in and out of your computer systems. The more services you have blocked, the more difficult it is for someone or something to compromise your computer from the outside world. In the workplace, I rarely, if ever, find it necessary to enable the software-based Firewall that Apple ships with its OS. A properly managed network should handle these duties by filtering data at the router level rather than on the individual machine. Enabling the Firewall can also have unintended consequences: file-sharing issues, iChat communications not working as expected, not being able to see other machines on the network, and even unexpected disconnects from the Internet are sometimes, but not always, the result of the Firewall being enabled.

So when is it a good time to use the software-based Firewall? Mobile workers with laptops who frequently attach to remote networks are the prime candidates. Any machine that can come and go on a managed network is a liability. Portables have a much greater potential to be compromised when away from the mothership and connecting to other public or private networks than they do within the confines of a well-maintained internal network.

FileVault

FileVault is a completely different beast from the Firewall, and it's important to truly appreciate what it is and what it does. Not taking the time to fully understand FileVault before enabling it can cause a Mac to become unresponsive, prevent users from being able to log into their accounts, and even permanently damage or lose users' data. With that being said, I'll lay the groundwork here for you to consider its usefulness, but be sure to further research FileVault for the particular needs of your environment.

In Lion, Apple has made some significant changes in FileVault 2. Most notably, Apple has changed from encrypting individual users' folders to encrypting the whole drive, removed the standard OS X login and replaced it with the EFI login, which is a lower-level way of accessing your hardware when logging in, and now grants FileVault access rights to a machine on a per-user basis. All of this adds up to a faster, more secure way to protect a user's data using FileVault.

Unlike the Firewall, which has modest repercussions if you enable it, implementing FileVault requires more caution. As discussed before, just enabling FileVault can prevent a user from ever being able to access his data again. Here are a couple of simple questions to determine if FileVault is necessary for users in your organization.

  • Is the data on your Mac so sensitive that it must be protected at any cost?
  • Is the Mac that you're considering for FileVault used often by mobile workers?

If your answer is no to both of these questions, it's safe to say that you and FileVault needn't ever cross paths.

If you answered yes to question one, FileVault should be considered to prevent any of that data from being compromised, especially if there is risk associated with insider threats or if physical security in the office is not at the highest level.

Finally, if you answered yes to question two, this is one of the rare times I would consider enabling FileVault even if the answer to question one is no. I say this because it is much more likely for laptops to be compromised, either through loss or theft. In either case, FileVault encryption is there to prevent someone from scouring the data on your machine, and it also makes it very difficult to use and reinstall the OS.

If you have any further questions regarding the topic of Firewall or FileVault, please feel free to post them below. I will follow up with a step-by-step article on how to set up FileVault in Lion, but meanwhile, see Apple's KBase article to get you started.

About

Wil Limoges is a Louisville, KY freelance web designer and Digital Savant at the vimarc group. He has had the pleasure of working for Apple as a Genius, loves science, and aspires to make great things!

10 comments
silentblue

Sorry Wil but you lost me when you said don't enable the firewall at work???? This told me not to read any more!!!

bhimatech

Has the new FileVault helped clear up the incompatibility with TimeMachine back ups? That is to say, you could do one or the other but not both. If you ever tried to do a TM Back Up on a FileVaulted drive, the back up would not restore properly because of how it views an encrypted file. Any info appreciated, especially if you have a work around back up solution for encrypted drives. Thanks.

realvarezm

Like tone4sho, I'm very interested in this new feature too.

tone4sho

Great article. I work in an education environment. We have been testing Lion's new features like Filevault over the past few days. We've found that unfortunately ANY administrator on the machine can disable encryption on the machine if it's enabled. Many would say 'well, don't give administrative rights to end users', but these end users sometimes require an administrator login to do things such as install flash player, or install other applications. We DO have a desktop management solution for our Apple machines, but sometimes an instructor may need to get something installed or configured immediately, so it's hard to say 'put in a ticket and we'll build/push that application to you'. Any thoughts on this? Thanks in advance.

Wil Limoges

So you didn't get to read the part where I said appropriately that Firewalls should be managed at the router? Software-based Firewalls like the one that ships with Lion are designed to be used in public or unmanaged environments, as a "better than nothing" option, and therefore do not offer the robust features that a hardware-based Firewall can. Enabling software Firewalls in a managed environment can actually create more problems than they can prevent for your users and admin. If you feel like your co-workers are trying to compromise your Mac, I'd personally be more concerned with leaving your computer logged in without password protection than I would with them attempting to hack into your computer using one of its running services.

Wil Limoges

With FileVault 2 the entire drive is now encrypted. With that being said, Time Machine can reach inside of the encrypted disk and grab files while you are logged in, extract them, and store your data on an external drive unencrypted. This should resolve the issue you are experiencing, however, this creates a bit of a security risk because the Time Machine data is no longer secure. Thankfully FileVault 2 supports encrypting external drives as well so it is possible to protect your Time Machine back ups. I haven't fully tested this theory so if you give it a shot please come back and tell us about your experience.

Wil Limoges

My first question would have to be: is FileVault mandatory? If no, then I would recommend against it, as it truly can complicate the management of medium to large environments. If it's a required policy, well, it is what it is.

One thing to attempt would be to lock down the actual FileVault System Pref from within the Finder by granting access to it with a dedicated administrator account. I can't promise that this won't have some unforeseen consequences, but it's worth a shot if you want to provide users admin accounts without granting them access to FileVault.

To do this, navigate to the location where the Preference Panes are stored: /System/Library/PreferencePanes/. Located inside you will see the panes that appear in the System Preferences window. Right (control) click on Security.prefPane and Get Info. Here is where things are murky for me because this is untested, so I recommend doing this in a testing environment or at the very least writing down or screen capturing the current permission settings in the Get Info pane, as well as getting a good backup before proceeding.

Under Sharing & Permissions of the Get Info pane, add the dedicated administrator account you wish to grant access to and give it Read & Write permissions. Then remove "everyone" from the list. Test the theory by logging into another admin account and seeing if they can make changes to FileVault. If so, log back into the dedicated admin account, remove wheel, and test again. If it still doesn't produce the desired effect, I'd recommend not proceeding any further and returning permissions back to their previous state.

Let me know how that goes if you attempt it and I'll see if I can discover another solution in the meantime. I'm thinking that Parental Controls may hold the key.

FYI, if you have ever wondered if you can store a Preference Pane in your dock for fast access, you most certainly can! I keep my Startup Disk Pane in my dock so I can switch between Bootcamp and Mac just by clicking it from the dock instead of navigating to it.

silentblue

A hardware firewall/router only protects the gateway, and yes, other internal systems get you to the point of 99% protected (Managed Environment). But when something gets in, and it will! Having your internal workstations unprotected is just plain wrong. Network Security 101 - Don't care what Steve Jobs & Co says!
