Mac Lion has the features to protect even the most sensitive systems, but users should be aware of the unintended side effects of both the Firewall and FileVault before enabling either.
Fellow TechRepublic blogger and consultant Eric Eckel wrote a piece this week called "Macs are as secure as ever," and if you haven't read it already I highly suggest that you do for his perspective on why he thinks so.
Now I'd like to show you how to protect your Lion-installed Mac even further via Lion's Firewall and FileVault software, and explain when it is best to institute these features.
Your users love to feel secure and oftentimes enable features without knowing what side effects may come of their actions. While their intentions come from a good place, doing so can leave a user permanently locked out of their files or prevent them from accessing important data on the web. It's good practice to share these concepts with your users; it will help to prevent future headaches for you, the beloved IT professional.
Firewalls help prevent unwanted traffic from flowing in and out of your computer systems. The more services you have blocked, the more difficult it is for someone or something to compromise your computer from the outside world. In the workplace, I rarely, if ever, find it necessary to enable the software-based Firewall that Apple ships with its OS. A properly managed network should handle these duties by filtering data at the router level rather than on the individual machine. Enabling the Firewall can sometimes have unintended consequences, however: file-sharing issues, iChat communications not working as expected, not being able to see other machines on the network, and even unexpected disconnects from the Internet are sometimes, but not always, the result of the Firewall being enabled.
So when is it a good time to use the software-based Firewall? Mobile workers with laptops who frequently attach to remote networks are the prime candidates. Any machine that can come and go on a managed network is a liability. Portables have a much greater potential to be compromised when away from the mothership and connecting to other public or private networks than they do within the confines of a well-maintained internal network.
FileVault is a completely different beast from the Firewall, and it's important to truly appreciate what it is and what it does. Not taking the time to fully understand FileVault before enabling it can cause a Mac to become unresponsive, prevent users from being able to log into their accounts, or even permanently damage or lose users' data. So with that being said, I'll lay the groundwork here for you to consider its usefulness, but be sure to further research FileVault for the particular needs of your environment.
In Lion, Apple has made some significant changes in FileVault 2. Most notably, Apple has changed the policy from encrypting individual users' folders to encrypting the whole drive, removed the standard OS X login and replaced it with the EFI login (a lower-level way of accessing your hardware when logging in), and now grants FileVault access rights to a machine on a per-user basis. All of this adds up to a faster, more secure way to protect a user's data using FileVault.
Unlike the Firewall, which has modest repercussions if you enable it, implementing FileVault requires more caution. As discussed before, just enabling FileVault can prevent a user from ever being able to access his data again. Here are a couple of simple questions to determine if FileVault is necessary for users in your organization.
- Is the data on your Mac so sensitive that it must be protected at any cost?
- Is the Mac that you're considering for FileVault often used by mobile workers?
If your answer is no to either of these questions it's safe to say that you and FileVault needn't ever cross paths.
If you answered yes to question one, FileVault should be considered to prevent any of that data from being compromised, especially if there is risk associated with insider threats or physical security in the office is not at the highest level.
Finally, if you answered yes to question two, this is one of the rare times I would consider enabling FileVault even if the answer to question one is no. I say this because laptops are much more likely to be compromised, either through loss or theft. In either case, FileVault encryption is there to prevent someone from scouring the data on your machine, and it also makes it very difficult to use the machine or reinstall the OS.
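For the IT professional who has to check a fleet rather than a single machine, here is an added example (not from the original article) that turns the rules of thumb above into a small audit script. It reads the text printed by Apple's own tools, `/usr/libexec/ApplicationFirewall/socketfilterfw --getglobalstate` for the Firewall and `fdesetup status` for FileVault, and flags a portable that has either protection switched off, or a desktop holding sensitive data without FileVault. Two assumptions: `fdesetup` is the command-line tool Apple shipped in OS X 10.8, so on a Lion machine you would substitute whatever status check you use there, and the `SAMPLE_*` strings are constructed copies of the tools' output so the parsing and audit logic can be exercised on any system.

```shell
#!/bin/sh
# Added example, not part of the original article. Parses the status text
# printed by Apple's Firewall and FileVault tools and applies the article's
# rule of thumb. SAMPLE_* strings below are constructed copies of that output.

# Map socketfilterfw --getglobalstate text to on/off/unknown.
firewall_state() {
    case "$1" in
        *"Firewall is enabled"*)  echo on ;;
        *"Firewall is disabled"*) echo off ;;
        *)                        echo unknown ;;
    esac
}

# Map fdesetup status text to on/off/unknown (fdesetup is an assumption:
# it shipped with OS X 10.8, not with Lion itself).
filevault_state() {
    case "$1" in
        *"FileVault is On"*)  echo on ;;
        *"FileVault is Off"*) echo off ;;
        *)                    echo unknown ;;
    esac
}

# Apply the article's guidance. Arguments: role (portable|desktop),
# sensitive data (yes|no), firewall state, FileVault state.
# Prints "ok" or a comma-separated list of findings. A portable should have
# both protections on; a desktop on a managed network is flagged for review
# if the Firewall is on, and for missing FileVault only when the data is
# sensitive.
audit() {
    role=$1; sensitive=$2; fw=$3; fv=$4; findings=""
    if [ "$role" = portable ]; then
        [ "$fw" = on ] || findings="${findings}firewall-off,"
        [ "$fv" = on ] || findings="${findings}filevault-off,"
    else
        [ "$fw" = on ] && findings="${findings}firewall-on-review,"
        [ "$sensitive" = yes ] && [ "$fv" != on ] && findings="${findings}filevault-off,"
    fi
    if [ -n "$findings" ]; then echo "${findings%,}"; else echo ok; fi
}

# Live run on a Mac; anywhere else, fall back to the constructed samples so
# the script still demonstrates the logic.
SAMPLE_FW="Firewall is disabled. (State = 0)"   # constructed sample output
SAMPLE_FV="FileVault is Off."                   # constructed sample output
if [ "$(uname)" = Darwin ] && [ -x /usr/libexec/ApplicationFirewall/socketfilterfw ]; then
    FW_OUT=$(/usr/libexec/ApplicationFirewall/socketfilterfw --getglobalstate 2>/dev/null || true)
    FV_OUT=$(fdesetup status 2>/dev/null || true)
else
    FW_OUT=$SAMPLE_FW
    FV_OUT=$SAMPLE_FV
fi
FW=$(firewall_state "$FW_OUT")
FV=$(filevault_state "$FV_OUT")
echo "firewall=$FW filevault=$FV"
echo "as a portable:          $(audit portable yes "$FW" "$FV")"
echo "as a managed desktop:   $(audit desktop no "$FW" "$FV")"
```

Run it with `sh audit.sh` on each Mac (or push it out with your management tool) and collect the two audit lines; a portable that reports `firewall-off,filevault-off` is exactly the case the article singles out as the prime candidate for both features.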
If you have any further questions regarding the topic of Firewall or FileVault, please feel free to post them below. I will follow up with a step-by-step article on how to set up FileVault in Lion, but meanwhile, see Apple's KBase article to get you started.