Today we have an interesting interview between our own Michael Hjorleifsson and Pat Lee from VMWare Fusion. Virtualization has become one of the most interesting and progressive areas for computer users of all platforms, and Pat answers some great questions concerning the future of running virtual machines on OS X. VMWare Fusion is arguably the leader in the virtualization space and Pat talks about some of the cool stuff the company has been working on, and what to expect down the road.

You might want to check out Marv’s excellent VMWare Fusion review while you listen.

[display_podcast]

Subscribe to the MacApper Podcast

The security technology, known as ASLR (address space layout randomization), randomly arranges the positions of key data areas to prevent malware authors from predicting target addresses. It is used in tandem with additional security features to reduce the effectiveness of exploit attempts. According to Apple, the library randomization feature will allow Leopard to defend against attackers with no effort at all. One of the most common security breaches occurs when a hacker’s code calls a known memory address to have a system function execute malicious code. Leopard frustrates this plan by relocating system libraries to one of several thousand possible randomly assigned addresses.

So what does this mean in English to the real people out there? Here is a little analogy that will give you a good idea of the technology. Picture your computer as the wastebasket across from your desk and you are the hacker. You keep throwing paper at the computer (this is akin to an attack) and every now and then you will get one in there – this is akin to knowing the memory location of an application in an operating system that you’re trying to penetrate. You know where it is and you keep firing at it until you figure out a way to get it in the basket. Now enter ASLR, and to keep with the current analogy, turn off the lights and have someone randomly move the wastebasket to any one of thousands of locations every few seconds. So how many pieces of paper are you going to get in there now? Would you even bother?

That is the entire point of ASLR – make it so difficult and hard a target to hit that it isn’t really worth your time to attempt it, because your odds of success are so minimal.

Apple has also added systrace (often referred to as Sand-boxing) to Leopard to limit an applications ability to affect the rest of the system. As there is some of this inherently in the Unix protected memory scheme, in Leopard systrace puts up some additional barriers to protect against misbehaving applications, enforcing access policies to ensure some rogue application doesn’t reformat your time-machine partition or other such nastiness. Not all applications will be sand-boxed initially, the most surprising of which is Safari, though I am confident that will get added in short order.

Note: Right now the Leopard website lists Bonjour, Spotlight, and Quick Look as being sandboxed. It will be interesting to see the entire list.

Some of the other improvements include:

• Tagging Downloaded Applications – Protection from potential threats. Any application downloaded to the operating system is tagged. Before it runs for the first time, the system asks for the user’s consent – notifying the user when it was downloaded, what application was used to download it, and, if applicable, what URL it came from. There is a similar feature in Vista but Apple’s approach has a more polished user experience.
• Application-Based Firewall – Leopard will feature the ability to specify the behavior of specific applications to either allow or block incoming connections. In other words if your FTP application suddenly tries doing some secure shell magic (which it should never do) the firewall will kill the connection as it violates what FTP traffic is supposed to look like.
• Application Signing – This is a pretty simple concept that has had mixed reviews on other platforms. Signed applications (like signed Java Applets for you Java folks) contain a certificate with the creators information, which you can verify or trust prior to installing any software from that publisher. If the application isn’t signed, the idea is, you shouldn’t trust the application. Apple will be signing all of their applications.
• The Keychain has been enhanced to manage multiple user certificates for email encryption and digital signatures better, a welcome update for multiple POP account email users.Apple is also doubling encrypted disk images from 128bit to 256bit AES encryption. While this is a good move for those requiring compartmentalized security for their documents, the processing hit is pretty high, so use this sparingly.

So what does this mean to the general business user of Mac OS X? Less worry, more stability, less time spent rebuilding and recovering from viruses, malware or network penetrations. For a very detailed run-down of these security improvements (and others), check out this article on TidBITS.

What do you think of the security side of OS X Leopard? Like a warm blanket?

Well, it’s a feature that will allow administrators to control who gets on their network, at the wired or access point level. Leopard server also includes a directory integrated radius server, which controls who gets on the wired/wireless network using 802.1x and WPA Enterprise authentication.

Wikipedia.org defines 802.1x as “IEEE 802.1X is an IEEE standard for port-based Network Access Control; it is part of the IEEE 802 (802.1) group of protocols. It provides authentication to devices attached to a LAN port, establishing a point-to-point connection or preventing access from that port if authentication fails. It is used for certain closed wireless access points, and is based on the EAP, Extensible Authentication Protocol (RFC 2284).”

When a user attempts to access your network, the network switch (if it supports 802.1x) or access point will isolate the user and prompt that user for authentication. For instance if you had an Apple Airport Extreme you could set this access point up to use WPA-Enterprise, leveraging the Radius infrastructure now built-in to OSX Server 10.5 (Leopard).

Why deploy a solution like this? The answer is simple. If you need to know or ensure who is accessing your network and from where then you should take a serious look at deploying 802.1x. If you need to protect your wireless network with something stronger than a shared secret and don’t want to manage yet another database of usernames and passwords, then this solution is for you too.

Because Apple typically makes the powerful software easy to use, they have also integrated their Radius server directly into Apple Open Directory. This means you can easily just create a group in Open Directory the way you normally would and assign the access permissions using the tools you are already used to. Here is how it looks from a 10,000 foot view and how it works.

In 802.1x, when the switch receives a link-up or link-down (an indication that a machine has become connected to the port) the switch then prompts the user for credentials in one of several fashions. The most familiar one being the “hotel page,” aptly named for anyone who has accessed the internet from a hotel can tell you. That web page you get asking you to pay or click for your free day of Internet access is an 802.1x authentication page.

In a wireless network the WPA supplicant, which is a piece of software on your Mac or Windows XP/Vista machine will receive an authentication request which can be a pop-up username password box or even a client certificate (x.509) In either case the user must authenticate to gain access to the “wire” and then receive an IP address from a DHCP server. They will then be able to cruise and utilise the network resources that are available.

Another advantage to this type of access control methodology is the auditing that can be provided to administrators allowing for compliance with regulations (HIPPA, SOX, PCI, etc) or incident forensics (who hacked from where). Because Apple has integrated Radius with their Open Directory, it allows users to just remember and use a single set of credentials rather than yet another username and password. Administrators need only worry about maintaining the user accounts and passwords in the directory, rather than having to maintain another user directory or database.

What do you need to deploy a solution like this? Apple OSX 10.5 (Leopard) Server, and either (or both if you are running wired and wireless) an 802.1x capable switch like a Cisco 2924 with appropriate IOS (Check your firmware and cisco.com) for wired networks, or an Apple Airport Extreme/any WPA Enterprise enabled access point (most consumer 802.11g/n routers like D-Link, Linksys, Netgear support this). That’s all, a little configuration time and your off and running. This will support Mac OS X, Windows XP/Vista and most Linux clients right out of the box.

I most stress the importance of security on your wired and wireless network and point out that there are more complex access control solutions, like the up and coming NAC (network access control) products from vendors like AEP, Cisco, Juniper and others which do more granular control, end point policy enforcement, and in some cases integrated intrusion detection/prevention.

However, some security is better then none and starting out with WPA Enterprise and 802.1x is better than just open network access and WEP wireless security.

How We Got Here
Once upon a time in a business far, far, away there was something called Ethernet that was enabling small businesses to tie computers together for sharing resources at a relatively inexpensive cost. There was Artisoft Lantastic, Banyan Vines, Novell Netware and 3Com 3Server network operating systems with their own proprietary methods of connecting machines together, sharing files, and printing; life was good. Novell was the dominant player in the majority of the business space, Banyan Vines in the government and security conscious organizations, and Lantastic for the small workgroups. Back in these days, people had to learn key stroke combinations to make Word Perfect format their documents and yes believe it or not work got done.

In the early 90′s, a Redmond based company you may know released its first draft of its network operating system, Windows NT 3.1 . Initially no one really cared including me as Novell was the standard, Lantastic for the small guys, and Vines for the government folks. As time went by, I looked at NT 3.1 and tore apart the beta certification exam Microsoft was working on (which was inclusive of microkernel architecture concepts and questions) and I got pretty excited that Microsoft had included things like RAS (Remote Access Server). This allowed me to dial in and manage the server remotely and it didn’t even cost me or my clients extra. NT 3.1 also did all management with this neat thing called a GUI (graphical user interface), allowing you to actually use that mouse thing you bought. These features were all built into NT 2.1, but were features you had to pay for (and sometimes pay heavily) in Netware. Along came SNA Server, now just a memory, but at the time an epiphany of technology allowing companies that needed mainframe access, which at the time was most of them, to use pooling and other cool technologies that again saved customers a large amount of money. These Microsoft guys had something compelling, a lot of free features, a cool interface to administrate the system with and a price point we could live with.

Fast forward to 2007 and lets move some pieces on the chess board; Microsoft now sits where Novell sat, fat and happy. Novell has changed its model from proprietary Netware to open-source Linux based software through Suse acquisition. Then there is a company no one thinks of as a business server – OS X Server from Apple – the sleeping giant. Apple’s OS X Server provides businesses with, dare I say it, a better GUI, easier administrative tools and a bunch of included features you have to pay for from the other guys. This sounds like a history lesson, but I digress. Lets dig a little deeper and look at the bang for the buck you get with OS X Server.

The Value Proposition
Well it’s all fine and good that Apple has a great GUI, easy management tools, and a bunch of features, but the bottom line to the small business owner. Let’s take a side by side comparison of Microsoft’s Small Business Server (SBS) and Apple’s OS X Server Software and see how Apple’s server stacks up against the 800lb gorilla’s offering.

*(limited to 75gb mailboxes) **Limited Edition and/or 32 bit version ***Additional Users Require Licensing, Limited to 75 Users Max. ~Can act as File/Print/Authentication Server for Microsoft XP and Vista Client machines.

No I am not trying to sell you OS X Server, I just want to make you aware that OS X Server is a suitable alternative to the “mainstream” choice. There are a couple of other items of note that I should mention here. Apple includes 64 bit versions of Apache, and MySQL as well as web platforms JBOSS, PHP, Ruby to allow a business to leverage open source solutions to fill their application and groupware needs (more on these to come in future articles). Apple OS X Server can be used as the server in a network full of Windows machines providing them with authentication, file/print, and the balance of services listed above (except Patch Management, Xgrid and Netboot), so it’s not just an Apple to Apple solution either.

Wrap Up
This article just scratches the surface of the differences and overall value proposition of OS X Server. We haven’t delved into the redundancy options you have free with OS X Server that you pay for with the other guys, but that isn’t the purpose of this article. My purpose here was to get your attention and provide you with a brief introduction to business computing options in the Apple realm. Based on your feedback we can either dive deeper into this comparison or tackle other Apple in business issues, etc. so please provide some feedback so I can tailor the content of my next articles to suit you, the audience.