DoorStop is a software firewall. Firewalls in general protect TCP/IP services from undesired access. DoorStop specifically protects TCP/IP services, such as Web Sharing or Mac OS 9's File Sharing over TCP/IP, on the machine on which it is running. DoorStop's protection is in addition to any protection provided by the service itself, such as users and groups.
With DoorStop Admin, you tell DoorStop which TCP/IP services to protect, and how each service should be protected, on a service-by-service basis. DoorStop also provides protection for all TCP/IP services not explicitly specified. For maximum security, the default protection for explicitly specified services and for "all other" services is set to deny all access. You can use DoorStop Admin to specify other types of protection for each service. A service can be protected so that anyone can access it, no one can access it, or only certain machines can or cannot access it.
When access to a service is limited to certain machines, those machines are specified by their IP address or host name. An IP address is a numerical address consisting of four numbers in the range of 0-255, connected by periods, like this:
192.168.0.10
Every machine on the Internet has a unique IP address.
Host names are user-friendly equivalents to IP addresses. For example, the host name www.opendoor.com and the IP address 198.68.10.253 both point to Open Door's Web server machine. Host names are converted to IP addresses by the Domain Name System (DNS). With DoorStop you can specify machines by using either IP addresses or host names, although DoorStop only stores IP addresses. IP addresses can be specified as a single IP address, a range of IP addresses that start with certain values, or a range of IP addresses corresponding to a subnet. A subnet is a local area network that is part of a larger intranet, or of the Internet.
Note for power users: On a machine configured with multiple IP addresses, the security settings specified in DoorStop (client addresses and type of protection for each service) apply to all IP addresses configured on that machine.
Internet services communicate by means of "ports", with each service using a unique port number. For instance, Web Sharing usually uses port 80, and File Sharing over TCP/IP uses port 548. Sometimes services are run on alternate ports, however. For instance, if two Web servers are running on the same machine, they could not both use the same port number -- one of them would be assigned an alternate port number.
DoorStop has two modes of operation: Basic and Advanced. Basic Mode provides the functionality needed to control access to the most commonly used services, in the simplest possible manner. Users need know nothing of which port number a service uses. In Basic Mode, you can only protect a specific predefined set of services, or "all other" services as a whole. Also, when specifying a range of IP addresses that corresponds to a subnet, you can only specify your own subnet.
In Advanced Mode you can:
Advanced Mode allows you to create protection for any port number. Specifying protection by port number is useful for creating protection for services not predefined by DoorStop, and for creating protection for services using alternate port numbers. Specifying protection by port number might also be useful if you determined from DoorStop's log file or notification mechanism (see below) that a certain port number was under attack. Even without knowing what that port is used for, you could create protection for it, increasing the security of your system.
Advanced Mode also allows you to create a range of IP addresses by specifying any subnet. For example, a large organization's intranet might be broken down into two or more subnets. With DoorStop, you can specify all users on any given subnet, allowing you to tune access, for instance, to a particular part of an organization.
Finally, Advanced Mode allows you to specify protection for services that use the UDP protocol as well as those that use TCP. UDP (User Datagram Protocol) is a basic Internet protocol used mainly by system-level services. Since UDP is used by system-level services, denying access to UDP services can prevent your Mac from functioning correctly on the Internet, so this feature is intended only for those who understand the operation of Internet protocols well.
Additional security features of DoorStop are logging and notification. By keeping a log of all access attempts (allowed, denied, or both), you can see who has been accessing or attempting to access your machine's TCP/IP services. With real-time notification of access attempts, you are immediately alerted if an access attempt is made to any TCP/IP service on your machine.
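As an added illustration, not code from DoorStop or Open Door Networks, the following Python models the access-control scheme described above: one rule per service (keyed by protocol and port) with the four protection types, an "All Other" rule that defaults to deny, client machines given as a single IP address, a "starts with" prefix, or a subnet, and one log line per access attempt. The `*` prefix syntax, the rule and port names beyond Web Sharing (80) and File Sharing over TCP/IP (548), and the sample addresses are assumptions made for this example; DoorStop's own address syntax and storage format are not described on this page.

```python
import ipaddress
from dataclasses import dataclass, field

# The four protection types the page describes for a service.
ALLOW_ALL = "anyone"          # anyone can access it
DENY_ALL = "no one"           # no one can access it
ALLOW_LISTED = "only listed"  # only the listed machines can access it
DENY_LISTED = "all but listed"  # the listed machines cannot access it


def parse_address_spec(spec: str) -> ipaddress.IPv4Network:
    """Convert a machine spec into a network (assumed syntax for this example):
    '192.168.0.10'   a single IP address
    '192.168.*.*'    a range of addresses that start with certain values
    '10.1.2.0/24'    a range of addresses corresponding to a subnet
    """
    if "*" in spec:
        parts = spec.split(".")
        if "/" in spec or len(parts) != 4:
            raise ValueError(f"bad address spec: {spec}")
        fixed = []
        for octet in parts:
            if octet == "*":
                break
            fixed.append(octet)
        # Leading octets must be fixed and every remaining octet must be '*'.
        if not fixed or any(p != "*" for p in parts[len(fixed):]):
            raise ValueError(f"bad address spec: {spec}")
        network = ".".join(fixed + ["0"] * (4 - len(fixed)))
        return ipaddress.IPv4Network(f"{network}/{8 * len(fixed)}")
    if "/" in spec:
        return ipaddress.IPv4Network(spec, strict=False)
    return ipaddress.IPv4Network(f"{spec}/32")


@dataclass
class ServiceRule:
    name: str
    mode: str
    machines: list = field(default_factory=list)  # list of IPv4Network


class ServiceFilter:
    """Per-service protection with a default rule for 'all other' services."""

    def __init__(self, default_mode: str = DENY_ALL):
        self.rules: dict = {}  # (protocol, port) -> ServiceRule
        self.all_other = ServiceRule("All Other", default_mode)
        self.log: list = []

    def protect(self, protocol: str, port: int, name: str, mode: str, machines=()):
        nets = [parse_address_spec(m) for m in machines]
        self.rules[(protocol.lower(), port)] = ServiceRule(name, mode, nets)

    def check(self, protocol: str, port: int, client_ip: str) -> bool:
        """Return True if the client may reach the service; log the attempt."""
        rule = self.rules.get((protocol.lower(), port), self.all_other)
        addr = ipaddress.IPv4Address(client_ip)
        listed = any(addr in net for net in rule.machines)
        if rule.mode == ALLOW_ALL:
            allowed = True
        elif rule.mode == DENY_ALL:
            allowed = False
        elif rule.mode == ALLOW_LISTED:
            allowed = listed
        elif rule.mode == DENY_LISTED:
            allowed = not listed
        else:
            raise ValueError(f"unknown protection type: {rule.mode}")
        verdict = "ALLOW" if allowed else "DENY"
        self.log.append(f"{verdict} {protocol.lower()}/{port} ({rule.name}) from {client_ip}")
        return allowed


def build_example_filter() -> ServiceFilter:
    """Constructed configuration: Web Sharing open to anyone, File Sharing over
    TCP/IP limited to one prefix range and one subnet, everything else denied."""
    fw = ServiceFilter(default_mode=DENY_ALL)
    fw.protect("tcp", 80, "Web Sharing", ALLOW_ALL)
    fw.protect("tcp", 548, "File Sharing over TCP/IP", ALLOW_LISTED,
               machines=["192.168.0.*", "10.1.2.0/24"])
    return fw


if __name__ == "__main__":
    fw = build_example_filter()
    for proto, port, ip in [("tcp", 80, "203.0.113.5"), ("tcp", 548, "192.168.0.10"),
                            ("tcp", 548, "192.168.1.10"), ("udp", 548, "192.168.0.10"),
                            ("tcp", 9999, "10.1.2.7")]:
        fw.check(proto, port, ip)
    print("\n".join(fw.log))
```

Note that a rule is keyed by protocol as well as port, so the TCP rule for port 548 does not cover UDP port 548; an attempt on UDP 548 falls through to the "All Other" rule, which is the deny-by-default behaviour the page recommends.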
Using DoorStop with File Sharing
With the creation of Open Door's ShareWay IP product, the Mac's built-in File Sharing can work over TCP/IP in addition to AppleTalk. ShareWay IP is available as a standalone product from Open Door Networks. It is also included with Mac OS 9 and used to implement the "File Sharing over TCP/IP" check box in the File Sharing Control Panel. In both cases, the Users and Groups Control Panel provides general security in terms of access to files on your machine over either AppleTalk or TCP/IP. ShareWay IP 3.0 can also add a second level of TCP-specific security.
Despite all these existing security measures, there are important benefits to using DoorStop. It is often convenient to allow guest access to your machine so that users on your AppleTalk network can access your files. However, when you grant guest access over AppleTalk, you also implicitly grant it over TCP/IP. If your network is connected to the Internet, you will want to carefully control IP access to your files. DoorStop allows you to leave AppleTalk security as it is, and add an independent layer of security for Internet access. Specifically, you could:
DoorStop thus becomes an easy way to add the necessary security needed for Internet exposure, without changing your existing security settings.
Using DoorStop with Program Linking
Program Linking can potentially give other users control of any application on your machine. With Program Linking over IP (new to Mac OS 9), this represents an especially large risk. DoorStop provides another level of protection, in case Guest access is accidentally (or maliciously) enabled on your machine. As with File Sharing over IP, access to Program Linking over IP can be denied to all other machines, or selectively allowed to one or more machines that you specify.
Using DoorStop with Web Sharing
Typically you will not want to limit access to Web Sharing, although if your intranet is connected to the Internet, and you have sensitive material on your Web site, you may want to limit access to Web Sharing to users within your company, or even within your subnet.
Using DoorStop with Other Services
With the growing popularity of TCP/IP, more and more applications are in use that allow access over both AppleTalk and TCP/IP. As an added security measure when installing new applications, it is recommended that DoorStop's "All Other" service be set to deny all access. If you add an application that needs TCP/IP accessibility, you can use DoorStop's Advanced Mode to allow access to that service, but all others should be denied. This approach limits the possibility of unknowingly installing software that can potentially create a security risk over TCP/IP.
DoorStop protects TCP/IP services on its machine from outside access. DoorStop does not prevent access to outside TCP/IP services from that machine. For instance, DoorStop will not prevent you from accessing Web sites or sending email. Due to limitations in the protocol, however, using FTP (File Transfer Protocol) to download or upload files may require some additional configuration. See DoorStop Interaction with Other Applications for details.