ShareWay IP significantly enhances the functionality of an AFP server by enabling access to the server over the Internet or an intranet. With this increased accessibility, however, come increased security risks. Without ShareWay IP, a server's exposure is limited to the AppleTalk network on which it resides. With ShareWay IP, exposure, through the Internet, can potentially include the whole world! ShareWay IP includes a number of security features, which, when combined with an AFP server's built-in security, can greatly mitigate these increased risks.

Limiting IP Access

ShareWay IP can control access over IP to a target server for guests and for specific users. The security provided by ShareWay IP works in conjunction with the security provided by the AFP server itself, allowing AppleTalk and IP to have different security settings.

As shown in Figure 1, AppleTalk and IP security have the target server's security features in common. The target server enables or disables guest access and defines users and passwords. Starting with the security parameters defined by the target server, ShareWay IP can further limit access over IP. In particular, ShareWay can:

• deny guest access over IP even if the target server allows it over AppleTalk
• allow access over IP for only certain users configured through the target server
• deny access over IP to certain users configured through the target server

In particular, guest access can be allowed for AppleTalk and denied over IP. This might prove useful in installations where guest access has historically been turned on for AppleTalk, but would be too great a security risk over IP. Likewise, access over IP can be limited to one or more users without affecting access to the server over AppleTalk.

To bring up ShareWay IP's Security window, select "Show Security" from the File menu. The window appears as shown below in Figure 2.

The upper pane controls guest access. Simply check or uncheck the box.

The lower pane controls access by user name. Using the radio buttons, IP access can be allowed for all users defined by the target server, or further restricted based on the user names in the list. To add a name to the list, enter it in the text box at the bottom of the pane and click "Add". To delete a name from the list, select it in the list and click "Delete". User names are case insensitive.

When a client who attempts to connect to the target server is denied access over IP, an error message will tell them that the user name is unknown, log on is disabled, or the password is incorrect -- the exact message depends on the version of AppleShare client they are using. If logging is enabled, such connection attempts are logged as failed logins, as though the client had entered a bad user name.

NOTE: You cannot use ShareWay's security to override security settings in the target server. Specifically, if in ShareWay you allow access to guests over IP, but have not configured guest access in the target server, guests will not be able to connect through IP. Likewise, if in ShareWay you allow access to a specific user over IP, but have not registered that user in the target server, that user will not be able to connect over IP.

Other Security Considerations

Since ShareWay IP makes the target server accessible over TCP/IP, potentially even over the Internet itself, the files on a target server may become accessible to a much larger number of people, making security an even more important issue. Consult the documentation on the target server for how to make it secure, using passwords, access privileges, and other techniques.

Connection log - ShareWay IP provides an optional connection log, which lists all access attempts to the target server, successful or otherwise. The connection log is particularly useful for identifying potential security issues. See Logging for details.

Other ShareWay machines - ShareWay IP helps you keep track of where it has been installed on your networks, and thus more easily address security issues:

• AppleTalk - While ShareWay IP is active, it registers on AppleTalk the machine name of the machine on which it is installed, using type "ShareWayIP". A network management utility which can search through an AppleTalk zone and display devices of a given type can be used to display all running copies of ShareWay IP, allowing you to keep track of who is using ShareWay.
  
  
• TCP/IP - With Mac OS 8.5 and later, while ShareWay IP is active it also registers on its TCP/IP network, using Service Location Protocol. Open Door's AFP Engage! 2.0 can, in turn, use SLP to display ShareWay servers by machine name. The IP address listed by AFP Engage! will be the ShareWay machine's IP address. If you do not want the ShareWay IP server to show up in AFP Engage!'s Browse window, turn off the SLP plug-in, using the Extensions Manager Control Panel.

For further security, it may be desirable to install a firewall product on the ShareWay machine, such as Open Door's DoorStop. With DoorStop, access can be controlled to ShareWay based on the IP address of the client. Connections can be allowed or denied for single IP addresses or a range of IP addresses.

Back to Table of Contents
Back to Using ShareWay IP
Forward to Connecting to ShareWay IP