ShareWay IP Personal Edition
User's Guide

Security

 

ShareWay IP significantly enhances the functionality of the Macintosh's built-in personal file sharing by enabling access to file sharing over the Internet or an intranet. With this increased functionality, however, come increased security risks. Without ShareWay IP, file sharing's exposure is limited to the AppleTalk network on which it resides. With ShareWay IP, exposure, through the Internet, can potentially include the whole world! ShareWay IP includes a number of security features, which, when combined with personal file sharing's built-in security, can greatly mitigate these increased risks.

Limiting IP Access

ShareWay IP can control access over IP to personal file sharing for guests and for specific users. The security provided by ShareWay IP works in conjunction with the security provided by the Users & Groups Control Panel, allowing AppleTalk and IP to have different security settings.

Figure 1. ShareWay IP Security

As shown in Figure 1, AppleTalk and IP security have the Users & Groups Control Panel (UGCP) in common. The UGCP enables or disables guest access and defines users and passwords. Starting with the security parameters defined in the UGCP, ShareWay IP can further limit access over IP. In particular, ShareWay can:

In particular, guest access can be allowed for AppleTalk and denied over IP. This might prove useful in installations where guest access has historically been turned on for AppleTalk, but would be too great a security risk over IP. Likewise, access over IP can be limited to one or more users without affecting access to the server over AppleTalk.

To bring up ShareWay IP's Security window, select "Show Security" from the File menu. The window appears as shown below in Figure 2.

Figure 2. Security Window

The upper pane controls guest access. Simply check or uncheck the box.

The lower pane controls access by user name. Using the radio buttons, IP access can be allowed for all users registered in the UGCP, or further restricted based on the user names in the list. To add a name to the list, enter it in the text box at the bottom of the pane and click "Add". To delete a name from the list, select it in the list and click "Delete". User names are case insensitive, as with the Users & Groups Control Panel.

When a client who attempts to connect to personal file sharing is denied access over IP, an error message will tell them that the user name is unknown, log on is disabled, or the password is incorrect -- the exact message depends on the version of AppleShare client they are using. If logging is enabled, such connection attempts are logged as failed logins, as though the client had entered a bad user name.

NOTE: You cannot override settings in the UGCP through ShareWay's security. Specifically, if in ShareWay you allow access to guests over IP, but have not configured guest access in the UGCP, guests will not be able to connect through IP. Likewise, if in ShareWay you allow access to a specific user over IP, but have not registered that user through the UGCP, that user will not be able to connect over IP.
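The layering described above can be modeled as follows. This is an added example, not code from ShareWay IP or Open Door Networks; the class and function names and the sample configuration are hypothetical, and password checking is left out. It computes the effective access per transport and reports ShareWay settings that have no effect because the UGCP does not back them.

```python
from dataclasses import dataclass, field

@dataclass
class UGCP:
    """Users & Groups Control Panel settings (shared by AppleTalk and IP)."""
    guest_enabled: bool
    users: set = field(default_factory=set)

@dataclass
class ShareWaySecurity:
    """ShareWay IP Security window settings (apply to IP only)."""
    guest_over_ip: bool
    all_ugcp_users: bool          # radio button: allow every UGCP user over IP
    listed_users: set = field(default_factory=set)

def _norm(names):
    return {n.lower() for n in names}   # user names are case insensitive

def allowed(user, transport, ugcp, sw):
    """Return True if `user` (None = guest) may connect over 'appletalk' or 'ip'."""
    if user is None:
        base = ugcp.guest_enabled
    else:
        base = user.lower() in _norm(ugcp.users)
    if transport == "appletalk" or not base:
        return base                      # ShareWay never widens UGCP access
    if user is None:
        return sw.guest_over_ip
    return sw.all_ugcp_users or user.lower() in _norm(sw.listed_users)

def ineffective_settings(ugcp, sw):
    """List ShareWay settings that grant nothing because the UGCP does not back them."""
    findings = []
    if sw.guest_over_ip and not ugcp.guest_enabled:
        findings.append("guest allowed over IP but guest access is off in UGCP")
    if not sw.all_ugcp_users:
        for name in sorted(_norm(sw.listed_users) - _norm(ugcp.users)):
            findings.append(f"user '{name}' listed for IP but not registered in UGCP")
    return findings

# Constructed sample configuration (not taken from any real installation)
UGCP_CFG = UGCP(guest_enabled=True, users={"Alice", "Bob"})
SW_CFG = ShareWaySecurity(guest_over_ip=False, all_ugcp_users=False,
                          listed_users={"alice", "Carol"})
```
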

 

Other Security Considerations

Since ShareWay IP makes personal file sharing accessible over TCP/IP, potentially even over the Internet itself, the files on any Macintosh running ShareWay IP may become accessible to a much larger number of people, making security an even more important issue. Consult the documentation on personal file sharing for how to make it secure, using passwords, access privileges, and other techniques.

Connection log - ShareWay IP provides an optional connection log, which lists all access attempts to personal file sharing, successful or otherwise. The connection log is particularly useful for identifying potential security issues. See Logging for details.

Other ShareWay machines - ShareWay IP helps you keep track of where it has been installed on your networks, and thus more easily address security issues:

For further security, it may be desirable to install a firewall product on the ShareWay machine, such as Open Door's DoorStop. With DoorStop, access can be controlled to ShareWay based on the IP address of the client. Connections can be allowed or denied for single IP addresses or a range of IP addresses. DoorStop Personal Edition has been specifically developed for use with ShareWay IP Personal and other end-user IP services.

