How to use built-in community safety features for Apple products

Apple’s network features can be used to enhance security.
Apple devices adhere to many internet security standards. Here’s how to use each of them on your Apple hardware.

In our networked society, internet connectivity has become ubiquitous. Internet security technology is important because it helps keep network communications secure. Over the years, different standards have been developed to keep networks and devices safe. This article will examine several of these standards and how they relate to Apple devices.

IPsec, IKEv2, L2TP

There are three key technologies used to secure VPNs and connections: IPsec, IKEv2 and L2TP.

IPsec was developed from early DARPA ARPANET research. Later, MIT, Motorola and NIST formalized the standard. IPsec, which provides secure authentication, key exchange, encryption, and data integrity, is primarily used by VPNs. If you have ever installed VPN software on an Apple device, you’ve probably used IPsec. It is a “Layer 2” protocol that sits on top of Layer 3 protocols; we’ll look at this in a minute. There are a few excellent books on IPsec, including IPSec Design from Cisco and IPSec: Securing VPNs by Carlton Davis.

IKE stands for Internet Key Exchange protocol. It is available in three versions: IKEv1, IKEv2, and IKEv3. It is used by DNS and IPsec to create and exchange secure key pairs when connections are set up. Public Key Infrastructure (PKI), which replaces passwords, uses shared keys. IKE is based upon two older protocols: the Oakley protocol and ISAKMP. These protocols were developed in the late ’90s in response to efforts to secure early internet connections. The Oakley protocol uses the Diffie-Hellman key exchange, a well-known algorithm for securely exchanging keys. ISAKMP, a key-exchange framework, provides a security association as well as keys that can be used by key-exchange protocols like IKE. Cisco has adopted both the Oakley protocol and ISAKMP for use in its VPNs and routers.
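The Diffie-Hellman exchange that Oakley and IKE are built on, as an added example (not code from the article, from Apple, or from any IKE implementation): initiator and responder each publish a public value over the open channel and arrive at the same key, and each side validates the other’s public value before using it, which is the check a real key-exchange implementation has to make. The group parameters are a constructed toy safe prime chosen so the numbers stay readable; real IKE negotiates one of the large MODP groups from RFC 3526, and the hash at the end stands in for IKE’s PRF.

```python
"""Diffie-Hellman key agreement in the style used by Oakley/IKE.

Added example, not code from the article or from Apple. The group below is a
constructed toy (p = 1019, a safe prime) so the numbers are readable; real IKE
negotiates one of the large MODP groups from RFC 3526 instead.
"""
import secrets
from hashlib import sha256

P = 1019            # constructed toy safe prime, p = 2q + 1
Q = (P - 1) // 2    # q = 509, the prime order of the subgroup we use
G = 4               # a quadratic residue mod p, hence a generator of that subgroup


def is_prime(n: int) -> bool:
    """Trial-division primality test; fine for the toy parameters only."""
    if n < 2:
        return False
    d = 2
    while d * d <= n:
        if n % d == 0:
            return False
        d += 1
    return True


def validate_public_value(y: int, p: int = P, q: int = Q) -> bool:
    """Accept a peer's public value only if it lies strictly between 1 and p-1
    and is in the order-q subgroup. Skipping this check is what lets a peer
    force a trivial or small-subgroup shared secret."""
    if not 1 < y < p - 1:
        return False
    return pow(y, q, p) == 1


def generate_keypair(p: int = P, q: int = Q, g: int = G) -> tuple[int, int]:
    """Private exponent x in [1, q-1] and public value g^x mod p."""
    x = secrets.randbelow(q - 1) + 1
    return x, pow(g, x, p)


def derive_shared_key(own_private: int, peer_public: int, p: int = P) -> str:
    """Compute g^(xy) mod p and run it through a hash, standing in for the
    PRF that IKE uses to turn the DH result into keying material."""
    if not validate_public_value(peer_public, p):
        raise ValueError("peer sent an invalid Diffie-Hellman public value")
    shared = pow(peer_public, own_private, p)
    width = (p.bit_length() + 7) // 8
    return sha256(shared.to_bytes(width, "big")).hexdigest()


def run_exchange() -> tuple[str, str]:
    """Initiator and responder each publish g^x; both derive the same key."""
    x_i, y_i = generate_keypair()     # initiator keeps x_i, sends y_i
    x_r, y_r = generate_keypair()     # responder keeps x_r, sends y_r
    key_initiator = derive_shared_key(x_i, y_r)
    key_responder = derive_shared_key(x_r, y_i)
    return key_initiator, key_responder


if __name__ == "__main__":
    k_i, k_r = run_exchange()
    print("shared keys match:", k_i == k_r)
```

Only the public values cross the wire; the private exponents never leave their side. The subgroup check rejects 0, 1 and p-1 outright, and also rejects values such as 2 that are valid group elements but lie outside the order-q subgroup, which is the kind of input that unvalidated implementations have historically accepted.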
Other key exchange protocols include Kerberized Internet Negotiation of Keys (KINK) and SKEME.

L2TP is a tunneling protocol that is used to send control messages in network communication. L2TP does not encrypt or secure data or content, only the control signals that are used to establish connections. The protocol was formalized by the RFC 2661 specification in 1999 and was created by combining Cisco’s L2F and Microsoft’s PPTP protocols. It uses the User Datagram Protocol (UDP) for packet transmission. UDP is a broadcast protocol that does not require acknowledgement: listeners can wait for information on a port without having to respond to the sender. L2TP was created to provide security for PPP (Point-to-Point Protocol) at a time when dial-up modems still dominated.

By using one of the additional encrypted protocols, data packets can be sent over a Layer 2 tunnel. Secure tunneling ensures that all data traveling through the tunnel is encrypted and controlled by only the two endpoints. This makes it difficult for attackers to execute replay and man-in-the-middle attacks. L2TP is mainly used in corporate VPNs to provide secure access.

Apple devices can download many VPN apps from the App Store, and Apple’s operating systems include built-in tools for adding VPN profiles. IPsec, IKEv2 and L2TP are mostly hidden, and you won’t need to worry about them unless you want to change a specific setting.

TLS, SSL and X.509 certificates

When the internet first became popular in the late ’90s, it quickly became apparent that all communication on the web needed to be encrypted, to prevent data passing between browsers and servers from being intercepted or listened to. Secure Sockets Layer (SSL) was created as a result. This protocol, now called Transport Layer Security (TLS), encrypts the majority of traffic between web browsers and servers. The “s” in “https” stands for “secure”, and indicates that you’re browsing a website over a secure connection.
SSL/TLS is also used for some secure email communications. TLS, which was proposed in 1998, has been revised three times; the current version is TLS 1.3. SSL was developed in 1994 for the first versions of the Netscape Navigator browser; today’s Mozilla Firefox is a descendant of that browser. A Datagram Transport Layer Security (DTLS) variant is also available.

TLS uses X.509 certificates to exchange information with encryption and encrypted handshakes. Once the handshake is complete, the server will usually provide the client app with a certificate to ensure that the server can be trusted. The X.509 certificate allows a client application to verify the authenticity and integrity of the server, which prevents impersonation attacks. The International Telecommunication Union defines the X.509 standard in RFC 5280.

TLS has the major advantage of preventing anyone who is listening to the data exchange from being able to read the data in the clear, because it is encrypted. Modern Apple devices and the majority of software running on Apple products support TLS automatically, so you shouldn’t have to worry about it. TLS is automatically enabled as long as you are using an “https” connection when browsing the internet. Some email client apps, such as Mozilla Thunderbird, allow you to specify TLS/SSL as the connection security setting, as shown in the screenshot below.
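What “the client verifies the server’s X.509 certificate” means in practice, as an added example (not code from the article, from Apple, or from Mozilla) using Python’s standard ssl module: a properly configured client context requires a certificate, checks that it chains to a trusted CA, and checks that the name in it matches the host that was requested. The weak context is included only so the audit function has something to flag; the hostname in connect_tls() is a placeholder, and nothing here touches the network unless you call that function.

```python
"""Checking that a TLS client actually verifies the server's X.509 certificate.

Added example, not code from the article or from Apple or Mozilla. Uses only
the Python standard library; connect_tls() needs network access and is not
called here.
"""
import socket
import ssl
from typing import Optional


def make_client_context() -> ssl.SSLContext:
    """A context that does what the article says browsers do automatically:
    require a certificate, check it chains to a trusted CA, and check that
    the name in it matches the host we asked for."""
    ctx = ssl.create_default_context()            # CERT_REQUIRED + check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # refuse SSL 3.0 / TLS 1.0 / TLS 1.1
    return ctx


def make_weak_context() -> ssl.SSLContext:
    """The 'turn verification off' pattern that makes impersonation trivial.
    Shown only so audit_context() has something to flag."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False        # must be cleared before verify_mode is lowered
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def audit_context(ctx: ssl.SSLContext) -> list:
    """Return the list of things wrong with a client context (empty means fine)."""
    problems = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        problems.append("server certificate is not verified")
    if not ctx.check_hostname:
        problems.append("certificate name is not checked against the hostname")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        problems.append("protocol versions below TLS 1.2 are allowed")
    return problems


def connect_tls(host: str, port: int = 443,
                ctx: Optional[ssl.SSLContext] = None) -> dict:
    """Open a verified TLS connection and report the negotiated version and the
    subject of the certificate the server presented. Requires network access;
    a handshake against a server whose certificate fails verification raises
    ssl.SSLCertVerificationError instead of silently continuing."""
    ctx = ctx or make_client_context()
    with socket.create_connection((host, port), timeout=10) as raw:
        # server_hostname drives both SNI and the hostname check
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return {"version": tls.version(),
                    "subject": tls.getpeercert()["subject"]}


if __name__ == "__main__":
    print("default context problems:", audit_context(make_client_context()))
    print("weak context problems:   ", audit_context(make_weak_context()))
    # Example call, placeholder host: connect_tls("example.invalid")
```

The audit is the useful part for reviewing code: any client that sets verify_mode to CERT_NONE or clears check_hostname has opted out of exactly the protection the article describes, and a failed verification should surface as an error rather than a fallback.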
Mozilla Thunderbird’s TLS security setting interface.

WPA/WPA2/WPA3 Enterprise and 802.1X
When WiFi networking first appeared at the end of the last century, a new security standard, WEP (Wired Equivalent Privacy), was developed to allow wireless networks to connect devices securely. Wi-Fi Protected Access (WPA) was created as a response to WEP’s serious security flaws. Since the early 2000s this protocol has been revised three times; the current version is WPA3. Most modern WiFi devices, including Apple’s, provide WPA3 for connections.

Apple’s WiFi and Ethernet devices also support connections using another security protocol, 802.1X. This protocol is part of the 802 standard defined by the IEEE, and covers both WiFi and wired Ethernet networks. 802.1X protects against a type of network attack called Hardware Addition, where a malicious device is attached to a network in order to attack it. A Raspberry Pi, for example, could be plugged into a spare network port. 802.1X can stop such attacks by using an authentication server: it authenticates the user via WiFi or LAN. Hardware Addition attacks have become more common in today’s world of ubiquitous devices.

Apple’s Platform Deployment Guide has a page on 802.1X connections, as well as a note on Secure access to wireless networks. Apple’s modern versions no longer support WPA, so you’ll most likely want to use WPA2, WPA3 or their variants. Another tech note (102001), titled Use Login Window Mode to authenticate to a network using 802.1X, explains how to log into an 802.1X-protected network securely on Macs.

Login Window Mode (LWM) is a way for Macs to connect to a network that supports Directory Services. To use LWM you will need to connect to an Active Directory or Open Directory server. You’ll also need a Mac network configuration profile installed that enables LWM on the network to which you are trying to connect. Once configured, select Other in the list of users and enter your Directory Services username and password, then select the network interface (WiFi or Ethernet) from the popup menu.
Active Directory and Open Directory are technologies that store credentials and user information centrally for authentication. In the near future, we’ll write an article about Open Directory.

Apple has a page called Use built-in security features for Apple products that covers all the topics listed above, and from there you can find links to other related topics. Apple has made most network security seamless, so you won’t have to worry about it: these technologies are all part of web or internet standards and are used automatically by most software.

 
