renee mariefromwilson wrote:
8 July 2015
Dear Mr. Hoffman:
I have just finished reading all of your communiqués between Francis Drouillard and yourself re: One IP Address being used with multiple websites.
I'd ask that you please start your own thread for what are unrelated questions — I tend to get confused by these mixed threads, and unrelated comments and replies and suggestions end up all interspersed.
I selected this subject matter because I am in the process of purchasing OS X Server Software for a MacBook Pro;
It's not common to run OS X Server on a laptop, as servers are usually powered up and running continuously, and are generally connected to the same network and not roaming around networks. With OS X, it's more typical to have OS X Server on an iMac, Mac Mini or Mac Pro.
however, I am concerned about a few security issues because of all that I have had the misfortune of learning about the serious state of the Internet itself, via the unbelievably awful Windows environment with all of its terrible and scary vulnerability issues, with simply way too many opportunities for all of the intense cyber-crime, everyone copying everybody else's exact same, ridiculous programming languages to use as the code in order to simply be able to learn code itself.
The word "Cyber" is used to instill specific reactions in the audience, often seeking to incite uncertainty, panic, numbness, deference or submission to potentially inappropriate or draconian policy proposals or decisions, or — worst of all — sheer wallet-opening cash-flinging panic. If you were to replace "Cyber" with "Scary Cloud", you might understand the use of that word in the current vernacular.
Internet-connected servers will get probed several times a minute and sometimes much more often, based on what I've read in various server logs. All operating systems are attacked. Some are bigger targets, and the shenanigans are continuous. Breaches and configuration mistakes can arise, too. For better or worse, you either end up learning how to deal with the dreck, or you will want to acquire hosting or will want to outsource this to somebody that deals with this stuff on your behalf.
As for learning to code or not, that's your call. It's a whole lot easier to understand what's going on with at least a little familiarity with some programming and some experience with networking — this thread is centrally about three of the most fundamental parts of the Internet, DNS and HTTP/HTTPS and IP — and coding quite helps when automating tasks by creating tools to deal with specific circumstances and requirements.
I was very pleased to read what you wrote about Comcast, as one of my MAIN concerns is the fact that I, too, have a cable company providing me with my internet service.
Various common services want and need static IP — a fixed and unchanging IP address — and most ISPs can provide that as part of a business tier of service. Comcast is no different, here. With Comcast, you'd likely end up with a business account and the business-class service tier.
My question, as a novice to Server, is this: How do I protect myself, my company, and my few workers from the use of what my cable company refers to as a router/modem combination, with my one IP address which comes directly from them?
This is a deceptively complex and open-ended question, and something I could write a book or three about. (Well past this jargon-filled wall-of-text reply, too.)
...There are the remote schmucks that are probing the servers remotely looking for weaknesses, directly and also via networks of compromised systems. This is most commonly dealt with through network separation — what's called a DMZ, through keeping backups and keeping at least some backups separate from the server, through understanding what good passwords are (now), through watching the logs for unusual activities, and through keeping the server and network software current. This is a large topic area.
...There are also your own folks behind your firewall, and who can be causing as many problems for you through their own authorized (and sometimes unauthorized) remote access — receiving and opening files, downloading tools, errant backups, being targeted — I see a couple of booby-trapped resumés a week, sharing passwords across services — etc.
Security is also an evolving area. The sorts of attacks that are commonplace can and do evolve and change, and wholly new attacks can arise.
My reason for wanting to add Server software to my computer is to have firstly the VPN; in order for my IP to be hidden, wherever I go over the air.
There's little point in trying to hide your IP address — it takes a few minutes to scan the whole of the active IPv4 address space, and find all of the connected hosts. That scan is from one server with limited resources, and a moderate-sized network connection. Some of the folks on the net have vastly more computing power and bandwidth, too. I'm increasingly skeptical around trying to mask the address, too — you're inherently going to have some ports open, after all. Assume your IP address is public.
If all you want is an inbound VPN, you can get firewalls that have that capability. I tend to use ZyXEL ZYWALL USG series, which are quite powerful devices. They're capable and flexible, but they're definitely not devices that are intended for nor oriented toward inexperienced users. Some understanding of IP networking, routing, firewalls, VPNs and related topics and terminology are presumed.
I need to know how to create many different IP addresses; in order to host our own company system, as if initiating anywhere in the world, both internally, and externally to clients who need to be able to connect to a host.
I'm not sure where you're headed with this — your clients have their own IPv4 or IPv6 addresses. You have one address, or maybe a small range of addresses. Other sites have their own addresses.
IPv4 addresses are getting scarce and correspondingly more expensive. IP (particularly IPv4) addresses are not something that an end-user can create on the open Internet, either — they're provided by and coordinated with your ISP.
And, not for any improper, nor illegal reasons, but simply to keep ourselves, and our company's secrets private for both copyright, and trademarked reasons, and because of all of the cyber crime and corporate espionage.
You're going to have to figure out who might be interested in attacking you, and work out a budget and potentially dedicated staffing. Security is much like insurance. You probably want and need some insurance and some security, but having too much is just a waste of money. Or — worse — just a waste of time and effort and money, in the case of security.
How do I connect with a cable company, and even hide ourselves from them?
You don't hide from your cable company. If they — or an intelligence agency or nation-state security entity or other well-funded attacker — are after you, you're probably toast.
What you can do is secure yourself against remote probes and remote sniffing and remote shenanigans and common breaches. That means learning how IP, DNS, certificates, encryption and authentication work, as well as how to keep a network compartmented and how to detect and identify problems on your own internal network and your own clients. Keeping your servers and content management systems and the rest current. Or it means having somebody deal with IT and security on your behalf, of course.
Much like accounting has become specialized, so too have computers and networking and security.
Please, whoever can answer these questions, please let me know ASAP.
I didn't really see specific questions that I could answer — well, not questions I could answer in less than a few pages of text and research, and probably not without some questions around requirements and budgets and expectations.
Most of what's here is also generic networking and network security, as well. These are not topics specific to OS X and OS X Server.
If what you want involves "private" encrypted connections to your network or to a server on your network, that's VPNs into a firewall, and some form of authentication into the server. Details here vary widely, depending on the security requirements and the budgets and the numbers of folks accessing the server, among other details. I'd use a DMZ for the remote-access services where possible, and would get local and off-LAN or off-site backups going. This involves setting up the local network, the firewall and the VPN server, getting DNS working, documenting the VPN client(s) for the remote sites, setting up and issuing the access credentials, and various other details.
But I'm also somewhat hesitant to describe a VPN-based setup, as you might do just fine with HTTPS and web services and a private or hosted web server, or some other technology or some other configuration.
Probably the least understood part of all of these options involves the on-going costs — keeping servers and firewalls current, re-issuing credentials, monitoring the networks and the servers and the users and the backups for problems, cleaning up after any breaches that might arise, etc.
But this is not related to DNS and virtual hosting with OS X Server from this thread, so I'd again encourage either contacting somebody that specializes in this stuff for at least some discussions, or — if you really want to get into providing IT services for yourself, and I'd infer that you don't — learning more about IT and IP and VPNs and digital certificates and the rest, and that's no small investment of time and effort.