How to Build a Network

What do you do when you want to launch a new business, grow an existing one or make a giant leap into another career? You do what any good entrepreneur would do: you start building a network. This is a short guide to how you can start a new network or just grow the one you already have.

-Peer to peer Hardware
-Peer to Peer software
-Setting Up The Client
-Network Protocols
-File and Printer Sharing
-Security, Internet, etc.
-DHCP Setup
-TCP/IP
-INTERNET CONNECTION SHARING (ICS)
-What's a Firewall?
-Personal Internet Firewalls that really work!
-Windows Networking 101:
-What can you do to protect yourself?

Peer to peer Hardware

Introduction

I had four computers for my business and family and I had long been considering creating a Local Area Network (LAN). The Micro Warehouse catalog was a fixture in my library, next to the throne by my office, and I spent hours poring over the endless choice of hubs, network interface cards (NICs), cables, and print servers. With a simple peer to peer Ethernet LAN set up I could use Roadrunner on more than one machine. By putting it all together at once I would end up with a LAN that was compatible with the cable modem.

Two other events conspired to encourage my decision: a pal confided he had survived connecting his computers, and one of the Community Leaders on the AOL Windows Forum put together an online class on creating a LAN that he asked me to proofread. So I had motive, written instructions, and a pal to lend encouragement.

Being a software guy, I had been intimidated by the hardware end, thinking it would be the hardest part of setting up a network. As it turned out, the hardware is the easy part. You buy a hub, one NIC for each computer, and some cables. Plug one end of the cable into the hub (a little box with receptacles for plugs that look like oversized telephone plugs), and the other into the NIC. Presto! You have a LAN.

Jargon

First, a few terms: "Peer to Peer" means there isn't any particular server, so you are just connecting a bunch of computers. This is what I set up. On this kind of network a "Workstation" is just any computer on the LAN. A "Server" is hardware or software that provides something, "Client" is hardware or software that uses something from the server (like the computer using a printer attached to the print server, or a workstation accessing programs or files from a file server).

Cabling

The most difficult part of setting up the hardware was running a hundred foot cable through a hole in my office floor, through the crawl space in the basement, out a hole in the opposite side of the house, up the outside wall and back into the upstairs hallway where our family computer sits in a part of the house that has no other route to run cables. I was winded, bleeding, and nearly fell into a bush, but who cares? My LAN was connected!

Choosing Hardware

Choosing the hardware was intimidating for a novice, but it came down to this: did I want a fast LAN (10 base) or a very fast LAN (100 base)? I chose 10 base because 1) the equipment is cheaper, 2) Roadrunner requires a 10 base NIC, and 3) with only four computers and not many people being cheap made sense. Most of the NICs I bought are dual speed - they can tell whether I have a 10 base hub or a 100 base hub, so if I upgrade later all I have to replace is the hub. You have to use CAT5 cable to hook it all up. My cats liked that, even though I don't have five of them.

There are numerous brands of hardware. I considered three - 3Com (Roadrunner strongly recommended it), Netgear, and LinkSys. I went with Netgear because it seemed to have a good reputation, was very reasonably priced, and offered a huge selection of configurations. I bought one 3Com NIC (for the modem) at twice the price of the Netgear NICs. I bought a 6 port 10 base-T hub (the slower speed with six receptacles - I figured one for each computer, one for the cable modem, and one for expansion). One of the ports could either be a regular port or an "uplink" port, which is used to connect to another hub when you want to expand (or in my case the cable modem). The hub has an LED above each port so you can tell which computers are turned on if you can remember which are plugged into which ports. The NICs also have an LED showing the NIC is connected and working.

I later decided to connect the modem to one of my computers using a second NIC (one for the modem, one for the LAN). Originally I had planned to connect the modem to the hub, which you can do with Roadrunner. However, I was not satisfied with RR's system of grabbing the modem's IP address for the computer you want to use. It never seemed the right computer was getting it and I was constantly rebooting the whole LAN, or using the WINIPCFG program (part of Windows) to release the IP address on each workstation. Plugging it into one computer eliminated this issue.

In plain English, the above paragraph means I got a second NIC, plugged it into my computer, booted it up and let Windows recognize the new hardware. I then installed the drivers for the new NIC, plugged the modem into it, and set up TCP/IP the way Roadrunner told me to. This way that computer always worked with the cable modem.

Print Server

The last issue was a print server. I didn't get one at first. All the computers on the network can share printers plugged into any of them as long as the one with the printer you want to use has it set up for "sharing" and is turned on.

After a few months I decided to add a print server, which is a little box with one or more parallel ports and one ethernet port that lets any computer on the network use a printer without needing another computer to be turned on. The main reason I did it was that the cheapo color printer plugged into my laptop kept spitting out a sheet of paper when I forgot to turn it off before turning off the laptop. In addition the laptop was never on when I wanted a cheapo color printout.

I love my little print server - it handles two printers and has nifty flashing LEDs on the front panel. It works great, and my parallel ports are free for tape backups or a scanner.

Conclusion

So to review: I ended up with:

Aside from my experience on the ladder, setting up the hardware was as easy as plugging in a telephone. Now I was ready for the real adventure: networking software configuration!


Peer to Peer software

Introduction

It was interesting how many times the word "voodoo" came up during my Local Area Networking adventure. Apparently nobody really knows how networks really work, or why. Setting up the software illustrated this to me, but as I was forced to deal with it I learned enough to handle it in terms even I could understand.

Windows actually comes with the networking software you need for a simple peer to peer network and it actually works once you get the hang of it. The adventure is getting the hang of it! The steps are:

  1. Set up your network drivers including the Client for Microsoft Networking, at least one network protocol, and File and Printer Sharing.
  2. Set up your shares so you can use drives and/or printers from other computers on the LAN.

Setting Up The Client

The first thing you have to do is make sure "Network Neighborhood" is properly installed. Windows installs it by default, but on my upstairs computer it had disappeared over the years and I couldn't figure out how to get it back until a friend suggested uninstalling and then reinstalling networking on that workstation. Duh! Worked like a charm!

On the Identification tab in Network setup, it is important to have a unique "Computer Name" for each computer, but an identical "Work Group" name on all of them. I chose two-letter computer names (like "dv" for my development machine, "nb" for the notebook, and so on) so that it wouldn't require much typing if I wanted to access a file on another workstation in a DOS window.

The Client for Microsoft Networking is included with Windows. Right click "Network Neighborhood" (or pick "Network" in Control Panel), and you can install everything you need from your Windows 95, 98 or whatever CD. If it is not already installed, click "Add" and pick "Client" and then "Microsoft," and then "Client for Microsoft Networks."

If "File and Printer Sharing for Microsoft Networks" is not already installed, click "Add" and then "Service" and then "File and Printer Sharing for Microsoft Networks."

Now pick "Properties" for "File and Printer Sharing for Microsoft Networks." On one machine only, set "Browse Master" to "Enabled." Set it to "Automatic" on all the others.

Network Protocols

NetBEUI, IPX/SPX, and TCP/IP are the protocols a network may use to connect. The most automatic is supposed to be NetBEUI, and this seems to work well for many people. However, I had a problem with the network recognizing one of my machines, so I opted for a TCP/IP setup. Since my cable modem also required TCP/IP (next month I'll talk about how I set the modem up for the other workstations) it seemed like a good choice. That you can explicitly assign an IP address to each machine makes it reliable.

So, on the "Configuration" tab, if TCP/IP isn't already installed click "Add" and then "Protocol" and then "Microsoft" and finally "TCP/IP."

With TCP/IP you must set up each computer with a static IP address. This is a number that uniquely identifies each machine. In Network settings, find the TCP/IP entry for your NIC (there may be more than one, but this one will be labeled with the brand of NIC you installed).

In the "IP Address" tab choose "Specify an IP Address" and type in the address and subnet mask. Each computer on the LAN must have a unique IP address. There are ranges of addresses you can use - I used the most commonly recommended (Class C):

192.168.0.1 dv: My development desktop
192.168.0.2 nb: My notebook computer
192.168.0.3 gw: The old 486 in the basement
192.168.0.4 fm: My family's computer upstairs
192.168.0.5 ps: The print server

I set the Subnet Mask to 255.255.255.0 on all of them. That's all you have to do on a simple peer-to-peer setup. In a fancier setup you could use different subnet masks to separate groups of computers into their own sub-networks.

On the WINS Configuration Tab check "Disable WINS Resolution."

Leave the "Gateway" tab blank.

On the DNS Configuration tab check "Disable DNS."

On the "Bindings" tab, make sure all the choices are checked, including "File and Printer Sharing for Microsoft Networks."

Forget about the other two tabs.

Now you "Ok" your way out and Windows prompts you to insert your Windows CD so it can copy the network drivers you just chose. Reboot for it all to take effect. Now, theoretically, each machine will be able to "see" all the others: open "Network Neighborhood" and you should see them. Here's what I see when I do it:

(Screenshot: Network Neighborhood)

File and Printer Sharing

There is one more step to making your network useful: set up your shares. These are resources on one computer that you are giving permission to the other computers to use. You can do it with disk drives (including CD-ROM drives, ZIP drives, and so on) and printers. In Explorer find the drive (or folder for that matter) or printer you want to share and right click it. Pick "Shared" from the popup menu and then click "Shared As" and fill in the fields. You do not have to fill in the "Password" field. If you do users on the other computers will have to enter it before they can use that drive or printer.

Now the fun begins. I use the old 486 (named "gw") in the basement to store files. All my downloads go to its drive I:, and I do quick backups to drive G:. In addition, the working copy of my web site is on G:\Danv. On GW I opened "My Computer" and double clicked drive G: and then right clicked the "\danv" folder. I picked "Sharing" and typed "DANV WEB" in "Share Name."

Shares

Now on all the other machines "DANV WEB" appears as a drive on the GW computer. On the DV computer I right click it, pick "Map Network Drive" and it is assigned a new drive letter on the development machine. As far as my computer is concerned, I have all my web site stuff on drive J:. Any program can access the files on that drive, even my tape backup that is hooked to the DV computer.

I do the same thing for drive I: on GW, which is assigned K: on DV, and all of G: as L (I do quick backups there at the end of the day on days when I don't make a tape backup). As far as DV is concerned it now has three more local drives than it really has. It behaves as if they are local drives. Additionally I can access any shared drive in Network Neighborhood.

Here are a few web resources to help set up a peer to peer network under Windows:

A Complete Guide to Networking Windows

J.Helmig's FAQ Windows95 Networking

Dave Central - Proxy Servers

Using Windows 98


Security, Internet, etc.

Introduction

Now that my peer to peer Windows network was set up I wanted to play with it. A few days after I got it all working the cable modem installers showed up and the first great toy arrived. I had figured out that my data phone line cost $20 per month and my ISP cost about $20 per month. The cable company wanted $40 per month for a cable modem. My ISP was unreliable and the phone connection out here in the woods was poor. I didn't need a calculator to do this math - as soon as I learned RoadRunner was available I called them, and dropped that phone line and ISP like a hot potato!

Cable Modem

You will think I am exaggerating when I say the cable modem changed my life, but this is a case where it is an understatement. The speed of the connection is amazing, especially after those 24K connections on my 56K modem. You can stay connected 24 hours a day, seven days a week. Since I work for AOL as well as my own company I am online a lot and the cable modem made me hugely more productive. No more endless Freecell sessions as I wait for AOL screens or email downloads.

But how to connect it? Three of my computers, the two in the office and the family's computer upstairs use the Internet. I had the installer plug the modem into my network hub. The theory is that the cable company dynamically assigns an IP address that one computer can use, so one computer at a time can snag that address. (You can buy more at $15 per month so others can use the modem at the same time. No thanks!)

So if I am using the modem on my notebook, I can release the IP address and then snag it on my desktop. Nice theory, but in practice it was very clumsy, often requiring me to run around the house rebooting the whole network and/or manipulating the address using the WinIPConfig program (Start > Run > WINIPCFG) to release the address and ensure only the machine I wanted would grab it. While I did get a lot of exercise running up and down stairs, this did not prove to be a good system. I didn't want to pay an extra $30 per month, especially since it would use this method times three.

Sharing the Internet Connection

A friend told me about proxy server programs that allow more than one computer on a network to share one TCP/IP connection. Using one would mean the cable modem could connect to one computer all the time, solving my problem. It would also let the other two computers be on line simultaneously. Pretty great idea!

I tried three or four of these and settled on WinGate. I used it (the Home version) for several months, but there were two problems: it conflicted with AOL's internal version of the IE browser so I could not access any of the proprietary web-based content on AOL (annoying at best, but serious for my work). Secondly, while the client workstations were protected by WinGate's firewall, the server was not. After several months of trying to resolve these problems I discovered SyGate, a NAT (Network Address Translation) based program that solved both of these issues. WinGate and SyGate are very easy to set up, and very smooth running. There is virtually no setup for either, so you don't have to worry about setting the address of the server on the clients, redirecting via a gateway or other time-consuming network-administering things that the average person with a home LAN can do very well without. You just turn on your computers and as long as you have an Internet connection active on the "server" any of the workstations can use it.
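To make concrete what a NAT-based sharing program does for the workstations behind it, here is a toy translator written for this page. It is an added example, not SyGate's or WinGate's code: the public address 203.0.113.7, the remote web server 198.51.100.10 and the probing host 192.0.2.99 are constructed, and the port numbering scheme is a simplification of real NAT. The LAN addresses are the ones used elsewhere on this page.

```python
# Toy model of Network Address Translation for a home LAN.  Added example,
# not SyGate's or WinGate's code; all non-LAN addresses are constructed.
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

PUBLIC_IP = "203.0.113.7"   # constructed: the one address the cable company hands out


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    payload: str = ""


@dataclass
class Nat:
    public_ip: str
    next_port: int = 40000
    # (private ip, private port) -> public port handed to the Internet side
    outbound: Dict[Tuple[str, int], int] = field(default_factory=dict)
    # public port -> (private ip, private port) that owns it
    inbound: Dict[int, Tuple[str, int]] = field(default_factory=dict)
    dropped: int = 0

    def to_internet(self, pkt: Packet) -> Packet:
        """Rewrite a LAN packet so the Internet only ever sees the public address."""
        key = (pkt.src_ip, pkt.src_port)
        if key not in self.outbound:
            port = self.next_port          # allocate a fresh public port for this flow
            self.next_port += 1
            self.outbound[key] = port
            self.inbound[port] = key
        return Packet(self.public_ip, self.outbound[key], pkt.dst_ip, pkt.dst_port, pkt.payload)

    def from_internet(self, pkt: Packet) -> Optional[Packet]:
        """Hand a reply back to the workstation that asked for it; drop anything unsolicited."""
        owner = self.inbound.get(pkt.dst_port)
        if owner is None:
            self.dropped += 1              # nobody asked for this, so no LAN host receives it
            return None
        priv_ip, priv_port = owner
        return Packet(pkt.src_ip, pkt.src_port, priv_ip, priv_port, pkt.payload)


def demo():
    """Two workstations browse at once; an unsolicited probe from outside goes nowhere."""
    nat = Nat(PUBLIC_IP)
    # both machines happen to pick the same local source port; NAT must keep them apart
    out1 = nat.to_internet(Packet("192.168.0.1", 1025, "198.51.100.10", 80, "GET /"))
    out2 = nat.to_internet(Packet("192.168.0.4", 1025, "198.51.100.10", 80, "GET /"))
    # replies are addressed to the public IP and the translated port
    back1 = nat.from_internet(Packet("198.51.100.10", 80, PUBLIC_IP, out1.src_port, "200 OK"))
    back2 = nat.from_internet(Packet("198.51.100.10", 80, PUBLIC_IP, out2.src_port, "200 OK"))
    # a probe at the NetBIOS port has no mapping in the table, so it is dropped
    probe = nat.from_internet(Packet("192.0.2.99", 6000, PUBLIC_IP, 139, "probe"))
    return out1, out2, back1, back2, probe, nat.dropped


if __name__ == "__main__":
    for item in demo():
        print(item)
```

The point the article makes about WinGate versus SyGate falls out of the table: a workstation is reachable from outside only through a mapping it created itself, so its shares are never exposed, whereas services the translating machine itself listens on at its public address still need their own protection.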

This means my wife can use the cable modem to check her email, or to (shudder!) shop on line while I am busy updating my web site so my customers can (huzzah!) shop online. The combination of SyGate and a cable modem is awesome. No log-in, no waiting.

The most exciting thing about my LAN is file and printer sharing - all of a sudden I don't need to have that stack of floppies handy for copying multi-disk ZIP files, and I can use my LaserJet II and my color InkJet from every computer on the LAN. I never imagined how handy this would be or how dependent on it I would become. And the speed - very reasonable even with my 10base LAN. But with all this convenience comes one big worry: security.

Security

The problem is that when you are connected to the Internet, the Internet is connected to you. Each workstation on the Internet has an address (just as each computer on your LAN has one), and if someone knows your address they can send you a package. Unfortunately there are a lot of wannabe Ted Bundys on the Internet.

The first line of defense is your "shares," the hard drives and printers you have set up to be shared on your network. When I first settled on WinGate I knew that the shares on my "server" machine would not be protected, so I password protected them. WinGate's firewall protected the workstations. I have a talent for making up absurd passwords that nobody would guess, but I still didn't feel secure. I feel a bit better with SyGate's firewall protecting all the machines on the LAN.

A quick word about firewalls, a device or program that protects your network from outside access: hardware firewalls are probably the best solution. Of course they are also expensive. There are some very reasonably priced software solutions that are adequate for most people. Just consider what your system setup and data are worth to you and factor that into your decision.

I learned about a free utility called NukeNabber, which monitors your ports. When someone tries to gain access through one of your ports, NN quickly gathers information about the "nuker" and then closes the port for a short period, so that your system appears to be closed. The information gathered includes a traceroute, which gives you enough information to report the "nuker" to the webmaster of the ISP the nuke came from. I was shocked when my first nuke came in, and I did report some - especially if they tried more than once to get into my system. With SyGate's firewall on the server I no longer use NukeNabber, but it was a great learning tool, and interesting to see where the nukes were coming from.
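The habit described above, keeping a record of who knocked on which port and reporting the ones who came back, is easy to automate. The script below is an added example, not part of NukeNabber or this page: the log lines are constructed in a made-up "timestamp port N from IP" format, the source addresses are documentation ranges, and the threshold of two attempts simply mirrors the author's rule of thumb.

```python
# Summarise connection attempts from a port-monitor log.  Added example with a
# constructed log format; not NukeNabber's real output.
import re
from collections import Counter, defaultdict
from typing import Dict, List, NamedTuple

# Constructed sample log: one attempt per line, plus a line of junk to show the
# parser skipping what it does not understand.
SAMPLE_LOG = """\
1999-11-02 21:14:05 port 139 from 192.0.2.15
1999-11-02 21:14:07 port 1080 from 192.0.2.15
1999-11-02 21:20:41 port 139 from 198.51.100.77
1999-11-02 21:31:12 port 23 from 192.0.2.15
1999-11-02 22:02:58 port 1080 from 203.0.113.200
this line is garbage and must be skipped
1999-11-02 22:05:00 port 139 from 198.51.100.77
"""

LINE_RE = re.compile(r"^(\S+ \S+) port (\d+) from (\d{1,3}(?:\.\d{1,3}){3})$")


class Probe(NamedTuple):
    when: str
    port: int
    source: str


def parse_log(text: str) -> List[Probe]:
    """Turn log text into Probe records, ignoring lines that do not match."""
    probes = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            probes.append(Probe(m.group(1), int(m.group(2)), m.group(3)))
    return probes


def repeat_offenders(probes: List[Probe], threshold: int = 2) -> Dict[str, List[int]]:
    """Sources that tried at least `threshold` times, with the ports they touched."""
    by_source: Dict[str, List[int]] = defaultdict(list)
    for p in probes:
        by_source[p.source].append(p.port)
    return {src: ports for src, ports in by_source.items() if len(ports) >= threshold}


def ports_hit(probes: List[Probe]) -> Counter:
    """How often each port was targeted; a quick view of what the LAN is exposing."""
    return Counter(p.port for p in probes)


def report(text: str) -> dict:
    probes = parse_log(text)
    return {
        "parsed": len(probes),
        "repeat": repeat_offenders(probes),
        "ports": ports_hit(probes),
    }


if __name__ == "__main__":
    r = report(SAMPLE_LOG)
    print(f"{r['parsed']} attempts parsed")
    for src, ports in r["repeat"].items():
        print(f"report {src}: tried ports {ports}")
    print("ports targeted:", dict(r["ports"]))
```

Port 139 showing up most often is the case a home LAN should care about: that is the NetBIOS port the file and printer shares from the earlier section listen on, which is exactly why the author password-protected the shares on the machine facing the Internet.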

The same author makes a scanner called "The Cleaner" that looks specifically for trojan horses and so on that target LANs. I use this shareware utility in addition to virus scanners to make sure I haven't unwittingly made myself vulnerable to attack. If programs with such unfortunate names as "Back Orifice" and "NetBus" are on your system then anyone can run your system from the Internet. They are similar to the client side of PCAnywhere - they allow a remote user to take control, and to do a huge amount of damage. But without such a client on your computer they can huff and puff, but they can't blow your system away. So it is very important to scan periodically to make sure you haven't inadvertently downloaded one of these beasties.

Ultimately the best security is to turn off your computer, or at least turn off your Internet connections. But with reasonable caution you can protect yourself and have the fun of being connected. And I must say, it is fun.

Here are a few web resources to help set up a peer to peer network under Windows:

 

Connect a Mac to a Windows peer to peer network

Introduction

This article is meant to show a couple of different ways to connect a Mac (newer ones with built in Ethernet) to a Win 95/98 PC peer to peer network. After spending a couple of days figuring out which settings worked with what connections and who could see whom on the LAN, I thought about all the information that had helped and how confusing it all was. Most of the information was round about and didn't answer many questions completely, so I was left to "cut and paste" different sources together to get the "whole" answer. Some good sources for more information are MacWindows and Three Mac's and a Printer.

There are a few things that you need to do before you start that will make your job easier. First, get a notepad and pencil to write down every setting change you make. This makes life a lot easier than having to rely on memory when you're bouncing between a number of computers. Second, plan to set aside a whole day ahead of time to do all the work and get it done correctly. Tell the family that you're busy and can't be bothered. Even better, give them $50 and tell them to go out for the day. Third, get all the needed hardware and software together.

Microsoft/PC Network Side

Okay, if you've done the last three steps we're ready to go. I'm assuming that you already know how to set up a PC LAN and can get around the Network properties in the Control Panel. There are a few things though that I need to cover. There are two types of setups that I recommend. The first uses DHCP to set your IP addresses, while the second uses static addresses.

DHCP Setup

To make your client systems use your "server" Internet connection you need a proxy server software package. I don't like Microsoft's networking tools; instead I use SyGate server. It is a very simple program to install and reasonably priced, available on the web at www.sybergen.com. The reason for using SyGate is, first, it's easier than Microsoft and, second, you can share a cable modem or ISP connection between machines with the modem being in the server. Most cable/ISP operators want to charge you $10 - $15 a month for an extra IP address to access their systems. With SyGate's server system you can bypass this and only pay the SyGate registration fee once. I like the seamless way SyGate handles this problem, along with its small footprint in memory.

On your "server" open your Network Properties from Control Panel and choose the TCP/IP Ethernet card and select properties:

The tabs should read as follows:

  1. DNS Configuration = Disabled
  2. Gateway = Blank
  3. WINS Configuration = Disabled
  4. IP Address = Specify an IP Address
    1. IP Address = 192.168.0.1
    2. Subnet Mask = 255.255.255.0

This should cover the server, let's move on to the PC client. There are two differences in the setup of the client from the server.

  1. IP Address = Obtain an IP address Automatically
  2. Gateway = 192.168.0.1

Static Setup

On your "server" open your Network Properties from Control Panel and choose the TCP/IP Ethernet card and select properties:

The tabs should read as follows:

  1. DNS Configuration = Disabled
  2. Gateway = Blank
  3. WINS Configuration = Disabled
  4. IP Address = Specify an IP Address
      1. IP Address = 192.168.0.1
      2. Subnet Mask = 255.255.255.0

This should cover the server, let's move on to the PC client. These are the settings for the client.

The tabs should read as follows:

  1. DNS Configuration = Disabled
  2. Gateway = 192.168.0.1
  3. WINS Configuration = Disabled
  4. IP Address = Specify an IP Address
      1. IP Address = 192.168.0.x where x = an open IP number on your LAN.
      2. Subnet Mask = 255.255.255.0

That's it for the Microsoft networking properties. Set this for every Client in your system then reboot the system and let it connect your systems together. I'm not going to get into mapping drives, sharing folders, printers, fonts or files here since I'm assuming that you already knew how to do that. Go back and check your LAN to see if it's running okay at this point.

Mac Network Setup

First, let me tell you that I've not had a lot of experience with an Apple computer. I worked for a time in the network department of a larger manufacturing company, which had older Macs connected to the PC network. They were old Macs without good networking software included. The Ethernet included in the newer Macs leaves all other systems in the dust. If you read any error messages you get during this process you will find that you can figure out where the problem lies.

With the Mac you will need a program to let the Mac talk to the PC. One of the most popular is DAVE by Thursby Software at their web site http://www.thursby.com/. Installation is quite easy and if you follow the instructions you will have it running in no time. I will give you a quick trip through it though. The first thing you need is the workgroup name that you want DAVE to connect to. On my PC network it's just the simple name "Workgroup" that Windows offered when I set up the PC network. If you haven't already, you should connect your Mac's internal modem, dial your ISP and download DAVE from the Thursby web site.

Sense the LAN

The first problem to solve is making the LAN sense the Mac. You don't need to share anything right at this moment; but you need to have the Ethernet sense the LAN or you will lock the system and have to unplug the Mac to reboot. If the system seems to lock up, please give it some time to connect. If after one minute you haven't gotten control back then you need to reboot.

DHCP Setup

From the Apple Menu select Control Panels > TCP/IP to set your Ethernet properties. They should be set as follows:

  1. Connect via: Ethernet built-in
  2. Configure: Using DHCP Server
  3. DHCP Client ID: 192.168.0.x where x = an open IP number on your LAN.

The rest will set itself when you restart. The IP address should be the first available number that you can set. My PC LAN with DHCP for example set the second system on the LAN to 192.168.0.3 and left 2 open. I took 2 as the Mac Client ID since it was the first open address.

Static Setup

From the Apple Menu select Control Panels > TCP/IP to set your Ethernet properties. They should be set as follows:

  1. Connect via: Ethernet built-in
  2. Configure: Manual
  3. IP Address: 192.168.0.x where x = an open IP number on your LAN.
  4. Subnet Mask: 255.255.255.0
  5. Router Address: 192.168.0.1
  6. Name Server Addr: 192.168.0.1

After a restart you should be able to see the Mac on the PC Network. You won't be able to do anything with the Mac, but you should be able to see it.

DAVE Setup

After installing DAVE open the Apple Menu > Control Panels > NETBIOS. This will give you the menu to setup the workgroup name. Here's what you need:

  1. Name: Bob's CAD <any name you want to call the Mac>
  2. Workgroup: CAD Dept <the Workgroup name of the LAN you wish to connect to>
  3. Description: <can be left blank>
  4. Transport Protocol: TCP/IP
  5. DHCP <must be checked for DHCP setup ONLY>

Click the little computer icon next to the Info button to enter your name and registration information. From here click the exit button to save the information.

Sharing

OK, let's set up the sharing between the computers. Start by opening the Mac HD and selecting Get Info > Sharing from the File Menu. Set the sharing and privileges for the users you want to have access to the Mac.

The next step is to set which items on the PCs you want to share with the Mac. You need to open the Apple Menu > Chooser to do this. Select the DAVE Client from this menu and you should see the other computers on the LAN, the Entire Network and Mount Manually. Double click a computer and check each drive that you want mounted at startup. If you want to mount them right away on the desktop, just double click each drive and they will momentarily show up.

IE/Mail Settings

To get your other PCs and the Mac to recognize the mail server you will need to enter the IP address of your ISP mail account where it asks for the SMTP and POP server names. You need to do this in either setup because the server in the LAN is the router for the Mac and its setting of 192.168.0.1 is used as your DNS, which doesn't have a POP name on it. This isn't a problem since you can reach your mail server by IP address. This was the only hitch that I found.

Congratulations, you have finished! If you've been taking notes and writing down settings you should have about two pages of IP address, NETBIOS and TCP/IP settings. It's up to you now to get the software that lets you actually share files between the two systems. As you should know PCs cannot read Mac files, but Macs can read PC files of certain types with PC Exchange or MacPlus. These are both in the Mac Control Panels depending on which version of the Mac OS you are using.


TCP/IP

TCP/IP Adapter Binding Example

In this example the binding to TCP/IP is shown as "TCP/IP -> AMD PCNET Family Ethernet Adapters (PCI&ISA)".

If you need to use TCP/IP on your LAN look below for a how-to.

Using Static IP Addresses in Win9x

 

Each computer on a network using TCP/IP, whether it's a local area network or the Internet, must have a unique IP (Internet Protocol) number.  DHCP is "Dynamic Host Configuration Protocol," which is a techno-speak way of saying it's a way to automatically assign IP addresses to computers on a local area network.  This is the default setup of Windows 95 TCP/IP.  Unfortunately DHCP services are only available from Windows NT Server and Netware servers.  Therefore on a Windows 95-only network you must manually assign IP numbers.

There are sets of IP addresses that have been reserved for private use that will never appear on the Internet.  These are what to use.  There are two numbers that must be assigned - the IP address and a subnet mask.  The range of IP addresses to use are 192.168.0.1 through 192.168.0.255 with a subnet mask of 255.255.255.0.  If you know what I mean by that then you're done, otherwise read on.

Open Control Panel and open the Network icon.  Highlight TCP/IP (or if you have multiple listings highlight the one that shows -> pointed at your network card) and click Properties.  Click on the IP Address tab.  Click next to "Specify an IP Address."  In the IP address block put 192.168.0.x where "x" is a number from 1 to 255.  In the Subnet mask box put 255.255.255.0.  Remember, each PC must have a unique IP number assigned, so you're going to have to keep track of which ones you assign or things will get ugly.  I use a quick & dirty spreadsheet in Excel that has the numbers down one column and which computer I assigned it to down the other.  The subnet mask must be the same on all of the computers (assuming this is a small network - if you need subnets go hire somebody!).

Example - three computers using TCP/IP

              Computer 1       Computer 2       Computer 3
IP address    192.168.0.1      192.168.0.2      192.168.0.3
Subnet mask   255.255.255.0    255.255.255.0    255.255.255.0

You just increment the last number of the IP address on each subsequent PC.

The only other thing to do is to click on the WINS Configuration tab and click on the "Disable WINS resolution" button.

Click OK and then close the Network dialog (Close, not cancel!  You'd lose everything you just did!).  When prompted allow Windows to restart and things should work nicely.

 

INTERNET CONNECTION SHARING  (ICS)

Introduction

Windows 98SE includes an Internet feature called Internet Connection Sharing (ICS). With Internet Connection Sharing, several people can connect to the Internet from different computers at the same time and tie up only one phone line. The Windows installation includes a Wizard that steps you through the process of setting up ICS. Each step is self-explanatory and needs very little help to understand, so I will give only brief details about each step.

The following setup is run on the "server" system that has the Internet connection that you want to share. You will need your Windows installation CD to start the wizard. Once you have inserted the CD, open Start > Settings > Control Panel > Add/Remove Programs > Windows Setup > Internet. Check the Internet Connection Sharing box and then click Apply. This will start the installation Wizard that will guide you the rest of the way.

The Server

1. The first step is to choose your Internet connection on the "server" system. This can be a modem, NIC, DSL or T1 connection. The Wizard will scan your system for all possible Internet connections, so you just need to choose the correct one.

The Clients

2. The second step lets you create a floppy disk to do the Client installation setup for you. Follow the installation instructions in the Wizard. I've found it easier to skip this step and set up the Client system manually. To set up the Client, open Network Properties from the Control Panel. Since you already have a LAN set up, you will need the name of the Client computer and the IP address of the Server. The settings described below are the most important for ICS.

The Host name is the name of the Client computer. The DNS Server Search Order is the IP address of the system with the Internet connection in it.

The Gateway is the IP address of the system with the Internet connection. With these manual entries you should be able to skip the Client floppy creation step.

Finishing Up

3. The last thing to do is let the Wizard finish its setup and reboot the computer for you. When the system starts up you will see the new ICS icon in the Systray of the "server" system. Go to the Client, open your Internet applications, set them up to run on the LAN, and you should get on the Internet right away. Each application is different and would take too much time to explain here. Briefly, configure your Internet applications such as Internet Explorer, AOL, Navigator or Outlook Express to use your home network instead of connecting directly to the Internet through the Client. For more information, see the documentation that came with these applications.

Tutorial explanations and information included in this article are copyright © Ray Ebersole 2000.

Windows Networking 101:
The networking technology built into Windows was designed to operate on small local area networks (LANs) where some amount of inter-system trust could be assumed. When the Internet "happened" this local area networking technology was quickly made to "go global" — though it was inappropriate for the job.

You have probably encountered the term "LAN", which stands for Local Area Network. The operative term here is LOCAL because the networking technology incorporated into Windows — called "NetBIOS" and "NetBEUI" and first designed more than fourteen years ago by IBM — received its first broad exposure in Microsoft's "MS-Net" product and then more widely in "Windows for Workgroups." NetBIOS and NetBEUI were designed to run on small LOCAL area networks. It was created way back before the Internet "happened" and it was meant to be used within corporations, small "workgroups", and homes where everyone with access to the computers on the LAN is playing on the same team.

As Microsoft's own Windows for Workgroups Resource Kit says:

"The primary protocol used by Windows for Workgroups is called NetBEUI
(NetBIOS Extended User Interface). This protocol was first introduced by
IBM in 1985. NetBEUI is a small and efficient protocol designed for use
on a departmental LAN of 20 to 200 workstations."  (page 1-32)

Well, I couldn't have said that better myself. Windows networking technology is based upon NetBIOS and NetBEUI, which were NEVER designed to "go global". It wasn't ever meant to cope with foreign agents, competitors, pissed off ex-employees, previously significant others, or malicious teenage computer vandals with too much time on their hands. But when you hook your Windows-based computer to the Internet, this is precisely who has access to your machine! (For some background on NetBIOS/NetBEUI and why they aren't designed for the Internet click the "TechZone" link below.)

TechZone — Why shouldn't NetBIOS go global?

Truth & Consequences . . .

The Internet is incredibly powerful because it allows YOU to connect to "Internet Resources" located anywhere in the world. When you "browse the web" your web browser is connecting to web servers running on other people's machines and reading HTML files that have been prepared for you. But what you haven't been told is that this "Internet connectivity" is entirely reciprocal! As easily and effortlessly as you're able to connect to any other server on the Internet, anyone else's computer can connect to yours! It's true. I created this web site to demonstrate exactly this fact, to explain it, and to help you deal with the consequences.

The problem is that file and printer sharing services function by turning any PC wanting to share its files into a file and printer server. When this trusting and sharing computer is connected to a network, this "service" is naturally extended and made available to all the other computers which are also connected to the network. But when that network is THE INTERNET, suddenly your computer is literally offering its files to every other computer in the world!

How Did This Happen?. . .

The first cause: Most home computer users never bother to password protect their own computer resources. It's annoying to have to "logon" to your own computer every time you want to use it or to provide a password when connecting to a shared directory. So the vast majority of PC users have left their passwords blank to make using their computers easier and quicker. But this means that anyone else on the same network — and that means THE ENTIRE INTERNET if your computer is connected to it! — can share your computer's resources by using the same BLANK password!

Windows NetBIOS networking technology does not require any sort of authorization to ask for and receive any computer's private "networking" names, including the name of the current logged-on user, the computer's own name and its workgroup. Such information is considered highly valuable to anyone preparing a break-in and is often used as a starting point by computer vandals planning an attack.

Secondly, it's much easier for most users if everything is turned on and "just works" on a PC. So most options are automatically set ON until you turn them OFF — even if you don't need them.

You may be amazed to learn . . .

. . . that the whole of Microsoft's "Network Neighborhood" (and the "Client for Microsoft Networks" which lies behind the icon), are completely unneeded for any use of the Internet! They are installed automatically and needlessly. They slow down your computer's startup and its operation once started. They consume precious RAM memory and critically reduce your computer's security whenever it's connected to the Internet!

As you will see on the "Network Bondage" page here, it's easy to discipline the Client for Microsoft Networks to greatly enhance the security of your computer's connection to the Internet.

While Microsoft's networking client is installed, one default setting would have protected many millions of computers if it were normally set to OFF instead of ON: TCP/IP File and Printer Sharing. We already know how useful it is to share files and printers among the machines on our LOCAL networks. But "binding" the NetBIOS protocol to the TCP/IP protocol with this setting automatically extends your computer's file sharing services out across the entire Internet. (The "Network Bondage" page also provides a clear explanation of changing this setting if you need or wish to retain the Client for Microsoft Networks but want to prevent Internet intruders from gaining access to your computer.)

Note that recent versions of Windows present a warning message that appears during the installation of the Windows TCP/IP protocol. The message warns users about the dangers of sharing the computer's files over the Internet. But most computers arrive pre-configured, or they're upgraded from previous versions, so this message is rarely seen. (And, frankly, even when the message does appear, most people don't fully appreciate the danger that it implies.)

So the happy and casual home computing user, who has never had much to worry about, and who never bothered with password protecting his own personal computer's logon or shared resources, simply connects his machines up to the Internet . . .

" Wow, look how fast I can browse!!! This is great!!! "

Yes . . . But now anyone who happens to be passing by on the Information Superhighway can take a pit stop at your machine to wreak any havoc they choose!
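The exposure this section describes, file and printer sharing answering to the whole Internet, shows up in a border firewall's log as accepted connections from non-LAN addresses to the NetBIOS ports. The following Python is an added example, not part of the original article, that runs that check over a few constructed log lines in a hypothetical key=value firewall format; the function names and log format are mine. Ports 137-139 are NetBIOS over TCP/IP (name, datagram and session services); 445, direct-hosted SMB on later Windows versions, is included from general knowledge rather than from the article.

```python
import ipaddress
import re

# Ports carrying Windows networking. 137-139 are NetBIOS over TCP/IP; 445 is
# the later direct-hosted SMB port, listed from general knowledge, not from
# the article above.
SHARING_PORTS = {
    137: "NetBIOS name service",
    138: "NetBIOS datagram service",
    139: "NetBIOS session / file and printer sharing",
    445: "direct-hosted SMB",
}

# The LOCAL networks in the article's sense: the RFC 1918 private ranges.
# Spelled out explicitly instead of using is_private(), which also treats the
# documentation ranges used in the sample below as private.
LAN_NETWORKS = [
    ipaddress.IPv4Network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
]

# Constructed sample log in a hypothetical key=value firewall format. Source
# addresses are from documentation ranges; nothing here is a real network.
SAMPLE_LOG = """\
2003-01-30T10:01:02 action=ACCEPT proto=UDP src=203.0.113.7 spt=137 dst=192.168.0.2 dpt=137
2003-01-30T10:01:05 action=ACCEPT proto=TCP src=203.0.113.7 spt=4021 dst=192.168.0.2 dpt=139
2003-01-30T10:02:11 action=ACCEPT proto=TCP src=192.168.0.3 spt=1033 dst=192.168.0.2 dpt=139
2003-01-30T10:03:40 action=ACCEPT proto=TCP src=198.51.100.22 spt=80 dst=192.168.0.2 dpt=1050
2003-01-30T10:04:00 action=DROP proto=TCP src=203.0.113.9 spt=3301 dst=192.168.0.2 dpt=139
2003-01-30T10:05:13 action=ACCEPT proto=TCP src=198.51.100.5 spt=52011 dst=192.168.0.4 dpt=445
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+action=(?P<action>\w+)\s+proto=(?P<proto>\w+)\s+"
    r"src=(?P<src>\S+)\s+spt=(?P<spt>\d+)\s+dst=(?P<dst>\S+)\s+dpt=(?P<dpt>\d+)"
)


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["spt"] = int(rec["spt"])
    rec["dpt"] = int(rec["dpt"])
    return rec


def is_lan_address(addr):
    """True if addr lies in one of the RFC 1918 private ranges."""
    try:
        ip = ipaddress.IPv4Address(addr)
    except ValueError:
        return False  # hostnames or garbage are treated as "not our LAN"
    return any(ip in net for net in LAN_NETWORKS)


def audit_sharing_exposure(log_text):
    """Split sharing-port records from outside the LAN into accepted ('exposed')
    and dropped ('blocked') lists. LAN-to-LAN sharing is the intended use and
    is ignored, as is anything not aimed at a LAN host."""
    exposed, blocked = [], []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["dpt"] not in SHARING_PORTS:
            continue
        if is_lan_address(rec["src"]) or not is_lan_address(rec["dst"]):
            continue
        rec["service"] = SHARING_PORTS[rec["dpt"]]
        (exposed if rec["action"] == "ACCEPT" else blocked).append(rec)
    return exposed, blocked


def exposed_hosts(exposed):
    """Map each LAN host to the sorted list of sharing ports reached from outside."""
    summary = {}
    for rec in exposed:
        summary.setdefault(rec["dst"], set()).add(rec["dpt"])
    return {host: sorted(ports) for host, ports in summary.items()}


if __name__ == "__main__":
    exposed, blocked = audit_sharing_exposure(SAMPLE_LOG)
    for host, ports in exposed_hosts(exposed).items():
        print(f"{host} is offering Windows sharing to the Internet on ports {ports}")
    print(f"{len(blocked)} sharing attempt(s) from outside were dropped")
```

Any host in the summary is offering its shares to the outside, which is exactly the condition this section warns about; the remedy the article points to is unbinding NetBIOS from TCP/IP (the "Network Bondage" page) or filtering these ports at the border, and the blocked list is what that filter looks like when it is working.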

Today's News

MS on OS X client for Exchange. January 30, 2003 -- A Microsoft web page called the Software We Make, dated January 27, describes the company's position on a possible Exchange client for Mac OS X:

Business customers who run mixed networks of Macintosh and Windows-based computers have requested support for Exchange Server services on Mac OS X. We are currently evaluating the best way to support this request.

The page also contains a table comparing the various Mac and Windows versions of Microsoft Office. It also acknowledges that most users are cross-platform users, that "our research indicates that about 60 percent of our Office for Mac customers operate in a mixed Windows-Mac environment..."

(Thanks to Daniel Öhman for the tip.)

Reader confirms VPC 5 dropping net connections. January 30, 2003 -- Julius Lopez responded to yesterday's report of problems with Virtual PC 5.0.4 dropping network connections:

Having encountered similar problems with the same Mac OS/VPC version 5.0.4 and a custom app that requires a mapped drive, I too am finding error messages being generated when the app's SQL mapped drive gets dropped.

VPC problem with Win copy protection software prevents Birding software from running. January 30, 2003 -- Jim Groom discovered that Virtual PC 5 and 6 won't run Thayer Birding software due to a copy protection file. The company, however, says it should work with VPC and Win XP. Groom's report:

Using Windows 98SE, Thayer Birding Software cannot find the KeyLib32.dll file upon launch and reports an error to that effect. KeyLib32.dll, which appears to be part of the copy protection, is present in the Windows system, but apparently not where Thayer is looking. I have confirmed that it is in the same location on actual Windows PCs, where it does work.

I have discussed this with Thayer Tech Support, who says that it works with the native Windows 98SE. They also report that Mac users have had success using Virtual PC with XP, which I do not own so haven't tried.

Working with Thayer tech support, we found where the Thayer Software installed KeyLib32.dll in the native Windows environment, and found that it is in the same place on my copy with VPC. The only conclusion that we could come up with, therefore, is that it is related to Virtual PC in some way. KeyLib32.dll is part of the copy protection of the program. I looked up the properties of KeyLib32.dll and see the company that produces it is SoftwareKey.com. They do not, however, give any individual tech support for end users as far as I could see.

I have not had success with either VPC 5.X OR 6.X and have finally given up.

If you've had experience with SoftwareKey.com files in Virtual PC with Thayer Birding or other software, please let us know.

CNET posts review of Virtual PC 6. January 30, 2003 -- CNET has posted a review of Virtual PC 6 for Mac written by MacWindows' John Rizzo.

Further Cisco VPN Client observations. January 30, 2003 -- David Morgenstern, columnist for Ziff Davis Media's Storage Supersite, reports that the most recent Cisco virtual private network client for Mac OS X works well, but drops an America Online Instant Messaging (AIM) connection:

Thanks for all the great information at MacWindows on VPNs. I installed Cisco's VPN Client Version 3.7.2 the other day. Despite an occasional moment of concern, the installation went smoothly and the program has a nice tabbed interface.

The client connected fine to the 3000-series concentrator. I'm running OS X 10.2.3 and haven't run into the reported sleep problem -- yet. (An aside: I wonder if folks used to AppleShare assume they will see the concentrator show up as a server in the Go/Connect to server... menu. Or see the network behind the concentrator? The client says it's connected and a check of its Tunnel Details tab shows the client and server addresses, an essential sign. Any ambiguity can be reduced by pinging a server address inside the network.)

One thing, I noticed that my AIM connection in iChat is disconnected after logging into the VPN. No idea.

We've added this report to others on our VPN Special Report page.

Reader report: Basilisk for Mac OS X. January 30, 2003 -- Stewart Walker reports on Basilisk for Mac OS X, the 68k Mac emulator that was recently ported to Mac OS X from the PC version. It basically functions as an alternative to the Classic environment. Walker's report:

It took a while to get Basilisk set up on Mac OS X, but it runs very reliably. The full-screen video is great on my beige G3; on the other hand, the small screen video is slow, but sometimes useful.

I used a Centris 650 ROM, configured Basilisk to run as a Mac IIci, and have System 7.1 running an old compiler and a CAD program. The CAD program runs off a disk image I installed it onto - the old copy-protection didn't realize it wasn't a real disk.

Under System 7.5, the emulator can mount parts of the OS X file system, which makes passing files back and forth easier. I did run into an issue where some text files weren't parsed correctly unless I copied them to the emulator's desktop or its virtual disks; possibly it is a carriage-return/linefeed substitution issue that comes from the UNIX heritage of the emulator.

With a bit more work, this would be a snazzy solution.

We've added this report to the previous reports of Basilisk II on our Mac Emulation for PCs page. If you've tried Basilisk for Mac OS X, or the relatively new Basilisk II JIT, please let us know what you think of it.

Apple and Linux cross-fertilization. January 30, 2003 -- In his eWeek column, Matthew Rothenberg speculates on the influence of the Macintosh and Linux worlds on each other.

Yesterday's News

Disappearing files w/name changes still in OS X 10.2.3. January 29, 2003 -- Jack Albright verifies that the problem of Windows 2000-based files disappearing from the Finder when their names are changed still occurs with Mac OS X 10.2.3:

We are also seeing the "disappearing files" problem with Windows 2000 Server and Mac OS X v 10.2.3.

Create file on Windows 2000 server from Mac.
Rename the file from Windows.
Go back to Mac and the file is gone.
Dismount and remount the volume from Mac and the file reappears.

Readers report that the problem began with Mac OS X 10.2.

Windows 2000 Server and Word X Errors. January 29, 2003 -- Mark Read is another reader reporting Word X problems with Apple File Protocol (AFP) file servers, over both AppleTalk and IP connections:

I can verify that this problem exists with both AFP on AppleTalk (Windows NT4 Server) and AFP on TCP/IP (Windows 2000 Server) connections from 10.2.3. Microsoft Word then quits (automatically).

We also had a previous report that said Microsoft is aware of the issue.

Bochs for Mac OS X 2.0.1 released: version for OS 9 "soon." January 29, 2003 -- Two weeks ago, Bochs for Mac OS X 2.0.1 was released, a bug-fix upgrade to the open source PC emulator.

The page also says that Mac OS 9 binaries will be available "soon." Previously, the only pre-OS X version was MacBochs, a Mac version from a different source, which, as we reported yesterday, is no longer available.

More on Macs and Garmin GPS handheld. January 29, 2003 -- Christopher Duckworth responds to yesterday's report about using Macs with the Garmin GPS handhelds by expanding on his report of January 24 about using Virtual PC, and why it might be better than using the native MacGPS Pro:

Bud Kuenzli is correct in stating that one can use Garmin GPS units with MacGPS Pro software [instead of Virtual PC]. In fact, James Associates, developers and sellers of MacGPS Pro offer not only software but hardware solutions (cables and adapters) to what is a frustrating problem for Macintosh owners who want to use Garmin GPS.

The MacGPS Pro is, however, an alternative to the Garmin-based software. That is, you cannot use Garmin MapSource products. As James Associates state: "MacGPS Pro cannot transfer Garmin's MapSource maps into Garmin receivers - only MapSource software has that ability."

I assume, though do not know for certain, that MacGPS Pro also cannot transfer Garmin GPS software updates to the handheld, which would be a real limitation.

If you want to use Garmin's maps and a Macintosh, you have to find a solution. I know that using Virtual PC does work on my computer and my Garmin, using my setup. Except for having to learn (or tolerate) the Windows interface, this solution is quite workable.

Let's hope that Garmin will see the light and offer a Macintosh version as well as begin using USB or FireWire in place of an antiquated serial connection.

Network connections dropping in Virtual PC 5.0.4. January 29, 2003 -- Daniel Foshee reports a problem with Virtual PC 5.0.4 dropping network connections in Mac OS X:

We're seeing a problem with four users running Mac OS X 10.2.3 and Virtual PC 5.04 with Windows 2000. At least twice a day the users (who have mapped drives in Windows 2000) get errors about the connection being terminated. This mainly happens in custom apps that require a mapped drive, but also with Windows Explorer. The error messages:
DataWindow Error
Select error: ct_cmd_alloc(): user api layer: external error: The connection has been terminated.

Program Error
NAble.exe has generated errors and will be closed by Windows. You will need to restart the program.
An error log is being created.

Windows
An error occurred while reconnecting F: to \\tysona\pdflables
Microsoft Windows Network: The local devices name is already in use. This connection has not been restored.

We have one user (also on a Mirror G4, same config) who's still on OS 9, with VPC 5.04, and she doesn't have this problem.

The network connections and the cables themselves check out fine, as does the Mac hardware. Since I'm unwilling to let the users have root user access or use Pseudo (per Connectix's Knowledge Base Article #4670), I can't use Shared Networking; the Virtual Switch is my only option. FWIW, the Macs use a static IP, while the VPC uses DHCP. This connection drop-off happens whether I use the Default or Built-in Ethernet setting in VPC's Preferences.

My best guess at this point is that either the server (also a Win 2000 box with Services for Macintosh) or the OS X clients are disconnecting due to inactivity. My NT guys are claiming it's the OS X and that I should get an XServe. I'd love to get one, but I'm not sure that would solve the problem; it seems to me that if multiple people are having the same problem, same errors, then it's server-based. Thing is, short of getting in the Terminal, I don't know where you would modify that in OS X, if you even could. For that matter, I'm not sure where you'd modify that on the server.

Problem occurs on three Mirror/Wind Tunnel 1 GHz G4s, 1 GB RAM and one DP 450 MHz Graphite G4.

If you've seen this problem or can help, please let us know.

Recent News

Basilisk II, 68k Mac emulator, ported to Linux, Mac OS X. January 28, 2003 -- There are two additional versions of Basilisk II, the open source 68k Mac emulator for PCs. One is called Basilisk II JIT, which is "an attempt to add a dynamically recompiling 680x0 CPU core to the original Basilisk II." Basilisk II JIT runs Mac OS 8.1 and earlier on Linux on x86 hardware. (The original Basilisk II runs on Windows.)

There is also a version of Basilisk II that runs on Mac OS X, making it a competitor to the Classic environment. Reader J. Slade described this version: "It does not have Ethernet support, but may set up a better way to run Legacy OS 7.55 to OS 8.1 software on the newer Macs. I still have not found a good solution for OS 6."

If you've tried either of these versions, please let us know what you think. (For previous reports on Basilisk II, see our Mac Emulators for PC page. David Scherer also contributed to this story.)

Wanted: the last version of MacBochs PC emulator. January 28, 2003 -- MacBochs is an old PC emulator that has been on our list of PC Emulators for Mac OS since 1998, but has not been updated. Recently, the developer lost his home page, and his last version. David Scherer reports:

MacBochs has not been updated in a while, but one of the sad things is that the last version that David made was lost when Xoom.com shut down their hosting services. I am considering making a call of some kind to see if anyone happens to have an archived copy of that last version or if someone can contact David for a copy. I did have a SMI image of MacBochs at one time but that has since been lost too. I am going to make another one soon.

If you think you have a copy of the last version, please let us know.

Using Garmin GPS devices with Macs. January 28, 2003 -- Responding to our January 24 report about using Virtual PC to connect a Mac and a Garmin GPS handheld device, Bud Kuenzli reports that there already is native Mac software that does the job for at least some models:

It may be that his particular Garmin doesn't work with his Mac but many or most Garmins do. I've used the program MacGPS Pro for years with my Garmin 12xl. Currently the cables require a USB converter but the software is regularly updated, runs natively on OS X (or OS 9) and is great. It's my guess that Christopher's GPS, or another program he uses, requires Windows, but that is not true of all Garmin models by a long shot.

Problem and fix with RDC Client for Mac OS X. January 27, 2003 -- Rick Gutlon found that Microsoft's free Remote Desktop Connection (RDC) for Mac OS X would not connect to a Windows Terminal Server when he tried to add a port number to the IP address or domain (as in x.x.x.x:port). He contacted Microsoft, which acknowledged the problem as a limitation of the current version of RDC. Gutlon then located a shareware solution, Port Reflector (US $10) from Wickedly Simple Software that worked around the problem.

You can read Gutlon's full report on our Application Server Report page.

Citrix 6.30 problems with built-in PPTP. January 27, 2003 -- Robert Lefkowitz verified a report from last week about problems with the Citrix ICA clients for Mac OS X and OS 9:

I'm seeing this problem. 6.30 doesn't connect. 6.20 under Classic works fine.

TIP: Defining OS X firewall for Timbuktu for Win. January 27, 2003 -- A reader named Peter sent in this tip for setting the Mac OS X built-in firewall to enable users of Timbuktu for Windows to access it:

Apple provides some predefined, non-editable firewall rules with Mac OS X 10.2.3. There is one set up for Netopia's Timbuktu that only opens TCP port 407. This allows another Mac using Timbuktu to make a connection, but if you are trying to connect from a Windows version of Timbuktu, the connection will be blocked.

You need to create new rules that open UDP 407 and TCP ports 1417, 1418, 1419, and 1420 to get full functions from a Windows Timbuktu connection.

(Netopia has confirmed this problem and will try to get Apple to fix it, but suggested end user messages to Apple might also be helpful.)
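A quick way to check that a firewall rule set covers what the tip above requires, and opens nothing beyond it, as an added example (not code from this page, Apple or Netopia). The rule notation is a simplified, constructed stand-in modeled loosely on ipfw, not the literal output of any real tool, and the function names are mine; the required ports are exactly those the tip lists.

```python
# Ports the tip says a Windows Timbuktu client needs to reach a Mac. Apple's
# predefined Timbuktu rule opens only TCP 407.
TIMBUKTU_WINDOWS_PORTS = {
    ("tcp", 407), ("udp", 407),
    ("tcp", 1417), ("tcp", 1418), ("tcp", 1419), ("tcp", 1420),
}

# Constructed rule lists in a simplified, ipfw-like notation (hypothetical;
# not the literal output of `ipfw list`). Each rule reads
# "allow <tcp|udp> <port or lo-hi>".
APPLE_TIMBUKTU_RULES = ["allow tcp 407"]
CORRECTED_RULES = ["allow tcp 407", "allow udp 407", "allow tcp 1417-1420"]
SLOPPY_RULES = ["allow tcp 407", "allow udp 407", "allow tcp 1417-1430"]


def allowed_ports(rules):
    """Expand a rule list into the set of (protocol, port) pairs it opens."""
    allowed = set()
    for rule in rules:
        parts = rule.split()
        if len(parts) != 3 or parts[0] != "allow" or parts[1].lower() not in ("tcp", "udp"):
            raise ValueError(f"unrecognised rule: {rule!r}")
        proto, spec = parts[1].lower(), parts[2]
        lo, _, hi = spec.partition("-")
        first, last = int(lo), int(hi or lo)
        if not 0 < first <= last <= 65535:
            raise ValueError(f"bad port range in rule: {rule!r}")
        allowed.update((proto, port) for port in range(first, last + 1))
    return allowed


def missing_ports(rules, required=TIMBUKTU_WINDOWS_PORTS):
    """(protocol, port) pairs the application needs that the rules do not open."""
    return sorted(required - allowed_ports(rules))


def excess_ports(rules, required=TIMBUKTU_WINDOWS_PORTS):
    """(protocol, port) pairs the rules open that the application does not need."""
    return sorted(allowed_ports(rules) - required)


if __name__ == "__main__":
    for name, rules in (("Apple default", APPLE_TIMBUKTU_RULES),
                        ("corrected", CORRECTED_RULES),
                        ("sloppy", SLOPPY_RULES)):
        print(f"{name}: still blocked {missing_ports(rules)}, "
              f"open but unneeded {excess_ports(rules)}")
```

The first check reproduces the reader's observation (UDP 407 and TCP 1417-1420 still blocked with only Apple's rule); the second catches the opposite mistake of opening a wider range than Timbuktu needs.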

Gimp-Print 4.2.5 fixes bugs, improves printing. January 27, 2003 -- Gimp-Print 4.2.5 (free) is a new version of the set of printer drivers for Mac OS X 10.2 and later. Gimp-Print uses the CUPS printing system of Jaguar to print to dozens of PC printers. The new version fixes a number of bugs and improves printing with several models of Epson printers. (See our Jaguar Reports page for more on printing to PC printers with CUPS.) The Gimp-Print web page also describes some known problems.

Apple posts FAQ on X11 for Mac OS X Public Beta. January 27, 2003 -- Apple has posted an FAQ on X11 for Mac OS X Public Beta, which it released earlier this month during Macworld Expo in San Francisco. X11 for Mac OS X Public Beta is a version of the open source Unix windowing system from the XFree86 project, and enables users to run current X11 applications that have been recompiled, including OpenOffice.org 1.0 for Mac OS X. X11 can also be used as a cross-platform application-sharing system, allowing users to operate applications that are actually running on another host computer on a network. X11 for Mac OS X Public Beta is a free download.

We recently spoke to Apple about X11 for Mac OS X Public Beta. Apple verified that this public beta is the fastest implementation of X11 that runs on Mac OS X. Apple optimized X11 for Mac OS X, including ties to the Quartz graphic engine and making specific calls down to the hardware level. Apple also said that Perl scripts and Java are functional in the Public Beta. This may also be the easiest way to get X11 running on Mac OS X, as Apple said everything you need is contained in a single download.

Apple has been working with the open source community to get Mac OS X included in standard distributions, to enlarge the number of applications available to Mac OS X. The company sees education, the sciences, government, video, animation, modeling, and simulations as some of the fields that actively use X11 applications.

Apple also sees X11 as a stepping stone to getting Unix developers to port applications to native Cocoa applications. In fact, the developers of OpenOffice for Mac OS X told us they will be doing a Cocoa version of OpenOffice for Mac OS X next year.  

Workaround for Novell Bordermanager lockout -- use VPC. January 27, 2003 -- Bill Brothers found a workaround to the problem of Macs on NetWare networks being blocked from accessing the Internet by Novell Bordermanager on the network: he uses Virtual PC to log into the Bordermanager. Then he can use Mac Internet software:

I can log in through the Novell Bordermanager using Virtual PC from Connectix, using Windows 2000 and Internet Explorer on the VPC and a shared IP address between my Mac and the VPC.

After logging in on the virtual machine I can use the Mac IE or Safari to surf the web, run Software Update, etc. and Apple's Mail, Sherlock or any app that needs the web. It's a little time consuming to boot the Mac, then the VPC, the VPC IE, get through Novell Bordermanager, and then start the Mac app like Safari to access the web.

If you don't need anything else with the VPC you can quit the Connectix app (save the VPC settings) and the Internet port will still be open. However, if there is a timeout on the Novell system and you don't access the web for awhile, you'll have to repeat the process by booting the VPC again. Unless having the VPC minimized causes you grief, leave it minimized. If a timeout occurs, going to any new web address using the VPC IE will force a new login through the Novell Bordermanager. Log in again, then just minimize it again and work with the Mac.

VPC 6 on sub-500 MHz Macs: More CPU than v 5. January 27, 2003 -- Bruce Miller is running Virtual PC 6 on a Mac that is below Connectix's recommended 500 MHz, and found that version 6 uses more CPU than version 5 did:

I'm running VPC 6.0.1 in Mac OS X 10.2.3 with both 98SE and XP Home on a PowerBook G3 400 with 1 GB RAM just fine. I allocate 256 MB RAM to each virtual PC, turn off all unnecessary features (like sound) and for XP, turned off every single eye candy feature and run in Classic GUI. Also I'm a firm believer in keeping the drive images as small as possible, loaded only with few applications.

My 6.0.1 98SE runs slightly slower than in 5.0.4, seems to use more CPU: percentages, while my XP Home in 6.0.1 is the opposite, faster than in 5.0.4, definitely using less CPU percentages, dropping down to as low as 20 percent idle, never the case in VPC 5 where it seemed to use 50-60 percent when idle. I find XP adequate for IE surfing (dial-up speed using DSL), verifying burned image file CDs, etc. Windows 98SE works great both Hotsyncing Palm Windows apps and Activesyncing and app installations for my iPaq PPC.

If you've seen this on a pre-500 MHz Mac, please let us know.

VPC 6: Win 2000 vs. Win XP. January 27, 2003 -- Robert McLachlan finds that Virtual PC 6 runs Windows 2000 faster than Windows XP:

I am running VPC 6 on a dual 867 MDD Mac. I find Win2K Pro pretty good, but find XP Pro okay for computation but the interface graphics are a little on the slow side and not quite as snappy as with Win2K Pro. Running benchmark software backs this up with XP pro CPU performance slightly faster but graphics slower. All in all the update is very worthwhile, especially the inclusion of the Start Menu application and the ability to open disc images. I feel Connectix really need to look at the graphics and try to improve the interface performance as this often gives the impression that VPC is slow.

Word X problems occur on Netatalk. January 27, 2003 -- Daniel Lautenschleger reports that the problem of errors when saving Word X files to Windows AFP servers also occurs on Netatalk servers (AFP for Linux and Unix):

I can confirm that the saving of Word X files to a Windows 2000 server and the "unrecoverable disk error" problem also occurs when the file is opened from a Netatalk volume.

CDFinder 4.0.2 fixes bugs. January 27, 2003 -- This weekend, Norbert Doerner released CDFinder 4.0.2 (US $25, free upgrade), an update to the 4.0 version that we reported last week. The new version 4.0.2 fixes some bugs in the 4.0 and 4.0.1 versions that had caused CDFinder to quit or crash. CDFinder is a disk cataloging tool for the Mac OS 8.6 - 10.2.4 that can work together with CDWinder 1.7 for Windows as a cross-platform, network solution to catalog disks and CD-ROMs on a Macintosh and a PC.

VPC 6 on older Macs. January 24, 2003 -- Several readers report using Virtual PC 6 on Macs slower than Connectix's recommended minimum for Mac OS X (500 MHz). Bob Brunk thought there was a speed improvement:

I have a 400 MHz Power Mac G4, 384 megs of RAM. For me, Windows 2000 ran unusably slow in VPC 5, but will actually run okay in VPC 6. Windows XP is okay, but definitely a resource hog. The IE browser runs well when I have no other apps running on my computer. Windows 98 moves pretty good, but always has, even in VPC 5.

Overall though, I noticed significant increase in speed in VPC 6. A big improvement as far as I'm concerned.

Peter Lindsay has an even older Mac (a Blue and White) right at 500 MHz, but found the speed increase to be marginal:

I am running VPC 6.0.1 on a Blue and White G3 upgraded to a 500 G4 with 1 GB of RAM. The performance of VPC 5 was just acceptable under OS 9 with Windows 98SE and unacceptable with Windows 2000 PRO. It was unusable under OS X 10.2.3

The upgrade to VPC 6.0.1 has made a marginal difference under OS X. I use VPC primarily to check web code in Internet Explorer on Windows and to access my company's VPN from home. The VPN is painfully slow, even with my DSL connection. This certainly has not improved from VPC 5 to 6.

For me, the single advantage of VPC is that I can run multiple copies of Windows with different versions of IE on each. There is no substitute for this function other than owning several PCs. Something that I am not inclined to do.

BC Kelly is using VPC 6 on a Power Mac Cube, mostly using an Internet file sharing program called WinMX. Performance is better, but he has one problem:

VPC 6 with Win 98 seems okay on my 450 MHz Cube. I have Mac OS X 10.2.3 with Gforce 32 meg video and 1 gig of RAM. Cranked the VPC memory to 512 meg, which appears to be the application's "max".

About all I use VPC for is to run WinMX, which seems fine, if not as good or even a little better, least compared to what it was in OS 9 (forget any comparison to OS X and VPC 5). Otherwise have nothing else to compare it to, so don't know what I may be missing. Oh yes, WMP video is still slow and choppy in VPC 6, even with 'networking' turned off. Had run fine in VPC 5 on OS 9, but seems to have a long ways to go to be "right" in OS X ( and again, forget it when using OS X with VPC 5, ugly). Also, use a Shared Folder to move the downloaded files from Win 98 over to a Mac Partition -- THAT part, the x-fer, is much smoother and faster now.

Have had one nagging problem which I can't solve. Either Win 98 and/or WinMX freezes up after a period of time... What I'm doing is setting up WinMX to run on automatic, and then go to bed, work, whatever. Sometimes it'll run fine for 24 hrs or so, other times 12 hrs. I don't think it's made it much past 24 though. With OS 9 and VPC 5, it'd go for days and days without any hiccups.

If you've seen this problem, please let us know.

VPC 6 connects Garmin GPS handheld. January 24, 2003 -- Christopher Duckworth reports that he can use Virtual PC 6 to connect to a Garmin GPS handheld device, which works only with Windows. His device had a serial port, which he connected with a USB adapter:

I am using a dual 1 GHz G4 running 10.2.3 and VP 6.0.1 with Windows XP. I have a Garmin GPSMap 76S, and, as you may know, Garmin does not support Macintosh. I added an Iogear USB-to-serial adapter, with downloaded Iogear software, and everything works fine, including some very long (15+ minutes) downloads to the handheld. I downloaded the Iogear software to the Windows desktop, and plugged in the adapter with Windows running. The New Hardware Wizard came up; I followed the instructions (pointing the Wizard to the Iogear folder manually), and everything worked out fine.

(For previous reports on VPC 6, see our Virtual PC Reports page. )

Reader raves on the new Prosoft NetWare Client for Mac OS X. January 24, 2003 -- Michael Campbell has good things to say about Prosoft Engineering's new NetWare Client for Mac OS X 1.1.2, which we reported on January 8. (The new version allows users to make aliases of NetWare volumes and improves browsing of networks.) Campbell says:

I just purchased the latest client from Prosoft for X 1.1.2 and I must say that I am impressed; browsing now works, and password expiry now works, which was an issue on the old client. We have a mixed NT and Novell 5.1 network, and when the login password expired Mac users would not get a warning; however, with 1.1.2 when the password expires it informs you.

A brilliant client and well worth the price.

(See our NetWare and Mac Issues page for previous reports on Prosoft and other NetWare issues.)

Fourth World ships WebMerge 2.2. January 24, 2003 -- Fourth World yesterday released 4W WebMerge 2.2 ($79), an update to its Mac OS 8/9/X and Windows tool for generating static Web pages from databases or spreadsheets. New features include multicolumn page layouts, a new tag for including external files, enhanced support for JavaScript and CSS, and some new interface features.

IBM earns $1 billion from Linux. January 24, 2003 -- eWeek reports that IBM announced that in 2002, it earned over $1 billion in revenue selling Linux-based software and services.

New MacWindows Virtual PC 6 Report page. January 22, 2003 -- We've created a new MacWindows Virtual PC 6 Notes and Reports page, which contains our previously published reader reports as well as our take on Connectix' latest PC emulator for Macintosh.

(We also have special report pages on Virtual PC 5, Virtual PC 4, and Virtual PC 3.)

VPC 6 printing problem with TurboTax. January 22, 2003 -- Daniel Dobbert reports a problem printing TurboTax for Windows with Virtual PC 6. His solution:

I can run TurboTax Windows 2002 on VPC 6. Problem is printing which is solved by using print to PDF file and then print that file.

Virtual PC 6.0 had a problem that prevented users from installing and running TurboTax for Windows. Version 6.0.1 fixed the problem.

TIP: Using an Apple USB keyboard on a PC, mapping keys. January 22, 2003 -- Todd Miller is using an Apple Pro USB keyboard on a Windows machine, and found a way to remap the F13, F14, and F15 keys so that they act as the Windows Print Screen, Scroll Lock, and Break functions. His method involves creating a text file with registry information. You can read Miller's procedure on our Tips for Sharing Keyboards and Monitors page.

Netopia Timbuktu Pro 6.0.3. January 22, 2003 -- Netopia released Timbuktu Pro 6.0.3 for Mac (US $95, free upgrade for users of v6.0.2), a maintenance upgrade to the cross-platform remote-control, file exchange, and collaboration program. Changes in the new version include the following:

Thursby working on the Clients and Profits issue. January 22, 2003 -- Richard Heend reports back that he has been in communication with Thursby Software regarding the problem with Clients and Profits, which we reported yesterday. "Thursby (and C and P) are aware of the problem and at least Thursby is working on a solution."

VPN Tracker 1.5 Preview Release 3 released. January 22, 2003 -- Equinux Software has released VPN Tracker 1.5 Preview Release 3, a beta version of the upcoming version 1.5 of the IPsec virtual private network client for Mac OS X. The new version fixes a number of problems, including a kernel panic that would occur with previous beta versions when configuring network interfaces.

This beta release will expire on February 5. Equinux said it expects to ship the final version 1.5 by that time. VPN Tracker 1.5 Preview Release versions 1 and 2 expired yesterday. VPN Tracker 1.5 will be a free upgrade for all existing users of VPN Tracker.

Macs locked out of Internet by Novell Bordermanager. July 23, 2001 -- Marc-André Rioux reports having the problem described on our NetWare Reports page, where Novell Bordermanager is preventing Macs on NetWare networks from accessing the Internet. If you've seen this problem and know of a workaround, please let us know.

WebCast on OS X Server NetInstall, NetRestore. January 22, 2003 -- Tomorrow (Thursday, Jan 23rd) MacOSLabs.org is webcasting a presentation by Apple Computer's Eric Zelenka and Mike Bombich called NetInstall in Depth. The webcast will occur at 10:00 am - 11:30 am Pacific (1:00 - 2:30 pm Eastern). The webcast will cover two Mac OS X Server technologies, Network Install and NetRestore.

Thursby posts white paper on Goliath--Active Directory integration. January 21, 2003 -- Thursby Software has posted a white paper about its upcoming Goliath, software that will provide Mac OS X integration with Microsoft's Active Directory without making changes to the Active Directory schema or the domain structure.

Thursby publicly demonstrated Goliath earlier this month at Macworld Expo San Francisco, where we got to see it. For our previous coverage of Goliath, see our DAVE Special Report page.

DAVE problem with Clients and Profits software. January 21, 2003 -- Richard Heend reports a problem with Thursby Software's DAVE file sharing software and Clients and Profits, a network-based, cross-platform agency management package for Mac and Windows clients:

We are a cross-platform ad agency, with about 10 PCs and 6 Macs. We recently migrated to a Windows 2000 Server to centralize our files and backup system. In order to give everyone access to all of the files of the server (with some secure/protected areas, of course), we opted against Services for Macintosh and went, instead, for the popular DAVE program.

Unfortunately, it appears our accounting/agency management software has "issues" with Dave. The software -- which uses a multi-user database stored on the server and client software on each workstation -- does not allow Mac users to login to the database if there are any PC users logged in to the software.

I have spoken with Clients and Profits and they say there is a "known issue" with DAVE and the "only option" is to install Services for Macintosh. (Unfortunately, said issue is not listed on their website or in their discussion forums, and their customer service isn't very timely in their responses.)

If you've seen this problem, or know of a workaround, please let us know.

Correction to script for fixing Citrix NFuse and Error 51 problem. January 21, 2003 -- Tom Allen sent us a correction to the script he sent us yesterday, which offered a fix for the Error 51 problem with Citrix ICA Client 6.30 and NFuse Server. Turns out e-mail inserted a carriage return where it didn't belong:

One little thing; The long line in my script got split by the email process. The part that starts with the "sed" command should be all one line ending with "launch.ica". There should be a space on both sides of the ">" character.

We've posted Allen's corrected script on our Citrix special report page. If you've tried it, please let us know how it worked for you.

Suggestion for Word X and Win Server doesn't work. January 21, 2003 -- Daniel Foshee tried yesterday's suggestion of mounting the Windows server before launching Word to prevent the problem of errors with saving Word X files to a Windows 2000 Server. It didn't work:

I'm glad that works for Timothy, but it does not work for us. We have users running OS X 10.2.3, and they leave the workstations up 24/7. They have shares mounted all day, and only occasionally use Word X. However, after they fire up Word, they still experience the error. I've done a restart, let the shares boot up in OS X, and then start up Word, per Timothy's suggestion, but the error still pops up.

HELIOS posts faster IP print drivers for Mac OS X. January 21, 2003 -- HELIOS Software GmbH released the HELIOS TCP/IP Print Driver for Mac OS X to use with its EtherShare 3.1 file and print server software. (The IP driver was previously available for Mac OS 9.) The company says the HELIOS TCP/IP Print Driver enables Macs to print up to three times faster than via AppleTalk PAP or Apple Remote LPR. The new driver is integrated with the Mac OS X Print Center and supports Service Location Protocol (SLP) browsing of printers. It also automates PPD (PostScript Printer Description) installation from the HELIOS print spooler.

A Better Finder Rename 5.2 adds Win filename conversion. January 21, 2003 -- PUBLICSPACE.NET has released A Better Finder Rename 5.2 (US $15), an upgrade to its Mac Finder contextual menu plugin for changing the names of multiple files. The new version adds the ability to convert Macintosh file names to legal Windows 95/98/Me/NT/2000/XP file names. The software is available for Mac OS 8 and later as well as Mac OS X 10.0 and later.

CDFinder 4 reworks interface. January 21, 2003 -- Norbert Doerner has released CDFinder 4 (US $25), a new version of a disk cataloging tool for the Mac OS 8.6 - 10.2.4. CDFinder can work together with CDWinder 1.7 for Windows as a cross-platform, network solution to catalog disks and CD-ROMs on a Macintosh and a PC. CDFinder 4 adds a brand new user interface and fixes a few minor bugs.

For items older than 10 days, see the News Archives.


Personal Internet Firewalls that really work!

If you've reached this point, you probably know more about Internet security and securing a Windows PC for safe Internet access than you ever thought you would. If you are using a single stand-alone PC for Internet access, the preceding pages will have equipped you to secure that machine without the need for any additional software. But if your needs are more complex, and especially if you do need to share files across the Internet, you will need some additional software to secure both ends of the Internet connection.


You need a Personal Internet Firewall if:
- Your computer's files need to be accessed remotely across the Internet.
- You are operating any sort of Internet server such as Personal Web Server.
- You use any sort of Internet-based remote control or remote access program such as PC Anywhere, Laplink, or Wingate.
- You want to properly and safely monitor your Internet connection for intrusion attempts.
- You want to preemptively protect yourself from compromise by "inside the wall" Trojan horse programs like NetBus and Back Orifice.


What's a Firewall?

You can probably guess what a firewall does just from its name. The idea is a simple one, which is why it works so well:

A firewall ABSOLUTELY ISOLATES your computer from the Internet using a "wall of code" that inspects each individual "packet" of data as it arrives at either side of the firewall — inbound to or outbound from your computer — to determine whether it should be allowed to pass or be blocked.

A firewall is a super cool idea. This is so true, that someday firewalls will be standard equipment on all PC's. There's no question about it.

 
In fact, the PC Industry press now reports that the next version of Microsoft Windows, codenamed "Whistler", will include a built-in firewall. However, its exact nature and capabilities are currently unknown.

But today, firewalls need to be added where needed — which is pretty much everywhere.

The firewall concept is so exactly correct that the term "firewall" has been badly abused by many weak "firewall wanna-be" products in an attempt to trade on the power of the concept. MANY, if not most, of the Evil Port Monitors I discussed on the prior page try to pass themselves off as "high security firewalls", yet not one of them is. Also, many "Application-Based" firewalls provide poor protection against malicious spyware.

How does a Firewall Work?

All internet communication is accomplished by the exchange of individual "packets" of data. Each packet is transmitted by its source machine toward its destination machine. Packets are the fundamental unit of information flow across the Internet. Even though we refer to "connections" between computers, this "connection" is actually comprised of individual packets travelling between those two "connected" machines. Essentially, they "agree" that they're connected and each machine sends back "acknowledgement packets" to let the sending machine know that the data was received.

In order to reach its destination — whether it's another computer two feet away or two continents distant — every Internet packet must contain a destination address and port number. And, so that the receiving computer knows who sent the packet, every packet must also contain the IP address and a port number of the originating machine. In other words, any packet travelling the net contains — first and foremost — its complete source and destination addresses. As we've seen earlier on this site, an IP address always identifies a single machine on the Internet and the port is associated with a particular service or conversation happening on the machine.

Look what this means! . . .

Since the firewall software inspects each and every packet of data as it arrives at your computer — BEFORE it's seen by any other software running within your computer — the firewall has total veto power over your computer's receipt of anything from the Internet.

A TCP/IP port is only "open" on your computer if the first arriving packet which requests the establishment of a connection is answered by your computer. If the arriving packet is simply ignored, that port of your computer will effectively disappear from the Internet. No one and nothing can connect to it!

But the real power of a firewall is derived from its ability to be selective about what it lets through and what it blocks. Since every arriving packet must contain the correct IP address of the sender's machine (in order for the receiver to send back a receipt acknowledgement), the firewall can be selective about which packets are admitted and which are dropped. It can "filter" the arriving packets based upon any combination of the originating machine's IP address and port and the destination machine's IP address and port.

So, for example, if you were running a web server and needed to allow remote machines to connect to your machine on port 80 (http), the firewall could inspect every arriving packet and only permit connection initiation on your port 80. New connections would be denied on all other ports. Even if your system were to inadvertently pick up a Trojan horse program which opened a Trojan listening port to the outside world, no passing Trojan scanner could detect or know of the Trojan's existence since all attempts to contact the Trojan inside your computer would be blocked by the firewall!

Or suppose that you wish to create a secure "tunnel" across the Internet to allow your home and office computers to share their files without any danger of unauthorized intrusion. Firewall technology makes this possible and relatively simple. You would instruct the firewall running on your office computer to permit connections on the NetBIOS file sharing ports 137-139 only from the IP address of your home computer. The firewall running on your home machine would similarly be instructed to permit connections on ports 137-139 only from your office machine's IP address. Thus, either machine can "see" the other's NetBIOS ports, but no one else on the Internet can see that either machine has established such a secure tunnel across the Net.

But what about you originating your own connections to other machines on the Internet? For example, when you surf the web you need to connect to web servers that might have any IP address. You wouldn't want all those to be blocked just because you want to block everyone from getting into your machine. It turns out that this is easy for a firewall too. Since each end of an Internet connection is always acknowledging the other end's data, every packet that flows between the two machines has a bit set in it called the "ACK" bit. This bit says that the packet is acknowledging the receipt of all previous data. But this means that only the very first packet which initiates a new connection would NOT be acknowledging any previous data from the other machine. In other words, a firewall can easily determine whether an arriving packet is initiating a new connection, or continuing an existing conversation. Packets arriving as part of an established connection would be allowed to pass through the firewall, but packets representing new connection attempts would be discarded. Thus, a firewall can permit the establishment of outbound connections while blocking any new connection attempts from the outside.
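To make the filtering rules above concrete, here is an added example written for this page (not code from the original article or from any firewall product it mentions): a small stateful packet filter in Python. It implements the decisions the text describes: admit new inbound connections only on permitted ports (port 80 from anyone, NetBIOS ports 137-139 only from the office machine's address), let replies to connections the local machine originated pass, and silently drop everything else so that unlisted ports, including one a Trojan might open, simply disappear. It goes one step beyond the ACK-bit test described above by keeping a table of known connections, so a stray packet with the ACK bit set that belongs to no known conversation is dropped rather than admitted. All addresses are constructed documentation addresses, and the Packet, PermitRule and Firewall names are assumptions of this example.

```python
"""Toy stateful packet filter (added example; not the page's or any product's code).
Addresses are constructed RFC 5737 documentation addresses."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    syn: bool = False  # set on the packet that asks to open a connection
    ack: bool = False  # set on every packet that acknowledges earlier data


@dataclass(frozen=True)
class PermitRule:
    """Admit NEW inbound connections to local ports lo..hi from src_ip (None = any source)."""
    lo: int
    hi: int
    src_ip: Optional[str] = None

    def matches(self, p: Packet) -> bool:
        return (self.src_ip is None or self.src_ip == p.src_ip) and self.lo <= p.dst_port <= self.hi


# (remote ip, remote port, local ip, local port) identifies one conversation
FlowKey = Tuple[str, int, str, int]


class Firewall:
    def __init__(self, rules: List[PermitRule]):
        self.rules = rules
        self.flows: Set[FlowKey] = set()  # conversations known to be open

    def outbound(self, p: Packet) -> str:
        """The local machine originates a connection; remember it so replies are admitted."""
        if p.syn and not p.ack:
            self.flows.add((p.dst_ip, p.dst_port, p.src_ip, p.src_port))
        return "pass"

    def inbound(self, p: Packet) -> str:
        key = (p.src_ip, p.src_port, p.dst_ip, p.dst_port)
        if key in self.flows:
            return "pass"            # continuing an existing conversation
        if p.syn and not p.ack:      # a fresh connection attempt
            if any(r.matches(p) for r in self.rules):
                self.flows.add(key)
                return "pass"
            return "drop"            # ignored, so the port 'disappears' from the Internet
        return "drop"                # stray ACK or other packet for no known conversation


def demo() -> Dict[str, str]:
    """Exercise the two scenarios from the text: a web server and a home/office NetBIOS tunnel."""
    me, office, stranger, web = "203.0.113.10", "198.51.100.7", "192.0.2.99", "203.0.113.80"
    fw = Firewall([PermitRule(80, 80), PermitRule(137, 139, src_ip=office)])
    out: Dict[str, str] = {}
    fw.outbound(Packet(me, 40000, web, 80, syn=True))                       # we browse a web site
    out["web_reply"] = fw.inbound(Packet(web, 80, me, 40000, syn=True, ack=True))
    out["web_data"] = fw.inbound(Packet(web, 80, me, 40000, ack=True))
    out["new_http"] = fw.inbound(Packet(stranger, 5000, me, 80, syn=True))   # anyone may reach port 80
    out["office_netbios"] = fw.inbound(Packet(office, 5001, me, 139, syn=True))
    out["stranger_netbios"] = fw.inbound(Packet(stranger, 5002, me, 139, syn=True))
    out["unlisted_port"] = fw.inbound(Packet(stranger, 5003, me, 12345, syn=True))  # arbitrary high port
    out["stray_ack"] = fw.inbound(Packet(stranger, 5004, me, 139, ack=True))
    return out


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name:17s} {decision}")
```

The demo() function exercises the web-server and home/office examples from the text; only the permitted new connections and the replies to our own outbound connection pass, and everything else, including the stray ACK-only packet, is dropped.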

Another example of the power of a high-quality firewall is "application level" filtering and response: Most firewalls do pretty much what I've explained above, and this affords tremendous protection. But they don't attempt to "understand" the data in the packets they're admitting or blocking. Their "permit" or "deny" decisions are only based upon the source and destination addresses. But an "application level" firewall involves itself in the actual dialog taking place. For example, we've seen that one of the biggest problems with Microsoft's file and printer sharing is its lack of ability to prevent password crackers from pounding away on a password until it's broken. But an intelligent application level firewall can monitor what's happening on port 139 (where password protection occurs) and step in to completely block an offending remote computer! It can automatically "black list" the originating IP address to completely prevent any and all future access from that outsider.
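As an added illustration of the application-level filtering just described (again, code written for this page rather than taken from it or from any product), the Python monitor below watches a constructed log of share logon attempts on port 139, keeps a sliding window of failures per source address, and black-lists an address after five failures within a minute; once black-listed, even a later correct password from that address is refused. The log format, field names and sample lines are invented for the example.

```python
"""Application-level watch on Windows share logons (added example, not the page's code).
The log format and the sample lines are constructed for this illustration."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Set, Tuple

# Constructed log line shape: "<date> <time> src=<ip>:<port> dst_port=139 share=<name> result=OK|FAIL"
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"src=(?P<ip>\d+\.\d+\.\d+\.\d+):\d+ dst_port=139 "
    r"share=(?P<share>\S+) result=(?P<res>OK|FAIL)$"
)

# Constructed sample: one legitimate user and one source pounding on the password
SAMPLE_LOG = """\
2003-01-21 09:00:01 src=198.51.100.7:1025 dst_port=139 share=DOCS result=OK
2003-01-21 09:00:05 src=192.0.2.99:3001 dst_port=139 share=DOCS result=FAIL
2003-01-21 09:00:06 src=192.0.2.99:3002 dst_port=139 share=DOCS result=FAIL
2003-01-21 09:00:06 src=192.0.2.99:3003 dst_port=139 share=DOCS result=FAIL
2003-01-21 09:00:07 src=192.0.2.99:3004 dst_port=139 share=DOCS result=FAIL
2003-01-21 09:00:08 src=192.0.2.99:3005 dst_port=139 share=DOCS result=FAIL
2003-01-21 09:00:09 src=192.0.2.99:3006 dst_port=139 share=DOCS result=OK
2003-01-21 09:05:00 src=198.51.100.7:1026 dst_port=139 share=DOCS result=FAIL
"""


class ShareAuthMonitor:
    def __init__(self, threshold: int = 5, window: timedelta = timedelta(seconds=60)):
        self.threshold = threshold
        self.window = window
        self.failures: Dict[str, Deque[datetime]] = defaultdict(deque)  # recent failures per source
        self.blacklist: Set[str] = set()

    def observe(self, line: str) -> str:
        """Return the decision for one log line: ok, fail, blacklisted, blocked or ignore."""
        m = LOG_RE.match(line.strip())
        if not m:
            return "ignore"
        ip = m["ip"]
        if ip in self.blacklist:
            return "blocked"          # the firewall refuses the source outright
        if m["res"] == "OK":
            return "ok"
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        recent = self.failures[ip]
        recent.append(ts)
        while recent and ts - recent[0] > self.window:   # forget failures outside the window
            recent.popleft()
        if len(recent) >= self.threshold:
            self.blacklist.add(ip)
            return "blacklisted"
        return "fail"


def run(log_text: str, threshold: int = 5) -> Tuple[List[str], Set[str]]:
    """Feed every line through one monitor; return the decisions and the resulting black list."""
    mon = ShareAuthMonitor(threshold=threshold)
    decisions = [mon.observe(line) for line in log_text.splitlines() if line.strip()]
    return decisions, mon.blacklist


if __name__ == "__main__":
    decisions, banned = run(SAMPLE_LOG)
    for line, decision in zip(SAMPLE_LOG.splitlines(), decisions):
        print(f"{decision:12s} {line}")
    print("black-listed:", sorted(banned))
```

The threshold and window are the two knobs to tune: too low and a user who mistypes a password a few times locks out an office, too high and a cracker overlapping hundreds of attempts per minute gets through more guesses before the block lands.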

I hope I've conveyed some sense for the powerful benefits and features created by firewalls. At a cost ranging from $29 to $39 USD, these personal firewalls are a terrific bargain! If you have also received the sense that this can be very tricky stuff I'd have to agree.

What can you do to protect yourself?
There is no better defense than knowledge. Acquiring the knowledge you need to defend yourself against the bad guys on the Internet will not be instantaneous, but, thanks to this web site . . . at least it's free!

So I ask you to make some time to read through the following pages. If you do, you will easily learn enough about networking to feel comfortable with the task of securing your computer and those of your friends.

Beyond the knowledge which you'll need, the exact answer to how you proceed depends upon your Internet usage patterns, your communication needs, and the level of security and privacy you require. The checklists below provide some guidelines and strategies to consider. Please read both sets of answers since your requirements may combine aspects of each.

 
If you DO NOT NEED to share files across the Internet:
Windows insecure networking can be easily neutered to immediately disable file sharing across the Internet!

The single BIGGEST security hole that exists is Windows File and Printer Sharing over your TCP/IP (Internet) connection. I've encountered many freely available scanners that specifically target "open Windows shares" and password crackers are free for the downloading.

If your Internet-connected computer is not networked to any other machines there's absolutely no need to have file and printer sharing installed and often no need to have Microsoft networking loaded, running, consuming precious RAM memory, and dramatically lowering your Internet security!


Client for Microsoft Networks — Just Say No

The "Client for Microsoft Networks" is only used when connecting your Microsoft operating system to other Microsoft operating systems. It has NOTHING to do with the Internet (which somehow manages to operate even without the help of Microsoft.) All web browsing, eMail, newsgroups — everything — will continue to work just as it did before. It was unnecessarily installed and should be immediately removed. The next page shows you how! (There are a few known exceptions to this for some — but not all — users of the @Home Internet cable modem system. This is explained on the pages that follow.)

For the vast majority of Internet users . . .

The best FREE thing you can do for your Internet security is to cut yourself loose from the Client for Microsoft Networks!


Unbinding the Client for Microsoft Networks

After you "unbind" the Client for Microsoft Networks (and its related file and printer sharing) from all of your TCP/IP-using adapters, it quietly disappears from sight and your system's security skyrockets.

You won't miss it at all, Windows will boot faster, and you'll have more memory for things you do need. And if you later decide to share your files with another computer (which is almost the only reason for Microsoft's networking) it's very easy to bring it back from the grave.

Not only does unbinding TCP/IP from the Microsoft networking components prevent your computer's files from being accessed through abuses of Microsoft's networking, but as you can see from the text in the image above, even Microsoft knows that turning this stuff off will speed up your computer! 

The next page provides detailed instructions for improving your Internet security by cutting your system loose from Microsoft's Networking for Windows 9x and NT.

 
Note that if you want to share files or printers with another machine locally, you will need to bind these two services to the non-routable NetBEUI transport protocol. The next page provides detailed instructions for doing this too. The key is to NOT have them bound to TCP/IP!

After making these changes and rebooting your machine, your files can not be accessed across the Internet through the NetBIOS file sharing system.

There is no evidence to suggest that any intruder has ever been able to use NetBIOS to remotely access files on a Windows machine that had either removed its networking components or "unbound" and disabled its file and printer sharing over TCP/IP. (And given how wily these Net hackers are, that's saying a lot!)

Beware OTHER backdoors

It is very important to note, however, that removing or disabling file sharing does not preclude the possibility of an intruder gaining access to your system through any of a number of other Internet services or systems that might be present in your computer. For example, numerous exploits have been documented of hackers entering a system through Microsoft's Personal Web Server, IRC, ICQ, telnet, web browsers, eMail readers, and anything else you can imagine! Therefore, if the security of your system is of true concern, you must act to proactively guard against intrusion. Any component within your system that touches the Internet creates a potential opening for attack.

The Master Hackers are REALLY good. I've been very impressed by what I've seen them achieve. They are arguably more talented and focussed than most of the people writing the software that's being attacked. They don't have "management" telling them to ship this stuff before it's ready and still littered with known bugs and security holes, and they love nothing more than a challenge. Therefore, the only workable strategy is for you to keep a low profile and give them as little as possible to chew on. Speaking of which . . .

Protect your privacy

Windows opens the NetBIOS file sharing ports 137-139 unless the Client for Microsoft Networks is completely removed. While it's open all passing Internet scanners will find and log its presence. And if the Networking Client is bound to the TCP/IP transport (as it is by default), Windows will be blabbing your user, computer, and workgroup names out across the Internet.

You can demonstrate all of these variations for yourself by using the Shields UP! tests and the Port Probe (see the "Evil Port Monitors" page for details). If you don't make any of these changes, any scanner can sweep past and log the fact of your existence along with your user, computer, and workgroup names! You should keep that in mind when choosing them.

It would be a good idea to avoid names like "SWISS ACCOUNTS" since any intruder who stumbled over that in his scanner logs would probably go nuts trying to break into your system!

So try to choose share names that don't sound like they're worth cracking ... like "Favorite DustBunnies" or "Freudian Quips". Those ought to be safe.

Some folks append a "$" (dollar sign) onto the end of share names to "hide" them. But this merely prevents Windows from DISPLAYING them! Those shares remain completely visible to anyone who knows how to look for them on the Internet! See the "COMPLETELY HIDE your Share names!" topic below for all the details.

What's a little firewall between friends?

The Personal Firewalls page discusses firewall technology in detail and contains my reviews of five I have looked at closely. A true personal firewall can provide extremely robust intruder protection, analysis, and monitoring of all internet activity. My favorite firewall, ZoneAlarm 2, is FREE for individual use. I think this stuff is way cool so I will be creating a feature-packed firewall of my own, see box below.

If you have no immediate need to share your files with any other computer — local or remote — the safest, cleanest, and simplest solution is the "unbinding" of Windows insecure networking client from your network. And you should ABSOLUTELY do this even if you plan to get a firewall . . . mine or someone else's.

 
My firewall will secure Windows networking, block commercial and Trojan applications from accessing the Internet (phoning home) behind your back and without your knowledge or permission, and will repair several other problems I've encountered. However, much as I'd love to do this right now, my backlog of Internet security project commitments prevents me from getting to it for a while. So, even though I (naturally) think that my solution will be the best available, PLEASE don't wait for me! If you are interested in receiving a short eMail note from me when my own firewall is ready, please be sure to join my User-Managed eMail System and select the "Internet Security" checkbox! (You'll probably also want to receive my brief monthly updates so you can stay in the loop and keep track of my other Internet security project work!)

It should be noted, however, that using a prophylactic program (like a firewall) to suppress the operation of another (like Microsoft's Networking) is not nearly as safe and sane as removing the program whose operation and behavior you wish to suppress.

 


If you MUST share files across the Internet:
If Windows File and Printer Sharing is bound to the TCP/IP protocol (and thus free to wander the Internet) because you need to share files with your office, family, or friends, you must address some serious security concerns:

Not ONLY will your user, computer, and workgroup names be public knowledge, but so will the names of ALL your shared resources. (Shields UP! can show this to you at any time.)

If your computer has a persistent connection to the Internet it will be quickly located, logged, and targeted as an opportunity for break-in by Windows share scanning intruders. The following measures will minimize your exposure:

Choose uncrackable passwords

As we've already seen, Windows file share password cracking programs are commonplace on the Net. Their especially insidious aspect is that Windows provides no indication when a cracker is pounding away at the passwords protecting your protected shares! Cracking attempts can also be "overlapped" so that hundreds of attempts can be going on simultaneously. And these password crackers succeed much more often than you might imagine. Such programs are typically based upon a dictionary of proper names and words because most people choose the names of their children, pets, or relatives as their passwords. Since these programs have all the time in the world — and since you have no idea when they're grinding away at your machine trying and failing to get in — this guessing approach usually succeeds sooner or later.

Therefore, you will want to immediately apply STRONG, cryptic, and unguessable passwords to all exposed file shares. You'll want to keep in mind that anyone trying to access your files will already know your user, machine, and workgroup names (thanks to Windows NetBIOS blabbing). Your passwords should therefore have NO relationship to any of those always visible names. Ideally they should be LONG random strings of characters. A good one might be something like: "4F3hw9Egh84d2" (But DON'T use that one since it's mine. (Just kidding)) I know it's annoying to have a password like that, but any phrase that is meaningful to you might either be in a password cracker's dictionary (see below) or be guessable by someone who knows you.
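An added example (my own, not from the page) of turning the password advice above into checks: generate a share password from a cryptographically secure random source, and flag candidates that are short, appear in a (constructed) cracker dictionary with or without a digit suffix, contain the user, computer or workgroup names that NetBIOS exposes, or draw from too few character classes. The dictionary fragment and the visible names are made up for the illustration; the entropy figure is the guessing work for a uniformly random password over the page's own letters-and-digits alphabet.

```python
"""Share-password generation and weakness checks (added example, not code from the page)."""
import math
import secrets
import string
from typing import Iterable, List, Set

ALPHABET = string.ascii_letters + string.digits   # 62 symbols, the style of the page's "4F3hw9Egh84d2"

# Constructed fragment of a cracker word list; real lists hold millions of names and words.
CRACKER_DICTIONARY: Set[str] = {
    "password", "secret", "letmein", "fluffy", "tiger", "jennifer", "michael",
}


def password_weaknesses(pw: str, visible_names: Iterable[str],
                        dictionary: Set[str] = CRACKER_DICTIONARY,
                        min_len: int = 12) -> List[str]:
    """Return the reasons a candidate share password is guessable (empty list = none found)."""
    problems: List[str] = []
    low = pw.lower()
    if len(pw) < min_len:
        problems.append(f"shorter than {min_len} characters")
    if low in dictionary:
        problems.append("in cracker dictionary")
    stripped = low.rstrip(string.digits)    # 'fluffy1' is still 'fluffy' to a cracker
    if stripped != low and stripped in dictionary:
        problems.append("dictionary word with digit suffix")
    for name in visible_names:               # names NetBIOS already hands out to any scanner
        if name and name.lower() in low:
            problems.append(f"contains visible name '{name}'")
    classes = sum(1 for cls in (string.ascii_lowercase, string.ascii_uppercase,
                                string.digits, string.punctuation)
                  if any(c in cls for c in pw))
    if classes < 3:
        problems.append("fewer than three character classes")
    return problems


def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> int:
    """Bits of guessing work for a uniformly random password of this length."""
    return round(length * math.log2(alphabet_size))


def generate_share_password(length: int = 13) -> str:
    """Draw from the OS CSPRNG; retry on the rare draw that lacks a character class."""
    while True:
        pw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if not password_weaknesses(pw, []):
            return pw


if __name__ == "__main__":
    exposed = ["BOB", "BOBSPC", "WORKGROUP"]          # constructed user/computer/workgroup names
    for candidate in ("fluffy1", "BobsPC2003!!", "4F3hw9Egh84d2"):
        print(candidate, "->", password_weaknesses(candidate, exposed) or "no weaknesses found")
    pw = generate_share_password()
    print("generated:", pw, f"({entropy_bits(len(pw))} bits)")
```

The check deliberately tests the lower-cased password against the visible names, because a cracker who has just read your computer name from a NetBIOS reply will try it in every capitalisation before reaching for a dictionary.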

ALWAYS REMEMBER that your system really IS being watched!

It's creepy but true!

Share Names can NOT be COMPLETELY HIDDEN!

You must NOT depend upon "Hidden Shares" for any sort of security! Many people falsely believe that appending a '$' (dollar sign) to the end of a share name provides useful protection by hiding its existence from external prying eyes. But in typical insecure Microsoft fashion, that's not the case at all! Although Microsoft's Windows does not show any share names that it receives from a remote computer, it continues blabbing those hidden share names at every opportunity! This means that anyone with a little bit of technology can readily see and attack those "hidden" shares!

Always watch out for backdoors!

Other means of entry into your system must be avoided. Since the presence of your computer's shared resources will be obvious to any curious cracker, this will tend to draw more attention to your system than other machines that are blabbing less about themselves. Therefore, everything I wrote about other means of entry applies to you more strongly. You need to be very careful. Remember: Many of these guys are really good!
If you MUST share files across the Internet a personal firewall is the ONLY WAY to be safe!


If you've noticed how much I enjoy providing free solutions to relatively small problems (things people shouldn't have to pay for) then you know that I don't like recommending that you spend money to fix something that shouldn't be broken in the first place. That's why I'm committed to creating a small freeware firewall to address these key problems myself. (To be notified when that's ready, be sure to join my User-Managed eMail System.)

But until I can get around to making something available for free (and that won't be happening until next year), some really good firewalls are very inexpensive at just $29 to $39 and well worth the price for the comprehensive protection and detection they provide. I have located and examined some inexpensive firewall products which I describe on the Personal Firewalls page.

But before we look at them, a serious issue needs to be addressed: The frenzy to secure our Internet connected PC's has spawned a horde of really bad pseudo-firewalls. So please don't miss my discussion of "Evil Port Monitors" which follows the next page . . .
