Everywhere we look we see reports and hear anecdotes that the Macintosh invasion of the enterprise is underway....
Indeed, when one travels to a technical conference, you’re far more likely to see a sea of glowing Apples staring at you than hear the familiar startup sounds of Microsoft Windows. There’s also a persistent theme in the security community that “Macs just aren’t enterprise ready.”
So where does the truth lie? Are Macs more secure than Windows boxes? Is it safe to have them on your enterprise network? In this tip, we'll offer a brief enterprise endpoint security comparison, looking at how both device types fare in several key categories, and wrap up with some advice to help you assess the risk of adding more Mac endpoints to a Windows-dominant environment.
First, in the interest of full disclosure, I have only recently admitted to myself that I am, indeed, a Mac guy. I don’t exactly know how it happened, but a few years ago I bought a first-generation iPhone, and then, all of a sudden, my household and office were overrun by Apple products. I realized recently that the only Windows box at my ready disposal is an old clunker running Vista that my kids use for homework and games. Otherwise, Windows is now, to me, a completely virtual experience found by using Boot Camp or Parallels. I’ll set these personal preferences aside as we explore Windows vs. Mac security on the network.
Let's see how Macs shape up against Windows devices in the following categories:
Network security protocols
Network security professionals rely upon a common toolkit for protecting sensitive information in transit over the network. We use VPNs to protect remote users connecting back to the home network and depend upon strong IPsec and SSL VPNs to provide rock-solid security. We also spend a lot of time focusing on the security of wireless networks and depend upon the Wi-Fi Protected Access (WPA) standard to secure those communications.
The verdict? It’s a draw. Both Macs and PCs support the basic set of network security tools needed to provide secure communications over both public and private networks. Neither platform has an advantage here, as long as you configure each to use strong encryption.
Enterprise management
The larger your enterprise, the more you probably rely upon centralized tools to manage your desktop configurations, antimalware protection, data loss prevention and other network security technologies. Windows shops typically rely upon Active Directory (AD) for many of these tasks, and there’s simply not a reliable, consistent way to take AD policies and apply them to your average OS X box.
Even third-party products meant to ease centralized device management typically fall short when it comes to Mac support. They leave administrators with the impression (probably not a false one!) that the vendors' developers focused for months or years on developing a Windows-based product and then quickly rushed out Mac support so they could say they had it. Indeed, I experienced this recently with the rollout of a popular DLP product. The PC deployment went smoothly with the assistance of Active Directory, while the Mac deployment required technicians to visit each machine individually and install the client. Not exactly a smooth experience!
The bottom line here is that PCs get the definite advantage for enterprise management. Apple hasn’t moved the ball far enough down the field to claim true enterprise support. The edge here goes to the folks in Redmond.
Server network security
Are you considering running a Mac OS X server in your environment? You might want to think again. From a network security perspective, Microsoft has simply put much more time and effort into developing a product that is enterprise-ready.
At a Black Hat 2011 presentation, researchers from iSEC Partners shared the results of a detailed side-by-side comparison of Windows and Macintosh security. In one section they compared the vulnerability of Windows Server 2008 R2 to Mac OS X 10.7 Server. The conclusion? Windows had the advantage across the board, with a shocking bottom line, according to iSEC, that “OS X networks are significantly more vulnerable to network privilege escalation. Almost every OS X Server service offers weak or broken authentication methods.”
Once again, Microsoft gets the nod in this category. In fact, I don’t know of a single enterprise that is trying to rely entirely upon Apple products. (Before you all start flaming me, I said I personally don’t know of such a case -- I’m sure you’re out there somewhere!)
So what should you do?
First, accept the fact that you most likely can’t run a pure Windows environment anymore. The combined forces of the consumerization of technology and the demand from users for Macs likely mean you’ll see Mac devices on your network in the near future, if they’re not there already.
That said, as much as the Mac lover in me hates to admit it, Apple just isn’t yet producing a product that’s ready to support in an enterprise environment on any large scale. I suspect Macs will remain in the hands of IT professionals (you’ll have to pry my MacBook out of my hands!) who can self-support their devices, and of creative types who need the unique tools available only on Macs (and have the dedicated IT support to back them up), but the crew in Cupertino still has a lot more work to do before enterprises can easily support and secure truly mixed environments.
So, in the meantime, make sure you carefully think about the network security implications of having Macs around. When you select and deploy configuration management products that contribute to your network security management, make sure Macs are represented in the use cases you consider. If you’re rolling out a VPN or wireless network, be sure you test it on a few different versions of Mac OS X before releasing it to production. The presence of Macs on our networks is inevitable, and it’s up to us to keep them secure.
About the author:
Mike Chapple, Ph.D., CISA, CISSP, is an IT security professional with the University of Notre Dame. He previously served as an information security researcher with the National Security Agency and the U.S. Air Force. Mike is a frequent contributor to SearchSecurity.com, a technical editor for Information Security magazine and the author of several information security titles, including the CISSP Prep Guide and Information Security Illuminated.