Ruahrc

Time Capsule- no SPI firewall!?


I'm planning to get a new Mac soon as my old PBG4 is getting to be too slow for what I need. Anyways, I was thinking maybe at the same time I would pick up a Time Capsule. I recently started playing with Time Machine using a FW800 external drive to back up my PBG4 (I used to use Synk to do a full system backup prior to this) and like its transparentness. I still do Synk backups of selected folders (i.e. documents, music, etc) for an added layer of security.

 

Anyways, the thing that really surprises me is that Time Capsule (and the Airport Extreme actually) lack 2 of the most basic features found on even the cheapest routers...

 

1) no SPI firewall

2) lack of web browser interface

 

The SPI firewall concerns me because I feel that for what is supposed to be a high quality, feature-packed base station, the lack of SPI firewall is surprising. Especially when my $30 Netgear router has one? "OS X is secure enough" you may say, and it may be true, but again why skimp on such a basic function? And also I have a Windows XP SP3 PC on the network as well. I don't run antivirus or other garbage like that on it because I only use it for very light browsing and figure the hardware firewall plus the Windows firewall are protecting me. I've been using Windows XP for years and have never had a problem.

 

The lack of a web-based browser interface may not be as bad, but certainly makes it more difficult to manage the Airport Express from the Windows PC that is on my network. Why force me to use my Mac and its software utility to manage the router when again even the cheapest piece of junk router has web browser based configuration? Doesn't make sense if you ask me.

 

Anyhow, I'm asking if you think either of these is a big enough deal to worry about. Remember, I will have 1-2 Macs and 1 Windows XP computer on the network.

 

Having the TC seems like a nice clean way to get backup for my proposed new Mac, but these 2 issues (particularly the subpar firewall) seem almost like a deal-breaker.

 

Ruahrc


Of the two, I would think that the lack of a web-based interface would be more of an issue. I'm not a real network expert but I always thought that the reason a router acts as a hardware firewall is a function of the routing process (attackers would see the router as a "computer" and try to attack that as opposed to your computer). Again I may be totally off base here.

 

I think the main thing that needs to be considered here though is just who the Time Capsule and Airport Extreme are designed for. I wouldn't think, given the attitude of most Windows users, that there would be much of a market for selling these devices to people who use Windows and "PC's" only. Therefore I would also think that since the main market is for Mac users (even those using Bootcamp will still have OS X on their system for administrating the router) it would be a bit redundant to provide a web interface when it can easily be done through the OS X interface.

 

In any event, in your case I would suggest using a "generic" router ... Macs will play better with the PC world than the other way around IMO and since one of your networked computers is on Windows (and XP) I think that is your "weak link" and therefore you would be better tailoring your security and network to it.


You may be right about the routing, but I think having a hardware firewall in the router adds additional protection. I only complain about Time Capsule's lack of SPI firewall because it can be found on other brand routers, even the low cost ones. In fact I don't think I can find a router that includes a firewall and doesn't do SPI.

 

Your point on the interface is well taken, but I still don't see where the OS interface is any better than just implementing a web interface instead. There don't seem to be any distinct advantages to using a program (faster operation, maybe?), whereas there are clear advantages to using a web based setup (platform independence). I can't configure the TC from my iPod Touch, but I can configure my current Netgear router with it.

 

Ultimately you may be right. The TC may just not fit my needs. It's just frustrating when Apple makes great strides with products like these, then stumbles on the last few steps with bonehead decisions like no SPI firewall. Especially when I have yet to read a legitimate justification or explanation for doing so. Clearly, charging people more for premium products with premium features doesn't bother Apple, so why leave off almost universally common features? Another example is laptop screen resolution. IMO there are enough users out there who want a higher res 15" MBP that adding a cost-extra option for one should be available. Every other major notebook manufacturer does it, why not Apple? I think they said once that their users did not want the screen elements to be too small. We also didn't want mice with more than one button either I suppose.

 

Ruahrc


I think you are missing my point. According to people like Leo Laporte and Steve Gibson (TWiT network and specifically the Security Now Podcast) a router IS a hardware firewall. According to them and other experts, the mere process of routing by definition makes it a firewall. They have repeatedly mentioned that you do not need to buy special routers that have additional features ... any router will work as a firewall. If that is what Apple was thinking I could hardly call not including SPI a "boneheaded decision".

 

On the interface issue, it's not a matter of advantage, just a matter of design. If you are a Mac only user the only limitation is what you pointed out ... you cannot configure that router from the iPod touch, maybe an issue that Apple just didn't consider. Yes that makes it less convenient for people with "mixed" networks, but as I said earlier, I would think most of them will use other routers (which the Macs play with quite well). For better or worse, Apple products are simply designed for use on Macs.

 

You sound like someone who has had issues with Apple for some time. There's no problem with that, we all have our preferences, but if Apple products don't meet your needs and there are others out there that do, that's what you need to use. Case in point your opinion about the one button mouse. There are many longtime Mac users that had no issue with that design - in fact I would submit that most people that did have a problem with it came from the Windows world and thus were trying to make Macs more similar to other computers (I myself was one of those people BTW). Ultimately all companies are driven by demand. Sometimes companies are wrong in their estimation of what people want but if there was really enough demand in a certain market for a certain feature it will eventually be released (as was the "Mighty" two button mouse).

Edited by Dolphbucs


Simply having the router in place is a big part of the security - but SPI also helps prevent other types of attacks that a router alone won't. And I don't think that anybody can successfully argue that adding an SPI firewall will not make the system more secure. Considering that SPI-capable routers can be had easily for under $40, it's clearly not an expensive item or feature to be adding into the feature set either. Heck, Apple could put one in and then charge more premium for it!

 

By design perhaps, but from a software engineering point of view, it's a poor design. Why depend on local copies of software when it can be implemented in a server-style solution? Apple clearly buys into this philosophy big time with major portions of their OS, putting a lot of effort into common frameworks for things like Core Audio or Grand Central - why make every software have their own copy of this code when it can be implemented in a central location? The same logic can be extended to configuring the router - why have every computer keep a local copy of the configurator, when it can be made to run centrally from the router? It's just a more efficient, more elegant design - something that Apple typically likes to do also. Besides, if the Airport was designed to run only with Macs, why did they go through the effort to produce a Windows version of the Airport configuration software?

 

I suspect the likely reason is that way back when the first Airport router was released, web-based configuration of the routers was not the norm. So they went with the software utility solution, and as new models came out and were upgraded, they didn't want to "rock the boat" too much by switching it up. So they stick with their old standard, until I suppose eventually demand will dictate that they update their paradigm, and they will move to a new design. I guess I just hope it happens sooner rather than later.

 

I do have some issues with Apple, as no company or product I have seen so far is perfect. I will still buy a new Apple computer to replace my current one, but the more I think about it the less I think I am inclined to get the TC.

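The NAT-versus-SPI distinction argued in this thread, as an added example that is not part of any post: a toy Python model that replays one constructed traffic sequence through a NAT-only router and a stateful one. It assumes a NAT with endpoint-independent filtering and no mapping timeout, uses documentation-range addresses, and does not describe how the Time Capsule or any particular product behaves.

```python
from dataclasses import dataclass, field
WAN_IP = "192.0.2.1"  # constructed public address of the router

@dataclass(frozen=True)
class Packet:
    src: tuple   # (ip, port)
    dst: tuple   # (ip, port)
    flags: str   # TCP flags: "S", "SA", "A", "R"

@dataclass
class NatOnly:
    """Toy NAT with endpoint-independent filtering (an assumption)."""
    mappings: dict = field(default_factory=dict)  # wan_port -> LAN endpoint
    def outbound(self, pkt, wan_port):
        self.mappings[wan_port] = pkt.src
    def inbound(self, pkt):
        # Forward anything addressed to a mapped port, whoever sent it.
        return pkt.dst[1] in self.mappings

@dataclass
class Spi(NatOnly):
    """Same NAT plus connection state keyed on the remote endpoint."""
    state: dict = field(default_factory=dict)  # (wan_port, remote) -> TCP state
    def outbound(self, pkt, wan_port):
        super().outbound(pkt, wan_port)
        if pkt.flags == "S":
            self.state[(wan_port, pkt.dst)] = "SYN_SENT"
        elif pkt.flags == "R":
            self.state.pop((wan_port, pkt.dst), None)
    def inbound(self, pkt):
        key = (pkt.dst[1], pkt.src)
        st = self.state.get(key)
        if st == "SYN_SENT" and pkt.flags == "SA":
            self.state[key] = "ESTABLISHED"
            return True
        return st == "ESTABLISHED" and "S" not in pkt.flags

def replay(router):
    lan, web = ("192.168.1.10", 50000), ("203.0.113.5", 80)
    other, wan = ("198.51.100.7", 4444), (WAN_IP, 40000)
    router.outbound(Packet(lan, web, "S"), wan[1])
    verdicts = [router.inbound(Packet(web, wan, "SA")),    # reply to our SYN
                router.inbound(Packet(other, wan, "S")),   # unsolicited, mapped port
                router.inbound(Packet(other, (WAN_IP, 40001), "S"))]  # unmapped port
    router.outbound(Packet(lan, web, "R"), wan[1])         # LAN host resets the flow
    verdicts.append(router.inbound(Packet(web, wan, "A"))) # late packet, closed flow
    return verdicts

if __name__ == "__main__":
    print("NAT only:", replay(NatOnly()))
    print("SPI     :", replay(Spi()))
```

Both models drop traffic to a port with no mapping; they differ on the unsolicited packet to a mapped port and on the late packet after the flow was reset, which only the stateful model drops.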
