
NAT firewall in Time Capsule and config via AirPort Utility

I just checked the firewall on my Time Capsule via http://www.grc.com/ and it failed on the "All Service Ports" test with "Stealth" on the following ports:

135/epmap : DCE end point resolution
139/netbios-ssn : NetBIOS Session Service
445/microsoft-ds : Microsoft Directory Service
593/http-rpc-epmap : HTTP RPC Ep Map

I'm sure this isn't a major security violation, but having looked at AirPort Utility v 5.3.2 (under Advanced --> Port Mapping/IPv6) I can't see any useful options to increase the security of the firewall by blocking the above ports.

Having looked at the help page for AirPort Utility: "Customizing the IPv6 firewall" I'm confused because it refers to an "IPv6 Firewall" tab under the advanced settings in AirPort Utility that does not appear on my screen (i.e. 'Allow Teredo tunnels' etc).

Has anyone managed to set up Time Capsule so that it passes the above 'Shields Up' test? I'd be interested if they could post some instructions here.

MacBook Pro, Mac OS X (10.5.4), 2008 model w Time Capsule

Posted on Aug 2, 2008 1:55 PM

4 replies

Aug 3, 2008 8:59 AM in response to Tesserax

Hi, I don't think you read my post properly. I'm not asking for 'stealthing' support. I'm complaining about the fact that the Time Capsule fails security tests when the ports I list are probed. The report I get says:

"one or more of your system's ports actively responded to our deliberate attempts to establish a connection. It is generally possible to increase your system's security by hiding it from the probes of potentially hostile hackers."

Note that all the other ports that I've not listed passed the test (Time Capsule did not respond to probes) and I just want to configure the same behavior for these failing ports.

The report also said:

"Your system REPLIED to our Ping (ICMP Echo) requests, making it visible on the Internet. Most personal firewalls can be configured to block, drop, and ignore such ping requests in order to better hide systems from hackers. This is highly recommended since "Ping" is among the oldest and most common methods used to locate systems prior to further exploitation."

Like I said in my first post - this isn't exactly a major security violation but the firewalls I've used in the past passed all these tests (which I found rather reassuring).

Aug 3, 2008 1:56 PM in response to pja_cambridge_uk

"Hi, I don't think you read my post properly. I'm not asking for 'stealthing' support. I'm complaining about the fact that the Time Capsule fails security tests when the ports I list are probed."

It's possible that I did ... and if so, I apologize. I assumed that when you stated "... it failed on the "All Service Ports" test with "Stealth"", you were referring to the desired outcome to have the Time Capsule respond with a status of "Stealth" for all ports tested.

"Note that all the other ports that I've not listed passed the test (Time Capsule did not respond to probes) and I just want to configure the same behavior for these failing ports."

Again, if you want the Time Capsule to respond to the GRC tests with "Stealth" this may not be achievable. The AirPorts do not have an option to close individual ports or control their status when responding to tests like these that I'm aware of ... at least not natively through the AirPort Utility.

You may find the following blog an interesting read: "Just how important is it to be stealthy on the 'Net?" I offer it only as an alternate opinion to GRC's stance on the topic.

Aug 4, 2008 3:23 AM in response to Tesserax

Thank you very much for your response and for pointing me at that excellent Blog on the subject. I certainly feel you've helped my general security education here and appreciate the time you've taken to give me some more detail here.

I think you can see why consumers get confused about the importance of 'stealth', particularly when some of Apple's products support it (the SW firewall in OS X) when others do not (AirPort/Time Capsule).
