
Does Firewall do SPI? If not, what does it do?

Does Time Capsule have a firewall? Does it do SPI? What else qualifies it as a firewall? NAT isn't really much protection? Would it be better to put TC upstream of a router that has a true firewall?

Macbook, Mac OS X (10.5.5)

Posted on May 12, 2009 10:44 PM


May 16, 2009 11:09 PM in response to DesertRatR

No - they don't have SPI firewall.

But when you have NAT (Network address translation), why do you need SPI firewall? They both do the same thing.

In order for NAT to keep track of the host computers on the private network, it has to do stateful packet inspection. And it keeps track of the state of network connections, UDP and TCP. So when the response packets come back from the internet, it can route them to the correct host. When a connection is idle for a period of time, it will close it automatically.

Plus, you are most likely to get a single dynamic IP address from a large pool of random IP addresses. Every time you reset the router or modem, the address will change. No hacker will be interested in attacking this random pool of addresses.

If you are the owner of a class C block of IP addresses and are interested in hosting some web services yourself, then do consider a Cisco firewall.

May 16, 2009 11:14 PM in response to dchao99

Thank you. Exactly.

Define "firewall". Look, if you want to run ipfw or do anything fancy beyond what 99.99% of all home consumers need, then heck, by all means get or custom-build a full-blown firewall. But please don't spread misinformation that TC doesn't have what any reasonable home consumer would consider a firewall: the blocking of all incoming packets except those allowed via configuration, the same thing that every other router on the market does. (Even though, yes, Apple is notorious for not having as many bells and whistles in its configuration as other network vendors.) And yes, TC is a consumer product; it's obviously not a business enterprise-grade product, so no one in their right mind would imagine a fully configurable business-grade firewall.

May 18, 2009 7:01 AM in response to FlunkedFlank

Let me suggest that you both contact Apple and lecture their tech support staff re: firewalls, particularly why NAT alone is sufficient for home networks. While my home network is not as lucrative to thieves as is, say Apple Inc's, my data is important to me, and I want to secure it the best that I can. So I've kept my old Linksys RV042 router and set up TC behind it. Everything works fine, even though I appear to have two layers of NAT as a result. And, given the dearth of ports on the TC I can now service all of my devices. If the TC USB port functioned as advertised (Apple support is clueless there, after three phone discussions trying various things), I could use TC as a primary router / firewall with just a switch.

May 19, 2009 6:57 PM in response to DesertRatR

SPI firewalls are designed to stop Denial of Service (DoS) attacks like SYN flooding.

For most home users who are on dynamic addresses, does it matter? Nope, no hacker is going to SYN flood your little home router.

Are you going to lose data from a DoS attack? Nope! Your router might stop working, due to the large amount of SYN packets. So what, just go and power-cycle the router and modem, you will be on a different IP address, problem solved.

Before your little home router even gets bombarded by SYN packets, your ISP will intervene and reset your modem and IP address. ISPs do not like SYN flooding on their own networks either.

NAT will close all ports to the outside world, unless opened by user manually. If you really want to make sure your home network is 100% safe, just stop opening unnecessary ports.

Jun 8, 2009 5:57 PM in response to dchao99

Please take some time to research Stateful Packet Inspection (SPI).

SPI checks incoming packets to see if the packet matches a current session that is in the state table, among other things. In layman's terms, it checks to see if the return server packets were initially requested by your PC on the inside of the firewall. NAT firewalls just open an IP and port from your PC to the server, which can allow a hacker to spoof the server's IP connectivity and connect to your PC.

Google Stateful Packet Inspection for more details.

I find it appalling that Apple does not care enough about their customers' network security to add the SPI security feature to the firewall. This feature has been on home-based routers for many years and provides a substantially higher level of security. I had planned on utilizing my new Time Capsule as my core router/firewall and was shocked to learn that SPI was not available.

Jun 8, 2009 6:10 PM in response to dchao99

NAT firewalls DO NOT do SPI. Please research the differences.

NAT simply opens IP addresses and ports, it does not track any information crossing the translation.
SPI does track the session information to validate that the response was part of an existing session flow.

Hackers attack cable modems all the time. It is a great place to hack into PCs that are unaware of the threat, then turn those PCs into attack tools to create distributed denial of service (DDoS) attacks.

As far as resetting the router, you will likely obtain the same IP address during a router reset, unless there is an extended amount of time that the router is powered off. The DHCP server lease time would have to expire during the power-down interval, and the router IP address would have to be returned to the DHCP pool.

Cisco, Linksys, Linux based - there are a lot of firewalls out there. Please make sure you are using a SPI firewall on your system at a minimum.
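The two posts above describe the difference in words: a NAT mapping answers only "is this public port mapped?", while a stateful filter asks "did an inside host open this exact flow, is the reply the right one for this stage of the handshake, and is the flow still live?" The following is an added illustration of that distinction, written for this page and not taken from the thread, from Apple or from any router firmware. It models the NAT as an endpoint-independent ("full cone") mapping with no connection tracking, which is an assumption chosen to make the contrast visible; the addresses, ports, timeout and packets are constructed.

```python
# Added example (not code from the thread or from Apple): a constructed
# comparison of a NAT port mapping with no connection tracking against a
# stateful (SPI) connection table. All addresses and packets are made up.
from dataclasses import dataclass, replace
import time


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    flags: frozenset = frozenset()   # TCP flags, e.g. frozenset({"SYN"})


class FullConeNAT:
    """Assumed model: once an inside socket has sent anything, its public
    port accepts packets from ANY external host. The source is never checked."""

    def __init__(self, public_ip, first_port=40000):
        self.public_ip, self.next_port = public_ip, first_port
        self.by_public_port = {}   # public port -> (inside_ip, inside_port)
        self.by_inside = {}        # (inside_ip, inside_port) -> public port

    def outbound(self, pkt):
        inside = (pkt.src_ip, pkt.src_port)
        if inside not in self.by_inside:
            self.by_inside[inside] = self.next_port
            self.by_public_port[self.next_port] = inside
            self.next_port += 1
        return self.by_inside[inside]

    def inbound(self, pkt):
        """Untranslate the packet if its public port is mapped, else None."""
        if pkt.dst_ip != self.public_ip or pkt.dst_port not in self.by_public_port:
            return None
        ip, port = self.by_public_port[pkt.dst_port]
        return replace(pkt, dst_ip=ip, dst_port=port)


class StatefulFilter:
    """Connection tracking keyed on the full 4-tuple (inside view), with TCP
    handshake state and an idle timeout. `clock` is injectable for testing."""

    def __init__(self, idle_timeout=60.0, clock=None):
        self.table, self.idle_timeout = {}, idle_timeout
        self.clock = clock or time.monotonic

    def _lookup(self, key):
        entry = self.table.get(key)
        if entry and self.clock() - entry["last"] > self.idle_timeout:
            del self.table[key]          # idle flow: forget it
            entry = None
        return entry

    def outbound(self, pkt):
        key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        entry = self._lookup(key)
        if entry is None:
            if pkt.flags != frozenset({"SYN"}):
                return False             # a new TCP flow must start with a bare SYN
            self.table[key] = {"state": "SYN_SENT", "last": self.clock()}
            return True
        if entry["state"] == "SYN_ACK_SEEN" and "ACK" in pkt.flags:
            entry["state"] = "ESTABLISHED"
        entry["last"] = self.clock()
        return True

    def inbound(self, pkt):
        # Reverse the tuple: an inbound packet's destination is our inside host.
        key = (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
        entry = self._lookup(key)
        if entry is None:
            return False                 # nobody inside asked for this
        if entry["state"] == "SYN_SENT":
            if pkt.flags != frozenset({"SYN", "ACK"}):
                return False             # wrong reply for this handshake stage
            entry["state"] = "SYN_ACK_SEEN"
        entry["last"] = self.clock()
        return True


def run_scenario():
    """Push one flow through both models; returns (nat_accepts, spi_accepts) per step."""
    now = [1000.0]
    nat = FullConeNAT("203.0.113.5")
    spi = StatefulFilter(idle_timeout=60.0, clock=lambda: now[0])
    inside, server, attacker = "192.168.1.10", "198.51.100.20", "198.51.100.99"
    S, SA, A = frozenset({"SYN"}), frozenset({"SYN", "ACK"}), frozenset({"ACK"})

    def deliver(pkt):
        un = nat.inbound(pkt)
        return (un is not None, un is not None and spi.inbound(un))

    v = {}
    syn = Packet(inside, 50000, server, 443, S)
    pub = nat.outbound(syn)
    v["outbound_syn"] = (True, spi.outbound(syn))
    # Source address of the real server, but not the reply the handshake expects.
    v["wrong_handshake_stage"] = deliver(Packet(server, 443, nat.public_ip, pub, S))
    v["server_syn_ack"] = deliver(Packet(server, 443, nat.public_ip, pub, SA))
    # Unrelated host aims at the mapped public port.
    v["forged_source"] = deliver(Packet(attacker, 443, nat.public_ip, pub, A))
    now[0] += 120.0                      # flow goes idle past the timeout
    v["idle_expired"] = deliver(Packet(server, 443, nat.public_ip, pub, A))
    return v
```

Running `run_scenario()` shows the NAT accepting every packet addressed to the mapped port, including the one from the unrelated host, while the stateful filter accepts only the genuine SYN/ACK and drops the wrong-stage packet, the forged source, and the late packet after the idle timeout. The flag check is a simplification: a production connection tracker also validates sequence and acknowledgement numbers against the window, which is what defeats a forged packet that copies the server's address and the right flags; and most real NAT implementations do age out mappings, so the contrast in the idle case is between a mapping timer and per-flow state, not between timing out and never timing out.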
