Modems and Apple Time Capsule Question

[Andrew]

Hello,

Since there appears to be so many IT and/or networking professionals on this forum I thought it a good place to ask...

I have been trying to remotely connect to my Time Capsule (TC) hanging attached to my Netgear router for some time. Long story short, including wandering around PPPoA and PPPoE I ended up finding a solution which includes replacing my Netgear DGND3300v2 with a 'pure' modem (i.e. Draytek Vigor 120) and using the Time Capsule to take care of the NAT and DHCP services, currently the router in the TC it is operating in 'Bridge' i.e. off mode.

This has left me wondering about whether the Time Capsule's firewall capabilities (e.g. NAT) are secure enough with the firewall software I have on my MAC and PC or should I invest in another firewall to place between the modem and the TC? There are equal amount of answers swinging both ways on the IT/MAC forums boards. I am a fairly standard and non-Porn user.

What does the Flyer IT crowd think?

Regards

Andrew

[Boing_737]

NAT is not a firewall, it's a mechanism for providing a publicly addressable IP address to a private network. While it hides the topology of the network behind it, the protection offered is only as good as the protection set up on the device providing the NAT service. For instance, if the box running NAT also happens to have TCP port 23 open, that could be port scanned by someone on the Internet (for instance a script kiddie...) and then they could attempt to get a login prompt using telnet (actually pretty much any TCP port open to the Internet can be connected to by telnet and people will just to see what is returned). If they get a prompt, they will attempt to login...

So, unless time machine has some kind of configurable firewall where you can restrict ports, and also IP addresses that can access it, I wouldn't open it up to the Internet in that way.

What you probably need to do is setup a VPN between your two networks so that you can access either securely from the other (Keef will be along in a minute 'cos this is what he does)

[Keef]

I don't know that particular Draytek - it sounds like a modem, to which you connect a separate router, WiFi, etc. What (if any) firewall or security capability does it have? I don't know the Time Capsule - the name sounds like something Apple would make. The Fine Manual that comes with it may reveal more about it, or I'm sure the Colonel will know.

NAT is Network Address Translation - the way the different devices on your local network see each other and the internet, without being seen from outside. There's a simple explanation here. It provides a modicum of security from hackers trying to access the devices on your network if it's set up right, but a firewall it ain't. The easy way to test it is to go to Gibson's Shields Up! and test "Common Ports". If you get anything other than all green, you have a problem. It's worth doing that test every so often anyway to make sure your system is as secure as it should be.

If you want to connect to your home network from outside, you need a VPN. That is a function of your modem and router, and needs to be done properly or you will have the Botnets in before you know it. If the Fine Manual doesn't explain it, and tell you what security it offers, then I'd be wary. I use a (now old and obsolete) Draytek Vigor 2800G which does all that stuff well. The other end was a Netgear Modem/Router, but that's gone now that we've stopped using the Norfolk hideaway. The VPN is still there, for those odd occasions I'm out and about with the laptop.

There is an alternative to a VPN: for access to another PC over the web. LogMeIn (if you choose to trust them) provide a similar service to VPN, which is a lot simpler to operate. It does away with the need for the technology of VPNs (and expensive modem/routers). It's also free for simple domestic use. It doesn't provide full access to your local network, unless you can do that from the PC you LogMeInto, but it may meet your needs.

[pb6797]

What's doing the routing at the moment? You said your Time Capsule is in "Bridge" mode and is connected to a pure modem. Which sort of implies you have bridged your internal network directly to the internet - which I doubt, unless you're very rich indeed and can afford to buy a block of global IP addresses.

Since you then mention using NAT on the time capsule (and DHCP) that implies it is routing.

Sorry to be thick, I'm confused.

You definitely want to be hiding your PC from the big wide world. Ideally you want it inside and airtight cabinet with no wires in or out.

I think the best bet is to wait for stevelup to turn up, he knows this stuff inside out, including the Apple bits ...

[Andrew]

Hello Boing_737, Keef and pb6797,

Thanks for the responses and advice so far. I think it is best to explain the current setup and the proposed set-up in a bit more detail.

Current Set-Up
ADSL/WAN is connected to the Netgear DGND3300v2 N300 Wireless Dual Band ADSL2+ Modem Router. This provides both modem, router services and also has a configurable firewall. I just profiled my MacBook Pro using ShieldsUP! and received 'all greens'. Also, connected to this Netgear router is an Apple Time Capsule which I use for backups and file storage in Bridge mode, (i.e. the router services that are offered by the Apple Time Capsule are disabled, also the Time Capsule does not have a built in modem). I use the Time Machine application on my MacBook Pro to periodically back up and also I access the file storage by simply using the Finder application in my Mac, both via WiFi, when at home so all is well.

I am trying to access file storage on the Apple Time Capsule remotely over the internet. This is a valid use case, the Apple Time Capsule offers this functionality and configuration is quite easy as long as the Apple Time Capsule has 7.6.1 firmware, you have an iCloud account and the Time Capsule is configured to provide the NAT and DHCP services. If I enable the NAT and DHCP servies on the Apple Time Capsule then I received a 'double NAT' error because the NAT service is being provided by both the Apple Time Capsule and the Netgear Modem Router. The obvious answer is to turn off the NAT in the Netgear Modem Router but the Time Capsule only offers PPPoE encapsulation and my ISP, in common with most other UK ISPs apparently, uses PPPoA. Thus I need a modem only product which is also a PPPoA to PPPoE bridge and the product that seems to be reoccurring on different Google provided threads is the Draytek Vigor 120

Proposed Set-Up
ADSL/WAN in connected to the Draytek Vigor 120 and this, true ADSL Ethernet modem only product with no firewall, connected to the Apple Time Capsule which will provide the router services and all should be well.

When it comes to the firewall like functionality that is offered by the Time Capsule, the wisdom from Apple gurus seems to be…

The TimeCapsule has a built in hardware firewall that uses NAT port configuration for local network access. Technically, that should be enough to protect your internal network from any attack via the Internet, but it's always a good idea to have your Apple OS firewall running as well. In short, there's generally no need to purchase a third party software firewall if you have a good router (i.e. the Time Capsule) between your modem and your Mac.

…other advice continues thus

Usually in the security world there is no kind of "NAT firewall"! The Time Capsule does support NAT, that means every system behind the Time Capsule will be hide NATed (sic) when accessing the Internet. In that case there is no way back from the Internet to the system... But the established connection from inside to outside could be exploited!
So you have to keep in mind that the "firewall" capability of the Time Capsule is not a really firewall.

I assume that the security flaw could be if a rouge piece of software inside my Mac establishes a connection from inside to outside and that the Apple OS firewall will protect me from that.

Thanks for the advice so far. Also, I am happy to remunerate for quality advice, not expecting something for nothing. Having been around this forum for around a decade I rather trust the faces here more than I do on the IT type forums.

Thanks again

Andrew

[Keef]

For Apple-specific kit, you need Stevelup who knows more than I'll ever suspect.

Draytek make good stuff, and if the Time Capsule and the Draytek show all-green on Shields Up, then you are in reasonable shape.

When it comes to remote access over the internet, the dangers creep in unless it's done right. Where you can get in, the hackers can (and will). The safe method is VPN, if the Time Capsule and the Draytek will do that. If they won't, I would be disinclined to open a port unless it's a very obscure one and well locked down: in that case, I'd go with LogMeIn, which will give you access to the "desktop" machine, via which you can probably access the stuff on the Time Capsule - but let Steve speak to that.

[Boing_737]

NAT is used in the security world as it enables you to hide your network topology, but it is but one link in the chain.

Also, the other confusing thing here is that you seem to described a DSL connection that has both bridged (layer 2) and PPPoA/E (layer 3) running. Unless you have two lines that's not possible as far as I know (at least on an Openreach line anyway).

VPN is by far the best and securest way I think, either connecting two networks together or having a VPN server that you can "dial in" to (some Draytek modems have this capability and there are plenty of free clients out there, OSX has one built in) or a mixture of the two....

[Andrew]

Hello Boing_737 and Keef,

I'll drop Stevelup a private message and seek his advice. Regarding the protocol Layers, this is indeed confusing. I don't really think I know what I am talking about to be honest as networking is not my specialist field. I'll do so more research and see what I can learn.

I am obliged for the comments thus far, it has made me decide to look deeper into this topic before I make any changes.

Regards

Andrew

[Peter Pan]

Blimey! I can see now why I dumped all this stuff for Logmein Hamachi. I had a VPN when I was in the Manchester and then White Waltham homes, but moved around since then so have used Logmein ever since. I have always had servers at home running 24/7 (Windows 2008 R2 x 3 and 2 x Exchange 2010), but can access these easily from any device from iPhone, ipad, MacBook and PC from anywhere in the world.

I do have a secure https connection with a certificate on my Exchange email as I host my own email but that is a different and much more complicated story
PP

[Andrew]

Hello Peter Pan,

I had a look at the LogMeIn product but it isn't immediately clear to me how I add my Apple Time Capsule so that I can access it. It easily adds my Mac Book Pro but I don't need remote access to that because I have it with me when working remotely, it is the storage on the Time Capsule I am trying to connect to.

Regards

Andrew

[Keef]

LogMeIn connects to computers, rather than to routers. Connect it to your home PC/Apple, and if that has access to the router, get your stuff that way.

[stevelup]

Hi

You've done the right thing using the Draytek modem and putting your TC into bridged mode - this won't work if you're double NATted.

Open the AirPort utility and select your Time Capsule.

Sign into iCloud on the TC. Restart the TC at this point using AirPort utility. Not sure why this is necessary, but if you don't, the tick box on the next bit is sometimes missing.

Click the Disks tab, then click the partition you want to make accessible and tick the 'Share disks over WAN' box.

It should 'just work', and doesn't leave any ports open - perfectly safe.

Steve

[Andrew]

Hello Steve,

Thank you for your input. The modem arrives later this week and I'll try it out and run 'Shield's Up!', although given your comment regarding port closure I am pretty sure it will be a clean green sweep.

Seems I am on the right track!

Regards

Andrew

[Andrew]

Keef,

A huge public thank you for introducing me to LogMeIn!

I 'look after' my parents and in-laws IT needs and am always asked to solve small problems which I tend to do over the phone which causes some challenges since hearing aids are involved and explaining to elderly folks over a narrow band PSTN with poor hearing can be frustrating for them.

Now I can log in to their PC and simply show them - bliss!

Regards

Andrew