Router security - airport extreme base unit

Discussion in 'Mac Accessories' started by maflynn, Dec 31, 2013.

  1. maflynn Moderator

    maflynn

    Staff Member

    Joined:
    May 3, 2009
    Location:
    Boston
    #1
    I have an airport extreme base unit (the 802.11n flavor) and given the lack of details in apple's airport utility, is it as secure as other routers?

    I'm thinking of maybe "upgrading", while I have a 2012 rMBP which means I won't be able to take advantage of 802.11ac speeds I'm thinking I'd like to take more control over the security of the router, MAC address filtering, logging, monitoring, etc etc.

    Any thoughts on this, Apple is great at plugging and going, but I'm thinking I may be better served with taking a more hands on approach.

    Any recommendations over which router? I'm partial to Cisco/Linksys but to be honest I'm just starting my research.
     
  2. priitv8 macrumors 68020

    Joined:
    Jan 13, 2011
    Location:
    Estonia
    #2
    WPA2 with good password should be as secure as WPA2 gets.
    If that's not enough, you can deploy Radius authentication.
     
  3. maflynn thread starter Moderator

    maflynn

    Staff Member

    Joined:
    May 3, 2009
    Location:
    Boston
    #3
    I have WPA2 already set up, but I'd like to have more hands on, i.e., view the logs to see if someone is trying to access my wifi etc, etc.
     
  4. Alrescha macrumors 68020

    Joined:
    Jan 1, 2008
    #4
    I have no reason to believe it is any less secure than other routers - I am pretty sure that it is more secure than some (it is a many to one NAT device - if you do not forward any ports, it drops all incoming connections. Hard to get more secure than that).

    Your current Airport Extreme lets you do most of this already. Not sure why you feel the need to 'upgrade' (you may want to use Airport Utility 5.6 to see all the options).

    I used to run a commercial firewall at home, with all the logging and custom rules you could ask for. In the end, the logs told me that at any given moment, someone, somewhere, was trying to attack my IP address. I switched to the same Airport Extreme you are using and stopped thinking about it.

    A.
     
  5. maflynn thread starter Moderator

    maflynn

    Staff Member

    Joined:
    May 3, 2009
    Location:
    Boston
    #5
    I'm on Mavericks, I cannot run the older airport utility :(
     
  6. robgendreau macrumors 68040

    Joined:
    Jul 13, 2008
    #6
    There are ways to run 5.6 on Mavericks, but it involves a bit of hacking. Search around.

    But that should tell you something...Apple's devices all tend toward the black box, hands off types and you may be WAY happier with something you can actually tweak, which is pretty much everything else. And you can modify not just internal settings, but also things like external antennas. Or even go to open source software, which allows all kinds of things. Apple doesn't even do logs, and sorting IP issues is a real PITA with their stuff.

    And although I agree with WPA2 it's not like you're vulnerable, but there are lots of routers that are both user-friendly, more configurable, and as reliable as Apple's. And often cheaper. Check smallnetbuilder.com
     
  7. drsox macrumors 65816

    drsox

    Joined:
    Apr 29, 2011
    Location:
    Xhystos
    #8
    Agree ! It's easy to get paranoid about all the external possibilities. Just like worrying every time crossing the road.

    One thing AEs do do that isn't best practice - they do respond to a WAN ping. There doesn't seem to be any way to turn this off. Most modern routers can turn this off.
     
  8. maflynn thread starter Moderator

    maflynn

    Staff Member

    Joined:
    May 3, 2009
    Location:
    Boston
    #9
    Thanks, I forgot about smallnetbuilders, I'm checking them out now :)
     
  9. priitv8, Jan 1, 2014
    Last edited: Jan 1, 2014

    priitv8 macrumors 68020

    Joined:
    Jan 13, 2011
    Location:
    Estonia
    #10
    You can also:
    - config AirPort to log to std syslog server. This requires APU 5.6 though
    - monitor it via std SNMP tool, eg Cacti

    And then there's this nice little app: PeakHour
     
  10. maflynn thread starter Moderator

    maflynn

    Staff Member

    Joined:
    May 3, 2009
    Location:
    Boston
    #11
    I'll check out later thanks :)

    I wouldn't qualify this as paranoia as a desire to have a more hands on approach to my infrastructure. In this day and age, I think "trusting" a company isn't the best approach. I don't distrust apple, but I think being more proactive is better.

    There's the rub, the older version had these features but apple dumbed it down. Looks like there is a way to get it to work on Mavericks as posted by the other member and I'll see if that works for me :)
     
  11. SandboxGeneral Moderator

    SandboxGeneral

    Staff Member

    Joined:
    Sep 8, 2010
    Location:
    Orbiting a G-type Main Sequence Star
    #12
    I'm still rocking a 2nd gen AEBS and its been fine for me. I have a strong WPA2 password and I don't worry about anything.

    As already mentioned and pointed out by you, I am sorely disappointed that Apple dumbed down the interface software and made it so the older software doesn't work on Mavericks. I'll be interested to hear if you can get it to work with the aforementioned tricks.
     
  12. maflynn thread starter Moderator

    maflynn

    Staff Member

    Joined:
    May 3, 2009
    Location:
    Boston
    #13
    Once I feed my kids breakfast and have some time on my laptop, I'll give it a go. :)
     
  13. priitv8 macrumors 68020

    Joined:
    Jan 13, 2011
    Location:
    Estonia
    #14
    It runs for me, on 10.9.1 using the Launcher app.
    You just have to remember, that current gen of AirPort basestations (the tower shape), can't be seen or confed by the old APU 5.x version. That's the deal.
     
  14. SandboxGeneral Moderator

    SandboxGeneral

    Staff Member

    Joined:
    Sep 8, 2010
    Location:
    Orbiting a G-type Main Sequence Star
    #15
    I just downloaded it anyway and it works great.

    No problem for me since I have a 2nd gen. But someday, I'm sure, I'll be forced to upgrade.
     
  15. priitv8 macrumors 68020

    Joined:
    Jan 13, 2011
    Location:
    Estonia
    #16
    It should be also fairly simple to get these confs (syslog and SNMP) modded in the exported router conf files. These are plaintext XML files.
    And finally reloaded back to router via the new AP utility.
     
  16. maflynn thread starter Moderator

    maflynn

    Staff Member

    Joined:
    May 3, 2009
    Location:
    Boston
    #17
    The link that Alrescha provided did the trick, I'm now running the old version and that seems to work well enough. I'll still investigate other routers as part of my due diligence but this may be enough :)
     

Share This Page