AR Infotek's new entry into the network security appliance market is the Teak 3018, which the AR Infotek Web site bills as having “...reliable high performance that meets trusted wireless network security appliance requirements in ROBO (Remote Office, Branch Office), SOHO (Small Office, Home Office), SMB (Small/Medium Business) environments.”
That was part of the announcement that ran in all the Linux hardware rags in December '07 and January '08. A small, low-profile, hackable fanless box, the Teak 3018 looked to be a great entry into the realm of appliance hardware. It promoted itself as a solid platform with excellent capabilities, good security and an all-around solution for SOHO network security woes. We laid our grubby little paws on a pair of them and dug deep inside to answer some important questions about them:
Are they, as the press releases imply, consumer appliances, or are they something else?
Do they perform as advertised?
What other nefarious ends might they be put to by the intrepid hardware hacker?
After a lot of delving, digging, hacking and cataloging, I bring you the good, the bad, and the ugly of this unassuming-looking little brown box.
The Teak 3018 is compact, unobtrusive and looks pretty spiffy sitting on fashionable bookshelves—mostly because, unlike the rather gaudy Linksys firewalls, it stays out of the way, visually speaking. The whole thing, both in its design and implementation, is (as designed) fairly hospitable to Linux hackers. The CPU chipset and peripheral components are all well supported by the kernel, but just in case you're installing a distro that doesn't have the right drivers, it includes the source for the kernel modules and device drivers on the included SDK CD-ROM.
Under the hood, the Teak is a low-power x86 system. Specifically, it's a 500MHz AMD Geode LX-800 processor with the CS5536 companion device, equipped with 128–512MB of DDR RAM (128MB standard) soldered onto the motherboard. It sports a CompactFlash socket and a 2.5" hard drive bay with an Ultra DMA 66/100 IDE controller for your internal storage needs, as well as two OHCI-compliant USB 2.0 ports. A serial COM port gives auxiliary access for those wishing to hook up extra peripherals, such as a Linux console or a home automation device, while four 10/100Mbps auto-switching Ethernet ports—two of which have a hardware bridge that keeps your network signals traveling through the box in case of power failure—and a pair of Wi-Fi aerials hooked up to an Atheros 5004X SuperAG 802.11a/b/g chipset-based Wi-Fi module round out the feature set. Further icing on the cake is a watchdog timer, which can cause the system to reboot automatically if the software crashes.
The box the Teak sits in is sturdily built. Everything is securely bolted down. The top slides off easily after you remove just four screws, and the quality of the external design is a cut above—not only is it unobtrusive as previously mentioned, it also has a reset switch on the front, rather than hidden around back as is common on most SOHO network appliances. A front panel mounted set of four system status lights, and a pair of status lights located by each Ethernet port, let you verify the operation of your system as well. The power supply—external, to help maintain the fanlessness and keep the case quiet—has all the proper international safety certifications and provides very clean power from a wide range of power sources.
Of course, with a setup like that in an easily accessible box, you can build pretty much anything you like. AR Infotek's marketing and press releases for the 3018 pitch it as a network security appliance, but with that kind of open hardware sitting under the hood, you can make it sit up and do tricks with a little bit of work. Still, what review would be complete without a good look at whether the machine can do what it says it's supposed to be able to do?
The manual suggests a number of uses for the box, most of which are actually doable.
Table 1. Uses for the Teak
Purpose | Suitable? | Comments |
---|---|---|
Router | Possibly as a subnet router | Too few ports to be really useful as a general-purpose router. |
Gateway | Yes | |
Access pointers | Uncertain | It's hard to tell from the documentation what is meant by “access pointers”. |
VPN endpoint | Yes | Hardware AES encryption is a plus. |
Firewall | Yes | |
Antivirus filter | Yes | |
Antispam filter | Yes | |
Intrusion detection system | Yes | |
Content filtering | Yes | |
Bandwidth management device | Yes |
The hardware itself meets all the trusted wireless network security appliance requirements for ROBO, SOHO and SMB environments, with the AES encryption standard supported in hardware.
There are a few other interesting little tricks up the Teak's sleeve. The system is built on a commodity motherboard, which means it not only runs a standard Phoenix BIOS, but it also has a sound chip and, because it's an AMD chipset with an ATI graphics package, a video capture chip. Although the pinouts for the video capture hardware and the sound hardware aren't documented in the manual, they may be among the undocumented functions of J12. This isn't the kind of board that can easily be hacked up by a hardware hacker with a soldering iron—multilayer boards with flat packs aren't really designed for that sort of thing. If the interface pins were brought out onto pads or connectors, that'd be another thing entirely, but as it stands, some of the more interesting functions of the Geode chipset are inaccessible.
So, is the Teak a “network security appliance” suitable for small-/medium-sized business, small office/home office and remote office/branch office applications?
Unfortunately, that brings us to the bad part of the review.
To put it bluntly, the Teak 3018 isn't as advertised. The BIOS is its only firmware. No operating system, firewall, routing software or anything else that would qualify it as a “Network Security Appliance” comes with the box. The real story is that the 3018 is simply a general-purpose platform that can be made into pretty much anything your geeky heart desires. Be that as it may, it isn't anything out of the package but a bare-bones system. It's not a network security “appliance” as delivered. It's a system designed for OEMs to build into network security appliances.
As an OEM system, the Teak provides a good solid hardware platform, but it's not without a few serious flaws. There are two basic classes of beefs I have with the thing: hardware problems and documentation issues.
Although the selection of the hardware that goes into the Teak is deliberately Linux-friendly, the way the hardware is put together isn't particularly impressive. To begin with, in both of the systems we received, the wireless antenna wires were routed through the cooling fins on the CPU heat sink—not an auspicious way to string a thin-gauge coax, to say the least. Sharp bends over sharp edges not only abrade the insulation, they also mess with the impedance of the cable, which can cause RF signal loss and other nasty problems.
The internal layout problems don't stop there. The wireless chipset isn't on the motherboard, but is instead plugged in via a MiniPCI wireless card, which sits on a riser card floating above the motherboard. This would be a fine arrangement if the card didn't sit directly above the CompactFlash card slot and cover it so completely that it's not possible to load or unload a CF card without pulling out the wireless apparatus. If you're wanting to use a hard drive instead of a CF card, you're still going to run into some trouble. The system includes a handy drive-mounting cage that will hold your 2.5" IDE drive almost exactly the right distance from the controller port for the included hard drive cable to reach. “Almost” is the keyword here. The supplied flat cable had been crimped into a rough cylinder by a pair of tie-wraps, leaving no slack in the cable and putting excess stress on both connectors. This isn't a good idea, as it introduces unnecessary failure points in the cable and connectors.
The unit also includes an XVGA port that isn't routed to the outside of the box, which is itself a fairly defensible decision in something intended to be a network appliance. However, there is no pre-scored punch-out for those who wish to add a video connection permanently to their product, perhaps as a real-time network status display. Note that only one XVGA cable and one SDK CD-ROM were supplied for the two units. This is most likely because this is an OEM product, and an OEM will usually need only one of each as samples and then duplicate them as needed for production.
Particularly vital to a piece of OEM hardware is good documentation. Here again, the Teak falls down. There is no hard-copy documentation, only a CD-ROM full of text files and PDFs (with no PDF reader included).
The CD-ROM contains a slew of documentation for a wide range of models and is not particularly well organized. What's worse, it doesn't actually include some of the most important pieces of documentation on, for example, the motherboard, which you're left to find yourself on-line. Worse yet is that the documentation supplied for the Geode chipset is the preliminary set. The current documentation on the AMD Web site is at revision 2, and there are some significant changes from the preliminary docs. The CD-ROM itself doesn't have a README file, and the package the Teak comes in doesn't have a packing list, so there's no way to be sure that you've gotten everything you're supposed to unless, for example, you bought two or more of them. As an OEM company, that's not a problem, because it's something that's generally covered in the purchase order when the contract is negotiated, but if you're ordering a single box to hack for your own personal project, you're going to have a hard time figuring out whether you got everything you were supposed to. See the sidebar for a packing list I built based on the two boxes I got for this review.
Unfortunately, the documentation's troubles don't end there.
The block diagram—essential for proper software and embedded system design—is scanned at a very low resolution. Hard to read on the included PDF, it becomes marginally legible when printed out. The block diagram itself is incomplete—the Wi-Fi module isn't included on the generic block diagram, not to mention there's no indication that it's plugged in to the MiniPCI slot. Neither the block diagram, nor the other documentation, indicates the type of Wi-Fi card—we identified it by looking at the labels on the chipset and finding the manufacturer details on the FCC Web site.
There's also the curious matter of J12, a set of pin connectors on the motherboard that do something—what, you may ask? We haven't the foggiest idea. It may be for the video capture hardware, or it may be for the sound chip, or something else. There's no way to tell—it's not in the documentation, and it's not silk screened on the motherboard.
Information on the BIOS—including any place to download updates—is also curiously absent from the documentation. Meanwhile, on the CD-ROM, they do supply an audio driver compatible with the onboard audio chipset, while the location of the pins for accessing and wiring up the speaker/microphone/line-in ports to the audio hardware is curiously absent from all documentation. This is understandable, as this is a network security appliance, not a general-purpose box.
The specs for the box mention a BIOS ROM upgrade utility, but there's no sign of it on the SDK CD-ROM. And then, there's the GeodeROM documentation. AMD doesn't make the GeodeROM available, so why's it there? Checking the AMD Web site, we found out that the GeodeROM documentation is supplied because it contains useful hints on how to make the best use of the chipset.
The two boxes we got had an external label problem as well. The first box was labeled NSM-3018-1, while the second box had a label showing NSM-3018-7. We suspect this is a printer's error on the second label, but there's no way to be sure with what we were provided.
The ugly truth of the matter is that the AR Infotek Teak 3018 doesn't know very well what it's trying to be. The marketing literature makes it look like it's designed to compete with the sort of firewall/switch appliances that you get at your local computer shop, when in fact it's an OEM device that is incomplete without a lot of tinkering. Presumably, it was designed to sell in large quantities to OEMs and VARs who will then install the appropriate add-ons to make it sing right out of the retail packaging, but if this is the case, the folks over at AR Infotek need to do a lot more work on improving their documentation and organizing it in a way that's intelligible. It also could use some basic niceties like a packing list, a price guide, environmental specs and a readable block diagram.
On the other hand, it's a hardware platform that's well suited to hackers—particularly hackers willing to do their own legwork and not rely on their hardware vendor to tell them what it is they're actually buying. The possibility of teasing audio and video capture functionality out of a network appliance is interesting as well, raising the prospect of constructing low-end PVR for capturing content destined for one's iPod rather than one's TV. The careful selection of Linux-friendly hardware throughout and the inclusion of driver sources on the CD is another point in its favor for the hobbyist. We'd give it a B+ as an OEM product for network security, mostly for its inadequate documentation.