Slashdot Mirror


Firewall On A PCI card

robags writes: "The people at Merilus have grabbed a PCI card, embedded Linux, added some Ethernet ports and come up with the FireCard. The OS on the host system can crash out, without affecting your firewall. 'Once installed, the FireCard provides firewalling, routing, bandwidth management, virtual private networking, redundant failover, intrusion detection and much more.'" This sounds like a smart product, especially for telecommuters; I sure hope it's not a pointless hoax or vaporware.

137 comments

  1. SBC thoughts by lythander · · Score: 4

    Since this seems to be a single board computer without a disk, couldn't one plug a bunch of these into a passive backplane to create a pile of independent firewalls (not very useful for the home user, but useful for those in the ISP business)? These backplanes would also eliminate the concern over power dependency. Along these lines, the home user could grab a 2 or 3 slot backplane and a power supply and have a pc-power-independent solution.

    Along these lines, can one take an SBC and plug it into an ISA or PCI slot on a regular MB to power a second PC from the first, in the same case?

    1. Re:SBC thoughts by drinkypoo · · Score: 1
      Along these lines, can one take an SBC and plug it into an ISA or PCI slot on a regular MB to power a second PC from the first, in the same case?

      No. SBCs are inserted into passive backplanes, from which they only get power (if that), and they drive the bus signals on it. If you put a SBC into a PC, your SBC and your PC's chipset will both be trying to control the bus, and they will both fail miserably, possibly (probably) with circuit-burning results.

      If these devices ONLY got power from the bus, and NOTHING else (IE, they had a serial port for control or something) then you could stick a whole bunch of them on a passive backplane, let them get power from the bus, and have a large number of separate firewalls in a box, which would be handy for a colocation service.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    2. Re:SBC thoughts by QuantumG · · Score: 2

      hmm.. last time I checked there wasn't that many pci slots in my pc, and ain't there some major IRQ sharing sux arse type reasons that this would be worthless?

      --
      How we know is more important than what we know.
    3. Re:SBC thoughts by hrieke · · Score: 2

      The difference is in case of a server / backplane daughterboard. You've seen the PC cases that have twenty slots for cards? (Go look at pricewatch if not!), well, what was suggested is an excellent idea. As far as IRQs and the like, the PDF gives no details, but I'd suspect that the cards could do one of three things: Doesn't need the IRQ, shares an IRQ[1], or requires an IRQ. If the first two then any number of cards can be used (limited by space), the third would be braindead for large operations.
      [1] Terratec had an ISA soundcard which would share the IRQ between soundcards, so you could have as many as eight of these in your machine.

      --
      III.IIVIVIXIIVIVIIIVVIIIIXVIIIXIIIIIIIIVIIIIVVIIIV IIVIIIIIIVIII...
    4. Re:SBC thoughts by Fred+Ferrigno · · Score: 1

      I'm not trying to argue with you, but if the firewall can survive a soft-reboot, wouldn't that mean all it needs is power? IE, you can use it as a NIC, but you don't have to; and the card just thinks the system is in a perpetual process of rebooting.

    5. Re:SBC thoughts by Fred+Ferrigno · · Score: 1

      As far as I can tell, it doesn't need the PCI backbone at all, just the power.. so screw IRQs, just hook it up to a phony PCI port that has nothing but power.

    6. Re:SBC thoughts by lizrd · · Score: 2

      That's not what I got out of it at all. Since this card also serves as a NIC for the host system I assume that it will require at least one IRQ and a base address. However, this may also mean that you have freed up an IRQ and base address by not having a stand alone NIC inside the machine.

      --
      I don't want free as in beer. I just want free beer.
  2. Hoax? Well, the domain is not old... by Rostis · · Score: 1

    Domain Name: MERILUS.COM

    Created on..............: Fri, Sep 01, 2000
    Expires on..............: Sun, Sep 01, 2002
    Record last updated on..: Tue, Sep 05, 2000

    And the company started 1997?

    Well at least they did a lot of work on the website :)

    1. Re:Hoax? Well, the domain is not old... by Rostis · · Score: 1

      Looks like the company name changed not long ago though, so I can be wrong :)

    2. Re:Hoax? Well, the domain is not old... by Kerry+Marie · · Score: 1

      It's real goddamn it. It's an older company normally based on www.netmaster.com.

    3. Re:Hoax? Well, the domain is not old... by Rostis · · Score: 1


      That's what I just said, in a mental note to myself :)

    4. Re:Hoax? Well, the domain is not old... by stu72 · · Score: 3
      Naw, it's real:

      They just got bought by Golden Soil.

      And here's a press release or two from no less an authority than yahoo re: "embedded security devices" and transmeta.

  3. Pretty Good Idea by Christopher+B.+Brown · · Score: 2
    I've "bent the ears" of a couple of cable modem service providers at conventions with the idle thought that it would be a slick idea to hook up some form of "embedded firewall" box to the cable modem.

    The issue is that when you connect to a cable modem, you immediately have a perhaps-24x7 connection that someone can attack. Hooking up a Windows box to this is nigh unto suicidal.

    The thought I had had was to have a little "shoebox" system; no screen; only two Ethernet ports, one to go towards the outside world, and one to provide services "inside."

    The "FireCard" is a quite clever idea; it cuts down on the requirements by one Ethernet port by itself replacing the usual Ethernet card that gets put in the PC.

    With luck, they have some scheme for remote management whereby it knows just enough SSL (or some other cryptographic protocol) that it can be possible for folks at the ISP to log into it to help out if there are problems.

    This isn't a "B1 System" for people who thought Multics wasn't tough enough to crack; it's a "C1 system" for the people running "D1 secure" PCs...

    --
    If you're not part of the solution, you're part of the precipitate.
    1. Re:Pretty Good Idea by JoelClark · · Score: 1

      Wrong....this card does NOT interface with the OS, so therefore cannot be used as an ethernet card. It seems they have gotten rid of the flashy plastic cases and are only using the PCI bus for power.

      It *would* have been quite clever...

  4. *sigh* ANOTHER Conspiracy? Suuure. by CyberKnet · · Score: 1

    Quit being a damned karma whore. Why the hell would Andover own shares in Merilus? And despite the fact they posted it twice, two separate users submitted the story. Get a goddamned life and stop worrying that the FBI is really only after YOUR computer.

    --
    Video meliora proboque deteriora sequor - Ovidius
  5. more rumors by montjoy0 · · Score: 1
    I have inside info. that Secure Computing (maker of the sidewinder firewall) is working on the same thing with 3com.

    "Product details are not being provided at this time but the companies confirmed that products resulting from their cooperation would be announced in the first half of 2001. "

    The Press release

  6. 20-40 hours?? by sbjornda · · Score: 1
    Um, 20-40 hours to build a solid firewall?

    I just helped an acquaintance build one from an old 486 and two new, cheap ISA Ethernet cards using the EigerStein beta2 Linux Router Project-based floppy. Hardware & software took 2 hours, and I was showing him how all the way. Of course, it was the 3rd one I had done, but I'm also no Linux expert so I suspect most of the readership here would have no trouble matching my 2 hours.

    The down side is the cost of electricity for keeping this PC running (but no hard drive, so that saves a bit). I think the firewall-on-a-pci card has a decent market niche, for those who don't want to spend the electricity, take up the space, or put up with the noise of a separate firewall box. But if you have a 486 kicking around, the LRP makes a very nice firewall option.

    1. Re:20-40 hours?? by sbjornda · · Score: 1
      My html is really rusty. Here's the link to the EigerStein LRP implementation:

      http://lrp.steinkuehler.net/DiskImages/Eiger/EigerStein2BETA.htm

    2. Re:20-40 hours?? by Delphis · · Score: 2

      You're right.. it is rusty :) .. NP.

      Corrected EigerStein LRP link here

      --
      Delphis
  7. Re:Even if it is probably a hoax/vaporware... by WickedDyno · · Score: 1

    There have been PCs on PCI cards before. For example, http://home.netscape.com?cp=wn6/ I don't think they make them anymore, though.

  8. Re:Even if it is probably a hoax/vaporware... by WickedDyno · · Score: 1

    Whoops, wrong URL. http://www.orangemicro.com/opc660.html is what I meant to paste.

  9. I'll tell you if it's a hoax or not... by PsychoKiller · · Score: 3

    since I'm going to a presentation on the Merilus card at my local Linux user's group on Monday.

    www.vanlug.bc.ca

    I'll keep you all updated :)

  10. Re:What about re-boots. by itarget · · Score: 3

    The PCI slots only lose power on a power cycle (or maybe a hard reset on older power supplies). With this thing being completely self-contained it will continue to function during normal reboots, resets (on ATX power) or even total OS failure.

    Though it does beg the question of why it couldn't just be a separate device... space, maybe? With those 3 ports it can perform the duties of a 4-port hub with less hardware and cabling.
    ---
    Where can the word be found, where can the word resound? Not here, there is not enough silence.

    --

    "Where shall the word be found, where will the word resound? Not here, there is not enough silence." -T.S. Eliot
  11. Agreed by s390 · · Score: 1

    Saw this yesterday, linked at "UserFriendly." It rocks!

    Lots of small businesses and home LANs (2 - 25 PCs, with T1/Cable/xDSL) need something like this. GUI for configuration, no maintenance (read, Staff), good security. If I didn't already have a strong software firewall (Injoy), I'd order one today. I'm going to recommend this to a friend who needs a minimal broadband firewall server.

  12. Deja vu by Anonymous Coward · · Score: 3

    Dave Chalk? "Yes Dave, but wait... there is more. If you buy our Firecard before the end of the /. effect you'll get a screwdriver for free so you can easily screw it into your computer. Please allow 28 days for delivery, and remember... If your network somehow does get totally r00ted and fucked beyond repair you can use our money back guarantee. Yes Dave, that's right... If you get h4x0r3d within the first 6 weeks of your purchase we will refund you the entire amount spent on our card and what's more... You can keep the card for free as a token of our good faith!" Now where did I hear that before?

  13. Re:THIS IS THE NEWS by shippo · · Score: 2
    Would whoever posted this crap (Steve Coogan is *NOT* funny. REPEAT. Steve Coogan is not funny), please go outside more often. It's also an offence under the copyrights and patents act to post this, but today's freeloader society doesn't care about that, do they?

    And whoever moderated this up should have all moderator rights removed completely.

  14. Uses Transmeta Crusoe by wolruf · · Score: 1
    Interesting:

    http://merilus.com/firecard/entspecs.shtml

    --
    wolruf@gmail.com
  15. Who cares about practicality - look at the size! by fatphil · · Score: 2

    I took the lid off my Livingstone firewall, 90% air. I took the lid off my 2501, 90% air. Why do Cisco/Lucent/etc. think that comms equipment has to be big to be any good? It's just like the old shitty Amstrad hifis of yonder. 90% Air.
    OK, the 'housed inside one computer' aspect may not be brilliant, but the simple fact that they've proven that this kind of technology can be miniaturised. Shame on the big companies for lagging.

    FP

    --
    Also FatPhil on SoylentNews, id 863
  16. 595.00 dollars!!! yikes by geekoid · · Score: 1

    After some research, it turns out that the cost for one of these is 595.00 USD for the SOHO and 1195.00 USD for the enterprise. And you have to install software on the pc.

    --
    The Kruger Dunning explains most post on /. http://en.wikipedia.org/wiki/Dunning%E2%80%93Kruger_effect
  17. Re:But why? by dchamp · · Score: 2

    If it takes you 20 to 40 hours to set up a linux firewall box, you have a serious problem. As far as a simple LRP box goes, I can set one up in 30 minutes. Try coyote LRP at http://www.coyotelinux.com, download the free Linux version, run the makefloppy.sh script, and you're ready to go.

  18. Re:But why? by drinkypoo · · Score: 1
    You're a good friend and you want to help him out. You have a few choices:

    The important one you missed is that they can get a linksys (or similar) firewall box, and plug it in. If the other side supports DHCP, they don't need to do ANY configuration to get up and running. At all. If not, they have to set an IP, netmask, and default route.

    --
    "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
  19. Effnet has a more mature product already by Anonymous Coward · · Score: 1

    effnet (www.effnet.com) has been making the
    ROC (router on a card) for long time now

    does andover own shares in Merilus, or what?

  20. Well its also a local net card by rjnerd · · Score: 1

    The board is also joe user's ethernet card, which they would also have to buy along with the separate box.

    If they price it "correctly" it should be somewhere between the price of a plain old ethernet card, and the separate box.

    For those that haven't designed consumer electronics before, the case and any switches are the most expensive part of the thing, usually about half the total budget. So by being a parasite off another box, you can save significant amounts of money. And as bad as they are, a PC power supply is going to be a whole lot more reliable than the typical wall wart that powers the tiny boxes.

    As to "when they reboot", as long as they don't actually power cycle the machine, the card should be fine. Only the host ethernet part has to notice that RESET got asserted. The part doing actual routing (which only depends on the box for a couple of watts of power) won't care that someone applied the defibrillator. I am sure the configuration parameters are in some form of non-volatile RAM.

    I agree that a good place for this is inside the DSL or cable box. (the cable boxes already have most of it, as they include packet filtering, to deter the amateur packet sniffers).

    For that matter, why duplicate so much hardware and software? Perhaps there is a niche for ISP's that provide firewall service. If I wasn't running a server, or didn't have the skills to do it myself, I would pay an extra buck a month to have someone full time looking after a best-available-technology-with-current-patches firewall on the other side of the DSLAM from my wire. While they are at it, a realtime blackhole spam filter would also be nice.

    -dp-

    Junkyard Wars Marathon Nov 24th TLC noon->3AM.
    MIT Sneak Preview Nov 20. Email for invitation.

    --
    Organizer:New England Rubbish Deconstruction Society;The NERDS,first US team in the UK Scrapheap Challenge/Junkyard Wars
  21. Site down? by PhallicAvenger · · Score: 1

    I couldn't follow the link, either my routing table is f-d up, or the site is down. /.ed already?

    1. Re:Site down? by kwj8fty1 · · Score: 1

      nope; they are simply showing how effective the card can be in conjunction with a web server.

  22. What about re-boots. by giberti · · Score: 2
    Doesn't the PCI lose power on a re-boot? And might it not just be simpler to keep this as a separate device?

    Have to give them credit, the red board looks cool!

    --

    AF-Design, web development.
    1. Re:What about re-boots. by sacremon · · Score: 2

      PCI 2.2 compliant motherboards supply standby 3.3V to all PCI slots (and memory and PS2 ports), even when turned off. You have to unplug the machine in order to totally remove power from the system. My Tyan S1837DUANG-L is one of these boards. Once, when adding a card without having unplugged the power supply, the system started to power up. Therefore, I see no problem with the FireCard remaining powered, as long as the motherboard is up to it.

      --
      If you can't beat them, embrace and extend them.
    2. Re:What about re-boots. by jgarzik · · Score: 1
      Doesn't the PCI lose power on a re-boot?

      Yes, but... there is such a thing as 'aux power'. Among other solutions, you can always create an adapter that plugs your power supply into your PCI card to guard against power blips on reboot. Some of my current Ethernet cards already support 'aux power', which is defined in the PCI bus specification.

      And might it not just be simpler to keep this as a separate device?

      Agreed. The additional complexity needed to guard against host powerloss seems needless when you could build a separate device more easily.

  23. Well they didn't price it correctly then by rjnerd · · Score: 1

    You can get the LinkSys dedicated box for under $200 (around $100 if you only want a single port on the home side), another $20 for an ethernet card for your box. Too bad, this could have been interesting.

    --
    Organizer:New England Rubbish Deconstruction Society;The NERDS,first US team in the UK Scrapheap Challenge/Junkyard Wars
  24. Deja vu by Rolu · · Score: 2

    Didn't I hear something like this before, about some Seti card...?

  25. Re:But why? by Webmonger · · Score: 1

    My Gravis Ultrasound PnP is red.

  26. Re:Where's the advantage? by SockToi · · Score: 1

    I work as a security architect/consultant for a pretty major bank - let me give you a potentially major advantage of this kind of system.

    Cost.

    When we talk about providing VPNed telecommuting connections to home systems, or physical token based identification for tens of thousands of employees then a cost differential of even 5 dollars can be a huge cash saving and make or break a project.

    Now, let's say (and this *is* genuinely hypothetical) that we want a major home working rollout but are unhappy with software based "personal firewalls", and so forth. If these cards are reasonably cheap when bought in bulk we can give them to all staff who need to telework to plug into their systems, regardless of system spec or connection method, and perform the VPN'ing from the card which requires the card to be in and enabled for connectivity.

    We save ourselves the cost of dedicated dialup facilities, of standalone firewalls, of buggy or circumventable software. (buggy and circumventable firmware is another issue ... ;) )

    Shrug. I'm not saying we use it, or plan to, but... there are reasons this sort of stuff can be interesting to people, even if it's not immediately apparent to the uber-home-networking crowd...

    (yah, yah. My home net's got an OpenBSD firewall, a sparc 20 and NFR. But I am not normal. and that's a fact. ;) )

    cheers.

  27. Name change by Duxup · · Score: 2

    Companies do change their name sometimes.

  28. Reboots by Beowulf_Boy · · Score: 1

    They say it's independent of the OS on the computer, but what happens when Winblows crashes and I have to reboot? That would screw it up wouldn't it? or would it have its own backup power or power source like the Voodoo5?

  29. Re:But why? by rjnerd · · Score: 2

    Well the case on that small independent computer costs as much as the circuit board (populated). And that wall wart power supply has a mtbf measured in months. Hopefully it dies in a way that doesn't take the machine with it. If you want a 1u case and ps, figure it will be $200 extra at retail. (rule of thumb for consumer electronics: the whole is 6 times the cost of the parts)

    Having said all that, I set my father up with one of the Linksys boxes. (middle brother is in the computer surplus biz, I could get a fine mini desktop case p75 that was easily the master of the job, for free, some assembly required)

    The dedicated box was cheap, and a lot less work than putting together, and more importantly keeping running, a linux box 40 miles from home. I promised the father-in-law the same when he is ready to get a cable connect. (he is 300 miles away. They get software maintenance and consumer electronics repair for christmas each year)

    Junkyard Wars Marathon TLC Nov 24 noon->3 AM
    MIT Junkyard Wars sneak preview Nov 20. Email for an invitation.

    It's also silent, so I don't have to worry about it getting shut off (wasting electricity) with the computer, and him having to wait while fsck grovels the disk before he could use it.

    --
    Organizer:New England Rubbish Deconstruction Society;The NERDS,first US team in the UK Scrapheap Challenge/Junkyard Wars
  30. Firewall should be built into cable modems etc. by MikeFM · · Score: 2

    I'd rather have a Linux-based firewall built into my cable modem or whatever other means my network is connecting to the Net. It'd just simplify the number of devices chained together for me.

    What I'd really like is a PCI card capable of doing encryption for standard things like SSL and PGP (GPG for me actually) so it wouldn't hit my CPU so hard serving https pages etc. gzip/bzip/etc compression would be another dandy thing to build into the card. If they could fit several such functions onto a single PCI card for a decent price I'd probably add one to every computer I have. Even my dual PIII 800MHz box soon bogs down under heavy compression or encryption tasks and the P100's just choke along painfully. :)

    --
    At what price learning? At what cost wisdom? The price is a man's peace of mind, and the cost is his life.
  31. Re:But why? by Howie · · Score: 1

    I agree about the rack-case - they are expensive, but what I was originally thinking of was something the size/shape of the old USR Courier modems.

    And that wall wart power supply has a mtbf measured in months.

    Is this a US thing? I've never had a wall-wart die. The only thing near that I've had is the cable mangled beyond use by me carrying it around a lot (on my old CD walkman), and I have a few running continuously (hub, modem, scanner etc...). American AC outlets have always struck me as flimsy, especially when you hang heavy things from them. Or is it just generally crappy components? I assumed I get my 240VAC wall-wart from the same Korean (or wherever) factory that you get your 110VAC one.

    --
    "don't fall into the fallacy of believing that Perl can solve social problems. Maybe Perl 6 can, but that's a ways off"
  32. Re:595.00 dollars!!! yikes - how about $157??? by dmp · · Score: 1

    hmmm...
    200mhz computer w/128mb and enet. - Onsale.com - $139
    Netgear enet card - cdw.com - $18
    OpenBSD 2.7 - OpenBSD.org - $free
    Having the most secure open source based firewall. - Priceless.

    --
    Stop talking about who's to blame when all that counts is how to change --"Born of Frustration" - James
  33. Re:Who cares about practicality - look at the size by fatphil · · Score: 1

    Livingstone Portmaster IRX Router:
    25*5*38?cm (assuming my span is 20cm). Probably a single 68360 and about 2M RAM, 512K ROM, similar flash, and a couple of custom ASICS. Oh - and 4 rubber feet at the bottom. Yuppers, this ain't no rackmount. And yes, it runs in a wardrobe.

    i.e. there's about a quarter of the kit that we (where I work) shove on a single slot (2*15*25cm?) in our access multiplexer subracks. And we have no fans.

    Trust me, they charge you for the software license and the name on the box more than the hardware.

    It's the TV size principle. Big is good. Small is good. Anything in between can't be any good.

    When I first got my Cisco 2501 (OK, 1U rackmount) I opened it up and just laughed. _cigarette packet_ is the correct size for one of those.

    FP

    --
    Also FatPhil on SoylentNews, id 863
  34. Gateway Guardian Beta/Vapor status by Minupla · · Score: 2

    I did a beta test on the software portion of this product this summer, so I can verify that it's not all vapor anyways, and putting it on a card should be straightforward enough.


    ----
    Remove the rocks from my head to send email

    --
    On the whole, I find that I prefer Slashdot posts to twitter ones because I don't get limited to 140 chars before
  35. Re:You are not the target market. by mosch · · Score: 1

    Well, again, I'd argue that you're not the target market. Gamers tend to use high-end gear and to really need hubs, since a LAN party with only one guy on-line would be pretty lame. Every LAN party I've ever been to has involved a well-wired house, or at least a temporarily well-wired house (hey boss, just evaluating one of the new gigabit switches and a couple NICs...).

    Imagine for a moment if you only had one computer at your house, ever. (yes, pretend you're an average computer user.) Now see why it's useful? If you have to take that computer down for a hard reset, it doesn't matter if the firewall is down, seeing as nothing else connects to it.

    --
    "Don't trolls get tired?"

  36. Why is Jane, the woman, the stupid user? by cpeterso · · Score: 2

    Jane looked at the integrated router/firewall/hub solutions, but she didn't like that. She already doesn't like that her cable modem has one ugly box next to her computer, and she doesn't want another ugly box there. The last thing she wants is more confusing cables to figure out

    translation:

    "Jane likes cute little toys and is easily confused. Math IS hard, Jane."

    Your Jane could have been the knowledge hacker, but instead you made her the stupid user.


    1. Re:Why is Jane, the woman, the stupid user? by Mars+Saxman · · Score: 1

      Oddly, I came away with the impression that Jane was a fairly sophisticated user, someone who knew enough to worry about the security concerns inherent in running your workstation as a firewall.

      -Mars

  37. Must be a hoax... by jm91509 · · Score: 3

    Usually hoaxes are uncovered because they are too good to be true. That doesn't count here. It's not really that useful as anything that you can do on this you can do on the host (probably cheaper) and you also know where all the stuff has come from (use the source). However, it does have the advantage that if you want to, you can easily move your firewall to another host machine, if you want to use the other for something else...

  38. Re:Who cares about practicality - look at the size by spinfire · · Score: 1
    Do not forget that there is 90% air inside most computer cases as well, and there is a very valid reason for all of this: cooling. If all the components were scrunched together, there would be intense overheating problems. Laptops utilize special cooling technologies to 'wick' the heat away from the processor without airspace.

    In order to reduce noise, these soho firewall/router products are often made without fans, and without any kind of active cooling, the passive cooling (airspace) has to be rather good.

  39. Re:Who cares about practicality - look at the size by JatTDB · · Score: 2

    There's a couple reasons...first of all, anything that's gonna go in a rack needs to be 19" wide, and thick enough for some mounting brackets to be securely attached. Then there's the ventilation aspect. The manufacturers can't count on Joe Schmoe to leave adequate spacing between devices and have the room properly air conditioned, so they compensate by having large airflow spaces within the device itself. Third, and possibly most important, a lot of stuff like this is really expensive...and stupid managers don't like to spend several grand on something that comes in a tiny box.

    --
    "That's Tron. He fights for the Users."
  40. Re:Who cares about practicality - look at the size by bleh-of-the-huns · · Score: 1

    I think you fail to see the reason for using such large cases. Sure it would be nice to be smaller, something you can put on your desk... oh wait, they do have those :P
    On the other hand, the large cases seem suspiciously the right size for a 1u or 2u, etc etc rackmount.... You draw your own conclusions :P

    --
    I came, I conquered, I coredumped
  41. In PC is the point by bluGill · · Score: 2

    I worked on one project in years past that made a firewall. There was one intended customer: a government site that I can't admit to knowing the name of that intended to buy a few thousand and separately attach every computer. Top secret military doesn't trust their co-workers, and doesn't want to take the chance that one compromised computer on the internal network can compromise another.

    I'm sure there is more than one layer of security in the above scheme, I know the above details but I strongly suspect they have a strict policy that no one person is trusted to know or be able to find out all the details of their security.

  42. Private Firewall by jackb_guppy · · Score: 2

    But one per machine. HR running its own VPN Network inside on the company's. Cool.

  43. well, duh! by twitter · · Score: 2

    Someone turned off the Pee Cee that had their firewall. It will come back up just as soon as they get to work this morning.

    --

    Friends don't help friends install M$ junk.

  44. The dangers of posting a first draft.... by mosch · · Score: 2

    I had meant to make Joe a clueless user who simply follows his friend's instructions. Jane, on the other hand, was meant to be a non-technical, but intelligent person, who fully comprehended the technical benefits that the geek had explained, while finding additional, non-technical benefit to this particular solution, thus her reaction to the geek's suggestion.

    You're right though, it would've been better if I had made the geek a character more like Bernie from Waiting For Bob



    --
    "Don't trolls get tired?"
  45. Re:You are not the target market. by Fjord · · Score: 2

    I'll buy this argument, but then why the multiple ports? Doesn't this just increase the price of a product intended for a single machine? It's the duality of that that makes me wonder about it. Like I said before, if this is substantially cheaper than the Linksys, then it makes sense, and people will buy it.

    It just occurred to me that more people would probably buy it if it accepted a phone cable and provided firewall services for users of AOL accounts, etc. I know an AOL user who is sick of the chat rooms because of random tear droppers, etc. This would help out there.

    Just thinking out loud. n/m

    --
    -no broken link
  46. Re:Big-time hoax for all you /.'ers out there by JeD42 · · Score: 1

    No hoax. Do some research (like google 'merilus british columbia' returns British Columbia Internet Association). And, they list Merilus as a sponsor. It's a real company, so unless someone hacked their website and put some nicely convincing pages up... IT'S REAL!

    As for being worthless:
    I have to presume you've never been a tech that deals with SOHOs. There are many small companies that use one server and one to five workstations. Accountants, flower shops, gas/service stations, etc... the list can go on and on... anyone with the need for more than one computer and internet access but doesn't wanna spend another grand or two on a separate machine.

    yes, you can build a sweet li'l firewall/router from an old P75, but the ppl they buy hardware from will sell them spankin' new 600MHz machines with CD/sound/the works... 'cause they're greedy.

    If this card sells for under 100 it will be worth it without a doubt. And I'll be informing my old boss at one of the local VAR/OEMs about it so he can save his customers some cash (and he can set his margin up on this PCI card to show them the hundreds of dollars they'll save while he still makes a pretty penny).

    J.. hut! hut!
    e.. Hut!
    D42!! ... HIKE!

    mmm... beer *drool*

    --
    -JeD42- Let's take the SPAM outta email!
  47. Re:You are not the target market. by carlos_benj · · Score: 1
    This isn't for a business, or for a hardcore geek. It's meant as a security solution for your average Joe, who only has one computer, and wants to work from home on his broadband connection.

    I don't think that's the case. Why the extra ports if it's intended to be a single box solution? Admittedly it's not targeting an Enterprise environment, but small business/networked home situations seem to be the actual target.

    --

    As a matter of fact, I am a lawyer. But I play an actor on TV.

  48. The network is the computer... by d00f · · Score: 1

    This whole trend reminds me of an old slogan used by Sun... "The network is the computer"

    Remember the days when a computer was a CPU, a little RAM and a few peripherals hooked together by a PIC and a few other parts?

    Now we have a motherboard that has a CPU. The CPU has an FPU that independently does your math. You have a semi-intelligent power supply (ATX) that can turn itself on and off.

    Your graphics card more than likely comes complete as an embedded computer of sorts to handle 3d. If your system is performance oriented then your SCSI card may have its own CPU on it. This often handles tagged queues and elevator sorts requests and may even provide hardware buffering with its own battery!

    Now I see you can buy network cards with their own embedded TCP/IP stack to free up the CPU. Some of them even have high speed CPUs where they do SSL type encryption right on the network card.

    So where is this going? Our desktop systems are becoming more and more like networks of small specialised computers. I think as performance demands increase we will see more and more stuff like this.

    In an abstract sense the computer of the future may look like a microkernel where most of these peripherals are hooked up via a common bus. Oh damn, I had to reboot my sound card again, it keeps crashing. I can imagine it will be the flash bios hell of the future too.

    -Michael

  49. Re:Here's the best, most cost efficient answer by Kaeto · · Score: 1

    Because it's more trouble than it's worth. *sits behind his IPMASQ firewall smiling*

  50. The point... by C8H10O2+MF · · Score: 2

    From a marketing manager's point of view, it doesn't look like a decent solution to anything, it looks like cash. Personally, I don't see the point of such a product. You have 'firewall' software (BlackIce/Lockdown and other crap), which would perform the same function. The problem with these is that when you're on a LAN they're useless. This is another crappy idea that restricts infiltration protection to one machine, that is also dedicated to a user... A user who will always screw things up. I'm using a rebuilt 486 with an LRP disk. It's never shut down, never rebooted, and will still be able to route/protect my other workstation if this one goes down. If I had one of those IMHO useless cards in this machine, my other workstation would be as useless as this one in its inoperative state. (Unless I wanted to do something offline..which isn't likely :P)

    1. Re:The point... by allanj · · Score: 1

      I think this product is aimed at Windows users. Other posters have commented that personal firewall software for that particular platform leaves a lot to be desired. Since the average web surfer uses Windows and is likely to be clueless about setting up a 486 or similar as firewall using Linux, this could be a good choice for the average user. Not for the /. crowd, who's more likely to have made a cool solution like yours. But the number of average users is way larger than the number of /.'ers, so from a marketing point of view, I think this makes perfect sense.

      --
      Black holes are where God divided by zero
    2. Re:The point... by allanj · · Score: 1

      I think this product is aimed at Windows users. Other posters have commented that personal firewall software for that particular platform leaves a lot to be desired. Since the average web surfer uses Windows and is likely to be clueless about setting up a 486 or similar as firewall using Linux, this could be a good choice for the average user. Not for the /. crowd, who's more likely to have made a cool solution like yours. But the number of average users is way larger than the number of /.'ers, so from a marketing point of view, I think this makes perfect sense. An average Windows user has just one machine, hooked up to AOL (or something) for internet access, so there is no need for this device to be useful on a LAN.

      If it really is meant to be a proper firewall, it should be possible to update its firmware on a regular basis. New attack methods require new defenses. I wasn't able to get onto their apparently slashdotted site, but without such an option it is IMNSHO worse than useless - it gives a false sense of security, far worse than a true sense of insecurity.

      --
      Black holes are where God divided by zero
  51. Re:Big-time hoax for all you /.'ers out there by wesmills · · Score: 1
    Well, if it's a hoax, actually having real phone numbers like their contact page lists is a nice touch as well.

    "Thank you for calling Merilus; our regular business hours are..."

    ---

  52. Nice troll by Bishop · · Score: 1

    The colour of the PCB is not going to affect the heat dissipation in any significant way. If the colour did matter a red PCB would be better anyway. A green PCB absorbs red light and reflects green light. A red PCB reflects red light.

    Celestica ram used to be on a red PCB. It was very distinctive. The reason most PCBs are green is more historical than anything. People expect PCBs to be green as in the past the most common epoxy used was green. Today most PCBs are brown with a green sealant coat.

    1. Re:Nice troll by Bishop · · Score: 1

      Yes! I have been out of the industry for a while and could not remember "solder mask" for the life of me.

    2. Re:Nice troll by MasterOfMuppets · · Score: 1

      Sealant Coat? That would be the solder mask then..?

      --
      The Master Of Muppets,
      CAPTAIN: TAKE OFF EVERY "SIG"!!
  53. Re:Big-time hoax for all you /.'ers out there by itarget · · Score: 1

    I've seen these on the shelves at several small computer shops here in Ottawa, Canada (not sure about big-name stores though, I tend to avoid them and their inflated prices). They look awfully real for vapourware.

    I suppose the boxes could actually be empty, in which case I'd have to wonder how they got these places to stock them. :-P

    ---
    Where can the word be found, where can the word resound? Not here, there is not enough silence.

    --

    "Where shall the word be found, where will the word resound? Not here, there is not enough silence." -T.S. Eliot
  54. Anagrams? by markbark · · Score: 1

    Has anyone else noticed that "Merilus" is an anagram for "Im Luser"

    Just a thought....


  55. Re:Big-time hoax for all you /.'ers out there by Shiva+Lingham · · Score: 1
    I sure hope it's not a pointless hoax or vaporware.
    How could this sort of hoax be worthless? Whatever gets /bots mucking their pants for some new functionally redundant item that has "geek cred" is good for a laugh. A product with Linux + Transmeta is to SlashBots what the Virgin Mary in a tortilla is to Mexican Roman Catholics; "proof" that the angels are on their side.

    Face it, the arguments in favour of this product are all flawed. A small business can't afford a firewall and a router? How cheap do they need it? And if they can afford a small server, they can afford a firewall.

    A failsafe solution for any company? Bullshit, if a server crashes hard and you don't already have a failsafe, you're dead. If theoretically the server has crashed hard but still has a functional power supply, you have only bought yourself enough time to bring up a backup firewall box and router inline, so that the server with the card can be brought down and repaired. This is the same net effect as buying a dependable router and having a dedicated firewall box and synchronized backup ready to switch. Either way, you're going to have a few seconds to a few minutes of downtime, and one way you are going around your elbow to get to your nose.

    Isolated from host PC software, therefore more secure? Two words: embedded Linux. So when some skriptkinder come up with the latest supersmurf, teardrop, raindrop, DoS or overflow vulnerability in Linux, do you have to ssh into the card, apply a patch, recompile and reboot? Will the company provide a flash utility with timely kernel updates? Why depend on them?

    I'm not trying to prove that this is a hoax; that's an easy do. What I'm saying is that this is a stupid idea for a product, and shame on /. editors for biting on it.

  56. My Gravis Ultra Sound had the Red PCB 5 years ago! by cybrthng · · Score: 2
    Yup! My lovely GUS had the 2 foot long (seemed like it back then) red pcb back when my AMD 386 DX 40 with 4 megs of ram was a killer machine!

    Boy howdy I miss those days of playing Future Crew demos showing off my powerful Oak OTI66 card with 512k ram and my Gravis Ultrasound pumping out 32 simultaneous tracks of S3M heaven hehe. (My gus had more memory than my video card at one point!)

  57. How about some specs? by Joe+MacDonald · · Score: 1

    Okay, two things I may have missed on the site are:

    1. Written proof (not photos) of how many ports this thing has
    2. Written proof of what these 'ethernet' ports are. 10baseT? 100baseT?

    Details like this are what make the difference for me when I try to categorize these guys as 'legitimate' or 'fly-by-night'.

    --
    -Joe
  58. Don't Delete Stories! by SEWilco · · Score: 2

    Hey, don't delete duplicate stories! I was about to go read the comments to the second story but it has vanished in a puff of greasy black smoke... Couldn't you just move it off the front page, with a comment appended?

    1. Re:Don't Delete Stories! by American+AC+in+Paris · · Score: 2
      Ah, but it wasn't deleted, just stripped of all referring links. As good as deleting, yes, but if somebody else were to post the link in their comment, others can still go see what happened fairly easily (hint, hint).

      10 PRINT "This is a"
      20 PRINT "Haiku program."

      --

      Obliteracy: Words with explosions

  59. IBM has been doing this on AS/400 for years by Jens · · Score: 1
    I think this is what IBM has been doing for years with the AS/400. Basically, they embed a complete PC system with a customized firewall OS into an AS/400. You can, if necessary, reset the PC system no matter what state it is in, without harming or interrupting the AS/400. And AS/400 boxen are "somewhat" more reliable than PCs, even if you run a "real OS" on the PCs.

    After quick-parsing some search results from the IBM AS/400 website, I think this is what you'll want to read: http://www.as400.ibm.com/sftsol/firewall.htm

  60. Re:But why? by mhollyman · · Score: 1

    Yeah, there is such a device, it's called a Netscreen NS5. 7Mb/s 3DES for $400 ain't bad.

  61. Price? by SEWilco · · Score: 2

    The site is /.ed at the moment. Did anyone notice a price?

  62. Re:Step backwards by forgey · · Score: 1

    It seems that according to the Merilus page the Firewall card is independent of the PC, so as long as you don't physically power the machine off the firewall should remain up even if you reboot your PC.

    Sounds great if it works.

    forge

  63. Embedded Computers by jhines · · Score: 2

    Add this to a single board PCI computer, and a passive backplane, and you would have a product.

    I'm thinking about a smart vending machine, or more in context, voting machines. Cluster them together, pop one of these cards into the "master", and connect the local network to the 'net.

    Many small companies have a server system, which if it power cycles, they are basically down for the duration anyway. With a UPS and on a server, reboots shouldn't be a problem.

  64. Re:This is 80% of the ultimate cheap mini-Linux by tjb · · Score: 1

    Great idea, but it would be so expensive you wouldn't want it. I work for a DSL company and our VLSI guys came up with a design very similar to what you said: DSL, Voice Modem, Fax, Answering Machine, etc... all in one. Hell our DSP could handle it, so they made a controller to handle it as well. Then our hardware guys got ahold of it and found out that it would be so freakin' difficult and expensive to add in all the necessary filtering and line-drivers that it would just be cheaper to buy everything separately. So they settled on just adding a port for a daughter-board, and letting our customers figure out what they wanted to do with it. It sounds great and works well from a chipset perspective, but there is more to a board than that (at least until analog VLSI catches up with digital VLSI design)

  65. Welcome to the TV Babysitter market paradigm by PhilosopherKing · · Score: 1

    In this, the best parallel is with TVs. Today, there is a TV in the living room, the parents' bedroom, the children's room, and maybe the kitchen. Computers are, Surprise!, following the same paradigm. You had the big family console that cost $$$$ and was to "Further the Knowledge of the Family." That decomposed into: parents want one thing, children want another, and we can afford more than one. Now into this enters the FireWall on PCI. This goes into the parents' computer cuz their "WinME box for bills" never crashes, running lines out to the kids' Kiwi-Raspberry iMac and the kitchen's iPaq. When the parents want the kids to go to bed and not use the Net, they do, since the parents have direct control over the pipe.

    In fact, I would not be surprised to see a similar product for the cable. Parenting has moved from an "installing vital morals young *whack whack*" to the "judiciary adversarial system" where the parents and the children are out to foil one another's cases before a perceived 3rd party judge, be it: Timmy's mom lets him do it, this is wrong in the eyes of GOD, or if you do this you can do that.

    --

    USA-Democracy is 270 million YESes and NOes a day, not one every four years.
  66. Why multiple ports... by mosch · · Score: 2

    The biggest reason I can think to have multiple ports is that the chipset needed to make a hub is very inexpensive, thus giving them a feature while adding little expense. I can't actually think of any other reason...

    --
    "Don't trolls get tired?"

  67. Re:You are not the target market. by mosch · · Score: 1

    As I noted above, my only explanation for the extra ports is that the chipset necessary to make a hub is dirt cheap, so why not?

    --
    "Don't trolls get tired?"

  68. Ease of use by itarget · · Score: 1

    Just install it in a machine and have it perform triple-duty as hub, firewall and network card. No hub sitting around to worry about, a bit less cabling perhaps...

    However, I do agree that this doesn't have much of a future in enterprise environments outside of maybe being used internally for firewalling off small groups of machines from the rest of the LAN/WAN.
    ---
    Where can the word be found, where can the word resound? Not here, there is not enough silence.

    --

    "Where shall the word be found, where will the word resound? Not here, there is not enough silence." -T.S. Eliot
  69. What about new security holes by keyeto · · Score: 1

    If we accept for a moment that this is neither a hoax nor vapourware, the main question I have is how do you patch or replace the version of embedded Linux when a new security hole is found?

    I looked reasonably hard, but given that the site's "Features" and "Specs" sections contained only broken links, and I wasn't able to read the PDF file, it's not clear if it uses flash ram, some of the hard disk, or whatever.

    Being able to patch the OS when a new exploit is found is pretty fundamental for this kind of product, yet the site is broken, and none of the headings even suggest that you might need to do such a thing.

    On the whole, I think this smells pretty bad, and wouldn't trust the thing at all.

    --
    -- "This is the Space Age, and we are Here To Go" - W.S.Burroughs
  70. Even if it is probably a hoax/vaporware... by f5426 · · Score: 2

    ... the idea of a PC in a PCI card is not that bad (but it seems stupid to limit it to firewall stuff), and maybe it already exists...

    Could be used as a Windows box while running under linux (with a special VNC driver, for instance).

    (And sure, it could be used as a seti@home box...)

    Would have a great hack value. I'd love one of them. (But I would prefer it in a PCMCIA slot...).

    Cheers,

    --fred


  71. Spare boxes by DreamerFi · · Score: 2

    And most offices have spare old hardware gathering dust anyways, so there's plenty of products better suited, such as NetBSD/i386 Firewall Project

    You might want to buy this card for the support (although I feel for small offices the firewall should just sit quietly in a corner and simply always work), but in that case, why not spend money on a stand-alone box anyway?

  72. You are not the target market. by mosch · · Score: 5

    This isn't for a business, or for a hardcore geek. It's meant as a security solution for your average Joe, who only has one computer, and wants to work from home on his broadband connection.

    Joe currently has a few options, he can get some personal firewall software, but he was talking to a geek friend of his who told him that it would be pretty trivial to make a trojan that would disable the personal firewall software.

    Jane looked at the integrated router/firewall/hub solutions, but she didn't like that. She already doesn't like that her cable modem has one ugly box next to her computer, and she doesn't want another ugly box there. The last thing she wants is more confusing cables to figure out, and besides, her power strip doesn't have any more space for the wall wart that invariably powers those things.

    Joe and Jane talk to their geek friend, and he says 'hey, i've got a solution which is just as good as a separate computer, but it goes right inside your current 'puter, but has its own processor and everything, so it's not affected by trojans, viruses or anything'. Joe thinks 'great, i have no idea what that means, but what the hell, if my geek friend says it's the shit, then it's the shit'. Jane thinks 'Hmmm.... that sounds good, and it eliminates any number of security attacks, while reducing cable clutter, i'll buy one for myself.'

    Then their geek friend helps them set it up, and goes home to the p75 that he converted into a firewall. On the way, he opens his mailbox and inside is an electric bill. He reads the bill, and does some calculations on the operating cost of the p75, and realizes that in addition to being a white-noise generator and an eye-sore, that p75 is costing him more money than it's saving. The geek goes out to the store, buys one of these firecards, installs it, and realizes that for a home solution, it's really not a bad idea.



    --
    "Don't trolls get tired?"
    1. Re:You are not the target market. by Fjord · · Score: 2
      her power strip doesn't have any more space for the wall wart that invariably powers those things

      I just bought a Linksys EtherFast 4-port Cable/DSL Router and for the record, it uses the exact same power cable that a computer uses. Thus, no AC/DC adapter taking up 2-3 spots on the powerbar. In addition, I love the fact that its power is independent of any of my machines. I don't want to have to worry about the power to my router dying because I had to hard reset a computer (happens sometimes while gaming). If that were to happen: bye bye connections. Any friends who were on the game server with you are gone too.

      That said, if this were a lot cheaper than the Linksys, then I can see a market.

      --
      -no broken link
    2. Re:You are not the target market. by bripeace · · Score: 1

      I love bedtime stories. On a side note: I can't see how much these are; the site seems slashdotted. But assuming the price of this would come down, then this may be the future of network cards. Providing a firewall in every network card would provide basic security to all users connecting to the internet. It may be overkill having it in every network, but I guess it would be easy to disable it during setup or some other way.

      -Brian Peace

  73. Re:But why? by MarNuke · · Score: 5
    I'm not sure I understand the benefits of taking a small independent computer and making it dependent on another one, even if it is just for power... surely a box the same size as the card, with its own PSU and a serial port for control is more reliable? Or a 1U case for a rackmount "enterprise" one

    I doubt this will be marketed for enterprise users using CheckPoint or what not. The real market for this device is the personal firewall market.

    Here's the deal. You're a UNIX security Guru. You know `ipchains` like you know perl. You don't compile kernels, you rewrite drivers. Your best buddy down the street just got that high bandwidth connection that makes you sick. It might be DSL, Cable, 10bt, or even Fiber. You know he needs a firewall. He knows he has to have one. There's no way around it. Buddy only knows AIM, pr0n, mp3's, and types http://www before every url.

    You're a good friend and you want to help him out. You have a few choices:

    You can give him one of your 486s, find 20-40 hours, build a solid firewall, and give him your pager number so he can call you when it fails.

    You can tell him to go with an out of the box firewall that runs on Windows and costs $19.95, that requires a machine or runs on the host machine, but you know these solutions are lame as hell. Heck, you crack the "firewalls" in your spare time!

    Or you can tell him to buy this card, which doesn't require that much effort, is just as secure as the stand alone, and you can still have a life!!!

    --
    MarNuke
  74. Re:But why? by Howie · · Score: 1

    Or you can tell him to buy this card, which doesn't require that much effort, just as secure as the stand alone, and you can still have a life!!!

    I don't trust my AIM-using friends with the inside of their PCs :-) Same reason that a lot of ADSL boxes are USB-based - least hassle for the end-user, least support for the vendor. Actually, a USB ethernet/packet-filter/firewall might be neat.

    --
    "don't fall into the fallacy of believing that Perl can solve social problems. Maybe Perl 6 can, but that's a ways off"
  75. Cool! It certainly looks real enough. by jeeames · · Score: 1

    Regardless of the negative reactions from many /. readers, I'm very impressed with the concept of a PCI based firewall solution. I presume they used the host computer not only for its power but as the means to display "console" and configuration information. I'm sure the PCI bus also lends well to the failover capability. But what I'm interested in is what clustering capabilities does this item present? Very good potential for something like this in the security industry.

    Joel

  76. Re:Where's the advantage? by Lion-O · · Score: 1
    Still no go IMHO. In fact; if we suppose that it's not a fake, and therefore also assume that your idea could work, then you will have more overhead costs in the end with this solution.

    When doing VPN the hardware responsible for connecting people also has firewall capabilities in most cases. That should be cheaper than a 2nd, third party, solution. But the real issue would be maintenance costs. If, for any reason, you need to change the firewall you've got a heck of a problem with this piece of hardware while, when using conventional methods, you should be able to operate it remotely OR send people updates which they can install (read: one mouseclick) themselves.

    Personally I still prefer a solution which our company once implemented. We provided people with small 486 PCs with no harddisk but only a floppy disk, NIC and modem. They were used for running Linux (one disk based, check the router project) which worked perfectly. The moment that some major issues were spotted (security holes and such) we just sent people another diskette and told them to replace the original diskette and reboot (ctrl-alt-delete) the PC. IMHO nothing can beat that for costs. Cost of ownership as well as maintenance costs.

  77. Re:But why? by CaseyB · · Score: 2

    I didn't understand either, but apparently the Firecard ALSO behaves as an ethernet card for the local machine. So, the benefit is that it somewhat simplifies the setup of a home office workstation.

  78. I wouldn't use it, but for mom... by NothingCleverToSay · · Score: 1

    This product doesn't really excite me for my home network. I already have several systems, so making an old P100 into a dedicated Linux firewall was a no-brainer. Plus, I get all the great experience of loading and configuring another Linux system.

    But for my parents, who are just considering getting DSL, this would be a dream. I drop by one afternoon, plug in another card, and boom, they have a firewall. They only have one system, and it would blow their minds to have a second machine just for a firewall, especially if it ran Linux. This would be a great solution to keep my Dad's Quicken files and my Mom's top secret Word docs containing her double chocolate-chip cookie recipe safe from prying hackers' eyes. Sometimes something that would be totally useless for me is exactly the right tool for someone less tech savvy. If it were priced right (sub-$100) I'd definitely consider putting one in my parents' stocking this Christmas.

  79. Re:Step backwards by novitk · · Score: 1

    Exactly! In addition LinkSys/NetGear router functions as a hub/switch for home LAN, which you'll need anyway, at a very reasonable price of ~$150 for 10/100 8-port version.

  80. Gods, that would be nice by Mynn · · Score: 1

    I don't like the idea of a software firewall or the networking needed on a small home system for a hardware one...

    --

    Face it, people are stupid, and the internet is the place where they all meet.
  81. But why? by Howie · · Score: 5

    I'm not sure I understand the benefits of taking a small independent computer and making it dependent on another one, even if it is just for power... surely a box the same size as the card, with its own PSU and a serial port for control is more reliable? Or a 1U case for a rackmount "enterprise" one.

    (the red PCBs look cool though :-) )

    --
    "don't fall into the fallacy of believing that Perl can solve social problems. Maybe Perl 6 can, but that's a ways off"
    1. Re:But why? by supersnail · · Score: 2

      The big benefit is presumably you can use the host PC to administer and set up the card.

      You cannot really contemplate administering a firewall device over the network by default. So they make it a "parasite" of a PC and viola you have a direct connection, screen, keyboard & mouse, plus a CPU to run your configuration programs, and, a disk to store your configuration and backup your software.

      Makes a lot of sense really!

      --
      Old COBOL programmers never die. They just code in C.
    2. Re:But why? by Anonymous Coward · · Score: 1

      >(the red PCBs look cool though :-) )
      And this is the most suspicious part of all. Look at any other PCB you have, how many of them are red?
      Heat, (and therefore energy) dissipates quickly through the red wavelength, making a red PCB extremely inefficient and lossy. For a firewall product, I don't think it is going to be acceptable. What's wrong with dedicating a cheap box as your firewall, and learning what you need from Linux/BSD to secure it, instead of spending extra cash on a pretty card that no-one sees?
      this is a lie

    3. Re:But why? by tburkhol · · Score: 1

      One fewer box sitting around the house. One fewer plug to find an outlet for. Three fewer cables to worry about. It's the same reason the average user prefers an internal modem. Now, offer them an ADSL/cable modem on PCI, with built on firewall so that all they have to do is flip on the CPU...

  82. SINCE THE DAWN OF TIME!!!!!!! by Taufiq · · Score: 1

    Is it just me, or is the promo video a little over the top?

  83. More info by Anonymous Coward · · Score: 1

    Userfriendly has more info... the card runs linux and uses the Transmeta Crusoe chip.

  84. Becoming a familiar story, now.... by Derwen · · Score: 1
    If only Timothy had waited 90 minutes before posting. He could have read a very interesting story about this, on a site which is well known for giving its readers two opportunities to read everything.

    --
    http://fsfeurope.org/
    1. Re:Becoming a familiar story, now.... by gaudior · · Score: 1

      Or maybe if Taco actually read his own board once in a while, he might have decided redundancy was not needed in this case.
      --

  85. Re:THIS IS THE NEWS by Artichoke · · Score: 1


    > [...] import shows like Friends or Seinfeld.

    Er, they're here already.

    > _That's_ comedy.

    Nope. _That's_ subjective opinion. Some UKians find some US comedy amusing/funny and vice versa. S'all.
    -~ ~- -~ ~-

    --
    __
    Arse
  86. Why I think its a hoax by Grimwiz · · Score: 1

    Looking at the specs, I noticed that they said there was a crusoe chip inside it. Aha, I thought, that'll appeal to the geek community.
    However, if you only need the horsepower to firewall a cable connection even a 486 would spend most of its time idle, so I'd doubt if they'd spend so much money (and 16Mb of translation RAM) on the processor.
    If I made one of these, I'd use a strongarm.

    --
    -- Don't believe everything you read, hear or think
  87. Here's what comes next with this concept.... by SomeoneGotMyNick · · Score: 1
    You now have a use for those old 'slimline' PCs you never thought you could upgrade. Just use the PCI bus in them to power cards like this and set up a 'slimline' firewall system.

    What can you do with the extra slots on the same machine? Why, put in the WWW server card (whenever someone creates it). Before long, you get cards for all the basic Internet services. You might even find the cards in shrinkwrap packages at your local 7-Eleven or Toys R Us.

    ------------------
    Of course, you can install Linux on that slimline system and get the same thing done. What? Don't have an old slimline system, well just buy one at a nearby flea market or yard sale, download your favorite Linux distro, throw in some cheap NICs, and continue with that. It's probably cheaper than the FireCard.

    1. Re:Here's what comes next with this concept.... by willy_me · · Score: 1

      I'm with ya. I also don't like the idea of always having to have my PC on.

      I've set up a few picoBSD firewalls and they work great. The big advantage with a dedicated system is it doesn't matter what you do with your machine, the network will still be up. Try to add some additional RAM when using one of these cards... it's not gonna work.

      A dedicated 486 picoBSD firewall will also typically run without any fans or HDs. Sure there's the floppy disk but it only spins on boot up. Take out the video card and ide controller and you got yourself a little firewall that produces no noise and draws a fraction of the power that your typical /.'s PC would draw.

      The idea of a firewall on a PCI card is great for the home user who knows nothing about Linux so it'll probably find some market share. I wouldn't have any problem recommending one to someone wanting to connect to @HOME.

      A really cool idea would be to, say, take one of those IBM PowerPC microcontrollers that come with built-in dual 10/100 ethernet controllers and place that in a small box running LinuxPPC. Add a little 8 port hub and an LED display (a small one, like on a laser printer) and you would have a great firewall. Without services like telnet or ftp it would be _very_ secure. (Well that and you would probably have Linux on an EEPROM that would require a jumper change in order to be reprogrammed. ;)

      Hmmmm, one could easily incorporate a UPS into a small, low power unit like this. Just include a battery and have it plug in to a 12v power supply. But that's probably going a bit too far.

      Willy

  88. Not a very inventive idea by biglig2 · · Score: 1

    All it is is a box firewall without a PSU or a case, really. How much cheaper is that going to make it? And if you really want cheap, I imagine that with a little work a 486, a copy of Linux or BSD, and a couple of cheap ethernet cards is just as well. OK, that involves work, but if the end user is leery about that won't they be leery about popping the case? Non-techie end users like appliances. If I were working at home I think I'd prefer a stand-alone box. What if you have multiple machines? If you take the machine with the firewall down then bang goes everything else. Disclaimer: It occurs to me that technically my company now makes boxed firewalls, so you might think my arguments biased. On the other hand, if they really were biased, I'd have described how building a BSD+Ethernet+oldPC solution can cause testicular cancer. So that's all right then.

    --
    ~~~~~ BigLig2? You mean there's another one of me?
    1. Re:Not a very inventive idea by geekoid · · Score: 1

      Here are some uses:
      1) I live in a 2 bedroom condo with 2 kids. I do not have the room for a 2nd PC, and I don't want to deal with the additional background noise.
      2) Considering the amount of clueless broadband users that are getting on OUR internet ( ;) ) this could help them. I should say this concept is one that could help them.
      With the impression I get with the web site, they seem pretty clueless. Yes, if you turn off the PC (not reset) you lose your firewall, but this is going to be pointed toward home users, so if the firewall PC is off, they're probably not using it since most homes only have 1 PC. I know it's unbelievable that some homes only have 1 PC, but it's true ;)

      --
      The Kruger Dunning explains most post on /. http://en.wikipedia.org/wiki/Dunning%E2%80%93Kruger_effect
  89. Re:Where's the advantage? by SockToi · · Score: 1

    AIUI the thing also has massive remote administration capabilities - I can't check for myself at the moment because at least from here the site is comprehensively slashdotted. And I was envisaging this thing *being* the VPN'er - an OS independent jobbie that will work with our MACheads, our UltraSparcers and our i86ers on a completely uniform platform sounds dreamy. As long as it appears on a PCI slot as an ethernet card all is gutt. ;) You wouldn't believe how badly people can screw their home PCs, and the grief a software solution that absolutely must run interrupted to provide secure connectivity can have. Equally, you wouldn't believe the grief you'd have trying to convince 15000 techno luddites who just want their market data/portfolio/email/real broadcast/etc that they should be using Linux. Or the techno ubergeeks who are damned if they're developing on a Linux box instead of their sparc. etc. *shrug*. One man's pain is another's gain, an' all that...

  90. Well *I* like it by 1337-p0z3r · · Score: 1
    Bollocks to all you naysayers out there. "Who would have use for such a card?" you ask? Well, me, dammit!

    Yes, I have a few boxes in my basement that I could eventually work up into firewalls. However, that means that I have to:

    1. Pick an OS
    2. Ensure the hardware is compatible with said OS (if not, goto 1)
    3. Pick a firewall
    4. Learn how to configure both firewall and OS as to be secure
    5. Find more precious space on my desk for ANOTHER full computer box

    OTOH, I could shell out a few bucks, plunk this wonderful device into my computer, merrily surf on my way, and use those extra boxes for web servers or mail servers or something more fun. (Anybody ever OC a 386?)

    Besides, there are TONS of folks out there who don't know the difference between a URL and an e-mail address that this is perfect for. They know they need security, so they can have their local computer store install one, and be a HELLUVA lot more secure than they would be otherwise.

    "There's a party," she said,
    "We'll sing and we'll dance,
    It's come as you are."

    1. Re:Well *I* like it by StaticLimit · · Score: 1

      I have a Linksys BEFSR41 - EtherFast 4-Port Cable/DSL Router. I just put it in to replace a Linux box that I want to take off of firewall/router/ipmasq duties and turn into a development web server (which I'll be able to reboot without causing my wife to storm in asking why the network is down). Up and running my network in 5 minutes.

      Runs about $180 and has a 4 port 10/100 switch (not a hub, a switch). For a small home network, it's really an excellent solution.

      The other posts are right that this card thing would be far more useful as a small stand-alone box.

      Perhaps they could reconfigure it to be an ethernet card with 1 port out to the DSL/Cablemodem and firewalling sitting in between. Now that would be reasonably useful to single user non-geeks.

      - StaticLimit

  91. Re:For a different market... by willy_me · · Score: 1

    I believe this product is targeted at paranoid, cost conscious, @Home users who don't have technical expertise. They save a few bucks by not having as much cabling, and using a PCI card doesn't require a power supply. This should drop the price when compared to the much better (but more expensive) externally boxed solutions.

    Any real power user won't want their hub/firewall tied to their computer. Nor will a small business. The whole network would go down every time someone wants to upgrade their RAM or some foolish person in the office wants to save on the power bill by turning your computer off after you've gone home.

    I personally use a 486/BSD solution. You're absolutely right, it's the way to go for those who know how to do it!!

    Willy

  92. Imagine... by 1337-p0z3r · · Score: 1
    Just think, you could get a whole bunch of these and, right inside your own case, have a complete Beowulf clust...

    Oh, nevermind. :)

    "There's a party," she said,
    "We'll sing and we'll dance,
    It's come as you are."

  93. sounds familiar by Petsection · · Score: 1

    Gee dad, can I run seti@home on it too???

  94. Here's the best, most cost efficient answer by doctorfaustus · · Score: 1

    Jeez... Why not just tell him to get Zone Alarm. It's free, reliable, easy to configure and use...

  95. This is 80% of the ultimate cheap mini-Linux by eschasi · · Score: 1

    Lawsy lawsy, this is 80% of what we need, maybe 90%. I've got cases and P/S and old PCI boards coming out my ass. They'd make perfect passive backplanes for banks of dedicated Linux processors that I could leave up 100% of the time without worrying about the rest of the system going belly-up. Load 'em via DHCP as needed. Let 'em nfs-mount a server if needed. Jerk out one of those enet ports and put in a USB, a serial, and a phone jack (you can fit all four in a single PCI end). Better yet, you can make a DSP-controlled soft-switchable RJ-45 jack that could be used as enet, serial, phone, etc. You could make X10 controllers, high-quality telephone answering machines, and yes, even a firewall, all off of a single hardware design (which means big volume which means cheap). Excuse me, I gotta go drop a bug in these guys' ear.....

  96. Step backwards by Phaid · · Score: 4

    This is at best about as useful as putting a firewall in a DSL modem / router (which is not that bad an idea), but with the added disadvantage that it can't be as flexibly located since it's "in" one of the PCs on the network. I guess it's nice that you can get power from the host PC, except that if the host PC crashes and you have to reboot it then you'll have to reboot your "firewall" as well. And really, ethernet isn't so slow that you need to be able to DMA directly from your firewall to the PC over the PCI bus.

    Totally pointless product. On the scale at which this thing is designed to operate, the LinkSys and NetGear DSL/Cable/modem routers already do this sort of thing quite well and without the above mentioned disadvantages. For a single user, all of this stuff can easily be done in software using e.g. ipchains or one of the many Windows-based personal firewalls, and for any kind of office or enterprise you'll really want the flexibility and expandability of a full sized computer to serve as a firewall.

    1. Re:Step backwards by geekoid · · Score: 1

      Well, if they ignore the reset signal on the PCI bus, you'll have to actually turn off your machine for it to reset. (Or push the handy reset button on board the card.)

      --
      The Kruger Dunning explains most post on /. http://en.wikipedia.org/wiki/Dunning%E2%80%93Kruger_effect
    2. Re:Step backwards by LHOOQtius_ov_Borg · · Score: 4

      Having used a number of the Windows-based personal firewall products, I can say that in the Windows arena I welcome any new product in the personal firewall area. The only software firewall I have been impressed with at all is Wingate, and even that left a lot to be desired in terms of flexibility of configuration.

      Price will be a determining factor in the appeal of this system. My company, for example, has a lot of telecommuters. If the card's network autodiscovery features work well, the default security is reasonable, and the remote admin software works well... then I will be psyched to recommend that all telecommuters who can move to DSL and this card - allowing us to just use the DSL hardware provided by the ISP and, if reasonably priced, a Firecard for each user. Users would thus have very little to do to set up their system; we have problems with this feature of our current Firewall/VPN product, especially on Windows. If Merilus got it right, and we'll test it and find out, then maybe finally the telecommuter problem is solved for IT organizations.

      Regarding the issue of rebooting, what is actually the issue is power-cycling, since the card draws power from the system but does not rely on the host OS to be up and running for the firewall and routing functions to operate. Thus, cold reboots are the issue - any form of warm reboot shouldn't affect the firewall. It does not say how long the card takes for it to boot on a power cycle, but I would suspect it's not very long. So, that "problem" is a red herring, unless Merilus is just lying about this...

      Also, especially for home users with machines that are likely both lower down on the CPU chain AND overloaded with fat programs like games and M$ Office, etc., the fact that this system does not put a heavy load on or depend upon the OS (and still does encryption for VPN and routing, hence the Crusoe chip) makes it perfect for the telecommuter situation.

      So, while the product may seem useless to you, it won't be for everyone. Telecommuters, SOHO, and probably even branch office users could get some mileage out of this product if it lives up to its billing...

      --
      o/~ we are pissed, we are pissed, we have to resist... o/~ - ec8or
  97. Good for Small Business by dshelt · · Score: 1

    This would be a nice piece of equipment for a small business. It could be deployed in an existing machine and serve two important functions. Small business owners usually don't have the kind of capital to buy routers and a firewall and this can serve both funcs. The same thing is easily done with a Linux box and two NICs, but this is a hardware solution, and most 'consumers' would choose a cheap piece of hardware w/ support over a free piece of software w/o support. Hasta

  98. Enterprise? by spinfire · · Score: 2
    I can possibly understand the application of this in a home networking situation, especially since most broadband users are unaware of the dangers their system may be subjected to.

    In a way this is good, because it enables broadband users who know nothing about security to secure their systems. However, there is great potential for abuse should someone find a backdoor or hole in the 'FireCard'.

    The card makes no sense in an enterprise environ, however. This is a simply silly use of it. Why not opt for a bit of extra configurability and peace of mind and roll your own firewall configuration, as I have?

    The card would be beneficial to small time home users, but it makes no sense to the enterprise network admin.

  99. Re:THIS IS THE NEWS by s390 · · Score: 1

    You should:

    (a) Seek professional mental-health treatment

    (b) Set up a [*uniquely* British] humor website

    (c) Both.

    Upon some consideration, I'd suggest option (c).

  100. An existing product by X-Nc · · Score: 1
    There is an existing firewall called GNAT Box that is built on a core of FreeBSD. They have one version called the GB-Flash which is a 16 meg chip that plugs into the IDE controller of any PC. It has everything that any big-name firewall product has and only costs $1,500 (keep in mind its target competition costs between $20k and $40k).

    I doubt the "average user" would find it worth buying but any small to enterprise sized business should definitely take a look at it and/or the GB-1000 Firewall Appliance. If you want to just test it out or see what it looks like there's a free, 5 node version called GNAT Box Lite you can get, too.

    --
    If I actually could spell I'd have spelled it right in the first place.
  101. Firewall cards by QuantumG · · Score: 5

    Two years ago I did the embedded programming on a firewall PCI card. They had a proprietary TCP/IP stack (though I'm sure it was based on some BSD code) which they wanted IP forwarding and packet filtering from. It was a REALLY easy job. I essentially cross compiled the code and used the example code that came with the ethernet chips (there were two, which BTW, if you don't have on that card, it ain't a firewall) with 10/100 UTP ports, one for the Internet side of the firewall and the other to plug into your hub. I think they eventually abandoned the product as stupid and developed it into a sealed box firewall about the size of a matchbook. Last time I talked to them they still hadn't shipped.

    --
    How we know is more important than what we know.
  102. Big-time hoax for all you /.'ers out there by KarmaPolice · · Score: 1

    This must be a joke (but a good one). I must admire the amount of work that has been done. The time it must have taken to create the pdf-manual and the presentations in various bandwidth-friendly-versions is almost as much as it would take to actually create this silly product.
    What would be the reason to do such a product as a PCI-card? If it has its own processor and runs Linux, then it doesn't really use the rest of the PC for anything else but power. I might believe this product if it was a self-contained unit.
    The catch-phrases "linux" and "transmeta" only tell me that this was made especially for all the /. people...I'm slightly flattered by the effort to fool us.

  103. Re:THIS IS THE NEWS by techwatcher · · Score: 2

    This is great stuff, but completely off-topic... Surely you could find some other space for it. Aren't there other forums (probably not in /.) in which you could have dumped it?

  104. Where's the advantage? by Lion-O · · Score: 2
    The OS on the host system can crash out, without affecting your firewall.

    But where's the advantage? If the OS could affect your firewall otherwise you can be sure that the software running on the OS also sustains the proxy server. Since the proxy and any routing capabilities are gone after your OS crashes I also don't see anyone being able to do nasty things from the Internet.

    If the OS can't affect your proxy but still is in some form of "protection control" you're probably using a router of some kind. But most routers also have firewalling capabilities nowadays, so why settle for a PCI card when you can in fact stop the burglar way sooner? Now that I'm focusing on security; take this situation and let's assume one uses this card.... It's 5pm and the people go home. The PC on which the PC card runs is turned off (by accident perhaps?) and now what? This is a very nice and big security hole, if I've ever seen one. Too big to be true IMHO.