Firewall On A PCI card
robags writes: "The people at Merilus have grabbed a PCI card, embedded Linux, added some Ethernet ports and come up with the FireCard. The OS on the host system can crash out, without affecting your firewall. 'Once installed, the FireCard provides firewalling, routing, bandwidth management, virtual private networking, redundant failover, intrusion detection and much more.'" This sounds like a smart product, especially for telecommuters; I sure hope it's not a pointless hoax or vaporware.
Since this seems to be a single board computer without a disk, couldn't one plug a bunch of these into a passive backplane to create a pile of independent firewalls (not very useful for the home user, but useful for those in the ISP business)? These backplanes would also eliminate the concern over power dependency. Along these lines, the home user could grab a 2 or 3 slot backplane and a power supply and have a pc-power-independent solution.
Along these lines, can one take an SBC and plug it into an ISA or PCI slot on a regular MB to power a second PC from the first, in the same case?
The issue is that when you connect to a cable modem, you immediately have a perhaps-24x7 connection that someone can attack. Hooking up a Windows box to this is nigh unto suicidal.
The thought I had had was to have a little "shoebox" system; no screen; only two Ethernet ports, one to go towards the outside world, and one to provide services "inside."
The "FireCard" is a quite clever idea; it cuts down on the requirements by one Ethernet port by itself replacing the usual Ethernet card that gets put in the PC.
With luck, they have some scheme for remote management whereby it knows just enough SSL (or some other cryptographic protocol) that it can be possible for folks at the ISP to log into it to help out if there are problems.
This isn't a "B1 System" for people who thought Multics wasn't tough enough to crack; it's a "C1 system" for the people running "D1 secure" PCs...
If you're not part of the solution, you're part of the precipitate.
You're right.. it is rusty :) .. NP.
Corrected EigerStein LRP link here
--
Delphis
since I'm going to a presentation on the Merilus card at my local Linux user's group on Monday.
:)
www.vanlug.bc.ca
I'll keep you all updated
The PCI slots only lose power on a power cycle (or maybe a hard reset on older power supplies). With this thing being completely self-contained it will continue to function during normal reboots, resets (on ATX power) or even total OS failure.
Though it does beg the question of why it couldn't just be a separate device... space, maybe? With those 3 ports it can perform the duties of a 4-port hub with less hardware and cabling.
---
Where can the word be found, where can the word resound? Not here, there is not enough silence.
"Where shall the word be found, where will the word resound? Not here, there is not enough silence." -T.S. Eliot
Dave Chalk? "Yes Dave, but wait... there is more. If you buy our Firecard before the end of the /. effect you'll get a screwdriver for free so you can easily screw it into your computer. Please allow 28 days for delivery, and remember... If your network somehow does get totally r00ted and fucked beyond repair you can use our money back guarantee. Yes Dave, that's right... If you get h4x0r3d within the first 6 weeks of your purchase we will refund you the entire amount spent on our card and what's more... You can keep the card for free as a token of our good faith!." Now where did I hear that before?
And whoever moderated this up should have all moderator rights removed completely.
I took the lid off my Livingstone firewall, 90% air. I took the lid off my 2501, 90% air. Why do Cisco/Lucent/etc. think that comms equipment has to be big to be any good. It's just like the old shitty Amstrad hifis of yonder. 90% Air.
OK, the 'housed inside one computer' aspect may not be brilliant, but the simple fact is that they've proven that this kind of technology can be miniaturised. Shame on the big companies for lagging.
FP
Also FatPhil on SoylentNews, id 863
If it takes you 20 to 40 hours to set up a linux firewall box, you have a serious problem. As far as a simple LRP box goes, I can set one up in 30 minutes. Try coyote LRP at http://www.coyotelinux.com, download the free Linux version, run the makefloppy.sh script, and you're ready to go.
Have to give them credit the red board looks cool!
AF-Design, web development.
Didn't I hear something like this before, about some Seti card...?
Companies do change their name sometimes.
Well the case on that small independent computer costs as much as the circuit board (populated). And that wall wart power supply has an MTBF measured in months. Hopefully it dies in a way that doesn't take the machine with it. If you want a 1U case and PS, figure it will be $200 extra at retail. (rule of thumb for consumer electronics: the whole is 6 times the cost of the parts)
Having said all that, I set my father up with one of the Linksys boxes. (middle brother is in the computer surplus biz, I could get a fine mini desktop case p75 that was easily the master of the job, for free, some assembly required)
The dedicated box was cheap, and a lot less work than putting together, and more importantly keeping running, a linux box 40 miles from home. I promised the father-in-law the same when he is ready to get a cable connect. (he is 300 miles away. They get software maintenance and consumer electronics repair for christmas each year)
Junkyard Wars Marathon TLC Nov 24 noon->3 AM
MIT Junkyard Wars sneak preview Nov 20. Email for an invitation.
It's also silent, so I don't have to worry about it getting shut off (wasting electricity) with the computer, and him having to wait while fsck grovels the disk before he could use it.
Organizer:New England Rubbish Deconstruction Society;The NERDS,first US team in the UK Scrapheap Challenge/Junkyard Wars
I'd rather have a Linux-based firewall built into my cable modem or whatever other means my network is connecting to the Net. It'd just simplify the number of devices chained together for me.
:)
What I'd really like is a PCI card capable of doing encryption for standard things like SSL and PGP (GPG for me actually) so it wouldn't hit my CPU so hard serving https pages etc. gzip/bzip/etc compression would be another dandy thing to build into the card. If they could fit several such functions onto a single PCI card for a decent price I'd probably add one to every computer I have. Even my dual PIII 800MHz box soon bogs down under heavy compression or encryption tasks and the P100's just choke along painfully.
At what price learning? At what cost wisdom? The price is a man's peace of mind, and the cost is his life.
I did a beta test on the software portion of this product this summer, so I can verify that it's not all vapor anyways, and putting it on a card should be straightforward enough.
----
Remove the rocks from my head to send email
On the whole, I find that I prefer Slashdot posts to twitter ones because I don't get limited to 140 chars before
Jane looked at the integrated router/firewall/hub solutions, but she didn't like that. She already doesn't like that her cable modem has one ugly box next to her computer, and she doesn't want another ugly box there. The last thing she wants is more confusing cables to figure out
translation:
"Jane likes cute little toys and is easily confused. Math IS hard, Jane."
Your Jane could have been the knowledge hacker, but instead you made her the stupid user.
cpeterso
Usually hoaxes are uncovered because they are too good to be true. That doesn't count here. It's not really that useful as anything that you can do on this you can do on the host (probably cheaper) and you also know where all the stuff has come from (use the source). However, it does have the advantage that if you want to, you can easily move your firewall to another host machine, if you want to use the other for something else...
They just got bought by Golden Soil.
And here's a press release or two from no less an authority than yahoo re: "embedded security devices" and transmeta.
There's a couple reasons...first of all, anything that's gonna go in a rack needs to be 19" wide, and thick enough for some mounting brackets to be securely attached. Then there's the ventilation aspect. The manufacturers can't count on Joe Schmoe to leave adequate spacing between devices and have the room properly air conditioned, so they compensate by having large airflow spaces within the device itself. Third, and possibly most important, a lot of stuff like this is really expensive...and stupid managers don't like to spend several grand on something that comes in a tiny box.
"That's Tron. He fights for the Users."
I worked on one project in years past that made a firewall. There was one intended customer: a government site that I can't admit to knowing the name of that intended to buy a few thousand and separately attach every computer. Top secret military doesn't trust their co-workers, and doesn't want to take the chance that one compromised computer on the internal network can compromise another.
I'm sure there is more than one layer of security in the above scheme, I know the above details but I strongly suspect they have a strict policy that no one person is trusted to know or be able to find out all the details of their security.
But one per machine. HR running its own VPN Network inside on the company's. Cool.
Someone turned off the Pee Cee that had their firewall. It will come back up just as soon as they get to work this morning.
Friends don't help friends install M$ junk.
I had meant to make Joe a clueless user who simply follows his friend's instructions. Jane, on the other hand, was meant to be a non-technical, but intelligent person, who fully comprehended the technical benefits that the geek had explained, while finding additional, non-technical benefit to this particular solution, thus her reaction to the geek's suggestion.
You're right though, it would've been better if I had made the geek a character more like Bernie from Waiting For Bob
--
"Don't trolls get tired?"
I'll buy this argument, but then why the multiple ports? Doesn't this just increase the price of a product intended for a single machine. It's the duality of that that makes me wonder about it. Like I said before, if this is substantially cheaper than the Linksys, then it makes sense, and people will buy it.
It just occurred to me that more people would probably buy it if it accepted a phone cable and provided firewall services for users of AOL accounts, etc. I know an AOL user who is sick of the chat rooms because of random tear droppers, etc. This would help out there.
Just thinking out loud. n/m
-no broken link
From a marketing manager's point of view, it doesn't look like a decent solution to anything, it looks like cash. Personally, I don't see the point of such a product. You have 'firewall' software (BlackIce/Lockdown and other crap), which would perform the same function. The problem with these is that when you're on a LAN they're useless. This is another crappy idea that restricts infiltration protection to one machine, that is also dedicated to a user..A user who will always screw things up. I'm using a rebuilt 486 with an LRP disk. It's never shut down, never rebooted, and will still be able to route/protect my other workstation if this one goes down. If I had one of those IMHO useless cards in this machine, my other workstation would be as useless as this one in its inoperative state. (Unless I wanted to do something offline..which isn't likely :P)
Boy howdy i miss those days of playing Future Crew demos showing off my powerful Oak OTI66 card with 512k ram and my Gravis Ultrasound pumping out 32 simultaneous tracks of S3M heaven hehe. (My gus had more memory than my video card at one point!)
Hey, don't delete duplicate stories! I was about to go read the comments to the second story but it has vanished in a puff of greasy black smoke... Couldn't you just move it off the front page, with a comment appended?
The site is /.ed at the moment. Did anyone notice a price?
Add this to a single board PCI computer, and a passive backplane, and you would have a product.
I'm thinking about a smart vending machine, or more in context, voting machines. Cluster them together, pop one of these cards into the "master", and connect the local network to the 'net.
Many small companies have a server system, which if it power cycles, they are basically down for the duration anyway. With a UPS and on a server, reboots shouldn't be a problem.
The biggest reason I can think to have multiple ports is that the chipset needed to make a hub is very inexpensive, thus giving them a feature while adding little expense. I can't actually think of any other reason...
--
"Don't trolls get tired?"
... the idea of a PC in a PCI card is not that bad (but it seems stupid to limit it to firewall stuff), and maybe it already exist...
Could be used as a Windows box while running under linux (with a special VNC driver, for instance).
(And sure, it could be used as a seti@home box...)
Would have a great hack value. I'd love one of them. (But I would prefer it in a PCMCIA slot...).
Cheers,
--fred
And most offices have spare old hardware gathering dust anyways, so there's plenty of products better suited, such as NetBSD/i386 Firewall Project
You might want to buy this card for the support (although I feel for small offices the firewall should just sit quietly in a corner and simply always work), but in that case, why not spend money on a stand-alone box anyway?
This isn't for a business, or for a hardcore geek. It's meant as a security solution for your average Joe, who only has one computer, and wants to work from home on his broadband connection.
Joe currently has a few options, he can get some personal firewall software, but he was talking to a geek friend of his who told him that it would be pretty trivial to make a trojan that would disable the personal firewall software.
Jane looked at the integrated router/firewall/hub solutions, but she didn't like that. She already doesn't like that her cable modem has one ugly box next to her computer, and she doesn't want another ugly box there. The last thing she wants is more confusing cables to figure out, and besides, her power strip doesn't have any more space for the wall wart that invariably powers those things.
Joe and Jane talk to their geek friend, and he says 'hey, i've got a solution which is just as good as a separate computer, but it goes right inside your current 'puter, but has its own processor and everything, so it's not affected by trojans, viruses or anything'. Joe thinks 'great, i have no idea what that means, but what the hell, if my geek friend says it's the shit, then it's the shit'. Jane thinks 'Hmmm.... that sounds good, and it eliminates any number of security attacks, while reducing cable clutter, i'll buy one for myself.'
Then their geek friend helps them set it up, and goes home to the p75 that he converted into a firewall. On the way, he opens his mailbox and inside is an electric bill. He reads the bill, and does some calculations on the operating cost of the p75, and realizes that in addition to being a white-noise generator and an eye-sore, that p75 is costing him more money than it's saving. The geek goes out to the store, buys one of these firecards, installs it, and realizes that for a home solution, it's really not a bad idea.
--
"Don't trolls get tired?"
I doubt this will be marketed for enterprise users using CheckPoint or what not. The real market for this device is the personal firewall market.
Here's the deal. You're a UNIX security Guru. You know `ipchains` like you know perl. You don't compile kernels, you rewrite drivers. Your best buddy down the street just got that high bandwidth connection that makes you sick. It might be DSL, Cable, 10bt, or even Fiber. You know he needs a firewall. He knows he has to have one. There's no way around it. Buddy only knows AIM, pr0n, mp3's, and types http://www before every url.
You're a good friend and you want to help him out. You have a few choices:
MarNuke
I didn't understand either, but apparently the Firecard ALSO behaves as an ethernet card for the local machine. So, the benefit is that it somewhat simplifies the setup of a home office workstation.
I'm not sure I understand the benefits of taking a small independent computer and making it dependent on another one, even if it is just for power... surely a box the same size as the card, with its own PSU and a serial port for control is more reliable? Or a 1U case for a rackmount "enterprise" one.
(the red PCBs look cool though :-) )
"don't fall into the fallacy of believing that Perl can solve social problems. Maybe Perl 6 can, but that's a ways off"
This is at best about as useful as putting a firewall in a DSL modem / router (which is not that bad an idea), but with the added disadvantage that it can't be as flexibly located since it's "in" one of the PCs on the network. I guess it's nice that you can get power from the host PC, except that if the host PC crashes and you have to reboot it then you'll have to reboot your "firewall" as well. And really, ethernet isn't so slow that you need to be able to DMA directly from your firewall to the PC over the PCI bus.
Totally pointless product. On the scale at which this thing is designed to operate, the LinkSys and NetGear DSL/Cable/modem routers already do this sort of thing quite well and without the above mentioned disadvantages. For a single user, all of this stuff can easily be done in software using e.g. ipchains or one of the many Windows-based personal firewalls, and for any kind of office or enterprise you'll really want the flexibility and expandability of a full sized computer to serve as a firewall.
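The policy being argued about above (two ports, inside and outside, outbound allowed, unsolicited inbound dropped) is the same whether it lives in ipchains on the host, on a LinkSys box, or on a card with its own CPU. The following is an added example written for this page, not Merilus code and not a FireCard ruleset: a toy stateful packet filter in Python that models that policy over constructed packets. The address ranges, port numbers and the `Packet`/`TwoPortFilter` names are assumptions chosen for the illustration; real filters key state on far more than the 5-tuple.

```python
# Added example: a toy two-interface stateful packet filter.
# Not Merilus/FireCard code; interface names, networks and ports are assumed.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    iface: str        # interface the packet arrived on: "inside" or "outside"
    proto: str        # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False  # TCP SYN (new connection attempt); ignored for udp


class TwoPortFilter:
    """Default-deny filter for a box with one LAN port and one WAN port.

    Rules, in the order they are applied:
      * a packet arriving on the inside port with a non-LAN source is dropped
        (anti-spoofing), otherwise its 5-tuple is recorded and it is accepted;
      * a packet arriving on the outside port claiming a LAN source is dropped;
      * an outside packet whose reverse 5-tuple was recorded is a reply to a
        flow opened from inside and is accepted;
      * an outside packet to an explicitly published service is accepted and
        its flow recorded;
      * everything else from outside is dropped.
    """

    def __init__(self, inside_net: str, inbound_services=()):
        self.inside_net = ip_network(inside_net)
        self.inbound_services = set(inbound_services)  # {(proto, port), ...}
        self.flows = set()  # 5-tuples of flows we have allowed through

    def _is_inside(self, addr: str) -> bool:
        return ip_address(addr) in self.inside_net

    def decide(self, p: Packet) -> str:
        fwd = (p.proto, p.src, p.sport, p.dst, p.dport)
        rev = (p.proto, p.dst, p.dport, p.src, p.sport)
        if p.iface == "inside":
            if not self._is_inside(p.src):
                return "DROP"          # LAN host spoofing a foreign address
            self.flows.add(fwd)        # outbound is allowed; remember it
            return "ACCEPT"
        if p.iface == "outside":
            if self._is_inside(p.src):
                return "DROP"          # WAN packet pretending to be LAN
            if rev in self.flows:
                return "ACCEPT"        # reply to a flow opened from inside
            new_conn = p.proto == "udp" or p.syn
            if new_conn and (p.proto, p.dport) in self.inbound_services:
                self.flows.add(fwd)    # published service, e.g. ssh
                return "ACCEPT"
            return "DROP"              # unsolicited inbound
        return "DROP"                  # unknown interface: fail closed


def run_demo():
    """Constructed traffic (documentation address ranges) through the filter."""
    fw = TwoPortFilter("192.168.1.0/24", inbound_services=[("tcp", 22)])
    traffic = [
        # LAN host opens a web connection outward
        Packet("inside", "tcp", "192.168.1.10", 40000, "198.51.100.5", 80, syn=True),
        # the web server's reply comes back on the outside port
        Packet("outside", "tcp", "198.51.100.5", 80, "192.168.1.10", 40000),
        # unsolicited NetBIOS probe from the Internet
        Packet("outside", "tcp", "203.0.113.9", 5555, "192.168.1.10", 139, syn=True),
        # WAN packet spoofing a LAN source address
        Packet("outside", "tcp", "192.168.1.20", 1234, "192.168.1.10", 22, syn=True),
        # legitimate inbound ssh to the one published service
        Packet("outside", "tcp", "203.0.113.9", 6000, "192.168.1.10", 22, syn=True),
        # unsolicited UDP "DNS reply" nobody asked for
        Packet("outside", "udp", "203.0.113.9", 53, "192.168.1.10", 1025),
    ]
    return [fw.decide(p) for p in traffic]


if __name__ == "__main__":
    for verdict in run_demo():
        print(verdict)
```

The point the model makes concrete: the filter's only interesting state is the set of flows opened from inside, and that state is what a host-resident "personal firewall" exposes to anything running as the user on the same box, which is the argument for putting it on a separate processor, whether on a card or in its own case.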
In a way this is good, because it enables broadband users who know nothing about security to secure their systems. However, there is great potential for abuse should someone find a backdoor or hole in the 'FireCard'.
The card makes no sense in an enterprise environ, however. This is a simply silly use of it. Why not opt for a bit of extra configurability and peace of mind and roll your own firewall configuration, as I have?
The card would be beneficial to small time home users, but it makes no sense to the enterprise network admin.
isomerica.net | Foonetic IRC
Two years ago I did the embedded programming on a firewall PCI card. They had a proprietary TCP/IP stack (though I'm sure it was based on some BSD code) which they wanted ip forwarding and packet filtering from. It was a REALLY easy job. I essentially cross compiled the code and used the example code that came with the ethernet chips (there were two, which BTW, if you don't have on that card, it ain't a firewall) with 10/100 UTP ports, one for the Internet side of the firewall and the other to plug into your hub. I think they eventually abandoned the product as stupid and developed it into a sealed box firewall about the size of a matchbook. Last time I talked to them they still hadn't shipped.
How we know is more important than what we know.
This is great stuff, but completely off-topic... Surely you could find some other space for it. Aren't there other forums (probably not in /.) in which you could have dumped it?
But where's the advantage? If the OS could affect your firewall otherwise you can be sure that the software running on the OS also sustains the proxy server. Since the proxy and any routing capabilities are gone after your OS crashes I also don't see anyone being able to do nasty things from the Internet.
If the OS can't affect your proxy but still is in some form of "protection control" you're probably using a router of some kind. But most routers also have firewalling capabilities nowadays, so why settle for a PCI card when you can in fact stop the burglar way sooner? Now that I'm focusing on security; take this situation and let's assume one uses this card.... Its 5pm and the people go home. The PC on which the PC card runs is turned off (by accident perhaps?) and now what ? This is a very nice and big security hole, if I ever saw one. Too big to be true IMHO.