Slashdot Mirror
Firewall On A PCI card
robags writes: "The people at Merilus have grabbed a PCI card, embedded Linux, added some Ethernet ports and come up with the FireCard. The OS on the host system can crash out, without affecting your firewall. 'Once installed, the FireCard provides firewalling, routing, bandwidth management, virtual private networking, redundant failover, intrusion detection and much more.'" This sounds like a smart product, especially for telecommuters; I sure hope it's not a pointless hoax or vaporware.
Since this seems to be a single board computer without a disk, couldn't one plug a bunch of these into a passive backplane to create a pile of independent firewalls (not very useful for the home user, but useful for those in the ISP business)? These backplanes would also eliminate the concern over power dependency. Along these lines, the home user could grab a 2 or 3 slot backplane and a power supply and have a pc-power-independent solution.
Along these lines, can one take an SBC and plug it into an ISA or PCI slot on a regular MB to power a second PC from the first, inthe same case?
since I'm going to a presentation on the Merilus card at my local Linux user's group on Monday.
:)
www.vanlug.bc.ca
I'll keep you all updated
The PCI slots only lose power on a power cycle (or maybe a hard reset on older power supplies). With this thing being completely self-contained it will continue to function during normal reboots, resets (on ATX power) or even total OS failure.
Though it does beg the question of why it couldn't just be a seperate device... space, maybe? With those 3 ports it can perform the duties of a 4-port hub with less hardware and cabling.
---
Where can the word be found, where can the word resound? Not here, there is not enough silence.
"Where shall the word be found, where will the word resound? Not here, there is not enough silence." -T.S. Eliot
Dave Chalk? "Yes Dave, but wait... there is more. If you buy our Firecard before the end of the /. effect you'll get a screwdriver for free so you can easily screw it into your computer. Please allow 28 days for deliviry, and remember... If your network somehow does get totally r00ted and fucked beyond repair you are can use our money back guarantee. Yes Dave, thats right... If you get h4x0r3d within the first 6 weeks of your purchase we will refund you the entire amount spend on our card and whats more... You can keep the card for free as a token of our good faith!." Now where did I hear that before?
Usually hoax's are uncovered because they are too good to be true. That doesn't count here. Its not really that useful as anything that you can do on this you can do on the host (probably cheaper) and you also know where all the stuff has come from (use the source). However, it does have the advantage that if you want to, you can easily move your firewall to another host machine, if you want to use the other for something else...
They just got bought by Golden Soil.
And here's a press release or two from no less an authority than yahoo re: "embedded security devices" and transmeta.
This isn't for a business, or for a hardcore geek. It's meant as a security solution for your average Joe, who only has one computer, and wants to work from home on his broadband connection.
Joe currently has a few options, he can get some personal firewall software, but he was talking to a geek friend of his who told him that it would be pretty trivial to make a trojan that would disable the personal firewall software.
Jane looked at the integrated router/firewall/hub solutions, but she didn't like that. She already doesn't like that her cable modem has one ugly box next to her computer, and she doesn't want another ugly box there. The last thing she wants is more confusing cables to figure out, and besides, her power strip doesn't have any more space for the wall wart that invariably powers those things.
Joe and Jane talk to their geek friend, and he says 'hey, i've got a solution which is just as good as a seperate computer, but it goes right inside your current 'puter, but has it's own processor and everything, so it's not affected by trojans, viruses or anything'. Joe thinks 'great, i have no idea what that means, but what the hell, if my geek friend says it's the shit, then it's the shit'. Jane thinks 'Hmmm.... that sounds good, and it eliminates any number of security attacks, while reducing cable clutter, i'll buy one for myself.'
Then their geek friend helps them set it up, and goes home to the p75 that he converted into a firewall. On the way, he opens his mailbox and inside is an electric bill. He reads the bill, and does some calculations on the operating cost of the p75, and realizes that in addition to being a white-noise generator and an eye-sore, that p75 is costing him more money than it's saving. The geek goes out to the store, buys one of these firecards, installs it, and realizes that for a home solution, it's really not a bad idea.
--
"Don't trolls get tired?"
I doupt this will be marketed for enterprise users using CheckPoint or what not. The real market for this device is personal firewall market.
Here's the deal. You're a UNIX security Guru. You know `ipchains` like you know perl. You don't compile a kernels, you rewrite drivers. Your best buddie down the street just got that high bandwidth connection that makes you sick. It might be DSL, Cable, 10bt, or even Fiber. You know he needs a firewall. He knows he has to have one. There's no way around it. Buddy only know AIM, pr0n, mp3's, and types http://www before every url.
You're a good friend and you want to help him out. You have a few choices:
MarNuke
I'm not sure I understand the benefits of taking a small independent computer and making it dependent on another one, even if it is just for power... surely a box the same size as the card, with it's own PSU and a serial port for control is more reliable? Or a 1U case for a rackmount "enterprise" one.
:-) )
(the red PCBs look cool though
"don't fall into the fallacy of believing that Perl can solve social problems. Maybe Perl 6 can, but that's a ways off"
This is at best about as useful as putting a firewall in a DSL modem / router (which is not that bad an idea), but with the added disadvantage that it can't be as flexibly located since it's "in" one of the PCs on the network. I guess it's nice that you can get power from the host PC, except that if the host PC crashes and you have to reboot it then you'll have to reboot your "firewall" ase well. And really, ethernet isn't so slow that you need to be able to DMA directly from your firewall to the PC over the PCI bus.
Totally pointless product. On the scale at which this thing is designed to operate, the LinkSys and NetGear DSL/Cable/modem routers already do this sort of thing quite well and without the above mentioned disadvantages. For a single user, all of this stuff can easily be done in software using e.g. ipchains or one of the many Windows-based personal firewalls, and for any kind of office or enterprise you'll really want the flexibility and expandability of a full sized computer to serve as a firewall.
Two years ago I did the embedded programming on a firewall PCI card. They had a proprietory TCP/IP stack (though I'm sure it was based on some BSD code) which they wanted ip forwarding and packet filtering from. It was a REALLY easy job. I essentially cross compiled the code and used the example code that came with the ethernet chips (there was two, which BTW, if you don't have on that card, it aint a firewall) with 10/100 UTP ports, one for the Internet side of the firewall and the other to plug into your hub. I think they eventually abandoned the product as stupid and developed it into a sealed box firewall about the size of a matchbook. Last time I talked to them they still hadn't shipped.
How we know is more important than what we know.