Slashdot Mirror


Firewall On A PCI card

robags writes: "The people at Merilus have grabbed a PCI card, embedded Linux, added some Ethernet ports and come up with the FireCard. The OS on the host system can crash out, without affecting your firewall. 'Once installed, the FireCard provides firewalling, routing, bandwidth management, virtual private networking, redundant failover, intrusion detection and much more.'" This sounds like a smart product, especially for telecommuters; I sure hope it's not a pointless hoax or vaporware.

7 of 137 comments

  1. SBC thoughts by lythander · · Score: 4

    Since this seems to be a single board computer without a disk, couldn't one plug a bunch of these into a passive backplane to create a pile of independent firewalls (not very useful for the home user, but useful for those in the ISP business)? These backplanes would also eliminate the concern over power dependency. Along these lines, the home user could grab a 2 or 3 slot backplane and a power supply and have a pc-power-independent solution.

    Along these lines, can one take an SBC and plug it into an ISA or PCI slot on a regular MB to power a second PC from the first, in the same case?

  2. You are not the target market. by mosch · · Score: 5

    This isn't for a business, or for a hardcore geek. It's meant as a security solution for your average Joe, who only has one computer, and wants to work from home on his broadband connection.

    Joe currently has a few options: he can get some personal firewall software, but he was talking to a geek friend of his who told him that it would be pretty trivial to make a trojan that would disable the personal firewall software.

    Jane looked at the integrated router/firewall/hub solutions, but she didn't like that. She already doesn't like that her cable modem has one ugly box next to her computer, and she doesn't want another ugly box there. The last thing she wants is more confusing cables to figure out, and besides, her power strip doesn't have any more space for the wall wart that invariably powers those things.

    Joe and Jane talk to their geek friend, and he says 'hey, i've got a solution which is just as good as a separate computer, but it goes right inside your current 'puter, but has its own processor and everything, so it's not affected by trojans, viruses or anything'. Joe thinks 'great, i have no idea what that means, but what the hell, if my geek friend says it's the shit, then it's the shit'. Jane thinks 'Hmmm.... that sounds good, and it eliminates any number of security attacks, while reducing cable clutter, i'll buy one for myself.'

    Then their geek friend helps them set it up, and goes home to the p75 that he converted into a firewall. On the way, he opens his mailbox and inside is an electric bill. He reads the bill, and does some calculations on the operating cost of the p75, and realizes that in addition to being a white-noise generator and an eye-sore, that p75 is costing him more money than it's saving. The geek goes out to the store, buys one of these firecards, installs it, and realizes that for a home solution, it's really not a bad idea.



    --
    "Don't trolls get tired?"
  3. Re:But why? by MarNuke · · Score: 5
    I'm not sure I understand the benefits of taking a small independent computer and making it dependent on another one, even if it is just for power... surely a box the same size as the card, with its own PSU and a serial port for control is more reliable? Or a 1U case for a rackmount "enterprise" one

    I doubt this will be marketed for enterprise users using CheckPoint or what not. The real market for this device is personal firewall market.

    Here's the deal. You're a UNIX security Guru. You know `ipchains` like you know perl. You don't compile kernels, you rewrite drivers. Your best buddy down the street just got that high bandwidth connection that makes you sick. It might be DSL, Cable, 10bt, or even Fiber. You know he needs a firewall. He knows he has to have one. There's no way around it. Buddy only knows AIM, pr0n, mp3's, and types http://www before every url.

    You're a good friend and you want to help him out. You have a few choices:

    You can give him one of your 486s, find 20-40 hours, build a solid firewall, and give him your pager number so he can call you when it fails. You can tell him to go with an out of the box firewall that runs on Windows and costs $19.95, which requires a machine or runs on the host machine, but you know these solutions are lame as hell. Heck, you crack the "firewalls" in your spare time! Or you can tell him to buy this card, which doesn't require that much effort, is just as secure as the standalone, and you can still have a life!!!

    --
    MarNuke
  4. But why? by Howie · · Score: 5

    I'm not sure I understand the benefits of taking a small independent computer and making it dependent on another one, even if it is just for power... surely a box the same size as the card, with its own PSU and a serial port for control is more reliable? Or a 1U case for a rackmount "enterprise" one.

    (the red PCBs look cool though :-) )

    --
    "don't fall into the fallacy of believing that Perl can solve social problems. Maybe Perl 6 can, but that's a ways off"
  5. Step backwards by Phaid · · Score: 4

    This is at best about as useful as putting a firewall in a DSL modem / router (which is not that bad an idea), but with the added disadvantage that it can't be as flexibly located since it's "in" one of the PCs on the network. I guess it's nice that you can get power from the host PC, except that if the host PC crashes and you have to reboot it then you'll have to reboot your "firewall" as well. And really, ethernet isn't so slow that you need to be able to DMA directly from your firewall to the PC over the PCI bus.

    Totally pointless product. On the scale at which this thing is designed to operate, the LinkSys and NetGear DSL/Cable/modem routers already do this sort of thing quite well and without the above mentioned disadvantages. For a single user, all of this stuff can easily be done in software using e.g. ipchains or one of the many Windows-based personal firewalls, and for any kind of office or enterprise you'll really want the flexibility and expandability of a full sized computer to serve as a firewall.

    1. Re:Step backwards by LHOOQtius_ov_Borg · · Score: 4

      Having used a number of the Windows-based personal firewall products, I can say that in the Windows arena I welcome any new product in the personal firewall area. The only software firewall I have been impressed with at all is Wingate, and even that left a lot to be desired in terms of flexibility of configuration.

      Price will be a determining factor in the appeal of this system. My company, for example, has a lot of telecommuters. If the card's network autodiscovery features work well, the default security is reasonable, and the remote admin software works well... then I will be psyched to recommend that all telecommuters who can move to DSL and this card - allowing us to just use the DSL hardware provided by the ISP and, if reasonably priced, a Firecard for each user. Users would thus have very little to do to set up their system; we have problems with this feature of our current Firewall/VPN product, especially on Windows. If Merilus got it right, and we'll test it and find out, then maybe finally the telecommuter problem is solved for IT organizations.

      Regarding the issue of rebooting, what is actually the issue is power-cycling, since the card draws power from the system but does not rely on the host OS to be up and running for the firewall and routing functions to operate. Thus, cold reboots are the issue - any form of warm reboot shouldn't affect the firewall. It does not say how long the card takes for it to boot on a power cycle, but I would suspect it's not very long. So, that "problem" is a red herring, unless Merilus is just lying about this...

      Also, especially for home users with machines that are likely both lower down on the CPU chain AND overloaded with fat programs like games and M$ Office, etc., the fact that this system does not put a heavy load on or depend upon the OS (and still does encryption for VPN and routing, hence the Crusoe chip) makes it perfect for the telecommuter situation.

      So, while the product may seem useless to you, it won't be for everyone. Telecommuters, SOHO, and probably even branch office users could get some mileage out of this product if it lives up to its billing...

      --
      o/~ we are pissed, we are pissed, we have to resist... o/~ - ec8or
  6. Firewall cards by QuantumG · · Score: 5

    Two years ago I did the embedded programming on a firewall PCI card. They had a proprietary TCP/IP stack (though I'm sure it was based on some BSD code) which they wanted ip forwarding and packet filtering from. It was a REALLY easy job. I essentially cross compiled the code and used the example code that came with the ethernet chips (there were two, which BTW, if you don't have on that card, it ain't a firewall) with 10/100 UTP ports, one for the Internet side of the firewall and the other to plug into your hub. I think they eventually abandoned the product as stupid and developed it into a sealed box firewall about the size of a matchbook. Last time I talked to them they still hadn't shipped.

    --
    How we know is more important than what we know.