3Com to Sell Firewall-in-a-NIC
Broue Master writes "According to a UK ZDNet article, 3Com is commercializing a firewall built into a NIC, aimed at desktops and servers."
Interesting idea, although it'll be interesting to see if the idea catches on.
Now firewalls are available to the masses who don't know what they are!
I can only imagine the long line of emotionally shattered English teachers that Taco left in his wake.
If you're THAT concerned about security or engaging in online activity that is THAT high risk, then get a real firewall. Aside from that if you're connected to the net through a NIC, then you're probably protected by a firewall anyway, which renders the technology even more pointless.
if every service listening to ports was secure to start with.
Sounds like it's using some proprietary protocols. Also, the network card will not work if plugged into a different switch. You'd better trust 3Com a lot if you use this stuff.
A $170 NIC? I don't think we'll see this in consumer systems anytime soon but it's the right idea.
It sounds like a good idea, but it seems to me like just a fancy way to sell you another server to have to manage. A central server for your NIC cards? That's the last thing that I want to have to deal with. I would be curious to see benchmarks against something like this and a traditional firewall.
Sigs are out of style, so I'm not going to use one...oh wait..
- Interesting idea, although it'll be interesting to see if the idea catches on.
Shouldn't there be a preview button when submitting stories, and a sarcastic remark if you don't use it?
Full Packaged Product $1,079 US
Version Upgrade $549 US
Now I usually troll for Microsoft, but even I have to laugh at that!
Can I get that in a 10Mb ISA version?
Seriously, they should start with the gigabit version.
I can see the advantage of putting that in hardware (firmware?).
.. if the OS is good then nobody without proper permissions can change the firewall rules anyway!
But I don't believe it can be useful in filtering outgoing packets; how can it tell what program or user is sending it.
Because of that I think that software based solutions are better.
And besides
nuff said
If all this should have a reason, we would be the last to know.
I'm getting rather tired of these stripped-down firewall implementations. I've used several (Linksys and D-Link DSL routers, and LRP), but I've always found them either
a) buggy, or
b) very inflexible
For the life of me, I couldn't get the Linksys box to track an incoming FTP session. The D-Link router would crash if you tried to pump too much traffic through it (I was running UDP netperf tests). LRP just didn't have the features I wanted. Eventually I just scrapped it all and installed RH 7.2 on a P166, and turned off everything except iptables, Roaring Penguin, and ssh. It tracks all my connections just fine, forwards ports appropriately, and I've got scripts set up to restart my IPSec tunnel and re-register my IP with a dynamic DNS server every time my IP changes. I get the same throughput and latency I got through the other solutions, too. Sure, I'm doing more complicated things than most users, but even when I wasn't, the 'firewall in a box' gizmos still gave me headaches. I have a feeling a 'firewall on a NIC' would be even less flexible...
We don't have a state-run media we have a media-run state.
Firewall is the next buzzword. Remember "MultiMedia"? LOL. Glad my computer is a "MultiMedia" computer. Haha! Too bad I don't have a Pentium 4 though... according to Intel it's required to experience the Internet properly.
My favorite quote from IRC 6 years ago: "Quick! Can someone send me a firewall? Someone is trying to nuke me."
*sigh. I wish I had the marketing talent to exploit the clueless and become rich...
--pingu
In a corporate environment, wouldn't all your computers be talking to the internet through a router, anyway? Wouldn't it make sense to have the "firewall" on the borders of your network, rather than in the middle? Isn't that what the term "firewall" means?
Or is this to implement security against other clients on the same local network?
I'm confused.
-Mark
The only people who are going to buy these are people who are fairly security-conscious anyway.
In related news, I hear that Sonicwall will have a VPN/Firewall in a PCMCIA card later this year.
"Have you ever thought about just turning off the TV, sitting down with your kids, and hitting them?"
This sounds a lot like the Merilus FireCard. It does firewall, VPN, etc. It's been out for quite a while, but it costs quite a bit more.
Interesting idea, although it'll be interesting to see if the idea catches on.
That's interestingly a very interesting comment that piqued by interest in this interesting subject of interest. What I'm more interested in knowing is if any other interesting people are interested in this interesting idea? Because if there are interesting people interested in this interesting idea, well, I almost hesitate to say it, I'd be interested!
Who needs a firewall nic that needs a central policy server? Anyone who can connect to the central policy server is probably already behind the firewall.
Remote users? They all use laptops.
What's that leave?
Yes, CmdrTaco, although it is interesting, nevertheless, it will be interesting to see what happens with it.
Karma: Good (despite my invention of the Karma: sig)
Does sound interesting, but if you have even modest connections, you can pick up an old Pentium for around 20 bucks. Plenty of preconfigured Linux packages with firewalling options, right?
Considering you can make a firewall/router for so little, 120 bucks for a NIC card seems a little pricey. Although, if it works well and isn't a hassle to set up, I suppose it's a good solution. Also good if you don't have the know-how or desire to set up a whole system.
Ansi's and stupid tricks!
What is especially interesting is what is loaded: Secure Computing's Gauntlet firewall product (yes, it is originally derived from the old TIS stuff, but has been commercially, er... hydrogenized :) ). This would seem to indicate that the card can support applications that weren't written for it, e.g., it can use software whose platform has been retargeted in compilation (well, at least it implies that).
I wonder what other derived applications could be loaded into that space? Hmmm... the mind wanders...
You thought I was going to mention a Beowulf cluster, didn't you? Shame on you. No cookie for you.
...but then I remembered I'm filthy rich, have a beautiful fiancee who loves me, and get to edit Slashdot for a living. See ya in the funny pages, loser.
-Rob Malda
suXor my diXor
I know they were working on policy based systems like this for quite a while.
Of course, different such ads, such as s/Kats Book/Slashdot subscription/ could be suggested -- I welcome all your feedback, simply reply to this message!
Anyone who uses multiple DMZ's in their network. With a lot of servers. I'm thinking hosting companies that want to ensure their clients only get the services they pay for.
Yay me!
For those who complain about Taco's comment, give him a break. He was in a rush to post the advertisement of the day.
Ensuring everybody in their cubicles is only running the software they are meant to. No IM clients, no P2P, only their proprietary little enterprise database querying tool. And Outlook. [This is a corporate office]
Yay me!
Although the concept sounds cool, I am a little wary of moving away from a centrally based firewall that sits in front of the servers.
However, the concept has extreme merit if used in conjunction with contemporary firewall solutions already in place. It would definitely add an extra layer of security to the network if properly managed. That then brings the only bad point I can think of right off the top of my head, which would be the headache involved in managing so many different firewall configurations. It might turn out to be more of a headache than it is really worth for the sysadmins in charge of a given network.
"Help me Obi-/.-Kenobi,your my only hope!" -$
Shit man, you just don't stop! I mean it, DON'T STOP.
Assuming you are the AC that's been posting things to do today consistently for some time now (see, nobody can know because you're an AC), i want to ask - have you NEVER considered logging in though, so that others might track your genius? My esteemed colleague YourMissionForToday has had a discussion about this very topic for a while, and I'd even recommended that he take over. But, being a troll/crapflooder of the utmost caliber often requires dedication to other matters beyond our means, so I haven't seen many things to do today from him in recent days.
whatever man, I am likewise too busy to deal extensively with such distractions, since i have things to do today:
1. Elevate my mind
2. Go higher
http://slashdot.org/comments.pl?sid=31130&cid=3
EBAY SAFETY TIPZ!
Then he pulls out a container.
Nuts and Gum: Together at last!
/^[A-Z0-9._%+-]+@[A-Z0-9.-]+\.[A-Z]{2,4}$/i
Merilus already has a FireCard.
It isn't quite the same, but it exists.
I can't say that I don't give a fuck. I've just run out of fuck to give.
3Com
I do see this as having some use. While a firewall can be useful for protecting from attack from outside, what about attacks from inside? What happens if a user brings in a worm on a floppy that goes after all the machines on the network? The best configured firewall between your network and the internet won't help you. Having a firewall protecting each PC could help prevent infection throughout the whole LAN. Just my $.02
"It's like netbios except different!"
A card like this should be required for anyone connecting a Windows box (or even a novice connecting a Linux box) with a high-speed link to the Internet.
Don't get me wrong, I'm sure there are a few people here who know how to configure a proper firewall, but most people with cable modems, DSL connections, or other high-speed access at home have no idea how to harden their desktop machines. What's worse, they run dangerously vulnerable email programs such as Outlook and use web browsers such as Internet Explorer. This opens them up to a wide variety of very vicious viruses, worms, and other nice programs which can be used to gain access to their computers and turn them into little more than bandwidth machine-guns.
With a network card such as this shipping in a relatively locked-down state, it would be easier to detect and block attacks originating from a compromised computer. Unfortunately, I can't smack every clueless computer user on the Internet upside the head with one of these things. Because of this, I'm sure things will only get worse before they get better.
- A.P.
"Remember when the U.S. had a drug problem, and then we declared a War On Drugs, and now you can't buy drugs anymore?"
Interesting -- I wonder if they wrote their own policy server, or are OEM'ing someone else's stuff? There are several vendors who have products in this space: Zone Labs Integrity, Sygate Secure Enterprise, Symantec Enterprise Security Manager, F-Secure Policy Manager, and probably some others I've forgotten.
The tricky thing is writing a server that integrates well with existing back-end security and authentication infrastructure: having a bunch of standalone systems really sucks from a management point of view. Depending on how the client/agent/firewall (in software or firmware, as on a NIC) is structured, it may be possible to mix and match vendors in the future. (For example, another vendor's server monitoring these 3com NICs.)
The protocols themselves don't really need to be proprietary to the point of precluding interoperability: most are based on good solid Internet/IETF standards like IPSec, SSL, TCP, XML, etc. (Full disclosure: I was the system architect for Zone Labs Integrity.) If the protocols could be standardized, I could easily see ZLI serving policy to the various firewall-enabled gadgets out there, as the server is easily extensible.
I guess I just want to see things interoperate, but that's probably just because I'm an old Unix hacker....
Firewall in a NIC??? Nothing new here. We've been using them for a few months now. A company called Merilus has been making them for a while. It runs an embedded form of Linux. It has tons of features for a firewall on a PCI card and best of all, it's made in Chilliwack, BC, Canada. Gotta love the name. Check it out... www.merilus.com
I received a mailer from 3com recently advertising this very card, offering one of them to institutions as a freebie if the institution qualified. The mailer itself was a piece of work: You had to unfold it to find out what it was, and on each of the folds was the word "ping". When you got to the center of it, it had something about being hacked, and then the rest of the ad talked about getting this piece of equipment for your protection, etc.
Argh, I forgot my login, damn it!
I've got one sitting on my desk. It's a 3c90x card. Works as a regular NIC; the firewall functions only run under Win NT, 2k, XP (Linux drivers planned, so I'm told). It needs to contact a rules server (again, Win* based). That server does not need to be on the same subnet, just accessible over the network.
We looked at them for home users with corporate PCs. Control who they connect to with company property, etc. No verdict yet. maX_
Obviously a card of this nature will have to have some flexibility to it. If you wish to configure the card, say to deny an address, does it flash some form of memory on the chip or would the settings be put into the driver, software based? If it's done through the driver, I'd rather just run some form of personal firewall software and use a $5 NIC from Pricewatch. Cool concept though.
As for the guy above who remarked about how silly it was to require these things to be configured by a central console, he obviously hasn't been the firewall management staff at a large company. A central console is the _only_ way to fly if you have a large number of firewall policy engines to manage. Otherwise, the flagpoles in front of most buildings would be draped with suicidal firewall admins wanting to end it all. :>
(Besides, it's not like there isn't a central console for iptables/ipchains that works pretty well -- a firewall need not be a standalone unit with a custom policy all its own to be secure. Sometimes, it's more secure to provide an administrator with an easy way to avoid screwups.)
I beta tested this for 3Com and Secure Computing a year ago--guess the cat is out of the bag now so I'll talk a bit about this nifty product.
The NICs have onboard 3DES crypto accelerators and talk via an encrypted channel to policy servers that in turn are all then handled by a centralized management console. So from one place, you can distribute NIC firewall policies to the policy servers on different networks, which then distribute the firewall policies to the cards. The onboard accelerators and manual keying basically enable you to create a corporate VPN that allows ONLY these keyed cards to operate on the network--theoretically.
There is a server version and a client version of the card. The client can handle 16 rules, the server 32 rules. At the time of the beta test, the onboard firewalls were not stateful, but that was to be implemented.
Now the cool stuff: The user can't tamper with the card or its firewall ruleset--it's centrally managed. Should the user try, the card "breaks" and denies all traffic--with the exception of traffic from the policy server. And policies can be applied remotely to the client controlling OUTBOUND communication. For example, if users ONLY get to browse the web, then you ONLY allow outbound port 80. No audiogalaxy for you. Additionally, these cards remotely log policy violations to the centralized server. And you can remotely TURN OFF the card from the centralized server. Suspect a machine is compromised? Remotely disconnect it from the network by telling the card to disallow all traffic (except from the policy server of course).
The bad stuff: Windows only at the time of beta testing, although Linux and Solaris support was planned. Control software runs on Windows only. And the cards can only be configured via the management software--which was a completely different beast you had to purchase, and the cost depends on the scale of your EFW deployment.
This info may have changed since last year as well, so take it all in stride.
Overall, I think the cards are great to deploy for select critical Windows servers or public lab resources you want to lock down a bit. It would be nice to have the ability to buy a server card, stick it in a Linux box, and use some floppy util to configure some basic rules that get burned to firmware. Disregarding OS compatibility, these cards seriously rock, and should be added to any "defense in depth" arsenal, IMO.
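A small model of the enforcement semantics the beta tester describes (rules pushed only from the policy server, 16/32 rule caps, outbound port 80 only, fail-closed on tamper or remote disable, policy-server traffic always allowed, violations logged), added here as an illustration and not 3Com's or Secure Computing's code. It identifies the policy server by address instead of by the card's keyed 3DES channel, and every address and port below is constructed.

```python
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    """One firewall rule as the policy server would push it to a card."""
    direction: str          # "in" or "out", as seen from the host
    proto: str              # "tcp", "udp" or "any"
    port: Optional[int]     # None matches any port
    action: str             # "allow" or "deny"

    def matches(self, direction: str, proto: str, port: int) -> bool:
        return (self.direction == direction
                and self.proto in ("any", proto)
                and self.port in (None, port))


@dataclass
class EmbeddedFirewallNic:
    """Simulated card state; the host itself never edits the ruleset."""
    kind: str                        # "client" (16 rules) or "server" (32 rules)
    policy_server: str               # constructed address of the trusted policy server
    rules: List[Rule] = field(default_factory=list)
    tampered: bool = False           # set when anyone but the server touches the policy
    disabled: bool = False           # set by a remote "turn off the card" command
    log: List[str] = field(default_factory=list)   # violations reported upstream

    RULE_CAP = {"client": 16, "server": 32}

    def load_policy(self, rules: List[Rule], pushed_by: str) -> bool:
        """Accept a ruleset only from the policy server; anyone else 'breaks' the card."""
        if pushed_by != self.policy_server:
            self.tampered = True
            self.log.append(f"tamper attempt from {pushed_by}; card now denies all traffic")
            return False
        if len(rules) > self.RULE_CAP[self.kind]:
            self.log.append(f"rejected policy: {self.kind} card holds at most "
                            f"{self.RULE_CAP[self.kind]} rules")
            return False            # previous ruleset stays in force
        self.rules = list(rules)
        return True

    def remote_disable(self, pushed_by: str) -> None:
        """Management console isolates a host it suspects is compromised."""
        if pushed_by == self.policy_server:
            self.disabled = True

    def permit(self, direction: str, proto: str, port: int, peer: str) -> bool:
        """Decide one packet the way the card would, logging every drop as a violation."""
        if peer == self.policy_server:   # management channel always passes
            return True
        if self.tampered or self.disabled:
            self.log.append(f"drop {direction} {proto}/{port} peer={peer}: card isolated")
            return False
        for rule in self.rules:          # first matching rule wins
            if rule.matches(direction, proto, port):
                if rule.action == "allow":
                    return True
                break
        self.log.append(f"violation: {direction} {proto}/{port} peer={peer}")
        return False                     # default deny


def web_only_client_demo() -> dict:
    """The scenario from the post: a client that may only browse the web."""
    nic = EmbeddedFirewallNic(kind="client", policy_server="10.0.0.5")
    nic.load_policy([Rule("out", "tcp", 80, "allow")], pushed_by="10.0.0.5")
    results = {
        "web": nic.permit("out", "tcp", 80, "203.0.113.9"),
        "p2p": nic.permit("out", "tcp", 6346, "198.51.100.7"),  # denied and logged
        "mgmt": nic.permit("in", "tcp", 4000, "10.0.0.5"),      # policy server, any port
    }
    # A push from anything other than the policy server trips the fail-closed state.
    nic.load_policy([Rule("out", "any", None, "allow")], pushed_by="192.0.2.1")
    results["after_tamper"] = nic.permit("out", "tcp", 80, "203.0.113.9")
    results["violations"] = len(nic.log)
    return results
```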
wow.
"The NIC costs $120 list price, and the embedded firewall is another $50 for each client. The policy server costs $1000."
For fifty dollars per client I would be happy to configure a firewall through remote access using free software and a $15 NIC.
I hate to admit it, but I'm getting envious. While I'm having difficulties finding a job as a Linux admin - probably because companies here in Germany fear to employ me with my 57 years, the big companies are charging $50 per client for some crypto-interface software.
Obviously hardware sells better than humans.
Get more of those SSN's from here.
A consumer version of this,(with a dumbed up ui) would probably do well with home broadband providers. A lot of them will provide NICs anyway. Offer Joe consumer the (added value, of course) option of *hardware firewalling* and badda bing.
You can deposit my check with Pay-Pal, Time Warner...
-= jester =-
The eternal war. Given enough time, you can secure 1000 boxes (turn off all un-needed services for the application(s) that this box needs to run, apply all the patches to those apps, tune the OS tightly...) Takes quite a while.
Or (says the 3Com salesperson) you can just spend some money. Central server says this box can only talk on this (short) port|protocol list. Everything else is dropped at the interface; it doesn't even get to the kernel.
Sure, there are things you can do on a large scale to make securing boxes much easier (jumpstart, kickstart, whatever NT calls it, to get a secure base install, etc), but you still have to deal with patching individual boxes.
If I have to deploy a lot of computers in an actively hostile environment, something like this would be very nice.
Zapman
sounds like an excellent idea to me. add to this a cable/DSL modem, all in one card.
maybe the next thing we see will be a little UPS-in-a-power-supply combo thingy.
that would cut down on a lot of clutter for me, lose a couple more boxes under the desk, and three or four cables.
- Entertaining Bits from the Ancient Kernel Tree
... I suggest everyone get a few of these :P
presumably Gauntlet since it's their only firewall product
Wrong. It's only their latest firewall. Their Sidewinder product has been around since 1994 or so.
Spiritus ex Machina
"The universe is not only stranger than we imagine, it's stranger than we CAN imagine."
I just hope they include the ability to disable this feature. I can see numerous connectivity problems and difficult troubleshooting ahead...
Does this mean you will be unable to ping the loopback address???
Will you have to swap the card out to see whether the firewall on the card is playing up?
Jeeezus
99.997% of the problems with OpenNap, Gnutella and the like are people not opening their firewalls to allow sharing of the files they SAY they are sharing. You try to download from them and you never connect, the push happens over and over.... you'll never get the file because the firewall is closed.... your request never gets there.
I personally think the OpenNAP servers and Gnutella apps need to self terminate the connections if such a condition is found with a "Open your firewall on Port XXXX and YYYY and this program will start to operate again."
Do not look at laser with remaining good eye.
Now if they could put 10/100/1000 + Firewall + NIDS on a NIC (with say 64MB flash for logging purposes) that'd be interesting, albeit expensive. But in that case I'd just wait for it to come down to a reasonable price and be integrated into the chipset of the latest & greatest motherboards.
Here's a link:
http://www.securecomputing.com/index.cfm?skey=7
to more marketing "collateral" about the 3Com Embedded Firewall than most of us would ever want to see. But it does provide a corporate-world view of the "why" of embedded firewalls. (Merilus, 3Com, or whoever may come along next)
Spiritus ex Machina
"The universe is not only stranger than we imagine, it's stranger than we CAN imagine."
My, what an outpouring of emotion! What's the matter, Did I strike a nerve, jealous boy?
Let's Review:
Me: Rich
My Life: Great
My Job: Cushy
You: Loser
Here's hoping you lose your virginity soon, it might help you with your anger problems. Bye now. - Rob
Not all firewalls just pass port 80 and don't examine the packets.
:)
I know Secure Computing's Sidewinder analyzes the packets, and some application level ones may as well. I also think even Checkpoint has an addon that gives this facility.
So what now? Stories have to be "well-aged" before they are posted?
Maybe this site should be called: "Slashdot: news for procrastinators. Stuff that's ancient."
Seriously. What's the point of us hunting down stories to post if they're gonna do this? Go ahead and mod me down, but you know I'm right.
"A plan fiendishly clever in its intricacies"- Homer Simpson
been doing the firewall on a card for a long time.
http://merilus.com/products/
I'm seeing this debated on here a lot. The problem is that you're ASSUMING that the "bad guys" are on the other side of your network.
What some of you don't realize is that some of the worst offenders of "hacking" or "people being where they shouldn't" (sorry, couldn't think of a better way to say it) are INSIDE your network. There are a lot of users that might be "just looking around" on the network, but they can cause problems unintentionally.
This example might be harsh, but everyone here remembers the TV commercial where the users say "I'm off to crash the server" or "I'm about to take user error to the next level".
Bad things can happen on the inside, too!
"A plan fiendishly clever in its intricacies"- Homer Simpson
Why was this modded up as funny? I thought it was interesting.
As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
I'm waiting for distributed.net to release a client for it...
Most security conscious people don't like to run services on their firewall and are VERY judicious as to what they will run on machines behind the firewall.
By integrating the firewall into the network card you can effectively save the cost of an entirely separate firewall server, since, in effect, the network card itself is the firewall server and the machine its plugged into is simply a client.
This card is useless for anyone with a reasonably sized network (obviously). It is great for people with a minimal (likely one) number of machines who want a firewall but don't want to shell out the $$$ for another machine (the people this will be targeted to won't be people smart enough to buy a 486 and repair it into shape for a firewall).
What if it's a perfectly secure service but you want to limit it to an internal netblock anyway? If the service doesn't have that feature built into it (because they traded features for security) then you have no choice but to use a firewall.
A firewall is a concept, not a (single) hardware device. And in the case of 3Com the so-called firewall NICs are actually intended to be used in a centralized security concept, not as autonomous systems. These cards turn your whole enterprise network into "The Firewall", which is a good idea IMHO. Desktop systems I use have long had their own packet filter, though they are what an unsuspecting person would call "behind" the firewall.
Hi
policy server hehe that controls everything
hack 1 hack all ?