Slashdot Mirror


3Com to Sell Firewall-in-a-NIC

Broue Master writes "According to a UK ZDNet article, 3Com is commercializing a firewall into a NIC aimed at desktop and servers." Interesting idea, although it'll be interesting to see if the idea catches on.

16 of 205 comments

  1. Re:Great.. by Cosmos_7 · · Score: 1, Informative

    Hardly. If you read the article you'd see that it's a $120 NIC, plus $50 for the firewall software, and requires a $1000 policy server.

    The Masses, as you put it, are not the intended audience of this.

  2. Re:Technology for its own sake by ergo98 · · Score: 2, Informative

    It isn't aimed at home users at all (though every home user should be protected by a firewall).

    To quote the article "The product is aimed at enterprises, to provide centralised control over security."

  3. I certainly won't be standing in line... by meta-monkey · · Score: 4, Informative

    I'm getting rather tired of these stripped down firewall implementations. I've used several (linksys and dlink DSL routers, and lrp), but I've always found them either

    a) buggy, or
    b) very inflexible

    For the life of me, I couldn't get the linksys box to track an incoming FTP session. The D-link router would crash if you tried to pump too much traffic through it (I was running UDP netperf tests). lrp just didn't have the features I wanted. Eventually I just scrapped it all and installed RH 7.2 on a p166, and turned off everything except iptables, roaring penguin, and ssh. It tracks all my connections just fine, forwards ports appropriately, and I've got scripts set up to restart my IPSec tunnel and re-register my IP with a dynamic DNS server every time my IP changes. I get the same throughput and latency I got through the other solutions, too. Sure, I'm doing more complicated things than most users, but even when I wasn't, the 'firewall in a box' gizmos still gave me headaches. I have a feeling a 'firewall on a NIC' would be even less flexible...

    --
    We don't have a state-run media we have a media-run state.
  4. Re:Great.. by magicslax · · Score: 2, Informative

    Now firewalls are available to the masses who don't know what they are!

    No news there. Windows XP has a bundled software firewall and many consumer routers tout built-in firewalls as well. The main significance is the NIC taking the (nominal) load off the rest of the system and allowing greater control of user terminals, I believe. Now, the article :-) says a selling point of this dealy is that computers with it installed can only connect to trusted addresses /on the hardware level/. "The device also makes it harder to misuse corporate equipment by plugging it in in the wrong place" or CONTROL, you be the judge. Somebody correct me if [when] I'm wrong.

  5. Hmmm. Interesting reutilization. by irregular_hero · · Score: 5, Informative
    The article indicates that the NIC in question is the 3CR990, which, up until this point, has been the "encryption offload" high-performance NIC. The firewall simply replaces the onboard encryption "soft"-ware with something that handles packets a little differently. I find it fascinating that the NIC is simply "reloaded" with appropriate software that can directly alter its core function. It would be really intriguing to figure out just how this is done on the card.

    What is especially interesting is what is loaded: Secure Computing's Gauntlet firewall product (yes, it is originally derived from the old TIS stuff, but has been commercially, er... hydrogenized :) ). This would seem to indicate that the card can support applications that weren't written for it, e.g., it can use software whose platform has been retargeted in compilation (well, at least it implies that).

    I wonder what other derived applications could be loaded into that space? Hmmm... the mind wanders...

    You thought I was going to mention a Beowulf cluster, didn't you? Shame on you. No cookie for you.

    1. Re:Hmmm. Interesting reutilization. by mlyle · · Score: 2, Informative
      These cards are actually based on Broadcom's 5703 MAC, aka "Tigon III". The Tigon chipset is really rather cool, in that it includes dual MIPS cores running at high speed. This enables all of their "value-added" features, like encryption assist, firewalling, and TCP segmentation acceleration.

      If you can write MIPS assembly, you can run anything that you can fit into 64k on this card.

    2. Re:Hmmm. Interesting reutilization. by MoreBeer · · Score: 3, Informative

      Got an email asking if I wanted to beta one. Replied sure (duh, more geek-toys), and a rep called me. Currently, only Win2K drivers are out (again, duh... Who needs an embedded firewall more than a Windoze box?) but Linux drivers are right behind. So far, there are 2 NICs, a 'server' class NIC and a 'workstation' class NIC. The differences aren't throughput; it's the capacity for 'rulebases'. Forthcoming are PCMCIA NICs (great for end users who VPN in and are exposed to the 'Net), and potentially a combo 56K/NIC in the next year.

      All in all, should be pretty cool for people like me stuck in the corporate world.

  6. Re:"Central Policy Server"... by Anonymous Coward · · Score: 1, Informative

    3 Policy Servers can be in a load balancing and redundant configuration. If one policy server goes down, the other two pick up the slack. The whole network doesn't go "haywire" if all 3 of them go down... each NIC that was up and running will continue to run with its established policies.

    Should all 3 policy servers be down, then the NICs will go into a pre-defined fallback policy until the policy servers come back up. You can fail open, closed, and in the near future, to the last policy you had.

  7. The target is probably... by Hecatonchires · · Score: 2, Informative

    Anyone who uses multiple DMZ's in their network. With a lot of servers. I'm thinking hosting companies that want to ensure their clients only get the services they pay for.

    --

    Yay me!

  8. Already happened by aridhol · · Score: 5, Informative

    Merilus already has a FireCard.
    It isn't quite the same, but it exists.

    --
    I can't say that I don't give a fuck. I've just run out of fuck to give.
  9. Re:Doesn't make any sense by 56ker · · Score: 3, Informative

    In answer to your questions the answer is: 1) Yes 2) Yes - but not in all cases. 3) No. 4) Well if one computer gets infected - say through an employee getting an infected e-mail it means it doesn't spread to the rest of the network (a good thing).

  10. Re:Doesn't make any sense by Anonymous Coward · · Score: 1, Informative

    It could be used as a second layer of defence when combined with a perimeter firewall. (Good security practice, don't rely on one single device to provide security).

    It can be used as access control, only allowing client devices to go to certain places on your network. (ie: kiosk in the lobby only needs to surf through proxy server 1.1.1.1:8080, all else is denied).

    Protect desktops w/ confidential information (Human Resources, Finance, etc.)

    It can be used to harden servers. Many companies take the "tootsie pop" approach to security. Hard shell, gooshey center. This way, you open a couple of ports on a server, potentially not allow it to initiate connections to other boxen, etc.

    Maybe the server is co-located at an ISP. You still control the rules.

    Even if the server is owned, the machine itself has no control over its security policy. That only happens from a central management station.

    There are lots of uses for these NICs - just depends on where your security need is.
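    A small Python model of the behaviour described in comment 6 (a NIC that keeps taking heartbeats from any of several policy servers and drops to a pre-defined fail-open, fail-closed or last-policy fallback when all of them go silent) and comment 10 (a kiosk that may only reach proxy 1.1.1.1:8080, everything else denied, with the policy held outside the host's control). This is an added illustration, not 3Com's or Secure Computing's code; the rule format, server names, timeout, packet tuples and the `EmbeddedFirewall` class are all constructed for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Rule:
    """One entry of a NIC rulebase (constructed format, first match wins)."""
    action: str               # "allow" or "deny"
    proto: str                # "tcp", "udp" or "any"
    dst_net: str              # CIDR the destination address must fall in
    dst_port: Optional[int]   # None matches every port

    def matches(self, proto: str, dst_ip: str, dst_port: int) -> bool:
        if self.proto != "any" and self.proto != proto:
            return False
        if ip_address(dst_ip) not in ip_network(self.dst_net):
            return False
        return self.dst_port is None or self.dst_port == dst_port


# Constructed policies. A policy with no matching rule denies the packet,
# so the kiosk policy is "proxy only" and the fail-closed policy is "nothing".
KIOSK_POLICY: List[Rule] = [Rule("allow", "tcp", "1.1.1.1/32", 8080)]
FAIL_OPEN_POLICY: List[Rule] = [Rule("allow", "any", "0.0.0.0/0", None)]
FAIL_CLOSED_POLICY: List[Rule] = []


class EmbeddedFirewall:
    """Hypothetical NIC-side enforcer: the host can only feed it packets,
    never change the policy; policy and heartbeats come from the servers."""

    def __init__(self, fallback: str = "closed", heartbeat_timeout: float = 30.0):
        if fallback not in ("open", "closed", "last"):
            raise ValueError("fallback must be 'open', 'closed' or 'last'")
        self.fallback = fallback
        self.heartbeat_timeout = heartbeat_timeout
        self.policy: Optional[List[Rule]] = None   # last policy pushed by a server
        self.last_seen: Dict[str, float] = {}      # server name -> last heartbeat

    def push_policy(self, server: str, policy: List[Rule], now: float) -> None:
        """A policy server installs a new rulebase (counts as a heartbeat)."""
        self.policy = list(policy)
        self.last_seen[server] = now

    def heartbeat(self, server: str, now: float) -> None:
        self.last_seen[server] = now

    def servers_reachable(self, now: float) -> bool:
        """Any one live server out of the redundant set keeps the NIC 'managed'."""
        return any(now - t <= self.heartbeat_timeout for t in self.last_seen.values())

    def effective_policy(self, now: float) -> List[Rule]:
        if self.policy is not None and self.servers_reachable(now):
            return self.policy
        # every server silent: use the pre-defined fallback
        if self.fallback == "open":
            return FAIL_OPEN_POLICY
        if self.fallback == "last" and self.policy is not None:
            return self.policy
        return FAIL_CLOSED_POLICY

    def decide(self, proto: str, dst_ip: str, dst_port: int, now: float) -> str:
        for rule in self.effective_policy(now):
            if rule.matches(proto, dst_ip, dst_port):
                return rule.action
        return "deny"   # default deny when no rule matches


def demo() -> Dict[str, str]:
    """Walk the kiosk NIC through a server outage; returns the decisions."""
    fw = EmbeddedFirewall(fallback="closed", heartbeat_timeout=30.0)
    fw.push_policy("policy-server-1", KIOSK_POLICY, now=0.0)
    out = {
        "proxy while managed": fw.decide("tcp", "1.1.1.1", 8080, now=5.0),
        "other port while managed": fw.decide("tcp", "1.1.1.1", 80, now=5.0),
        "dns while managed": fw.decide("udp", "10.0.0.5", 53, now=5.0),
    }
    fw.heartbeat("policy-server-2", now=40.0)   # server 1 silent, server 2 alive
    out["proxy after failover"] = fw.decide("tcp", "1.1.1.1", 8080, now=50.0)
    out["proxy after total outage"] = fw.decide("tcp", "1.1.1.1", 8080, now=100.0)
    return out


if __name__ == "__main__":
    for label, verdict in demo().items():
        print(f"{label}: {verdict}")
```

    Note that with `fallback="closed"` the kiosk loses even its proxy once every server has been silent for longer than the timeout, which is the safe but disruptive choice the commenter contrasts with fail-open; `fallback="last"` keeps enforcing the kiosk rulebase through the outage without opening anything new.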

  11. Re:Doesn't make any sense by driftwood · · Score: 2, Informative
    Wouldn't it make sense to have the "firewall" on the borders of your network, rather than in the middle?

    The most common implementation is to use a single firewall to protect a network. This configuration also provides a single point of failure. If a cracker can get past the single firewall, he can mount attacks on any internal systems.

    With a firewall on every machine and a general network firewall, you have a layered defense that is exponentially harder to subvert. It will also help stop internal attacks by employees, which are much more likely to succeed than external attacks.

    The main reason that per machine firewalls are not a common practice is the administration overhead for a heterogeneous network. Putting the firewall in an OS independent and inexpensive hardware implementation might change this.

    --
    Where are we going? And why am I in this handbasket?
  12. Re:Interesting Idea by Anonymous Coward · · Score: 1, Informative

    Software firewalls... HAHAHA. That's funny. You can't rely on software to protect an OS that has holes in it already. If code can circumvent the OS, it has complete control over the software running on that OS, including software firewalls or antivirus.

    You can't rely upon a software firewall when readily-available, freely-downloadable, simple programs can take it completely out? These trojans and viruses can take out software firewalls today:

    OptixPro
    OptixLite
    OptixKiller
    Buschtrommel
    Y3kRAT
    Pentagoner

    Plus more. Embedded Firewall is hardware-based. Because all of the firewalling functions happen in hardware, they are completely independent of the host operating system. Even if you circumvent the host OS, you will never be able to change your own security policy.

  13. Re:"Central Policy Server"... by jandrese · · Score: 4, Informative

    That's not the way these cards work. I've been testing the cards for some time now and you don't need any fancy network equipment (other than the cards themselves) to set this up. The Policy Server here is a Windows application (downside: no automation ability in the beta I had, not even a simple scripting engine). Configuration is sent over the network as special UDP (I think) packet.

    The card has a few oddities nonetheless. First, when you install these cards, you need to build an "install image" on the policy manager. You then have to run that after you put the card in the machine to flash its firmware (the cards send heartbeats back to the Policy Server, so they have to know where to send them). In effect, your users always have to download an install from your network to set up their cards, they can't just go out to the web and grab one. Fortunately the card works as a regular NIC before you flash it.

    This card also includes IPSEC offload for people running VPNs and the like. I never actually got it to work, but it's supposed to do the encryption in hardware. Apparently the firewall sits OUTSIDE of the ipsec traffic though, so all it sees are the encrypted packets, which limits its usefulness considerably.

    All in all the cards are OK, not superb yet (that management console is very click intensive to use), and reasonably cheap for their target market. I think they stand a good chance of taking off, especially as corporate security folks notice that these are the perfect replacement for the ubiquitous software firewalls in use today.

    One more thing I thought would be amusing. If someone were to steal your machine and turn it on elsewhere without noticing what card you have, the security folks would immediately know where their machine went.

    --

    I read the internet for the articles.
  14. Re:Who's the target? by demaria · · Score: 3, Informative

    Internal attackers.

    Disgruntled employees. Fired employees. Untrustworthy people on the inside trying to access payroll systems.

    (avoiding debate between hardware vs software firewalls here)