Slashdot Mirror

← Back to Stories (view on slashdot.org)

3Com to Sell Firewall-in-a-NIC

Posted by CmdrTaco on from the better-make-sure-they're-secure dept.

Broue Master writes "According to a UK ZDNet article, 3Com is commercializing a firewall into a NIC aimed at desktop and servers." Interesting idea, although it'll be interesting to see if the idea catches on.

12 of 205 comments (clear)

  1. Re:Technology for its own sake by ergo98 · · Score: 2, Informative

    It isn't aimed at home users at all (though every home user should be protected by a firewall).

    To quote the article "The product is aimed at enterprises, to provide centralised control over security."

  2. I certainly won't be standing in line... by meta-monkey · · Score: 4, Informative

    I'm getting rather tired of these stripped down firewall implementations. I've used several (linksys and dlink DSL routers, and lrp), but I've always found them either

    a) buggy, or
    b) very inflexible

    For the life of me, I couldn't get the linksys box to track an incoming FTP session. The D-link router would crash if you tried to pump too much traffic through it (I was running UDP netperf tests). lrp just didn't have the features I wanted. Eventually I just scrapped it all and installed RH 7.2 on a p166, and turned off everything except iptables, roaring penguin, and ssh. It tracks all my connections just fine, forwards ports appropriately, and I've got scripts set up to restart my IPSec tunnel and re-register my IP with a dynamic DNS server every time my IP changes. I get the same throughput and latency I got through the other solutions, too. Sure, I'm doing more complicated things than most users, but even when I wasn't, the 'firewall in a box' gizmos still gave me headaches. I have a feeling a 'firewall on a NIC' would be even less flexible...

    --
    We don't have a state-run media we have a media-run state.
  3. Re:Great.. by magicslax · · Score: 2, Informative

    Now firewalls area available to the masses who don't know what they are!

    No news threre. Windows XP has a bundled software firewall and many consumer routers toute built in firewalls as well. The main significange is the NIC taking the (nominal) load off the rest of the system and allowing greater control of user terminals, I believe. Now, the article :-) says a selling point of this dealy is that computers with it installed can only connect to trusted adresses /on the hardware level/. "The device also makes it harder to misuse corporate equipment by plugging it in in the wrong place" or CONTROL, you be the judge. Somebody correct me if [when] I'm wrong.

  4. Hmmm. Interesting reutilization. by irregular_hero · · Score: 5, Informative
    The article indicates that the NIC in question is the 3CR990, which, up until this point, has been the "encryption offload" high-performance NIC. The firewall simply replaces the onboard encryption "soft"-ware with something that handles packets a little differently. I find it fascinating that the NIC is simply "reloaded" with appropriate software that can directly alter its core function. It would be really intruiging to figure out just how this is done on the card.

    What is especially interesting is what is loaded: Secure Computing's Gauntlet firewall product (yes, it is originally derived from the old TIS stuff, but has been commercially, er... hydrogenized :) ). This would seem to indicate that the card can support applications that weren't written for it, e.g., it can use software whose platform has been retargeted in compilation (well, at least it implies that).

    I wonder what other derived applications could be loaded into that space? Hmmm... the mind wanders...

    You thought I was going to mention a Beowulf cluster, didn't you? Shame on you. No cookie for you.

    1. Re:Hmmm. Interesting reutilization. by mlyle · · Score: 2, Informative
      These cards are actually based on Broadcom's 5703 MAC, aka "Tigon III". The Tigon chipset is really rather cool, in that it includes dual MIPS cores running at high speed. This enables all of their "value-added" features, like encryption assist, firewalling, and TCP segmentation acceleration.

      If you can write MIPS assembly, you can run anything that you can fit into 64k on this card.

    2. Re:Hmmm. Interesting reutilization. by MoreBeer · · Score: 3, Informative

      Got an email asking if I wanted to beta one. Replied sure (duh, more geek-toys), and a rep called me. Currently, only Win2K drivers are out (again, duh... Who needs an embedded firewall more than a Windoze box?) but Linux drivers are right behind. So far, there are 2 NICs, a 'server' class NIC and a 'workstation' class NIC. The differences aren't throughput; it's the capacity for 'rulebases'. Forthcoming are PCMCIA NICS (great for end users who VPN in and are exposed to the 'Net), and potentially a combo 56K/NIC in the next year.

      All in all, should be pretty cool for people like me stuck in the corporate world.

  5. The target is probably... by Hecatonchires · · Score: 2, Informative

    Anyone who uses multiple DMZ's in their network. With a lot of servers. I'm thinking hosting companies that want to ensure their clients only get the services they pay for.

    --

    Yay me!

  6. Already happened by aridhol · · Score: 5, Informative

    Merilus already has a FireCard.
    It isn't quite the same, but it exists.

    --
    I can't say that I don't give a fuck. I've just run out of fuck to give.
  7. Re:Doesn't make any sense by 56ker · · Score: 3, Informative

    In answer to your questions the answer is: 1) Yes 2)Yes - but not in all cases. 3) No. 4) Well if one computer gets infected - say through an employee getting an infected e-mail it means it doesn't spread to the rest of the network (a good thing).

    --


    Video Game cheats, hints a
  8. Re:Doesn't make any sense by driftwood · · Score: 2, Informative
    Wouldn't it make sense to have the "firewall" on the borders of your network, rather than in the middle?

    The most common implimentation is to use a single firewall to protect a network. This configuration also provides a single point of failure. If a cracker can get past the single firewall, he can mount attacks on any internal systems.

    With a firewall on every machine and a general network firewall, you have a layered defense that is exponentially harder to subvert. It will also help stop internal attacks by employees, which are much more likely to succeed than external attacks.

    The main reason that per machine firewalls are not a common practice is the administration overhead for a heterogenous network. Putting the firewall in an OS independant and inexpensive hardware implimentation might change this.

    --
    Where are we going? And why am I in this handbasket?
  9. Re:"Central Policy Server"... by jandrese · · Score: 4, Informative

    That's not the way these cards work. I've been testing the cards for some time now and you don't need any fancy network equiptment (other than the cards themselves) to set this up. The Policy Server here is a Windows applications (downside: no automation ability in the beta I had, not even a simple scripting engine). Configuration is sent over the network as special UDP (I think) packet.

    The card has a few oddities nonetheless. First, when you install these cards, you need to build an "install image" on the policy manager. You then have to run that after you put the card in the machine to flash it's firmware (the cards send heartbeats back to the Policy Server, so they have to know where to send them). In effect, your users always have to download an install from your network to set up their cards, they can't just go out to the web and grab one. Fortunatly the card works as a regular NIC before you flash it.

    This card also includes IPSEC offload for people running VPNs and the like. I never actually got it to work, but it's supposed to do the encryption in hardware. Apparently the firewall sits OUTSIDE of the ipsec traffic though, so all it sees are the encrypted packets, which limits its usefulness considerably.

    All in all the cards are OK, not supurb yet (that management console is very click intensive to use), and reasonably cheap for their target market. I think they stand a good chance of taking off, especially as corporate security folks notice that these are the perfect replacment for the ubiquitious software firewalls in use today.

    One more thing I thought would be amusing. If someone were to steal your machine and turn it on elsewhere without noticing what card you have, the security folks would immediatly know where their machine went.

    --

    I read the internet for the articles.
  10. Re:Who's the target? by demaria · · Score: 3, Informative

    Internal attackers.

    Disgruntled employees. Fired employees. Untrustworthy people on the inside trying to access payroll systems.

    (avoiding debate between hardware vs software firewalls here)