Slashdot Mirror

← Back to Stories (view on slashdot.org)

3Com to Sell Firewall-in-a-NIC

Posted by CmdrTaco on from the better-make-sure-they're-secure dept.

Broue Master writes "According to a UK ZDNet article, 3Com is commercializing a firewall into a NIC aimed at desktop and servers." Interesting idea, although it'll be interesting to see if the idea catches on.

7 of 205 comments (clear)

  1. I certainly won't be standing in line... by meta-monkey · · Score: 4, Informative

    I'm getting rather tired of these stripped down firewall implementations. I've used several (linksys and dlink DSL routers, and lrp), but I've always found them either

    a) buggy, or
    b) very inflexible

    For the life of me, I couldn't get the linksys box to track an incoming FTP session. The D-link router would crash if you tried to pump too much traffic through it (I was running UDP netperf tests). lrp just didn't have the features I wanted. Eventually I just scrapped it all and installed RH 7.2 on a p166, and turned off everything except iptables, roaring penguin, and ssh. It tracks all my connections just fine, forwards ports appropriately, and I've got scripts set up to restart my IPSec tunnel and re-register my IP with a dynamic DNS server every time my IP changes. I get the same throughput and latency I got through the other solutions, too. Sure, I'm doing more complicated things than most users, but even when I wasn't, the 'firewall in a box' gizmos still gave me headaches. I have a feeling a 'firewall on a NIC' would be even less flexible...

    --
    We don't have a state-run media we have a media-run state.
  2. Hmmm. Interesting reutilization. by irregular_hero · · Score: 5, Informative
    The article indicates that the NIC in question is the 3CR990, which, up until this point, has been the "encryption offload" high-performance NIC. The firewall simply replaces the onboard encryption "soft"-ware with something that handles packets a little differently. I find it fascinating that the NIC is simply "reloaded" with appropriate software that can directly alter its core function. It would be really intruiging to figure out just how this is done on the card.

    What is especially interesting is what is loaded: Secure Computing's Gauntlet firewall product (yes, it is originally derived from the old TIS stuff, but has been commercially, er... hydrogenized :) ). This would seem to indicate that the card can support applications that weren't written for it, e.g., it can use software whose platform has been retargeted in compilation (well, at least it implies that).

    I wonder what other derived applications could be loaded into that space? Hmmm... the mind wanders...

    You thought I was going to mention a Beowulf cluster, didn't you? Shame on you. No cookie for you.

    1. Re:Hmmm. Interesting reutilization. by MoreBeer · · Score: 3, Informative

      Got an email asking if I wanted to beta one. Replied sure (duh, more geek-toys), and a rep called me. Currently, only Win2K drivers are out (again, duh... Who needs an embedded firewall more than a Windoze box?) but Linux drivers are right behind. So far, there are 2 NICs, a 'server' class NIC and a 'workstation' class NIC. The differences aren't throughput; it's the capacity for 'rulebases'. Forthcoming are PCMCIA NICS (great for end users who VPN in and are exposed to the 'Net), and potentially a combo 56K/NIC in the next year.

      All in all, should be pretty cool for people like me stuck in the corporate world.

  3. Already happened by aridhol · · Score: 5, Informative

    Merilus already has a FireCard.
    It isn't quite the same, but it exists.

    --
    I can't say that I don't give a fuck. I've just run out of fuck to give.
  4. Re:Doesn't make any sense by 56ker · · Score: 3, Informative

    In answer to your questions the answer is: 1) Yes 2)Yes - but not in all cases. 3) No. 4) Well if one computer gets infected - say through an employee getting an infected e-mail it means it doesn't spread to the rest of the network (a good thing).

    --


    Video Game cheats, hints a
  5. Re:"Central Policy Server"... by jandrese · · Score: 4, Informative

    That's not the way these cards work. I've been testing the cards for some time now and you don't need any fancy network equiptment (other than the cards themselves) to set this up. The Policy Server here is a Windows applications (downside: no automation ability in the beta I had, not even a simple scripting engine). Configuration is sent over the network as special UDP (I think) packet.

    The card has a few oddities nonetheless. First, when you install these cards, you need to build an "install image" on the policy manager. You then have to run that after you put the card in the machine to flash it's firmware (the cards send heartbeats back to the Policy Server, so they have to know where to send them). In effect, your users always have to download an install from your network to set up their cards, they can't just go out to the web and grab one. Fortunatly the card works as a regular NIC before you flash it.

    This card also includes IPSEC offload for people running VPNs and the like. I never actually got it to work, but it's supposed to do the encryption in hardware. Apparently the firewall sits OUTSIDE of the ipsec traffic though, so all it sees are the encrypted packets, which limits its usefulness considerably.

    All in all the cards are OK, not supurb yet (that management console is very click intensive to use), and reasonably cheap for their target market. I think they stand a good chance of taking off, especially as corporate security folks notice that these are the perfect replacment for the ubiquitious software firewalls in use today.

    One more thing I thought would be amusing. If someone were to steal your machine and turn it on elsewhere without noticing what card you have, the security folks would immediatly know where their machine went.

    --

    I read the internet for the articles.
  6. Re:Who's the target? by demaria · · Score: 3, Informative

    Internal attackers.

    Disgruntled employees. Fired employees. Untrustworthy people on the inside trying to access payroll systems.

    (avoiding debate between hardware vs software firewalls here)