Slashdot Mirror


3Com to Sell Firewall-in-a-NIC

Broue Master writes "According to a UK ZDNet article, 3Com is commercializing a firewall into a NIC aimed at desktops and servers." Interesting idea, although it'll be interesting to see if the idea catches on.

12 of 205 comments

  1. "Central Policy Server"... by kinko · · Score: 3, Insightful

    The product is aimed at enterprises, to provide centralised control over security. All the secure NICs in a company are managed by a central policy server, which configures them and sets up access rights. Communication with the policy server is encrypted. One policy server supports up to 1000 NICs.

    Sounds like it's using some proprietary protocols. Also, the network card will not work if plugged into a different switch. You'd better trust 3com a lot if you use this stuff.

  2. Re:Technology for its own sake by ergo98 · · Score: 3, Insightful

    Huh? Firstly, even "choke point" (such as used at most corporate configurations) firewalls are of little use: When Jimmy opens up port 80 incoming so that he can demonstrate a website to his friends, and his PC gets infected by code red, or any of dozens of other trojans, it then has unrestricted access to every other PC inside the firewall. Secondly, what do you mean by engaging in activity that is "THAT high risk"? Are you being serious? Being connected is high risk, and I see hundreds, or rather THOUSANDS of trojans and port scans hitting me daily. And additionally most people with ADSL or cable modems connect to their modem via a NIC, so I'm not sure what your point regarding the NIC means.

    And in any case what makes this not a "real" firewall? I haven't even looked at the product, but if your simplistic idea of a firewall is that it has to have an impressive box, then you're woefully mistaken: The job of a firewall is a very simple one, and in most "hardware" solutions is just a couple of chips to fulfill the task.

  3. Interesting Idea by FrostedWheat · · Score: 2, Insightful

    I can see the advantage of putting that in hardware (firmware?).
    But I don't believe it can be useful in filtering outgoing packets; how can it tell what program or user is sending it.

    Because of that I think that software based solutions are better.

    And besides .. if the OS is good then nobody without proper permissions can change the firewall rules anyway!

    1. Re:Interesting Idea by FrostedWheat · · Score: 2, Insightful

      Embedded Firewall is hardware-based. Because all of the firewalling functions happen in hardware, they are completely independent of the host operating system. Even if you circumvent the host OS, you will never be able to change your own security policy.

      Now I'm sure 3Com don't expect users to have to flash each and every NIC. They will include some sort of software based setup tool. If a trojan has control of the OS, then it simply needs to emulate that tool. It's then 'just another firewall' to the trojan, software based or not.

      It wouldn't even have to go that far, what's stopping the trojan from sending anyway? A firewall that is OS independent cannot filter outgoing packets based on who or what sent it.

  4. Who's the target? by Telastyn · · Score: 3, Insightful

    Who needs a firewall nic that needs a central policy server? Anyone who can connect to the central policy server is probably already behind the firewall.

    Remote users? They all use laptops.

    What's that leave?

  5. Re:Good idea? by NerveGas · · Score: 4, Insightful

    Well, the $20 Pentium firewall isn't quite the same - while it can separate one part of the LAN from another (or different networks), the advantage of the card is that it protects your machine from *everything* else, at least theoretically.

    Having a principal firewall on the border of your network isn't challenged, but in a setting with many computers which can't be closely individually monitored (libraries, college campuses, etc.), these will at least help to prevent one person from attacking/abusing other machines on the same network.

    steve

    --
    Oh, you're not stuck, you're just unable to let go of the onion rings.

  6. Uses by Frying+Ferret · · Score: 4, Insightful

    I do see this as having some use. While a firewall can be useful for protecting from attack from outside, what about attacks from inside? What happens if a user brings in a worm on a floppy that goes after all the machines on the network? The best configured firewall between your network and the internet won't help you. Having a firewall protecting each PC could help prevent infection throughout the whole LAN. Just my $.02

  7. Re:Hmmm. Interesting reutilization. by irregular_hero · · Score: 3, Insightful

    You're missing the point, as if there was one being stressed that was worth refuting.

    The processor is an offload processor. This doesn't mean a lot to the average user, but to a business user, it's gangbusters.

    The "point" is that the NIC is essentially like putting a small server box in front of each of your real servers at a much lower cost. It's also platform independent: With a Linux implementation on the card, you could get a Linux firewall protecting every Linux, OS/X, or Windows server that you own. And those servers wouldn't expend any CPU just processing packets in order to reject them.

    Put it this way: If you ran a business that made money on CPU cycles dedicated to a particular application, you'd want that processor dedicated full-time to the task at hand. You'd take great leaps to turn off all non-essential services, tweak the bus speeds, optimize block sizes on the filesystems, nice the process to the max, rob Peter and pay Paul -- just to get the extra 5%. In business, time is money, regardless of whether it's personnel or CPU. That's why an offload NIC is so damned attractive -- because some of us work in companies that care about the bottom line as opposed to dicking with ways to make our 1st-person shooter faster.

  8. Time vs security by Zapman · · Score: 3, Insightful

    The eternal war. Given enough time, you can secure 1000 boxes (turn off all un-needed services for the application(s) that this box needs to run, apply all the patches to those apps, tune the OS tightly...) Takes quite a while.

    Or (says the 3com salesperson) you can just spend some money. Central server says this box can only talk on this (short) port|protocol list. Everything else is dropped at the interface, doesn't even get to the kernel.

    Sure, there are things you can do on a large scale to make securing boxes much easier (jumpstart, kickstart, whatever NT calls it, to get a secure base install, etc), but you still have to deal with patching individual boxes.

    If I have to deploy a lot of computers in an actively hostile environment, something like this would be very nice.

    --
    Zapman

  9. 64MB on a NIC by athlon02 · · Score: 2, Insightful

    Now if they could put 10/100/1000 + Firewall + NIDS on a NIC (with say 64MB flash for logging purposes) that'd be interesting, albeit expensive. But in that case I'd just wait for it to come down to a reasonable price and be integrated into the chipset of the latest & greatest motherboards.

  10. Firewall NIC is not overkill by acoustix · · Score: 4, Insightful

    I'm seeing this debated on here a lot. The problem is that you're ASSUMING that the "bad guys" are on the other side of your network.

    What some of you don't realize is that some of the worst offenders of "hacking" or "people being where they shouldn't" (sorry, couldn't think of a better way to say it) are INSIDE your network. There are a lot of users that might be "just looking around" on the network, but they can cause problems unintentionally.

    This example might be harsh but everyone here remembers the TV commercial where the users say "I'm off to crash the server" or "I'm about to take user error to the next level".

    Bad things can happen on the inside, too!

    --
    "A plan fiendishly clever in its intricacies"- Homer Simpson

  11. Re:Doesn't make any sense by espo812 · · Score: 2, Insightful

    With a firewall on every machine and a general network firewall, you have a layered defense that is exponentially harder to subvert.

    Maybe. Or, the attacker breaks the first firewall, and then exploits the server that configures the NICs. Thus, attack complexity is greatly reduced, as he can now disable all the firewalls in the network.

    I'm with you on layered defense. However, it breaks down when you trust other systems.

    --
    espo