3Com to Sell Firewall-in-a-NIC
Broue Master writes "According to a UK ZDNet article, 3Com is commercializing a firewall into a NIC aimed at desktops and servers."
Interesting idea, although it'll be interesting to see if the idea catches on.
It sounds like a good idea, but it seems to me like just a fancy way to sell you another server to have to manage. A central server for your NIC cards? That's the last thing that I want to have to deal with. I would be curious to see benchmarks against something like this and a traditional firewall.
Sigs are out of style, so I'm not going to use one...oh wait..
That's not necessarily a bad thing. How many surf-email-chat people do you know that are concerned about computer security? Not many, because they look at their computer as an appliance more so than something that can be 'hax00red' and used as a proxy for criminal activity. It's these types of people that will benefit a lot from this NIC.
In related news, I hear that Sonicwall will have a VPN/Firewall in a PCMCIA card later this year.
"Have you ever thought about just turning off the TV, sitting down with your kids, and hitting them?"
I received a mailer from 3com recently advertising this very card, offering one of them to institutions as a freebie if the institution qualified. The mailer itself was a piece of work: You had to unfold it to find out what it was, and on each of the folds was the word "ping". When you got to the center of it, it had something about being hacked, and then the rest of the ad talked about getting this piece of equipment for your protection, etc.
The purpose of firewalls is to isolate a machine from the bad guys who might exploit security holes you want to leave open for the local good guys. That is, you have the open network, then the firewall, then a network where you're more lax about security. That way you can use insecure protocols in places where you trust the network.
If you're putting a firewall on the machine, the only area where you don't have to care about security is within your machine. But within your machine, you have other methods: IPC, shared memory, or even net 127.
But what this really does is it talks to a server which tells the NIC what to ignore, overriding what your machine wants to do (if there are any security holes on your machine, your OS will presumably configure the firewall to expose them, if it can; if it weren't going to, it would filter at the OS level). This essentially prevents your machine from listening on any ports that the central server doesn't want you listening on or making connections the central server doesn't want you to make.
There are two functional differences between this and a traditional firewall. The policy machine doesn't have to look at the packets, because it tells the machines which have to look at the packets anyway what to do; therefore, it's harder for an outsider to overwhelm the policy machine. Also, this setup will allow the firewall to stop you from talking to other machines on the network. This could stop a worm from spreading within a company over services which aren't supposed to be enabled.
So the policy server and the set of cards together make what amounts to a firewall. If you buy one of these, you don't get your own firewall.
I beta tested this for 3Com and Secure Computing a year ago--guess the cat is out of the bag now so I'll talk a bit about this nifty product.
The NICS have onboard 3DES crypto accelerators and talk via an encrypted channel to policy servers that in turn are all then handled by a centralized management console. So from one place, you can distribute NIC firewall policies to the policy servers on different networks who then distribute the firewall policies to the cards. The onboard accelerators and manual keying basically enable you to create a corporate VPN that allows ONLY these keyed cards to operate on the network--theoretically.
There is a server version and a client version of the card. The client can handle 16 rules, the server 32 rules. At the time of the beta test, the onboard firewalls were not stateful, but that was to be implemented.
Now the cool stuff: The user can't tamper with the card or its firewall ruleset--it's centrally managed. Should the user try, the card "breaks" and denies all traffic--with the exception of traffic from the policy server. And policies can be applied remotely to the client controlling OUTBOUND communication. For example, if users ONLY get to browse the web, then you ONLY allow outbound port 80. No audiogalaxy for you. Additionally, these cards remotely log policy violations to the centralized server. And you can remotely TURN OFF the card from the centralized server. Suspect a machine is compromised? Remotely disconnect it from the network by telling the card to disallow all traffic (except from the policy server of course).
The bad stuff: Windows only at the time of beta testing, although Linux and Solaris support was planned. Control software runs on Windows only. And the cards can only be configured via the management software--which was a completely different beast you had to purchase, and the cost depends on the scale of your EFW deployment.
This info may have changed since last year as well, so take it all in stride.
Overall, I think the cards are great to deploy for select critical Windows servers or public lab resources you want to lock down a bit. It would be nice to have the ability to buy a server card, stick it in a Linux box, and use some floppy util to configure some basic rules that get burned to firmware. Disregarding OS compatibility, these cards seriously rock, and should be added to any "defense in depth" arsenal, IMO.
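The behaviour the beta tester describes (a centrally pushed ruleset with a 16/32 rule limit, a card that fails closed to everything but the policy server when tampered with or remotely turned off, and violation logging) can be modelled in a few lines. This is an added illustration, not 3Com's or Secure Computing's code; the rule format, the method names and the addresses are constructed assumptions.

```python
from collections import namedtuple
from dataclasses import dataclass, field

Rule = namedtuple("Rule", "direction proto port action")  # action: "allow" or "deny"

@dataclass
class NicFirewall:
    policy_server: str               # only peer still allowed once the card "breaks"
    kind: str = "client"             # client cards hold 16 rules, server cards 32
    rules: list = field(default_factory=list)
    disabled: bool = False           # remote "turn off" from the management console
    tampered: bool = False           # local attempt to change the ruleset was seen
    log: list = field(default_factory=list)  # what the card would report centrally

    def max_rules(self):
        return 32 if self.kind == "server" else 16

    def load_policy(self, rules, source):
        """Only the policy server may push rules; anything else trips the tamper lock."""
        if source != self.policy_server:
            self.tampered = True
            self.log.append(("tamper", source))
            return False
        if len(rules) > self.max_rules():
            raise ValueError(f"{self.kind} card holds at most {self.max_rules()} rules")
        self.rules = list(rules)
        return True

    def check(self, direction, proto, peer, port):
        """Stateless first-match decision with default deny; violations are logged."""
        if peer == self.policy_server:
            return True              # management channel survives lock-out and shutdown
        if self.disabled or self.tampered:
            self.log.append(("locked", direction, peer, port))
            return False
        for r in self.rules:
            if (r.direction, r.proto, r.port) == (direction, proto, port):
                return r.action == "allow"
        self.log.append(("violation", direction, peer, port))
        return False

def web_only_demo():
    # Client card that may only browse the web, then gets disconnected from the console.
    nic = NicFirewall(policy_server="10.0.0.2")                # constructed addresses
    nic.load_policy([Rule("out", "tcp", 80, "allow")], source="10.0.0.2")
    http_ok = nic.check("out", "tcp", "192.0.2.10", 80)        # allowed by policy
    p2p_blocked = nic.check("out", "tcp", "192.0.2.10", 6257)  # not in policy: logged
    nic.disabled = True                                        # console turns card off
    after_off = nic.check("out", "tcp", "192.0.2.10", 80)      # now dropped and logged
    mgmt_ok = nic.check("in", "tcp", "10.0.0.2", 443)          # policy server still gets in
    return http_ok, p2p_blocked, after_off, mgmt_ok, len(nic.log)
```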
I just hope they include the ability to disable this feature. I can see numerous connectivity problems and difficult troubleshooting ahead...
Does this mean you will be unable to ping the loopback address???
Will you have to swap the card out to see whether the firewall on the card is playing up?
Jeeezus