Slashdot Mirror
3Com to Sell Firewall-in-a-NIC
Broue Master writes "According to a UK ZDNet article, 3Com is commercializing a firewall into a NIC aimed at desktop and servers."
Interesting idea, although it'll be interesting to see if the idea catches on.
← Back to Stories (view on slashdot.org)
I can only imagine the long line of emotionally shattered English teachers that Taco left in his wake.
Sounds like it's using some proprietry protocols. Also, the network card will not work if plugged into a different switch. You'd better trust 3com a lot if you use this stuff.
It sounds like a good idea, but It seems to me like just a fancy way to sell you another server to have to manage. A central server for your NIC cards? Thats the last thing that I want to have to deal with. I would be curious to see benchmarks against something like this and a traditional firewall.
Sigs are out of style, so I'm not going to use one...oh wait..
What's a "real firewall" that this isn't? I can imagine numerous situations where people connect their NIC directly to an untrusted network where this could be useful - college dorm networks, cable modem users etc.
"Prefiero morir de pie que vivir siempre arrodillado!"
Huh? Firstly, even "choke point" (such as used at most corporate configurations) firewalls are of little use: When Jimmy opens up port 80 incoming so that he can demonstrate a website to his friends, and his PC gets infected by code red, or any of dozens of other trojans, it then has unrestricted access to every other PC inside the firewall. Secondly, what do you mean by engaging in activity that is "THAT high risk"? Are you being serious? Being connected is high risk, and I see hundreds, or rather THOUSANDS of trojans and port scans hitting me daily. And additionally most people with ADSL or cable modems connect to their modem via a NIC, so I'm not sure what your point regarding the NIC means.
And in any case what makes this not a "real" firewall? I haven't even looked at the product, but if your simplistic idea of a firewall is that it has to have an impressive box, then you're woefully mistaken: The job of a firewall is a very simple one, and in most "hardware" solutions is just a couple of chips to fulfill the task.
I can see the advantage of putting that in hardware (firmware?).
.. if the OS is good then nobody without proper permissions can change the firewall rules anyway!
But I don't believe it can be useful in filtering outgoing packets; how can it tell what program or user is sending it.
Because of that I think that software based solutions are better.
And besides
If all this should have a reason, we would be the last to know.
It isn't aimed at home users at all (though every home user should be protected by a firewall).
To quote the article "The product is aimed at enterprises, to provide centralised control over security."
I'm getting rather tired of these stripped down firewall implementations. I've used several (linksys and dlink DSL routers, and lrp), but I've always found them either
a) buggy, or
b) very inflexible
For the life of me, I couldn't get the linksys box to track an incoming FTP session. The D-link router would crash if you tried to pump too much traffic through it (I was running UDP netperf tests). lrp just didn't have the features I wanted. Eventually I just scrapped it all and installed RH 7.2 on a p166, and turned off everything except iptables, roaring penguin, and ssh. It tracks all my connections just fine, forwards ports appropriately, and I've got scripts set up to restart my IPSec tunnel and re-register my IP with a dynamic DNS server every time my IP changes. I get the same throughput and latency I got through the other solutions, too. Sure, I'm doing more complicated things than most users, but even when I wasn't, the 'firewall in a box' gizmos still gave me headaches. I have a feeling a 'firewall on a NIC' would be even less flexible...
We don't have a state-run media we have a media-run state.
If all this should have a reason, we would be the last to know.
In a corporate environment, wouldn't all your computers be talking to the internet through a router, anyway? Wouldn't it make sense to have the "firewall" on the borders of your network, rather than in the middle? Isn't that what the term "firewall" means?
Or is this to implement security against other clients on the same local network?
I'm confused.
-Mark
In related news, I hear that Sonicwall will have a VPN/Firewall in a PCMCIA card later this year.
"Have you ever thought about just turning off the TV, sitting down with your kids, and hitting them?"
Now firewalls area available to the masses who don't know what they are!
No news threre. Windows XP has a bundled software firewall and many consumer routers toute built in firewalls as well. The main significange is the NIC taking the (nominal) load off the rest of the system and allowing greater control of user terminals, I believe. Now, the article :-) says a selling point of this dealy is that computers with it installed can only connect to trusted adresses /on the hardware level/. "The device also makes it harder to misuse corporate equipment by plugging it in in the wrong place" or CONTROL, you be the judge. Somebody correct me if [when] I'm wrong.
Interesting idea, although it'll be interesting to see if the idea catches on.
That's interestingly a very interesting comment that piqued by interest in this interesting subject of interest. What I'm more interested in knowing is if any other interesting people are interested in this interesting idea? Because if there are interesting people interested in this interesting idea, well, I almost hesitate to say it, I'd be interested!
This is so that when some sales drone brings his virus-laden laptop in, and plugs it into the network, it can't hose the desktops securely nuzzled in behind your corporate firewalls.
Vintage computer games and RPG books available. Email me if you're interested.
Who needs a firewall nic that needs a central policy server? Anyone who can connect to the central policy server is probably already behind the firewall.
Remote users? They all use laptops.
What's that leave?
What is especially interesting is what is loaded: Secure Computing's Gauntlet firewall product (yes, it is originally derived from the old TIS stuff, but has been commercially, er... hydrogenized :) ). This would seem to indicate that the card can support applications that weren't written for it, e.g., it can use software whose platform has been retargeted in compilation (well, at least it implies that).
I wonder what other derived applications could be loaded into that space? Hmmm... the mind wanders...
You thought I was going to mention a Beowulf cluster, didn't you? Shame on you. No cookie for you.
Anyone who uses multiple DMZ's in their network. With a lot of servers. I'm thinking hosting companies that want to ensure their clients only get the services they pay for.
Yay me!
Well, the $20 Pentium firewall isn't quite the same - while it can seperate one part of the LAN from another (or different networks), the advantage of the card is that it protects your machine from *everything* else, at least theoretically.
Having a principle firewall on the border of your network isn't challenged, but in a setting with many computers which can't be closely individually monitored (libraries, college campuses, etc.), these will at least help to prevent one person from attacking/abusing other machines on the same network.
steve
Oh, you're not stuck, you're just unable to let go of the onion rings.
Merilus already has a FireCard.
It isn't quite the same, but it exists.
I can't say that I don't give a fuck. I've just run out of fuck to give.
I do see this as having some use. While a firewall can be usefull for protecting from attack from outside, what about attacks from inside. What happens if a user brings in a worm on a floppy that goes after all the machines on the network. The best configured firewall on the between your network and the internet wont help you. Having a firewall protecting each PC could help prevent infection through out the whole lan. Just my $.02
"It's like netbios except different!"
A card like this should be required for anyone connecting a Windows box (or even a novice connecting a Linux box) with a high-speed link to the Internet.
Don't get me wrong, I'm sure there are a few people here who know how to configure a proper firewall, but most people with cable modems, DSL connections, or other high-speed access at home have no idea how to harden their desktop machines. What's worse, they run dangerously vulnerable email programs such as Outlook and use web browsers such as Internet Explorer. This opens them up to a wide variety of very vicious viruses, worms, and other nice programs which can be used to gain access to their computers and turn them into little more than bandwidth machine-guns.
With a network card such as this shipping in a relatively locked-down state, it would be easier to detect and block attacks originating from a compromised computer. Unfortunately, I can't smack every clueless computer user on the Internet upside the head with one of these things. Because of this, I'm sure things will only get worse before they get better.
- A.P.
"Remember when the U.S. had a drug problem, and then we declared a War On Drugs, and now you can't buy drugs anymore?"
I received a mailer from 3com recently advertising this very card, offering one of them to institutions as a freebie if the institution qualified. The mailer itself was a piece of work: You had to unfold it to find out what it was, and on each of the folds was the word "ping". When you got to the center of it, it had something about being hacked, and then the rest of the ad talked about getting this piece of equipment for your protection, etc.
hmm...
:)
$120 for the NIC card, $50 for the firmware/software, and $1000 for a license server...
Where's those grandparents who need/afford that? and for what reason?
Hetz (Heunique)
The purpose of firewalls is to isolate a machine from the bad guys who might exploit security holes you want to leave open for the local good guys. That is, you have the open network, then the firewall, then a network where you're more lax about security. That way you can use insecure protocols in places where you trust the network.
If you're putting a firewall on the machine, the only area where you don't have to care about security is within your machine. But within your machine, you have other methods: IPC, shared memory, or even net 127.
But what this really does is it talks to a server which tells the NIC what to ignore, overriding what your machine wants to do (if there are any security holes on your machine, your OS will presumably configure the firewall to expose them, if it can; if it weren't going to, it would filter at the OS level). This essentially prevents your machine from listening on any ports that the central server doesn't want you listening on or making connections the central server doesn't want you to make.
There are two functional differences between this and a traditional firewall. The policy machine doesn't have to look at the packets, because it tells the machines which have to look at the packets anyway what to do; therefore, it's harder for an outsider to overwhelm the policy machine. Also, this setup will allow the firewall to stop you from talking to other machines on the network. This could stop a worm from spreading within a company over services which aren't supposed to be enabled.
So the policy server and the set of cards together make what amounts to a firewall. If you buy one of these, you don't get your own firewall.
As for the guy above who remarked about how silly it was to require these things to be configured by a central console, he obviously hasn't been the firewall management staff at a large company. A central console is the _only_ way to fly if you have a large number of firewall policy engines to manage. Otherwise, the flagpoles in front of most buildings would be draped with suicidal firewall admins wanting to end it all. :>
(Besides, it's not like there isn't a central console for iptables/ipchains that works pretty well -- a firewall need not be a standalone unit with a custom policy all its own to be secure. Sometimes, it's more secure to provide an administrator with an easy way to avoid screwups.)
The eternal war. Given enough time, you can secure 1000 boxes (turn off all un-needed services for the application(s) that this box needs to run, apply all the patches to those apps, tune the OS tightly...) Takes quite a while.
Or (says the 3com salesperson) you can just spend some money. Central server says this box can only talk on this (short) port|protocol list. Everything else is droped at the interface, doesn't even get to the kernel.
Sure, there are things you can do on a large scale to make securing boxes much easier (jumpstart, kickstart, whatever NT calls it, to get a secure base install, etc), but you still have to deal with patching individual boxes.
If I have to deploy a lot of computers in an activly hostile environment, something like this would be very nice.
Zapman
I just hope they include the ability to disable this feature. I can see numerous connectivity problems and difficult troubleshooting ahead...
Does this mean you will be unable to ping the loopback address???
Will you have to swap the card out to see whether the firewall on the card is playing up?
Jeeezus
99.997% of the problems with Open Nap,Gnutella and the likes are people not opening their firewalls to allow sharing of the files they SAY they are sharing. You try to download from them and you never connect, the push happens over and over.... you'll never get the file because the firewall is closed.... your request never get's there.
I personally think the OpenNAP servers and Gnutella apps need to self terminate the connections if such a condition is found with a "Open your firewall on Port XXXX and YYYY and this program will start to operate again."
Do not look at laser with remaining good eye.
Now if they could put 10/100/1000 + Firewall + NIDS on a NIC (with say 64MB flash for logging purposes) that'd be interesting, albeit expensive. But in that case I'd just wait for it to come down to a reasonable price and be integrated into the chipset of the latest & greatest motherboards.
I'm seeing this debated on here a lot. The problem is that you're ASSUMING that the "bad guys" are on the other side of your network.
What some of you don't realize is that some of the worst offenders of "hacking" or "people being where they shouldn't" (sorry, couldn't think of a better way to say it) are INSIDE your network. There are a lot of users that might be "just looking around" on the network, but they can cause problems unintentionally.
This example might be harsh but everyone here remembers the TV commercial where the users say "I'm off to crash the server" or "I'm about to take user error to the next lever".
Bad things can happen on the inside, too!
"A plan fiendishly clever in its intricacies"- Homer Simpson
Why was this modded up as funny? I thought it was interesting.
As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
On the subject of XP, I had been using the free (as in the way beer isn't) Zone Alarm on my Win98 machine, but on upgrading to XP I discovered that when I tried to disconnect from the internet, my connection would crash and have to be shutdown using 'end task', and I'd have to reboot before I could reconnect.
Strangely enough, using XP's own firewalling system this does not happen...
Odd that, isn't it?
"Information wants to be paid"