Slashdot Mirror
3Com to Sell Firewall-in-a-NIC
Broue Master writes "According to a UK ZDNet article, 3Com is commercializing a firewall into a NIC aimed at desktop and servers."
Interesting idea, although it'll be interesting to see if the idea catches on.
← Back to Stories (view on slashdot.org)
Sounds like it's using some proprietry protocols. Also, the network card will not work if plugged into a different switch. You'd better trust 3com a lot if you use this stuff.
It sounds like a good idea, but It seems to me like just a fancy way to sell you another server to have to manage. A central server for your NIC cards? Thats the last thing that I want to have to deal with. I would be curious to see benchmarks against something like this and a traditional firewall.
Sigs are out of style, so I'm not going to use one...oh wait..
Huh? Firstly, even "choke point" (such as used at most corporate configurations) firewalls are of little use: When Jimmy opens up port 80 incoming so that he can demonstrate a website to his friends, and his PC gets infected by code red, or any of dozens of other trojans, it then has unrestricted access to every other PC inside the firewall. Secondly, what do you mean by engaging in activity that is "THAT high risk"? Are you being serious? Being connected is high risk, and I see hundreds, or rather THOUSANDS of trojans and port scans hitting me daily. And additionally most people with ADSL or cable modems connect to their modem via a NIC, so I'm not sure what your point regarding the NIC means.
And in any case what makes this not a "real" firewall? I haven't even looked at the product, but if your simplistic idea of a firewall is that it has to have an impressive box, then you're woefully mistaken: The job of a firewall is a very simple one, and in most "hardware" solutions is just a couple of chips to fulfill the task.
I'm getting rather tired of these stripped down firewall implementations. I've used several (linksys and dlink DSL routers, and lrp), but I've always found them either
a) buggy, or
b) very inflexible
For the life of me, I couldn't get the linksys box to track an incoming FTP session. The D-link router would crash if you tried to pump too much traffic through it (I was running UDP netperf tests). lrp just didn't have the features I wanted. Eventually I just scrapped it all and installed RH 7.2 on a p166, and turned off everything except iptables, roaring penguin, and ssh. It tracks all my connections just fine, forwards ports appropriately, and I've got scripts set up to restart my IPSec tunnel and re-register my IP with a dynamic DNS server every time my IP changes. I get the same throughput and latency I got through the other solutions, too. Sure, I'm doing more complicated things than most users, but even when I wasn't, the 'firewall in a box' gizmos still gave me headaches. I have a feeling a 'firewall on a NIC' would be even less flexible...
We don't have a state-run media we have a media-run state.
In related news, I hear that Sonicwall will have a VPN/Firewall in a PCMCIA card later this year.
"Have you ever thought about just turning off the TV, sitting down with your kids, and hitting them?"
Interesting idea, although it'll be interesting to see if the idea catches on.
That's interestingly a very interesting comment that piqued by interest in this interesting subject of interest. What I'm more interested in knowing is if any other interesting people are interested in this interesting idea? Because if there are interesting people interested in this interesting idea, well, I almost hesitate to say it, I'd be interested!
Who needs a firewall nic that needs a central policy server? Anyone who can connect to the central policy server is probably already behind the firewall.
Remote users? They all use laptops.
What's that leave?
What is especially interesting is what is loaded: Secure Computing's Gauntlet firewall product (yes, it is originally derived from the old TIS stuff, but has been commercially, er... hydrogenized :) ). This would seem to indicate that the card can support applications that weren't written for it, e.g., it can use software whose platform has been retargeted in compilation (well, at least it implies that).
I wonder what other derived applications could be loaded into that space? Hmmm... the mind wanders...
You thought I was going to mention a Beowulf cluster, didn't you? Shame on you. No cookie for you.
Well, the $20 Pentium firewall isn't quite the same - while it can seperate one part of the LAN from another (or different networks), the advantage of the card is that it protects your machine from *everything* else, at least theoretically.
Having a principle firewall on the border of your network isn't challenged, but in a setting with many computers which can't be closely individually monitored (libraries, college campuses, etc.), these will at least help to prevent one person from attacking/abusing other machines on the same network.
steve
Oh, you're not stuck, you're just unable to let go of the onion rings.
Merilus already has a FireCard.
It isn't quite the same, but it exists.
I can't say that I don't give a fuck. I've just run out of fuck to give.
In answer to your questions the answer is: 1) Yes 2)Yes - but not in all cases. 3) No. 4) Well if one computer gets infected - say through an employee getting an infected e-mail it means it doesn't spread to the rest of the network (a good thing).
Video Game cheats, hints a
I do see this as having some use. While a firewall can be usefull for protecting from attack from outside, what about attacks from inside. What happens if a user brings in a worm on a floppy that goes after all the machines on the network. The best configured firewall on the between your network and the internet wont help you. Having a firewall protecting each PC could help prevent infection through out the whole lan. Just my $.02
I received a mailer from 3com recently advertising this very card, offering one of them to institutions as a freebie if the institution qualified. The mailer itself was a piece of work: You had to unfold it to find out what it was, and on each of the folds was the word "ping". When you got to the center of it, it had something about being hacked, and then the rest of the ad talked about getting this piece of equipment for your protection, etc.
The purpose of firewalls is to isolate a machine from the bad guys who might exploit security holes you want to leave open for the local good guys. That is, you have the open network, then the firewall, then a network where you're more lax about security. That way you can use insecure protocols in places where you trust the network.
If you're putting a firewall on the machine, the only area where you don't have to care about security is within your machine. But within your machine, you have other methods: IPC, shared memory, or even net 127.
But what this really does is it talks to a server which tells the NIC what to ignore, overriding what your machine wants to do (if there are any security holes on your machine, your OS will presumably configure the firewall to expose them, if it can; if it weren't going to, it would filter at the OS level). This essentially prevents your machine from listening on any ports that the central server doesn't want you listening on or making connections the central server doesn't want you to make.
There are two functional differences between this and a traditional firewall. The policy machine doesn't have to look at the packets, because it tells the machines which have to look at the packets anyway what to do; therefore, it's harder for an outsider to overwhelm the policy machine. Also, this setup will allow the firewall to stop you from talking to other machines on the network. This could stop a worm from spreading within a company over services which aren't supposed to be enabled.
So the policy server and the set of cards together make what amounts to a firewall. If you buy one of these, you don't get your own firewall.
The eternal war. Given enough time, you can secure 1000 boxes (turn off all un-needed services for the application(s) that this box needs to run, apply all the patches to those apps, tune the OS tightly...) Takes quite a while.
Or (says the 3com salesperson) you can just spend some money. Central server says this box can only talk on this (short) port|protocol list. Everything else is droped at the interface, doesn't even get to the kernel.
Sure, there are things you can do on a large scale to make securing boxes much easier (jumpstart, kickstart, whatever NT calls it, to get a secure base install, etc), but you still have to deal with patching individual boxes.
If I have to deploy a lot of computers in an activly hostile environment, something like this would be very nice.
Zapman
I'm seeing this debated on here a lot. The problem is that you're ASSUMING that the "bad guys" are on the other side of your network.
What some of you don't realize is that some of the worst offenders of "hacking" or "people being where they shouldn't" (sorry, couldn't think of a better way to say it) are INSIDE your network. There are a lot of users that might be "just looking around" on the network, but they can cause problems unintentionally.
This example might be harsh but everyone here remembers the TV commercial where the users say "I'm off to crash the server" or "I'm about to take user error to the next lever".
Bad things can happen on the inside, too!
"A plan fiendishly clever in its intricacies"- Homer Simpson
Why was this modded up as funny? I thought it was interesting.
As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.