3Com to Sell Firewall-in-a-NIC
Broue Master writes "According to a UK ZDNet article, 3Com is commercializing a firewall built into a NIC, aimed at desktops and servers."
Interesting idea, although it'll be interesting to see if the idea catches on.
I'm getting rather tired of these stripped-down firewall implementations. I've used several (Linksys and D-Link DSL routers, and LRP), but I've always found them either
a) buggy, or
b) very inflexible
For the life of me, I couldn't get the Linksys box to track an incoming FTP session. The D-Link router would crash if you tried to pump too much traffic through it (I was running UDP netperf tests). LRP just didn't have the features I wanted. Eventually I just scrapped it all and installed RH 7.2 on a P166, and turned off everything except iptables, Roaring Penguin, and ssh. It tracks all my connections just fine, forwards ports appropriately, and I've got scripts set up to restart my IPsec tunnel and re-register my IP with a dynamic DNS server every time my IP changes. I get the same throughput and latency I got through the other solutions, too. Sure, I'm doing more complicated things than most users, but even when I wasn't, the 'firewall in a box' gizmos still gave me headaches. I have a feeling a 'firewall on a NIC' would be even less flexible...
We don't have a state-run media we have a media-run state.
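The FTP tracking the poster above could not get from the consumer boxes is what the Linux ip_conntrack_ftp helper does: watch the control channel for PORT commands and open a one-shot expectation for the matching data connection. The toy model below is an added illustration of that idea, not code from the post, from 3Com or from the kernel; the class name, addresses and payload are constructed.

```python
"""Toy model of stateful FTP (active mode) tracking, as done by conntrack helpers.

A stateless filter that only permits replies on TCP/21 drops the server's
connection back to the client's data port. A stateful helper parses the
PORT command and admits exactly that one inbound connection.
"""
import re
from dataclasses import dataclass, field

# PORT h1,h2,h3,h4,p1,p2  -> data socket h1.h2.h3.h4 : p1*256+p2
PORT_RE = re.compile(rb"PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)")


@dataclass
class FtpTracker:
    """Constructed helper: records data connections expected from the server."""
    # (server_ip, client_ip, client_data_port) tuples we expect inbound
    expectations: set = field(default_factory=set)

    def observe_control(self, client_ip: str, server_ip: str, payload: bytes) -> None:
        """Inspect an outbound control-channel segment for a PORT command."""
        m = PORT_RE.search(payload)
        if not m:
            return
        h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
        data_ip = f"{h1}.{h2}.{h3}.{h4}"
        data_port = p1 * 256 + p2
        # Only honour a PORT that names the client itself; the kernel helper
        # applies the same check by default so a client cannot ask the server
        # to connect to some third host behind the firewall.
        if data_ip == client_ip and 0 < data_port < 65536:
            self.expectations.add((server_ip, data_ip, data_port))

    def allow_inbound(self, src_ip: str, dst_ip: str, dst_port: int) -> bool:
        """Admit an inbound SYN only if it matches a pending expectation."""
        key = (src_ip, dst_ip, dst_port)
        if key in self.expectations:
            self.expectations.discard(key)  # pinhole is single use
            return True
        return False
```

Real conntrack helpers additionally time the expectation out and tie it to the parent control connection's state, which the toy above leaves out.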
Interesting idea, although it'll be interesting to see if the idea catches on.
That's interestingly a very interesting comment that piqued my interest in this interesting subject of interest. What I'm more interested in knowing is if any other interesting people are interested in this interesting idea? Because if there are interesting people interested in this interesting idea, well, I almost hesitate to say it, I'd be interested!
What is especially interesting is what is loaded: Secure Computing's Gauntlet firewall product (yes, it is originally derived from the old TIS stuff, but has been commercially, er... hydrogenized :) ). This would seem to indicate that the card can support applications that weren't written for it, e.g., it can use software whose platform has been retargeted in compilation (well, at least it implies that).
I wonder what other derived applications could be loaded into that space? Hmmm... the mind wanders...
You thought I was going to mention a Beowulf cluster, didn't you? Shame on you. No cookie for you.
Well, the $20 Pentium firewall isn't quite the same - while it can separate one part of the LAN from another (or different networks), the advantage of the card is that it protects your machine from *everything* else, at least theoretically.
Having a principal firewall on the border of your network isn't challenged, but in a setting with many computers which can't be closely individually monitored (libraries, college campuses, etc.), these will at least help to prevent one person from attacking/abusing other machines on the same network.
steve
Oh, you're not stuck, you're just unable to let go of the onion rings.
Merilus already has a FireCard.
It isn't quite the same, but it exists.
I can't say that I don't give a fuck. I've just run out of fuck to give.
I do see this as having some use. While a firewall can be useful for protecting from attack from outside, what about attacks from inside? What happens if a user brings in a worm on a floppy that goes after all the machines on the network? The best configured firewall between your network and the internet won't help you. Having a firewall protecting each PC could help prevent infection throughout the whole LAN. Just my $.02
That's not the way these cards work. I've been testing the cards for some time now and you don't need any fancy network equipment (other than the cards themselves) to set this up. The Policy Server here is a Windows application (downside: no automation ability in the beta I had, not even a simple scripting engine). Configuration is sent over the network as a special UDP (I think) packet.
The card has a few oddities nonetheless. First, when you install these cards, you need to build an "install image" on the policy manager. You then have to run that after you put the card in the machine to flash its firmware (the cards send heartbeats back to the Policy Server, so they have to know where to send them). In effect, your users always have to download an install from your network to set up their cards; they can't just go out to the web and grab one. Fortunately the card works as a regular NIC before you flash it.
This card also includes IPsec offload for people running VPNs and the like. I never actually got it to work, but it's supposed to do the encryption in hardware. Apparently the firewall sits OUTSIDE of the IPsec traffic though, so all it sees are the encrypted packets, which limits its usefulness considerably.
All in all the cards are OK, not superb yet (that management console is very click intensive to use), and reasonably cheap for their target market. I think they stand a good chance of taking off, especially as corporate security folks notice that these are the perfect replacement for the ubiquitous software firewalls in use today.
One more thing I thought would be amusing. If someone were to steal your machine and turn it on elsewhere without noticing what card you have, the security folks would immediately know where their machine went.
I read the internet for the articles.
I'm seeing this debated on here a lot. The problem is that you're ASSUMING that the "bad guys" are on the other side of your network.
What some of you don't realize is that some of the worst offenders of "hacking" or "people being where they shouldn't" (sorry, couldn't think of a better way to say it) are INSIDE your network. There are a lot of users that might be "just looking around" on the network, but they can cause problems unintentionally.
This example might be harsh, but everyone here remembers the TV commercial where the users say "I'm off to crash the server" or "I'm about to take user error to the next level".
Bad things can happen on the inside, too!
"A plan fiendishly clever in its intricacies"- Homer Simpson
Why was this modded up as funny? I thought it was interesting.
As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.