Hardware Firewall On a USB Key
An anonymous reader writes "An Israeli startup has squeezed a complete hardware firewall into a USB key. The 'Yoggie Pico' from Yoggie Systems runs Linux 2.6 along with 13 security applications on a 520MHz PXA270, an Intel processor typically used in high-end smartphones. The Pico works in conjunction with Windows XP or Vista drivers that hijack traffic at network layers 2-3, below the TCP/IP stack, and route it to USB, where the Yoggie analyzes and filters traffic at close-to-100Mbps wireline speeds. The device will hit big-box retailers in the US this month at a price of $180." Linux and Mac drivers are planned, according to the article.
A true hardware firewall wouldn't have to hijack traffic via a driver. It would have its own ethernet port and would inspect data before it even touches the network stack on the host OS.
A bit hyped up if you ask me.
As another poster has suggested, this isn't truly a hardware firewall - it hijacks the network traffic from the host OS, after all. Since the network traffic is already in the network stack, how is this any better than a software firewall? Software firewalls are hardly performance hogs.
From the brief I have no idea what this is talking about. How am I supposed to know if I even want to RTFA?
Did anyone else find it odd that it runs linux, but doesn't actually work with a linux box, but only with a windows one?
I mean, increasingly, firewalls are being combined into multipurpose devices that provide NAT, Web serving, DMZ, VPN, media streaming, wireless access, etc. I mean even the lowly Linksys WRT54G, available for ~$50 USD almost anywhere, supports VPN, provides NAT, DMZ, UPnP capabilities, rudimentary web filtering, and has a built-in wireless access point. I mean, this thing doesn't even support wireless, which would make it useful for laptops, etc.
IOW, someone tell me why I should care?
My favorite is the "Layer-8" security engine (Patent pending).
That's where all of my clients' problems come from.
-Nick
I keep wondering how they put such a fast processor on a usb stick and then squirt bidirectional 100Mbps over the USB port. Sounds a lot like my former boss trying to convince me that our building would give us 100Mbps internet for only $50/month. I dislike misleading articles and I dislike misleading product descriptions even more.
It seems much more likely that there's an app on the USB stick that is run by the Windows machine, making the USB stick just a different delivery mechanism than a CD/DVD. Probably way cheaper to produce, update and ship.
It's a marketing gimmick. At the very best it's a software firewall with a (not really needed) co-processor to do packet inspection.
Personally it looks like a waste of money to me.
So basically this means allowing a black box to completely hijack my IP stack, a black box which phones home every 5 minutes and arbitrarily downloads software updates... just think if this company's server was compromised even for an hour: given that all of the devices update every 5 minutes, you could compromise pretty much all of them at the same time.
Not to mention that if this device can insert a 'low level driver' that hijacks the IP stack, I'm sure a virus will come up sooner or later that will re-hijack this and compromise it. The only really 'safe' hardware firewall is, guess what, a completely separate hardware firewall (like my custom LEAF install on my old p3-500), this sounds like those 'one time pad, guaranteed!' crypto products we often lambast here on
It's a hyped up device that nobody really needs. We're posting in a Slashvertisement thread after all.
It is just another type of a software firewall. A hardware firewall has at least one input and one output jack (unless it is some weird VLAN firewall). The firewall then checks the packets *before* they get to the hardware that processes them.
Here we have a software layer shunting packets for filtering to another "device", and then they are probably reinjected. The software layer that does this shunting and re-injecting of packets makes this not a hardware firewall.
Or are we saying that iptables is a hardware firewall as well?
I read (here on /. IIRC) a few years ago about a gumstick sized machine that had 2 ethernet ports on it. Possible to use Linux on it (or other embedded OS), have a dhcp client on one port and a dhcp server (or just static addy on "real" machine) with gateway/NAT/etc. on the other port. Would allow you to plug into any ethernet connection and then provide NAT, etc. (and some degree of protection and trust) to your laptop, etc.
Anyone remember this, maybe have a link?
Intel sold the XScale line to Marvell Technology Group in June 2006. It was only a year ago, so it probably counts as news by Slashdot standards, but can we try to keep the summaries slightly accurate please?
But does it run Li... oh, sweet.
Compare this USB device to a software firewall such as Zonealarm. It costs $180 whereas you can get free versions of Zonealarm. It routes your network traffic via USB, which makes me shudder. That would be a nightmare on older pre-USB2.0 machines. It requires software drivers in order for network traffic to be directed through it. That's more "moving parts" than should be necessary. Because, of course, the more moving parts there are, the more there is that can break.
Now if this were a dongle that attached to the end of a network cable, then plugged into the PC's NIC, we might have something.
Um, why not just run the apps directly on your Linux box instead of strangling network throughput with a USB dongle running Linux...
Eh, could someone please define the term "hardware firewall"?
Not really a true hardware firewall, since it requires drivers to make it work. Still pretty neat though.
Uhh, USB2 runs at 480Mbps and in practice can push 40MBps (320Mbps) for bulk transfer (ie USB Hard drives).
So for them to claim that this device can push 100Mbps really isn't that surprising. So long as the little processor can burn through the logic checks fast enough, the bus can definitely handle the load.
-Rick
else it's NOT a hardware firewall... no matter what the slash-vertisement tries to say.
now, take that neat usb form factor, put 2 rj45 jacks on it and THEN we'll talk.
Funny, a good friend of mine almost worked there.... Anyway, I thought this device would only be any good if: 1) it had a wifi chip in the device and 2) connected via ethernet port as a mini and compact external network element that 3) would do encryption for SMB non-VPN customers 4) in unencrypted hotspots. 5) to prevent snort wifi sniffer attacks But it doesn't. Still, from what I understood they're trialling at some large enterprise IT departments who think it's super, so maybe I missed something. Nice to see that their All-in-one security includes "Parental Content Control" - I'm sure that's a killer feature for all those pre-pubescent road warriors.
pwnd!
Pretty gheyz. A pass-thru hardware firewall that has incoming/outgoing ethernet ports would be way better.. y'know, something that is completely OS independent.
That would be better and it will have less system CPU overhead.
Also some chipsets like the nvidia ones have built-in firewalls.
What I would love to see on this is a bit more storage, and just plain old Linux. Kind of like the BlackDog Linux project.
Uhm... USB 2.0 bandwidth is 54 mbps. In order to filter traffic going through it, you'd have to use the bus twice - once to send a packet to it, and once to get the packet (provided it was permitted) back from it.
I'm sure *internally* it'd handle it at wirespeed, but... otherwise, I can't see how even 50% of wirespeed is possible. Possibly closer to 20%, which, incidentally, is still faster than most home user's bandwidth.
And yes, this gadget's a total gimmick.
-AutoNiN
firewall schmirewall, I can't wait to see what "wrong" things people do with this.. a Linux machine on a USB stick? For 180$? Awesome.
it will take more than that to keep out the Palestinians.
I think I could buy an 802.11n router w/firewall for less to protect all my home systems. Since I'm not using a portable system on the road, it would seem like a better buy.
There is a niche for this thing... a very small one, but it is there.
Just because it is on the front page of /. does not mean it is supposed to save the world.
I, for one, might look into owning one of these. After all, I spend a shitload of time working on client machines trying to isolate and diagnose problems. Being able to plug in a USB key to emulate the hardware firewall the client *should* have would be helpful. Notice, I said emulate, not duplicate.
Regards.
that is really quite cool but it is clearly not a 'complete hardware firewall' as it lacks the key component of a hardware firewall.... physically separate hardware.
Because if we had, then we might have noticed that this little device incorporates anti-virus software. Why do you care? I'll tell you why: because that eliminates one of the biggest annoyances for windows users since Clippy.
Anti-virus software always slows down your PC. No matter what. It has to because it scans each and every file as its accessed (assuming resident scanner operations).
This little gem allows me to not bother with installing any anti-virus software and just offload that function to a little firewall thingy that plugs into my laptop.
To me, this is huge.
They basically just invented the USB equivalent of the Killer.NIC:
a small embedded router + a driver that directly taps into the WinXP TCP/IP stack (instead of having the packets go through the whole stack, then over a short "virtual" network link to the router, then up to TCP/IP again, then routing, then back to Ethernet, then on the "actual" cable).
My only thought: Is it programmable? Could it be reflashed to function as something else more creative and be powered from a wall-socket USB 5V power brick?
Could be a nice source of Gum-Stick-PC grade board for building fun gadgets.
(I, for one, welcome our USB-thumb-drive-sized newest electronic gizmo).
I'd rather see a device like this that is a tap based IDS or IPS system.
You can buy taps and redirect copies of network traffic into a snort or other IDS, but I'd rather have a small all encompassing device I could take on the road.
Wouldn't work for wireless, but I'd rather hop on a wired connection at a hotel anyway. Half the time wireless is spotty or the signal is weak.
If I just plug the ethernet into one port and then plug my laptop into the other, that would be great. It could then block traffic on non-standard ports, and look for signatures and block that traffic and/or the originating IP altogether.
Yoggie already make the Yoggie Gatekeeper, a full hardware firewall with two ethernet ports, just as you suggest. This also has a USB port for power. Using ethernet means this is completely OS-neutral, and can be used with Linux or OS X.
The Yoggie Gatekeeper can also be used like the Yoggie Pico in USB-only connection mode, with a Windows driver. You might want to do this to connect with built-in laptop wireless hardware, or with USB ADSL "modems".
Andrew Yeomans
People have had USB Ethernet for some time now; what's new about this? It just seems even more expensive.
I will just insert the virus in one of the following ways:
a) before it's used
b) fresh exploit
c) through IE
d) through a bug in its driver straight into kernel mode
I wish people would stop trying to fight security like they try to fight big fires with water, when what you really need to do is remove all the oxygen.
If you sit in the OS and the OS gets exploited, this little bit of hardware is really useless, and I can think of getting even better hardware for £180 that would perform the same function but actually function!
Meanwhile I have thought about getting one of these and modifying it to use as a remote boot manager for dedicated servers in data centers. Now that would be a useful utility.
I think the real question to ask is why there are so many amateurs in the security profession.
After all, nobody seems to have actually "fixed" any of the serious issues for at least 5 years now. I think it's time to swap some high-paid idiots out of the job.
If anyone is looking for a free (as in beer) software firewall for Windows with a very small footprint, Ghostwall is a great choice for the not-afraid-of-configuration.
Not quite as small of a footprint as Ghostwall, but ZoneAlarm's free-for-personal-use version is excellent, and a very well-respected Winblows software firewall. It's one of the first things I installed on my new laptop (XP partition, I don't need no steenking extra firewall software for the OpenSuSE 10.2 dual-boot partition) before taking it online, and ZA has found and stopped several nasty malwares I otherwise would've picked up just by visiting some websites with IE that tried to install crap to my laptop.
Only a windows user would have any need for a stable secure firewall (based on linux) where ironically, it depends upon a windows driver to properly function.
(*eyeroll*)
The point of the article (if anyone bothered to read it) was the miniaturization feat... 12 LAYER PCB!
It runs content scanners, checks attachments (including peeking inside ZIP files), blocks phishing sites, blocks viruses and malware, and so on. It automatically downloads updates every few minutes, and comes with a year of support. That's pretty comprehensive for the price.
Or you could just read the article.
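The "peeking inside ZIP files" and the content-based file-type detection mentioned in the thread are worth seeing in code. The block below is an added example written for this page; it is not Yoggie's code and nothing in the article describes their implementation. It labels a blob by its leading bytes rather than its extension or a MIME label, descends into ZIP members (with a depth and decompressed-size cap so a nested or zip-bomb archive cannot stall it), and reports members whose extension contradicts their content. The magic-byte table is a hand-picked subset, and the sample archive is constructed inline.

```python
"""Content-based file-type detection that looks inside ZIP containers.

Added example, not code from Yoggie or the article. The magic table is a
hand-picked subset; the depth and size caps are this example's own defaults.
"""
import io
import zipfile

# (leading bytes, label). A real scanner would carry a far larger table.
MAGIC = [
    (b"MZ", "pe"),                    # Windows PE / DOS executable
    (b"\x7fELF", "elf"),
    (b"%PDF-", "pdf"),
    (b"PK\x03\x04", "zip"),           # plain zip, also docx/xlsx/jar
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"\xff\xd8\xff", "jpeg"),
    (b"GIF87a", "gif"),
    (b"GIF89a", "gif"),
]

# extension -> label we would expect from the content; used to spot mismatches
CLAIMS = {"exe": "pe", "dll": "pe", "scr": "pe", "pdf": "pdf", "png": "png",
          "jpg": "jpeg", "jpeg": "jpeg", "gif": "gif", "zip": "zip"}


def sniff(data: bytes) -> str:
    """Label a blob by its magic bytes; 'unknown' if nothing matches."""
    for prefix, label in MAGIC:
        if data.startswith(prefix):
            return label
    return "unknown"


def classify(name: str, data: bytes, max_depth: int = 3,
             max_bytes: int = 8 * 1024 * 1024) -> list:
    """Return [(path, label)] for the blob and every member of nested ZIPs.

    max_depth and max_bytes bound the work so a deeply nested or highly
    compressed archive (zip bomb) cannot stall the scanner.
    """
    results = []
    budget = [max_bytes]
    _walk(name, data, 0, max_depth, results, budget)
    return results


def _walk(path, data, depth, max_depth, results, budget):
    label = sniff(data)
    results.append((path, label))
    if label != "zip" or depth >= max_depth:
        return
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        results[-1] = (path, "zip-corrupt")   # magic said zip, structure disagrees
        return
    with zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            member = f"{path}/{info.filename}"
            budget[0] -= info.file_size       # declared uncompressed size
            if budget[0] < 0:
                results.append((member, "skipped-size-budget"))
                continue
            _walk(member, zf.read(info), depth + 1, max_depth, results, budget)


def extension_lies(path: str, label: str) -> bool:
    """True when the file extension claims a type the content contradicts."""
    base = path.rsplit("/", 1)[-1]
    ext = base.rsplit(".", 1)[-1].lower() if "." in base else ""
    expected = CLAIMS.get(ext)
    return expected is not None and expected != label


def suspicious(name: str, data: bytes) -> list:
    """Members whose content disagrees with their extension."""
    return [(p, l) for p, l in classify(name, data) if extension_lies(p, l)]


def build_sample() -> bytes:
    """Constructed input: mail.zip -> notes.png, inner.zip -> invoice.pdf.
    'invoice.pdf' is really a PE header, the sort of thing an
    extension-based check waves through."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("invoice.pdf", b"MZ\x90\x00" + b"\x00" * 60)
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("notes.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 16)
        z.writestr("inner.zip", inner.getvalue())
    return outer.getvalue()


if __name__ == "__main__":
    for path, label in classify("mail.zip", build_sample()):
        flag = "  <-- extension mismatch" if extension_lies(path, label) else ""
        print(f"{path}: {label}{flag}")
```

The size budget is charged against the declared uncompressed size before a member is read, which is the cheap check; a hostile archive can lie in that field too, so a production scanner would also cap bytes actually produced while inflating.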
Why even use the USB port at all??? That still ties it to an OS by drivers!!!
Want to make a hardware firewall that will impress me? Simple. Make a hardware firewall that has ethernet on BOTH ends. One end goes to the wall, the other end goes to my ethernet port. Think of it as a 1 port ROUTER! You can get POWER from the USB port, but I would leave it at that.
Oh, want a hardware firewall for your wifi? No Problem! Make a WiFi version that is powered off of the USB port. Give the little box 2 wifi transceivers. One is the WAN transceiver that connects to the internet, the other one is a LAN transceiver that connects to your laptop!
With either of the above solutions you KNOW you are secure because it is OUTSIDE of whatever OS you choose! The above solutions would work with ALL Operating Systems! And only the WIFI one would need to really be configured.
Yes, what I described is basically a 1 port router. But it would WORK and would be SECURE!
Dear All, Yes, I am from Yoggie and it's a pleasure and honor for me to provide some "internal" information:
Some of you mentioned that you need 2 network ports to make a "real" Firewall. True, please refer to our web site: www.yoggie.com and find the Yoggie Gatekeeper. This product, released a few months ago, comes with two network ports running the same processor, same memory, OS and 13 applications.
Some of you view Yoggie as a Firewall and compare it to routers and access points: Please note that Yoggie is by far more than just a Firewall and in fact it's like a set of enterprise security appliances packed in a miniature computer. Let's see what's in there:
1. Firewall, NAT, DHCP server and client
2. Full snort implementation including IPS on top. VRT updates will come soon.
3. 4 transparent proxies: 2 for web: HTTP, FTP and 2 for email: SMTP and POP3
4. True file-type detection agent, so file types are detected by content analysis and not based on MIME or file extension! Compressed files are uncompressed in real time before scanning!!!
5. Anti Virus agent - Kasperski!
6. Anti Spyware agent - both signature based and behavior based!
7. Anti Phishing - since it sees the web and email traffic - it can "close the phishing loop" and verify content/url.
8. Anti SPAM - based on Mailshell engine.
9. URL CAT and parental control - based on SurfControl.
10. Layer 8 agent - performs content scanning on "above layer 7" applications, AJAX, VBS, JS, etc. to detect new and unknown viruses (not based on signatures).
11. MLA - Multi Layer Security agent - a new invention - event correlation in REAL TIME for all events from all other modules - to drastically reduce false positives of IPS and Layer 8 agent.
12. VPN Client.
These applications take 35% - 45% of PC Windows CPU. More, one cannot find a commercial implementation of all these applications in one security appliance, even when it comes to a 1U, 2U or 4U appliance.
Simply, no one has yet managed to integrate layer 2/3 security with layer 7 and above-layer-7 content analysis. Yoggie is a unique combination of 7-8 different commercial security appliances.
Why did we come with the Yoggie PICO? And why after Gatekeeper? First, we wanted to provide the experts with a 2 network ports solution: we launched the Yoggie Gatekeeper. After that we came with this great invention that one can implement an *almost* identical solution using the *S-Route driver* at the lowest level that still NATs (yes, this is the first NAT and DHCP service inside a protected driver and in between network layers) the IP address, so the external IP address is different from the IP addresses Windows applications get. This unique implementation is the only one capable of stopping attacks such as "ARP cache poisoning" - something only hardware based firewalls can do (it will go via software firewalls). We absolutely agree that Yoggie Gatekeeper using two network interfaces provides the ultimate separation and isolation, but we also know that Yoggie PICO's unique "S-Route driver" is by far better than a software firewall. Why didn't we add a network port to PICO? We left this choice with the Gatekeeper (for people that absolutely require two ports) and made an alternative with almost the same security level but with a much smaller form factor (easy to carry) and using the existing network port in the laptop. Your comments and suggestions are welcome. SST.
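The ARP cache poisoning point above is the one place in the thread where "below the IP stack" is more than a slogan: the evidence needed to catch it is the Ethernet source address and the ARP header, which no socket-level firewall ever sees. The block below is an added example written for this page, not Yoggie's S-Route driver or anything from the article. It parses raw Ethernet II + ARP frames and applies three checks: the Ethernet source must match the ARP sender address, a trusted binding (such as the gateway's) may never change, and a reply is only accepted if the protected host actually asked the question. The traffic is constructed by hand; the addresses are made up.

```python
"""ARP cache-poisoning guard that works on raw Ethernet frames.

Added example, not Yoggie's S-Route driver or code from the article. Frame
layout is standard Ethernet II + ARP (RFC 826); the sample traffic below is
constructed by hand with made-up addresses.
"""
import struct

ETH = struct.Struct("!6s6sH")            # dst MAC, src MAC, ethertype
ARP = struct.Struct("!HHBBH6s4s6s4s")    # htype, ptype, hlen, plen, op, sha, spa, tha, tpa
ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST = b"\xff" * 6


def mac(s): return bytes.fromhex(s.replace(":", ""))
def ip(s): return bytes(int(o) for o in s.split("."))
def fmt_mac(b): return ":".join(f"{x:02x}" for x in b)
def fmt_ip(b): return ".".join(str(x) for x in b)


def build_arp(op, sha, spa, tha, tpa, eth_src=None):
    """Assemble an Ethernet+ARP frame; eth_src defaults to the ARP sender MAC."""
    eth_dst = BROADCAST if op == ARP_REQUEST else tha
    return (ETH.pack(eth_dst, eth_src or sha, ETHERTYPE_ARP)
            + ARP.pack(1, 0x0800, 6, 4, op, sha, spa, tha, tpa))


def parse_arp(frame):
    """Return the ARP fields as a dict, or None if this is not an IPv4-over-Ethernet ARP frame."""
    if len(frame) < ETH.size + ARP.size:
        return None
    _eth_dst, eth_src, etype = ETH.unpack_from(frame, 0)
    if etype != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = ARP.unpack_from(frame, ETH.size)
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return dict(eth_src=eth_src, op=op, sha=sha, spa=spa, tha=tha, tpa=tpa)


class ArpGuard:
    """Layer-2 filter: pinned bindings, replies must answer a request, no rebinding."""

    def __init__(self, trusted):
        # trusted: {"ip": "mac"} bindings that may never change (e.g. the gateway)
        self.table = {ip(k): mac(v) for k, v in trusted.items()}
        self.pending = set()   # IPs the protected host asked about; replies for these are expected

    def note_request(self, frame):
        """Feed ARP requests the protected host sends out."""
        h = parse_arp(frame)
        if h and h["op"] == ARP_REQUEST:
            self.pending.add(h["tpa"])

    def inspect(self, frame):
        """Verdict for an inbound frame: ('accept', reason) or ('drop', reason)."""
        h = parse_arp(frame)
        if h is None:
            return ("accept", "not ARP")
        if h["eth_src"] != h["sha"]:
            return ("drop", f"ethernet src {fmt_mac(h['eth_src'])} != ARP sender {fmt_mac(h['sha'])}")
        known = self.table.get(h["spa"])
        if known is not None and known != h["sha"]:
            return ("drop", f"{fmt_ip(h['spa'])} is bound to {fmt_mac(known)}, frame claims {fmt_mac(h['sha'])}")
        if h["op"] == ARP_REPLY:
            if h["spa"] not in self.pending:
                return ("drop", f"unsolicited reply for {fmt_ip(h['spa'])}")
            self.pending.discard(h["spa"])
        if known is None:
            self.table[h["spa"]] = h["sha"]   # learn a new binding once; never overwrite
        return ("accept", "ok")


def run_demo():
    """Constructed scenario on 192.168.1.0/24; returns the list of verdicts."""
    gw, us, evil = mac("00:11:22:33:44:55"), mac("02:00:00:00:00:01"), mac("aa:bb:cc:dd:ee:ff")
    gw_ip, our_ip = ip("192.168.1.1"), ip("192.168.1.10")
    g = ArpGuard({"192.168.1.1": "00:11:22:33:44:55"})
    frames = [
        # attacker tells us the gateway now lives at its MAC
        build_arp(ARP_REPLY, evil, gw_ip, us, our_ip),
        # attacker forges the ARP body but cannot hide the Ethernet source
        build_arp(ARP_REPLY, gw, gw_ip, us, our_ip, eth_src=evil),
        # someone answers a question we never asked
        build_arp(ARP_REPLY, mac("02:00:00:00:00:02"), ip("192.168.1.20"), us, our_ip),
    ]
    verdicts = [g.inspect(f)[0] for f in frames]
    # the real gateway answering our own request is fine
    g.note_request(build_arp(ARP_REQUEST, us, our_ip, b"\x00" * 6, gw_ip))
    verdicts.append(g.inspect(build_arp(ARP_REPLY, gw, gw_ip, us, our_ip))[0])
    return verdicts


if __name__ == "__main__":
    for v in run_demo():
        print(v)
```

Note what the unsolicited-reply rule costs: gratuitous ARP, which hosts legitimately send after a failover or an address change, is also dropped, so a deployment would whitelist that case or rate-limit it rather than ban it outright. The point of the example is the vantage point, not the exact policy.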
I think I could buy an 802.11n router w/firewall for less to protect all my home systems. Since I'm not using a portable system on the road, it would seem like a better buy.
You don't say! Duh!
This is a product for mobile professionals. The IT department can stick this cheap (for a multinational) dongle into their laptops and guarantee that the professional person, who probably isn't too bright in terms of IT, won't get owned on their round the world trips with their various different types of connectivity that they will employ. I'm only surprised that it isn't also available in ExpressCard and PCMCIA formats.
I find it astonishing that we have a tiny Linux based computer running at 520MHz with 128MB RAM fitting into a miniature hardware device, and everyone on Slashdot is dissing it. Didn't anyone read the article (all the people complaining about the device not having ethernet ports clearly didn't read the article or they would have seen the companion product that has them)?
Think of the future possibilities - hijack the file system stack and implement hardware security on the filesystem. If the laptop is stolen (as if that would happen, why, if it did we'd see stories about it... wait) then the data is safe.
A real hardware firewall doesn't rely on the system it is protecting.
In this case, since the processing of the packets is done on the computer itself, the "hardware firewall" is just an illusion.
If the software doing the processing has been compromised, you're screwed, thus this design obliterates the philosophy behind a hardware firewall.
Plus you have more cross-platform and deployment issues.
This is really stupid. An ideal solution would have been a hardware firewall performing inline filtering by a microcontroller/FPGA/whatever embedded system with just two ethernet jacks.
Don't fall for this marketing gimmick. These guys just want to make some dough and you can get Norton for free after a mail-in rebate from Fry's.
>> An Israeli startup has squeezed a complete hardware firewall into a USB key.
Oh my God! With only 16 GIGABYTES of space how could they possibly ever SQUEEZE a customized version of Linux onto a USB key!
As if any full blown Linux distro would take anywhere near that much space with a basic install, let alone a stripped down custom install.
Hello,
What I would like to know is how Yoggie's devices compare to Zyxel's ZyWALL P1. Zyxel's device is larger at about 5×3×0.75" (assuming I'm doing the metric conversion properly) but it is a standalone device with two 10/100 Ethernet ports. Zyxel's web site says anti-virus, IDP and anti-spam will be available in the future, but since that was two years ago with no update to the web site since then, I'm guessing they will never be added, so the device only acts as a firewall with SPI and DDoS protection and VPN client. Still, at around $70.00 or so, it is half the cost of the Yoggie and you can always run anti-virus and anti-spam on your client PC.
I have not used either device, so I am wondering how their respective firewall and VPN feature sets compare.
Regards,
Aryeh Goretsky
"Honey, have you seen my firewall? Where'd I put that dang firewall...I know it's around here somewhere...oh geez, it was in my pocket the whole time."
I do this now with keys, wallets and cell phones. Do I really need to do it with my firewall?
Don't buy it, it's a waste of money for $180. I have used many Mikrotik routers for ISP routers and they work great and cost less or the same depending on performance. They can also do more than the USB router or even a Cisco.
There's a lot of assumptions being made here, fellas. For one, although the diagram suggests it, it doesn't HAVE to send data over the USB port twice. If the driver that's intercepting the stack is properly designed, it only needs to send the packet once, and then get a binary response: accept or deny. Remember, the USB port isn't a network device, so it doesn't have to work like one. However, we don't know if it works this way, or if it really does send it twice.
You can't be so short on material to keep crud around for long.
Thanks for listening.
It's true that this gizmo is nothing more than a hardware assisted software firewall, but let's not miss the irony: it's a lunix device... but it only has Windows drivers.
Even people creating linux devices know where the real market is at. But I'm guessing they only used Lunix because it was free.
will add an empty line to the
The first few versions of ZoneAlarm were great, however I've had a lot of problems with the newer versions (ver 5+), esp. with memory usage and the entire network stack becoming inoperable until I rebooted. I now rely on a nice router (DLink DGL-4300) with a proven track record for reliability, speed, etc., which has a built-in firewall, and as a last line of defense, the MS Windows firewall, which I agree is a joke, and AWFUL to configure, but has been very stable for me.
Reading this slashvertisement has left me wondering what the hell these Israelis were trying to solve in the first place.
It's a USB device (not a USB key, dammit!) that merely houses an embedded processor, with funky drivers that mess with the network stack in order to route traffic through the gadget. You're piping your 100mbit line both ways over USB, which is such a dumb idea. It offloads the firewall process from your main CPU, but then ties it up waiting on USB I/O. It also raises the same issue as VM firewalls, where attackers are still connecting directly to your PC, you're just blindly hoping that the "raw" hop between the interface itself and the firewall won't be compromised.
This is hardly any different from running a pure software firewall like Zone Alarm or whatever's big these days. Adding a puny little embedded processor doesn't do all that much. If you worry about your idle CPU cycles so much that you'd throw $180 at a silly gadget like this, then I can think of several other options that are less hackish and platform-agnostic.
1. Spend that $180 to get a faster CPU, mitigating the performance hit of a software firewall
2. Buy/find an old Pentium-133 for ten bucks and install a Linux firewall (even a prebuilt one like SmoothWall)
3. Go to Worst Buy, Jerkit City or Mallwart and buy a $30 broadband router
4. Unplug your computer, bury it in 6 feet of concrete, post an armed guard nearby and find yourself a less stressful hobby
-Billco, Fnarg.com
why not build a hardware firewall right into the laptop/desktop itself? Really why not?
Well, let's check the technical facts. On the OSI 7 layer model, layer 7 stands for the "application layer". Note that this is the *network application*, not the end user application. Also note that this layer 7, or the Network Application layer (specifically HTTP, FTP, etc.), is really used by *end user applications* as the transport layer. What are these applications? JavaScript, Java applets, ActiveX, VBScript, etc. These are end user productivity apps that travel over HTTP, SMTP etc. So, Yoggie developers like to name it "Layer 8". Ultimately there is no Layer 8 in the OSI Model (this is why we use "") - but you know us developers and inventors, we like to come up with our own names. So, what is the Layer 8 Security Agent? It is an agent that does behavior analysis on end user applications (=Layer 8). I am sure you have heard of the term Behavior Analysis; it means we scan the content of the CODE, using heuristics to determine whether this code is an attack (doing malicious acts) or just a friendly end user application that is allowed to enter. Why do we do this? Well - this is a good technique to stop a virus that is still not recognized by the Anti Virus (no signature has been delivered yet) and would otherwise infect the protected computer. I really suggest you keep reading; the depth in Yoggie PICO is by far more than what it seems at first look.
Well, I don't exactly see the unique benefit of this device (not enough coffee this A.M., I guess). But let's give 'em credit for something:
Marketing Marketing Marketing!
So how do you configure it? The article mentions a public site but there is nothing about this on the yoggie website.