Slashdot Mirror

← Back to Stories (view on slashdot.org)

Hardware Firewall On a USB Key

Posted by kdawson on from the bad-packets-stop-here dept.

An anonymous reader writes "An Israeli startup has squeezed a complete hardware firewall into a USB key. The 'Yoggie Pico' from Yoggie Systems runs Linux 2.6 along with 13 security applications on a 520MHz PXA270, an Intel processor typically used in high-end smartphones. The Pico works in conjunction with Windows XP or Vista drivers that hijack traffic at network layers 2-3, below the TCP/IP stack, and route it to USB, where the Yoggie analyzes and filters traffic at close-to-100Mbps wireline speeds. The device will hit big-box retailers in the US this month at a price of $180." Linux and Mac drivers are planned, according to the article.

11 of 203 comments (clear)

  1. Not really a hardware firewall by dreamchaser · · Score: 5, Insightful

    A true hardware firewall wouldn't have to hijack traffic via a driver. It would have it's own ethernet port and would inspect data before it even touches the network stack on the host OS.

    A bit hyped up if you ask me.

    1. Re:Not really a hardware firewall by larkost · · Score: 5, Interesting

      Except that all of your traffic is now going over your USB port twice... and the USB port is your most processor-intensive I/O. I have no idea how the numbers will work out... but there is a good chance that this will eat a lot of processor time.

    2. Re:Not really a hardware firewall by kasperd · · Score: 5, Informative

      Why not just put an ethernet controller into it, and use it as a USB network adaptor?
      I think that is exactly the point the grandparent was trying to make. If it had an actual ethernet interface you would only have to transfer the packets over the USB interface once, thus you'd reduce the load on the machine. You'd also get better security since the machine would no longer be connected to the network without going through the firewall. You'd avoid hacking the network stack, and the result would be something working on more systems without the need for special drivers. And you'd free up the ethernet port on the machine, so it could also be used in situations where the machine did not have exactly as many ethernet connections as you'd want. Basically adding a real ethernet interface to this gadget would have increased its value by at least a factor of two.
      --

      Do you care about the security of your wireless mouse?
  2. Not too bad by NickisGod.com · · Score: 5, Funny

    My favorite is the "Layer-8" security engine (Patent pending).

    That's where all of my clients' problems come from.

    -Nick

  3. Marketing Gimmick by dreamchaser · · Score: 5, Insightful

    It's a marketing gimmick. At the very best it's a software firewall with a (not really needed) co-processor to do packet inspection.

    Personally it looks like a waste of money to me.

  4. from the article by MarcoAtWork · · Score: 5, Insightful

    Once running, the Pico establishes an SSL (secure sockets layer) http connection to Yoggie's central servers, where it checks for updated firewall policies and rule sets, Touboul said. It subsequently checks every every five minutes, by default.


    so basically this means allowing a black box to hijack completely my IP stack, a black box which phones home every 5 minute and arbitrarily downloads software updates... just think if this company's server was compromised even for an hour, given that all of the devices update every 5 minutes you could compromise pretty much all of them at the same time.

    Not to mention that if this device can insert a 'low level driver' that hijacks the IP stack, I'm sure a virus will come up sooner or later that will re-hijack this and compromise it. The only really 'safe' hardware firewall is, guess what, a completely separate hardware firewall (like my custom LEAF install on my old p3-500), this sounds like those 'one time pad, guaranteed!' crypto products we often lambast here on /.

    --
    -- the cake is a lie
  5. Re:Why? by rickkas7 · · Score: 5, Insightful
    Software firewalls are hardly performance hogs.

    You've obviously never used Norton Internet Security 2007 or McAfee Internet Security Suite 2007.

  6. Re:Why would I want this? by richardtallent · · Score: 5, Informative

    Just like software firewalls, this is just snake oil for feeble-minded people who don't realize that firewalls are for blocking access *between* networks, not for closing ports that shouldn't be open in the first place on individual machines.

  7. Re:Why would I want this? by fishybell · · Score: 5, Informative
    According to their nifty flowchart it supports whatever windows supports. It takes the inbound traffic after the hardware receives it, but before the TCP/IP stack. It sits in the same place as a software firewall, but offloads the calculations and filtering to the dongle's cpu.

    Why would anyone want this? Well, a router that combines firewall, nat, vpn, etc. is fine for home use, but what about the coffee shop? For a mobile computer having a on-computer firewall is a must. As far as why anybody would choose to use this over any software firewall... I can only assume it's for people who don't want yet another piece of software hogging their cpu. Most software firewalls aren't that intensive, but if you're looking to free up that 3-5% of your resources, hardware is the way to do it. Of course, without a benchmark showing a difference, the actual performance increase is lost in the market speak.

    --
    ><));>
  8. Re:Troll! by Pojut · · Score: 5, Funny

    They are like you in every way, except for one thing: They remember to actually click "Post Anonymously"

    --
    Living With a Nerd
  9. Re:Why would I want this? by Kam+Solusar · · Score: 5, Funny

    Heck, for half that price you could buy a little router and carry it with you! And in many parts of the world you could even get a little guy to carry it for you too!
    --
    The Angels have the Phone Box