Catch up on stories from the past week (and beyond) at the Slashdot story archive

 



Forgot your password?
typodupeerror
×
Technology

3Com to Sell Firewall-in-a-NIC 209

Broue Master writes "According to a UK ZDNet article, 3Com is commercializing a firewall into a NIC aimed at desktop and servers." Interesting idea, although it'll be interesting to see if the idea catches on.
This discussion has been archived. No new comments can be posted.

3Com to Sell Firewall-in-a-NIC

Comments Filter:
  • Now firewalls area available to the masses who don't know what they are!
    • Re:Great.. (Score:1, Interesting)

      by Anonymous Coward
      That's not necessarily a bad thing. How many surf-email-chat people do you know that are concerned about computer security? Not many, because they look at their computer as an appliance moreso than something that can be 'hax00red' and used as a proxy for criminal activity. It's these types of people that will benefit a lot from this NIC.
    • Re:Great.. (Score:1, Informative)

      by Cosmos_7 ( 128549 )
      Hardly. If you read the article you'd see that its a $120 NIC, plus $50 for the firewall software, and requires a $1000 policy server.

      The Masses, as you put it, are not the intended audience of this.
    • Re:Great.. (Score:2, Informative)

      by magicslax ( 532351 )

      Now firewalls area available to the masses who don't know what they are!

      No news threre. Windows XP has a bundled software firewall and many consumer routers toute built in firewalls as well. The main significange is the NIC taking the (nominal) load off the rest of the system and allowing greater control of user terminals, I believe. Now, the article :-) says a selling point of this dealy is that computers with it installed can only connect to trusted adresses /on the hardware level/. "The device also makes it harder to misuse corporate equipment by plugging it in in the wrong place" or CONTROL, you be the judge. Somebody correct me if [when] I'm wrong.

      • On the subject of XP, I had been using the free (as in the way beer isn't) Zone Alarm on my Win98 machine, but on upgrading to XP I discovered that when I tried to disconnect from the internet, my connection would crash and have to be shutdown using 'end task', and I'd have to reboot before I could reconnect.

        Strangely enough, using XP's own firewalling system this does not happen...

        Odd that, isn't it?
  • Awkward (Score:2, Funny)

    by Anonymous Coward
    Interesting idea, although it'll be interesting to see if the idea catches on.
    I don't think I could come up with a more awkward sentence even if I tried...

    I can only imagine the long line of emotionally shattered English teachers that Taco left in his wake.

    • Huh? What in the world is 'weird' about that sentance? I was able to parase it the first time through.

      Mabye your eyes are crossed? ^_^
      • The parsing difficulties of the original sentence are the incorrect use of the word "although" and the two uses of the word "interesting" in close proximity. Of course, you and I may be able to parse the sentence, but that just indicates we're used to awkward and incorrect sentence structure (especially on slashdot).

        BTW, I had difficulty parsing your use of the word "parase". ;)

      • The problem stems from the repetition of both "interesting" and "idea."
  • If you're THAT concerned about security or engaging in online activity that is THAT high risk, then get a real firewall. Aside from that if you're connected to the net through a NIC, then you're probably protected by a firewall anyway, which renders the technology even more pointless.
    • What's a "real firewall" that this isn't? I can imagine numerous situations where people connect their NIC directly to an untrusted network where this could be useful - college dorm networks, cable modem users etc.

      • The purpose of firewalls is to isolate a machine from the bad guys who might exploit security holes you want to leave open for the local good guys. That is, you have the open network, then the firewall, then a network where you're more lax about security. That way you can use insecure protocols in places where you trust the network.

        If you're putting a firewall on the machine, the only area where you don't have to care about security is within your machine. But within your machine, you have other methods: IPC, shared memory, or even net 127.

        But what this really does is it talks to a server which tells the NIC what to ignore, overriding what your machine wants to do (if there are any security holes on your machine, your OS will presumably configure the firewall to expose them, if it can; if it weren't going to, it would filter at the OS level). This essentially prevents your machine from listening on any ports that the central server doesn't want you listening on or making connections the central server doesn't want you to make.

        There are two functional differences between this and a traditional firewall. The policy machine doesn't have to look at the packets, because it tells the machines which have to look at the packets anyway what to do; therefore, it's harder for an outsider to overwhelm the policy machine. Also, this setup will allow the firewall to stop you from talking to other machines on the network. This could stop a worm from spreading within a company over services which aren't supposed to be enabled.

        So the policy server and the set of cards together make what amounts to a firewall. If you buy one of these, you don't get your own firewall.
    • Huh? Firstly, even "choke point" (such as used at most corporate configurations) firewalls are of little use: When Jimmy opens up port 80 incoming so that he can demonstrate a website to his friends, and his PC gets infected by code red, or any of dozens of other trojans, it then has unrestricted access to every other PC inside the firewall. Secondly, what do you mean by engaging in activity that is "THAT high risk"? Are you being serious? Being connected is high risk, and I see hundreds, or rather THOUSANDS of trojans and port scans hitting me daily. And additionally most people with ADSL or cable modems connect to their modem via a NIC, so I'm not sure what your point regarding the NIC means.

      And in any case what makes this not a "real" firewall? I haven't even looked at the product, but if your simplistic idea of a firewall is that it has to have an impressive box, then you're woefully mistaken: The job of a firewall is a very simple one, and in most "hardware" solutions is just a couple of chips to fulfill the task.
  • by kinko ( 82040 ) on Thursday April 25, 2002 @05:32PM (#3412410)

    The product is aimed at enterprises, to provide centralised control over security. All the secure NICs in a company are managed by a central policy server, which configures them and sets up access rights. Communication with the policy server is encrypted. One policy server supports up to 1000 NICs.

    Sounds like it's using some proprietry protocols. Also, the network card will not work if plugged into a different switch. You'd better trust 3com a lot if you use this stuff.

    • 3Com strikes me as no less trustworthy than other companies which are routinely entrusted with power or important information. Microsoft, for instance.
    • In a corporate environment, wouldn't all your computers be talking to the internet through a router, anyway? Wouldn't it make sense to have the "firewall" on the borders of your network, rather than in the middle? Isn't that what the term "firewall" means?

      Or is this to implement security against other clients on the same local network?

      I'm confused.

      -Mark
      • In a corporate environment, wouldn't all your computers be talking to the internet through a router, anyway? Wouldn't it make sense to have the "firewall" on the borders of your network, rather than in the middle? Isn't that what the term "firewall" means?

        Or is this to implement security against other clients on the same local network?

        It's for use against other clients on the same network. I think the intended use is to keep employess/keyboard wielding monkeys/schoolchildren from hax0ring each other.

      • In answer to your questions the answer is: 1) Yes 2)Yes - but not in all cases. 3) No. 4) Well if one computer gets infected - say through an employee getting an infected e-mail it means it doesn't spread to the rest of the network (a good thing).
      • by Anonymous Coward
        It could be used as a second layer of defence when combined with a perimeter firewall. (Good security practice, don't rely on one single device to provide security).

        It can be used as access control, only allowing client devices to go to certain places on your network. (ie: kiosk in the lobby only needs to surf through proxy server 1.1.1.1:8080, all else is denied).

        Protect desktops w/ confidential information (Human Resources, Finance, etc.)

        It can be used to harden servers. Many companies take the "tootsie pop" approach to security. Hard shell, gooshey center. This way, you open a couple of ports on a server, potentially not allow it to initiate connections to other boxen, etc.

        Maybe the server is co-located at an ISP. You still control the rules.

        Even if the server is owned, the machine itself has no control over it's security policy. That only happens from a central management station.

        There are lots of uses for these NICs - just depends on where your security need is.
      • Wouldn't it make sense to have the "firewall" on the borders of your network, rather than in the middle?

        The most common implimentation is to use a single firewall to protect a network. This configuration also provides a single point of failure. If a cracker can get past the single firewall, he can mount attacks on any internal systems.

        With a firewall on every machine and a general network firewall, you have a layered defense that is exponentially harder to subvert. It will also help stop internal attacks by employees, which are much more likely to succeed than external attacks.

        The main reason that per machine firewalls are not a common practice is the administration overhead for a heterogenous network. Putting the firewall in an OS independant and inexpensive hardware implimentation might change this.

        • With a firewall on every machine and a general network firewall, you have a layered defense that is exponentially harder to subvert. It will also help stop internal attacks by employees, which are much more likely to succeed than external attacks.

          All true, but how effective would this be? Don't forget that just about every enterprise desktop is windows using netbios. Open the firewall on the NIC enough to let the netbios ports through, and you've pretty much opened the machine up to 90% of potential attacks anyway.

          It could have a use in stopping certain groups of machines being able to talk to each other at all though.

          I know W2K and later don't need netbios, but they can also have centrally managed IPSec group policies to achieve pretty much the same thing as this firewall.

          This card doesn't seem worth the extra expense to me - upgrading the OS to W2K would probably be comparable in cost to upgrading the NIC.
        • With a firewall on every machine and a general network firewall, you have a layered defense that is exponentially harder to subvert.
          Maybe. Or, the attacker breaks the first firewall, and then exploits the server that configures the NICs. Thus, attack complexity is greatly reduced, as he can now disable all the firewalls in the network.

          I'm with you on layered defense. However, it breaks down when you trust other systems.
      • Firewalls are about limiting access. It doesn't matter where it's placed, it's where you want to limit traffic that matters. That means internal/external and internal/internal.

        Putting a firewall at the edge is fine and a good idea, but the bigger threat is internal attackers. Don't want a disgruntled employee accessing the HR records.
    • No. You use the 'central policy server' to set up the firewall firmware. The CPS then shoots that config out to the various NICs. Or do you want to wander from desktop to desktop with a floppy or a printout every freaking time your policies change?
    • To me this seems a bit awkward.... At least when using whole systems and network segments for firewalling, its kept at a simple and low level.

      For this, though it (theoretically) should support much finer firewalling rules based per client and be easier to do such, I'd really have to look at the implementation of the server software to determine if i would like it or not...

      For example, what happens if the policy manager server goes down? does the software support redundancy? Will the entire network end up a mess without the server to command each cards filtering and packet routing? or do the cards hold that information until next updated?

      Id like to read some deeper information on this system.
      • by Anonymous Coward
        3 Policy Servers can be in a load balancing and redundant configuration. If one policy server goes down, the other two pick up the slack. The whole network doesn't go "haywire" if all 3 of them go down... each NIC that was up and running will continue to run with it's established policies.

        Should all 3 policy servers be down, then the nics will go into a pre-defined fallback policy until the policy servers come back up. You can fail open, closed, and in the near future, to the last policy you had.
    • Interesting -- I wonder if they wrote their own policy server, or are OEM'ing someone else's stuff? There are several vendors who have products in this space: Zone Labs Integrity [zonelabs.com], Sygate Secure Enterprise [sygate.com], Symantec Enterprise Security Manager [symantec.com], F-Secure Policy Manager [f-secure.com], and probably some others I've forgotten.

      The tricky thing is writing a server that integrates well with existing back-end security and authentication infrastructure: having a bunch of standalone systems really sucks from a management point of view. Depending on how the client/agent/firewall (in software or firmware, as on a NIC) is structured, it may be possible to mix and match vendors in the future. (For example, another vendor's server monitoring these 3com NICs.)

      The protocols themselves don't really need to be proprietary to the point of precluding interoperability: most are based on good solid Internet/IETF standards like IPSec, SSL, TCP, XML, etc. (Full disclosure: I was the system architect for Zone Labs Integrity [zonelabs.com].) If the protocols could be standardized, I could easily see ZLI serving policy to the various firewall-enabled gadgets out there, as the server is easily extensible.

      I guess I just want to see things interoperate, but that's probably just because I'm an old Unix hacker....

      • The article indicates that the loaded software is Secure Computing's stuff, presumably Gauntlet since it's their only firewall product. I would imagine that the console is the Gauntlet console.

        As for the guy above who remarked about how silly it was to require these things to be configured by a central console, he obviously hasn't been the firewall management staff at a large company. A central console is the _only_ way to fly if you have a large number of firewall policy engines to manage. Otherwise, the flagpoles in front of most buildings would be draped with suicidal firewall admins wanting to end it all. :>

        (Besides, it's not like there isn't a central console for iptables/ipchains that works pretty well [fwbuilder.org] -- a firewall need not be a standalone unit with a custom policy all its own to be secure. Sometimes, it's more secure to provide an administrator with an easy way to avoid screwups.)

    • by jandrese ( 485 ) <kensama@vt.edu> on Thursday April 25, 2002 @06:28PM (#3412806) Homepage Journal
      That's not the way these cards work. I've been testing the cards for some time now and you don't need any fancy network equiptment (other than the cards themselves) to set this up. The Policy Server here is a Windows applications (downside: no automation ability in the beta I had, not even a simple scripting engine). Configuration is sent over the network as special UDP (I think) packet.

      The card has a few oddities nonetheless. First, when you install these cards, you need to build an "install image" on the policy manager. You then have to run that after you put the card in the machine to flash it's firmware (the cards send heartbeats back to the Policy Server, so they have to know where to send them). In effect, your users always have to download an install from your network to set up their cards, they can't just go out to the web and grab one. Fortunatly the card works as a regular NIC before you flash it.

      This card also includes IPSEC offload for people running VPNs and the like. I never actually got it to work, but it's supposed to do the encryption in hardware. Apparently the firewall sits OUTSIDE of the ipsec traffic though, so all it sees are the encrypted packets, which limits its usefulness considerably.

      All in all the cards are OK, not supurb yet (that management console is very click intensive to use), and reasonably cheap for their target market. I think they stand a good chance of taking off, especially as corporate security folks notice that these are the perfect replacment for the ubiquitious software firewalls in use today.

      One more thing I thought would be amusing. If someone were to steal your machine and turn it on elsewhere without noticing what card you have, the security folks would immediatly know where their machine went.
  • Sounds good but.... (Score:3, Interesting)

    by RealisticWeb.com ( 557454 ) on Thursday April 25, 2002 @05:33PM (#3412414) Homepage
    It sounds like a good idea, but It seems to me like just a fancy way to sell you another server to have to manage. A central server for your NIC cards? Thats the last thing that I want to have to deal with. I would be curious to see benchmarks against something like this and a traditional firewall.
    • And interesting to see if more of them are programmed correctly than the traditional firewalls. Some traditional firewalls leak a bit. Something I find interesting is to see how many web servers are inside a firewall vs. outside. Since many attacks are focused on port 80, putting a web server inside (or in a DMZ) may be counterproductive. Depends on the layout.
  • Interesting Idea (Score:2, Insightful)

    I can see the advantage of putting that in hardware (firmware?).
    But I don't believe it can be useful in filtering outgoing packets; how can it tell what program or user is sending it.

    Because of that I think that software based solutions are better.

    And besides .. if the OS is good then nobody without proper permissions can change the firewall rules anyway!

    • Re:Interesting Idea (Score:1, Informative)

      by Anonymous Coward
      Software firewalls... HAHAHA. That's funny. You can't rely on software to protect an OS that has holes in it already. If code can circumvent the OS, it has complete control over the software running on that OS, including software firewalls or antivirus.

      You can't rely upon a software firewall when readily-available, freely-downloadable, simple programs can take it completely out? These trojans and viruses can take out software firewalls today:

      OptixPro
      OptixLite
      OptixKiller
      Buschtrommel
      Y3kRAT
      Pentagoner

      Plus more. Embedded Firewall is hardware-based. Because all of the firewalling functions happen in hardware, they are completely independent of the host operating system. Even if you circumvent the host OS, you will never be able to change your own security policy.
      • Embedded Firewall is hardware-based. Because all of the firewalling functions happen in hardware, they are completely independent of the host operating system. Even if you circumvent the host OS, you will never be able to change your own security policy.

        Now I'm sure 3Com don't expect users to have to flash each and every NIC. They will include some sort of software based setup tool. If a trojan has control of the OS, then it simply needs to emulate that tool. It's then 'just another firewall' to the trojan, software based or not.

        It wouldn't even have to go that far, what's stopping the trojan from sending anyway? A firewall that is OS independent cannot filter outgoing packets based on who or what sent it.

  • "The NIC costs $120 list price, and the embedded firewall is another $50 for each client." My last NIC cost me $4.95 [compusa.com]. So it's really $165 for the firewall.What if you need to VPN into work, and your employer's VPN won't work through the firewall firmware? Not that it would be a problem, but if it were a problem can you turn the firewall off?

    • My friend bought it when all it could do was the hardware-based encryption, just to say he had the fastest and sexiest NIC available. Even though he wasn't planing to ever use its encryption. So apparently the price isn't that big of a deal to some people.

      (phththt, hi slordak :) )

    • Skipping the fact that these are clearly _server_ class NICs, they aren't as expensive as you'd imagine out there in closeout land.

      Pricewatch [pricewatch.com] has a vendor selling a (no doubt earlier version) 3CR990 for $59. That's a bit more than your CompUSA card, but a respectable price for a brand-name card -- especially one with an embedded ARM processor specifically for offload processing.

  • by meta-monkey ( 321000 ) on Thursday April 25, 2002 @05:38PM (#3412467) Journal
    I'm getting rather tired of these stripped down firewall implementations. I've used several (linksys and dlink DSL routers, and lrp), but I've always found them either

    a) buggy, or
    b) very inflexible

    For the life of me, I couldn't get the linksys box to track an incoming FTP session. The D-link router would crash if you tried to pump too much traffic through it (I was running UDP netperf tests). lrp just didn't have the features I wanted. Eventually I just scrapped it all and installed RH 7.2 on a p166, and turned off everything except iptables, roaring penguin, and ssh. It tracks all my connections just fine, forwards ports appropriately, and I've got scripts set up to restart my IPSec tunnel and re-register my IP with a dynamic DNS server every time my IP changes. I get the same throughput and latency I got through the other solutions, too. Sure, I'm doing more complicated things than most users, but even when I wasn't, the 'firewall in a box' gizmos still gave me headaches. I have a feeling a 'firewall on a NIC' would be even less flexible...
    • "b) very inflexible"

      Aren't firewalls SUPPOSED to be inflexibe? ;)

      Heh I think I should wear asbestos underpants when I make a comment like that...
  • The only people who are going to buy these are people who are fairly security-conscious anyway.
    • I'd have thought that this is going to be a stripped down firewall implementation, which for the security conscious folks won't be good enough.

      "NIC costs $120 list price, and the embedded firewall is another $50 for each client. The policy server costs $1000."

      Looks a little pricey at the moment as well. How many firewalls do you need? One per desktop or one per gateway?

      • Even a stripped-down firewall on each desktop would give you a little more defense in depth than just a firewall per gateway. Sure, the OS could handle firewalling too, but here's a solution that's OS independent (I'm assuming).

        I think that's supposed to be the appeal, but then, what do I know? I'm an amateur.

  • Hardware VPN? (Score:3, Interesting)

    by Kenja ( 541830 ) on Thursday April 25, 2002 @05:40PM (#3412486)
    No word on if this card will support site to site VPN tunnels. If so it could be very usfull for remote clients connecting into a main network. As it stands such users are forced to use a software VPN client.

    In related news, I hear that Sonicwall will have a VPN/Firewall in a PCMCIA card later this year.

    • I've seen a lot in the past few months about hardware firewalls built into all manner of things. The ones that I found most interesting were the PCMCIA card that you mentioned, but also a handheld that would have a hardware firewall built on. That seems rather gratuitious, but gratuitious tech is cool.
      • If you want the PDA to have a secure connection (say via wireless) to your main network having a firewall/VPN onboard makes a lot of sense.
    • The 990 was originally designed to offload IPSec. Pretty good chance it's going to support VPN's in one form or another.
  • interesting (Score:5, Funny)

    by flynt ( 248848 ) on Thursday April 25, 2002 @05:41PM (#3412500)
    Interesting idea, although it'll be interesting to see if the idea catches on.

    That's interestingly a very interesting comment that piqued by interest in this interesting subject of interest. What I'm more interested in knowing is if any other interesting people are interested in this interesting idea? Because if there are interesting people interested in this interesting idea, well, I almost hesitate to say it, I'd be interested!
  • Who's the target? (Score:3, Insightful)

    by Telastyn ( 206146 ) on Thursday April 25, 2002 @05:43PM (#3412518)
    Who needs a firewall nic that needs a central policy server? Anyone who can connect to the central policy server is probably already behind the firewall.

    Remote users? They all use laptops.

    What's that leave?
    • Anyone who uses multiple DMZ's in their network. With a lot of servers. I'm thinking hosting companies that want to ensure their clients only get the services they pay for.
      • Ensuring everybody in their cubicles are only running the software they are meant to. No IM clients, no P2P, only their proprietary little enterbrise database querying tool. And Outlook. [This is a corporate office]
    • Re:Who's the target? (Score:3, Informative)

      by demaria ( 122790 )
      Internal attackers.

      Disgruntled employees. Fired employees. Untrustworthy people on the inside trying to access payroll systems.

      (avoiding debate between hardware vs software firewalls here)
      • Then why don't you have an internal firewall? It's foolish not to these days as prolly 80% of your attacks will be internal.
        • That's my point. :-) Parent post wanted to know why you'd have an internal firewall.

          Although I'd say 80% of the attempts will be external, but 80% of the successes will be internal.
  • Yes, CmdrTaco, although it is interesting, nevertheless, it will be interesting to see what happens with it.

  • Does sound interesting, but, If you have even modest connections, you can pick up an old pentium for around 20 bucks. Plenty of preconfigured linux packages with firewalling options, right?
    Considering you can make a firewall/router for so little.. 120 bucks for a nick card seems a little pricey. Although, if it works well and isn't a hassle to set up, I suppose its a good solution. Also good if you don't have the know-how or desire to set up a whole system.
    • Re:Good idea? (Score:4, Insightful)

      by NerveGas ( 168686 ) on Thursday April 25, 2002 @05:58PM (#3412616)
      Well, the $20 Pentium firewall isn't quite the same - while it can seperate one part of the LAN from another (or different networks), the advantage of the card is that it protects your machine from *everything* else, at least theoretically.

      Having a principle firewall on the border of your network isn't challenged, but in a setting with many computers which can't be closely individually monitored (libraries, college campuses, etc.), these will at least help to prevent one person from attacking/abusing other machines on the same network.

      steve
  • by irregular_hero ( 444800 ) on Thursday April 25, 2002 @05:48PM (#3412548)
    The article indicates that the NIC in question is the 3CR990, which, up until this point, has been the "encryption offload" high-performance NIC. The firewall simply replaces the onboard encryption "soft"-ware with something that handles packets a little differently. I find it fascinating that the NIC is simply "reloaded" with appropriate software that can directly alter its core function. It would be really intruiging to figure out just how this is done on the card.

    What is especially interesting is what is loaded: Secure Computing's Gauntlet firewall product (yes, it is originally derived from the old TIS stuff, but has been commercially, er... hydrogenized :) ). This would seem to indicate that the card can support applications that weren't written for it, e.g., it can use software whose platform has been retargeted in compilation (well, at least it implies that).

    I wonder what other derived applications could be loaded into that space? Hmmm... the mind wanders...

    You thought I was going to mention a Beowulf cluster, didn't you? Shame on you. No cookie for you.

    • These cards are actually based on Broadcom's 5703 [broadcom.com] MAC, aka "Tigon III". The Tigon chipset is really rather cool, in that it includes dual MIPS cores running at high speed. This enables all of their "value-added" features, like encryption assist, firewalling, and TCP segmentation acceleration.

      If you can write MIPS assembly, you can run anything that you can fit into 64k on this card.

      • They are not... BCM5703 hasn't been shipping as long as these cards have (for at least 2 years now). It's a 3Com proprietary processor internally code-named Typhoon. It's 3Com NIC technology combined with an ARM9 cpu running @ 120mhz.
    • So they threw a processor on a network card. It's actually a StrongARM. A processor you say! Why, you could run applications on your network card!!!! Amazing!

      If you were one of the three people with one of these, YOU COULD RUN LINUX ON YOUR NIC! But WHO CARES??? THAT'S WHY YOU HAVE A CPU!!!!!! Companies sell a computer on a PCI card! NIC's don't need to run an os, a firewall, or Duke Nukem.
      Jesus.
      • You're missing the point, as if there was one being stressed that was worth refuting.

        The processor is an offload processor. This doesn't mean a lot to the average user, but to a business user, it's gangbusters.

        The "point" is that the NIC is essentially like putting a small server box in front of each of your real servers at a much lower cost. It's also platform independent: With a Linux implementation on the card, you could get a Linux firewall protecting every Linux, OS/X, or Windows server that you own. And those servers wouldn't expend any CPU just processing packets in order to reject them.

        Put it this way: If you ran a business that made money on CPU cycles dedicated to a particular application, you'd want that processor dedicated full-time to the task at hand. You'd take great leaps to turn off all non-essential services, tweak the bus speeds, optimize block sizes on the filesystems, nice the process to the max, rob Peter and pay Paul -- just to get the extra 5%. In business, time is money, regardless of whether it's personnel or CPU. That's why an offload NIC is so damned attractive -- because some of us work in companies that care about the bottom line as opposed to dicking with ways to make our 1st-person shooter faster.

    • Got an email asking if I wanted to beta one. Replied sure (duh, more geek-toys), and a rep called me. Currently, only Win2K drivers are out (again, duh... Who needs an embedded firewall more than a Windoze box?) but Linux drivers are right behind. So far, there are 2 NICs, a 'server' class NIC and a 'workstation' class NIC. The differences aren't throughput; it's the capacity for 'rulebases'. Forthcoming are PCMCIA NICS (great for end users who VPN in and are exposed to the 'Net), and potentially a combo 56K/NIC in the next year.

      All in all, should be pretty cool for people like me stuck in the corporate world.
    • Now my Q3A server can run without being on my desktop. :-)
  • Although the concept sounds cool. I am a little weary of moving out away from a centrally based firewall that sits in front of the servers.

    However the concept has extreme merit if used in conjunction with contempory firewall solutions already in place. It would definitely add an extra layer of security to the network if properly managed. That then brings the only bad point I can think of right off the top of my head which would be the headache involved in managing so many different firewall configurations. It might turn out to be more of a headache than it is really worth for the Sys. admins in charge of a given network.

  • Already happened (Score:5, Informative)

    by aridhol ( 112307 ) <ka_lac@hotmail.com> on Thursday April 25, 2002 @06:05PM (#3412661) Homepage Journal
    Merilus already has a FireCard [merilus.com].
    It isn't quite the same, but it exists.
  • Uses (Score:4, Insightful)

    by Frying Ferret ( 557022 ) on Thursday April 25, 2002 @06:07PM (#3412669)
    I do see this as having some use. While a firewall can be usefull for protecting from attack from outside, what about attacks from inside. What happens if a user brings in a worm on a floppy that goes after all the machines on the network. The best configured firewall on the between your network and the internet wont help you. Having a firewall protecting each PC could help prevent infection through out the whole lan. Just my $.02
  • "It's like netbios except different!"
  • A card like this should be required for anyone connecting a Windows box (or even a novice connecting a Linux box) with a high-speed link to the Internet.

    Don't get me wrong, I'm sure there are a few people here who know how to configure a proper firewall, but most people with cable modems, DSL connections, or other high-speed access at home have no idea how to harden their desktop machines. What's worse, they run dangerously vulnerable email programs such as Outlook and use web browsers such as Internet Explorer. This opens them up to a wide variety of very vicious viruses, worms, and other nice programs which can be used to gain access to their computers and turn them into little more than bandwidth machine-guns.

    With a network card such as this shipping in a relatively locked-down state, it would be easier to detect and block attacks originating from a compromised computer. Unfortunately, I can't smack every clueless computer user on the Internet upside the head with one of these things. Because of this, I'm sure things will only get worse before they get better.

    - A.P.
  • Firewall in a NIC??? Nothing new here. We've been using them for a few months now. A company called Merilus has been making them for awhile. It runs an embedded form of Linux. It has tons of features for a Firewall on a PCI card and best of all, it's made in Chilliwack, BC, Canada. Gotta love the name. Check it out... www.merilus.com
  • 3com Mailer (Score:3, Interesting)

    by Wells2k ( 107114 ) on Thursday April 25, 2002 @06:22PM (#3412761)
    I received a mailer from 3com recently advertising this very card, offering one of them to institutions as a freebie if the institution qualified. The mailer itself was a piece of work: You had to unfold it to find out what it was, and on each of the folds was the word "ping". When you got to the center of it, it had something about being hacked, and then the rest of the ad talked about getting this piece of equipment for your protection, etc.
  • Obviously a card of this nature will have to have some flexibility to it. If you wish to configure the card, say to deny an address, does it flash some form of memory on the chip or would the settings be put into the driver - software based? If its done through the driver, I'd rather just run some form of personal firewall software and use a $5 dollar NIC from pricewatch. Cool concept though.
    • When the Policy Server pushes a policy down to the NIC, it goes straight to the NIC hardware and is immediately implemented (yay, no rebooting). The Host OS never sees the packet.
  • by Anonymous Coward
    I beta tested this for 3Com and Secure Computing a year ago--guess the cat is out of the bag now so I'll talk a bit about this nifty product.

    The NICS have onboard 3DES crypto accelerators and talk via an encrypted channel to policy servers that in turn are all then handled by a centralized management console. So from one place, you can distribute NIC firewall policies to the policy servers on different networks who then distribute the firewall policies to the cards. The onboard accelerators and manual keying basically enable you to create a corporate VPN that allows ONLY these keyed cards to operate on the network--theoretically.

    There is a server version and a client version of the card. The client can handle 16 rules, the server 32 rules. At the time of the beta test, the onboard firewalls were not stateful, but that was to be implemented.

    Now the cool stuff: The user can't tamper with the card or its firewall ruleset--it's centrally managed. Should the user try, the card "breaks" and denies all traffic--with the exception of traffic from the policy server. And policies can be applied remotely to the client controlling OUTBOUND communication. For example, if users ONLY get to browse the web, then you ONLY allow outbound port 80. No audiogalaxy for you. Additionally, these cards remotely log policy violations to the centralized server. And you can remotely TURN OFF the card from the centralized server. Suspect a machine is compromised? Remotely disconnect it from the network by telling the card to disallow all traffic (except from the policy server of course).

    The bad stuff: Windows only at the time of beta testing, although Linux and Solaris support was planned. Control software runs on Windows only. And the cards can only be configured via the management software--which was a completely different beast you had to purchase, and the cost depends on the scale of your EFW deployment.

    This info may have changed since last year as well, so take it all in stride.

    Overall, I think the cards are great to deploy for select critical Windows servers or public lab resources you want to lock down a bit. It would be nice to have the ability to buy a server card, stick it in a Linux box, and use some floppy util to configure some basic rules that get burned to firmware. Disregarding OS compatibility, these cards seriously rock, and should be added to any "defense in depth" arsenal, IMO.
  • "The NIC costs $120 list price, and the embedded firewall is another $50 for each client. The policy server costs $1000."

    For fifty dollars per client I would be happy to configure a firewall through remote access using free software and a $15 NIC.

    I hate to admit it, but I'm getting envious. While I'm having difficulties finding a job as a Linux admin - probably because companies here in Germany fear to employ me with my 57 years, the big companies are charging $50 per client for some crypto-interface software.

    Obviously hardware sells better than humans.

  • A consumer version of this,(with a dumbed up ui) would probably do well with home broadband providers. A lot of them will provide NICs anyway. Offer Joe consumer the (added value, of course) option of *hardware firewalling* and badda bing.

    You can deposit my check with Pay-Pal, Time Warner...
  • Time vs security (Score:3, Insightful)

    by Zapman ( 2662 ) on Thursday April 25, 2002 @07:39PM (#3413210)
    The eternal war. Given enough time, you can secure 1000 boxes (turn off all un-needed services for the application(s) that this box needs to run, apply all the patches to those apps, tune the OS tightly...) Takes quite a while.

    Or (says the 3com salesperson) you can just spend some money. Central server says this box can only talk on this (short) port|protocol list. Everything else is droped at the interface, doesn't even get to the kernel.

    Sure, there are things you can do on a large scale to make securing boxes much easier (jumpstart, kickstart, whatever NT calls it, to get a secure base install, etc), but you still have to deal with patching individual boxes.

    If I have to deploy a lot of computers in an activly hostile environment, something like this would be very nice.
  • by option8 ( 16509 )
    sounds like an excellent idea to me. add to this a cable/DSL modem, all in one card.

    maybe the next thing we see will be a little UPS-in-a-power-supply combo thingy.

    that would cut down on a lot of clutter for me, lose a couple more boxes under the desk, and three or four cables.

  • by Anonymous Coward
    I just hope they include the ability to disable this feature. I can see numerous connectivity problems and difficult troubleshooting ahead...

    Does this mean you will be unable to ping the loopback address???

    Will you have to swap the card out to see whether the firewall on the card is playing up?

    Jeeezus
  • 99.997% of the problems with Open Nap,Gnutella and the likes are people not opening their firewalls to allow sharing of the files they SAY they are sharing. You try to download from them and you never connect, the push happens over and over.... you'll never get the file because the firewall is closed.... your request never get's there.

    I personally think the OpenNAP servers and Gnutella apps need to self terminate the connections if such a condition is found with a "Open your firewall on Port XXXX and YYYY and this program will start to operate again."
  • 64MB on a NIC (Score:2, Insightful)

    by athlon02 ( 201713 )
    Now if they could put 10/100/1000 + Firewall + NIDS on a NIC (with say 64MB flash for logging purposes) that'd be interesting, albeit expensive. But in that case I'd just wait for it to come down to a reasonable price and be integrated into the chipset of the latest & greatest motherboards.
  • Okay, so basically it's a poor man's blade. Cool! :)

    It's a really sweet idea - the card sounds really hackable. I'm gonna have to pick up a gigabit version when it hits the shelves and see what kind of evil can be wrought with it.


  • All the research for this product was done by college students at Calpoly [calpoly.edu] as a part of a 3Com sponsored project. Its a rather interesting read as to what else has been done by in the field on Intelligent NICs and the number of PhDs and MSs that came out of it too. Another interesting site on NIC based Firewalls from Carnegie Mellon University [cmu.edu] as a part of their "Better Security via Smarter Devices" research is up here [cmu.edu]. I would strongly suggest that people explore these links.
  • by acoustix ( 123925 ) on Thursday April 25, 2002 @10:45PM (#3413959)
    I'm seeing this debated on here a lot. The problem is that you're ASSUMING that the "bad guys" are on the other side of your network.

    What some of you don't realize is that some of the worst offenders of "hacking" or "people being where they shouldn't" (sorry, couldn't think of a better way to say it) are INSIDE your network. There are a lot of users that might be "just looking around" on the network, but they can cause problems unintentionally.

    This example might be harsh but everyone here remembers the TV commercial where the users say "I'm off to crash the server" or "I'm about to take user error to the next lever".

    Bad things can happen on the inside, too!

The only function of economic forecasting is to make astrology look respectable. -- John Kenneth Galbraith

Working...