Become a fan of Slashdot on Facebook

 


Forgot your password?
Close
typodupeerror
×
Hardware

Firewall On A PCI card 137

Posted by timothy from the oooh-this-wall-is-toasty! dept.
robags writes: "The people at Merilus have grabbed a PCI card, embedded Linux, added some Ethernet ports and come up with the FireCard. The OS on the host system can crash out, without affecting your firewall. 'Once installed, the FireCard provides firewalling, routing, bandwidth management, virtual private networking, redundant failover, intrusion detection and much more.'" This sounds like a smart product, especially for telecommuters; I sure hope it's not a pointless hoax or vaporware.
This discussion has been archived. No new comments can be posted.

Firewall On A PCI card More

Firewall On A PCI card

Comments Filter:

  • SBC thoughts (Score:4)

    by lythander ( 21981 ) on Tuesday November 14, 2000 @04:11AM (#625319)
    Since this seems to be a single board computer without a disk, couldn't one plug a bunch of these into a passive backplane to create a pile of independent firewalls (not very useful for the home user, but useful for those in the ISP business)? These backplanes would also eliminate the concern over power dependency. Along these lines, the home user could grab a 2 or 3 slot backplane and a power supply and have a pc-power-independent solution.

    Along these lines, can one take an SBC and plug it into an ISA or PCI slot on a regular MB to power a second PC from the first, inthe same case?
  • Domain Name: MERILUS.COM

    Created on..............: Fri, Sep 01, 2000
    Expires on..............: Sun, Sep 01, 2002
    Record last updated on..: Tue, Sep 05, 2000

    And the company started 1997?

    Well at least they did a lot of work on the website :)
  • I've "bent the ears" of a couple of cable modem service providers at conventions with the idle thought that it would be a slick idea to hook up some form of "embedded firewall" box to the cable modem.

    The issue is that when you connect to a cable modem, you immediately have a perhaps-24x7 connection that someone can attack. Hooking up a Windows box to this is nigh unto suicidal.

    The thought I had had was to have a little "shoebox" system; no screen; only two Ethernet ports, one to go towards the outside world, and one to provide services "inside."

    The "FireCard" is a quite clever idea; it cuts down on the requirements by one Ethernet port by itself replacing the usual Ethernet card that gets put in the PC.

    With luck, they have some scheme for remote management whereby it knows just enough SSL (or some other cryptographic protocol) that it can be possible for folks at the ISP to log into it to help out if there are problems.

    This isn't a "B1 System" for people who thought Multics [multicians.org] wasn't tough enough to crack; it's a "C1 system" for the people running "D1 secure" PCs...

  • quit being a damned karma whore. Why the hell would andover own shares in Merilus. And despite the fact the posted it twice, two separate users submitted the story. Get a goddamned life and stop worrying that the FBI is really only after YOUR computer.

    ---
  • I have inside info. that Secure Computing (maker of the sidewinder firewall) is working on the same thing with 3com.

    "Product details are not being provided at this time but the companies confirmed that products resulting from their cooperation would be announced in the first half of 2001. "

    The Press release [sctc.com]

  • Um, 20-40 hours to build a solid firewall?

    I just helped an acquaintance build one from an old 486 and two new, cheap ISA Ethernet cards using the EigerStein beta2 Linux Router Project-based floppy. Hardware & software took 2 hours, and I was showing him how all the way. Of course, it was the 3rd one I had done, but I'm also no Linux expert so I suspect most of the readership here would have no trouble matching my 2 hours.

    The down side is the cost of electricity for keeping this PC running (but no hard drive, so that saves a bit). I think the firewall-on-a-pci card has a decent market niche, for those who don't want to spend the electricity, take up the space, or put up with the noise of a separate firewall box. But if you have a 486 kicking around, the LRP makes a very nice firewall option.

  • My html is really rusty. Here's the link to the EigerStein LRP implementation:

    http://lrp.steinkuehler.net/DiskImages/Eiger/Eiger Stein2BETA.htm [steinkuehler.net]

  • There have been PCs on PCI cards before. For example, http://home.netscape.com?cp=wn6/ [netscape.com] I don't think they make them anymore, though.
  • Whoops, wrong URL. http://www.orangemicro.com/opc660.html [orangemicro.com] is what I meant to paste.
  • You're right.. it is rusty :) .. NP.

    Corrected EigerStein LRP link here [steinkuehler.net]

    --

  • I'll tell you if it's a hoax or not... (Score:3)

    by PsychoKiller ( 20824 ) on Tuesday November 14, 2000 @09:52AM (#625329) Homepage
    since I'm going to a presentation on the Merilus card at my local Linux user's group on Monday.

    www.vanlug.bc.ca

    I'll keep you all updated :)

  • Re:What about re-boots. (Score:3)

    by itarget ( 168249 ) on Tuesday November 14, 2000 @04:16AM (#625330)
    The PCI slots only lose power on a power cycle (or maybe a hard reset on older power supplies). With this thing being completely self-contained it will continue to function during normal reboots, resets (on ATX power) or even total OS failure.

    Though it does beg the question of why it couldn't just be a seperate device... space, maybe? With those 3 ports it can perform the duties of a 4-port hub with less hardware and cabling.
    ---
    Where can the word be found, where can the word resound? Not here, there is not enough silence.

  • Agreed (Score:1)

    by s390 ( 33540 )
    Saw this yesterday, linked at "UserFriendly." It rocks!

    Lots of small businesses and home LANs (2 - 25 PCs, with T1/Cable/xDSL) need something like this. GUI for configuration, no maintenance (read, Staff), good security. If I didn't already have a strong software firewall (Injoy), I'd order one today. I'm going to recommend this to a friend who needs a minimal broadband firewall server.

  • Deja vu (Score:3)

    by Anonymous Coward on Tuesday November 14, 2000 @04:18AM (#625332)
    Dave Chalk? "Yes Dave, but wait... there is more. If you buy our Firecard before the end of the /. effect you'll get a screwdriver for free so you can easily screw it into your computer. Please allow 28 days for deliviry, and remember... If your network somehow does get totally r00ted and fucked beyond repair you are can use our money back guarantee. Yes Dave, thats right... If you get h4x0r3d within the first 6 weeks of your purchase we will refund you the entire amount spend on our card and whats more... You can keep the card for free as a token of our good faith!." Now where did I hear that before?
  • Would whoever posted this crap (Steve Coogan is *NOT* funny. REPEAT. Steve Coogan is not funny), please go outside more often. It's also an offence under the copyrights and patent's act to post this, but today's freeloader society doesn't care about that, do they?

    And whoever moderated this up should have all moderator rights removed completly.

  • Interesting:

    http://merilus.com/firecard/entspecs.shtml

  • I took the lid off my Livingstone firewall, 90% air. I took the lid off my 2501, 90% air. Why do Cisco/Lucent/etc. think that comms equiptment has to be big to be any good. I't just like the old shitty Amstrad hifis of yonder. 90% Air.
    OK, the 'housed inside one computer' aspect may not be brilliant, but the simple fact that thye've proven that this kind of technology can be miniturised. Shame on the big companies for lagging.

    FP
  • After some research, it turns out that the cost for ne of these is 595.00USD for thew SOHO and 1195.00 USD for the enterprise. And you have to install software on the pc.
  • If it takes you 20 to 40 hours to set up a linux firewall box, you have a serious problem. As far as a simple LRP box goes, I can set one up in 30 minutes. Try coyote LRP at http://www.coyotelinux.com, download the free Linux version, run the makefloppy.sh script, and you're ready to go.
  • You're a good friend and you want to help him out. You have a few choices:

    The important one you missed is that they can get a linksys (or similar) firewall box, and plug it in. If the other side supports DHCP, they don't need to do ANY configuration to get up and running. At all. If not, they have to set an IP, netmask, and default route.

  • Along these lines, can one take an SBC and plug it into an ISA or PCI slot on a regular MB to power a second PC from the first, inthe same case?

    No. SBCs are inserted into passive backplanes, from which they only get power (if that), and they drive the bus signals on it. If you put a SBC into a PC, your SBC and your PC's chipset will both be trying to control the bus, and they will both fail miserably, possibly (probably) with circuit-burning results.

    If these devices ONLY got power from the bus, and NOTHING else (IE, they had a serial port for control or something) then you could stick a whole bunch of them on a passive backplane, let them get power from the bus, and have a large number of seperate firewalls in a box, which would be handy for a colocation service.

  • Effnet has a more mature product already (Score:1)

    by Anonymous Coward
    effnet (www.effnet.com) has been making the
    ROC (router on a card) for long time now

    does andover own shares in Merilus, or what?

  • The board is also joe users ethernet card, which they would also have to buy along with the separate box.

    If they price it "correctly" it should be somewhere between the price of a plain old ethernet card, and the separate box.

    For those that haven't designed consumer electronics before, the case and any switches are the most expensive part of the thing, usually about half the total budget. So by being a parasite off another box, you can save significant amounts of money. And as bad as they are, a PC power supply is going to be a whole lot more reliable than the typical wall wart that poweres the tiny boxes.

    As to "when they reboot", as long as they don't actually power cycle the machine, the card should be fine. Only the host ethernet part has to notice that RESET got asserted. The part doing actual routing (which only depends on the box for a couple of watts of power) won't care that someone applied the defibrilator. I am sure the configuration paramaters are in some form of non-volatile RAM.

    I agree that a good place for this is inside the DSL or cable box. (the cable boxes already have most of it, as they include packet filtering, to deter the amateur packet sniffers).

    For that matter, why duplicate so much hardware and software?. Perhaps there is a niche for ISP's that provide firewall service. If I wasn't running a server, or didn't have the skills to do it myself, I would pay an extra buck a month to have someone full time looking after a best-available-technology-with-current-patches firewall on the othe side of the DSLAM from my wire. While they are at it, a realtime blackhole spam filter would also be nice.

    -dp-

    Junkyard Wars Marathon Nov 24th TLC noon->3AM.
    MIT Sneak Preview Nov 20. Email for invatation.
  • I couldn't follow the link, either my routing table is f-d up, or the site is down. /.ed already?
  • Wrong....this card does NOT interface with the OS, so therefore cannot be used as an ethernet card. It seems they have gotten rid of the flashy plastic cases and are only using the PCI bus for power.

    It *would* have been quite clever...

  • Doesn't the PCI loose power on a re-boot? And might it not just be simpler to keep this as a seperate device?

    Have to give them credit the red board looks cool!

  • You can get the LinkSys dedicated box for under $200 (around $100 if you only want a single port on the home side), another $20 for an ethernet card for your box. Too bad, this could have been interesting.
  • Didn't I hear something like this before, about some Seti card...?
  • hmm.. last time I checked there wasn't that many pci slots in my pc, and aint there some major IRQ sharing sux arse type reasons that this would be worthless?
  • My Gravis Ultrasound PnP is red.
  • Looks like the company name changed not long ago though, so I can be wrong :)

  • I work as a security architect/consultant for a pretty major bank - let me give you a potentially major advantage of this kind of system.

    Cost.

    When we talk about providing VPNed telecommuting connections to home systems, or physical token based identification for tens of thousands of employees then a cost differential of even 5 dollars can be a huge cash saving and make or break a project.

    Now, lets say (and this *is* genuinely hypothetical) that we want a major home working rollout but are unhappy with software based "personal firewalls", and so forth. If these cards are reasonably cheap when bought in bulk we can give them to all staff who need to telework to plug into their systems, regardless of system spec or connection method, and perform the VPN'ing from the card which requires the card to be in and enabled for connectivity.

    We save ourselves the cost of dedicated dialup facilities, of standalone firewalls, of buggy or circumventable software. (buggy and circumventable firmware is another issue ... ;) )

    Shrug. I'm not saying we use it, or plan to, but... there are reasons this sort of stuff can be interesting to people, even if its not immediately apparent to the uber-home-networking crowd...

    (yah,yah. My home nets got an OpenBSD firewall, a sparc 20 and NFR. But I am not normal. and thats a fact. ;) )

    cheers.

  • It's real goddamn it. It's an older company normally based on www.netmaster.com.

  • That's what I just said, in a mental note to myself :)
  • Companies do change their name sometimes.
  • They say its independent of the OS on the computer, but what happens when Winblows craches and I have to reboot? That would screw it up wouldn't it? or would it have its own backup power or power source like the Voodoo5
  • Well the case on that small independent computer costs as much as the circut board (populated). And that wall wart power supply has a mtbf measured in months. Hopefully it dies in a way that doesn't take the machine with it. If you want a 1u case and ps, figure it will be $200 extra at retail. (rule of thumb for consumer electronics: the whole is 6 times the cost of the parts)

    Having said all that, I set my father up with one of the Linksys boxes. (middle brother is in the computer surplus biz, I could get a fine mini desktop case p75 that was easily the master of the job, for free, some assembly required)

    The dedicated box was cheap, and a lot less work than putting together, and more importantly keeping running, a linux box 40 miles from home. I promised the father-in-law the same when he is ready to get a cable connect. (he is 300 miles away. They get software maintence and consumer electronics repair for christmas each year)

    Junkyard Wars Marathon TLC Nov 24 noon->3 AM
    MIT Junkyard Wars sneak preview Nov 20. Email for an invatation.

    Its also silent, so I don't have to worry about it getting shut off (wasting electricity) with the computer, and him having to wait while fsck grovels the disk before he could use it.
  • I'd rather have a Linux-based firewall built into my cable modem or whatever other means my network is connecting the the Net. It'd just simplify the number of devices chained together for me.

    What I'd really like as a PCI card capable of doing encryption for standard things like SSL and PGP (GPG for me actually) so it wouldn't hit my CPU so hard serving https pages etc. gzip/bzip/etc compression would be another dandy thing to build into the card. If they could fit several such functions onto a single PCI card for a decent price I'd probably add one to every computer I have. Even my dual PIII 800Mhz box soon bogs down under heavy compression or encryption tasks and the P100's just choke along painfully. :)
  • I agree about the rack-case - they are expensive, but what I was originally thinking of was something the size/shape of the old USR Courier modems.

    And that wall wart power supply has a mtbf measured in months.

    Is this is US thing? I've never had a wall-wart die. The only thing near that I've had is the cable mangled beyond use by me carrying it around a lot (on my old CD walkman), and I have a few running continuously (hub, modem, scanner etc...). American AC outlets have always struck me as flimsy, especially when you hang heavy things from them. Or is it just generally crappy components? I assumed I get my 240VAC wall-wart from the same korean (or wherever) factory that you get your 110VAC one.
  • hmmm...
    200mhz computer w/128mb and enet. - Onsale.com - $139
    Netgear enet card - cdw.com - $18
    OpenBSD 2.7 - OpenBSD.org - $free
    Having the most secure open source based firewall. - Priceless.

  • Livingstone Portmaster IRX Router:
    25*5*38?cm (assuming my span is 20cm). Probably a single 68360 and about 2M RAM, 512K ROM, similar flash, and a couple of custom ASICS. Oh - and 4 rubber feet at the bottom. Yuppers, this aint no rackmount. And yes, it runs in a wardrobe.

    i.e. there's about a quarter of the kit that we (where I work) shove on a single slot (2*15*25cm?) in out access multiplexer subracks. And we have no fans.

    Trust me, they charge you for the software license and the name on the box more than the hardware.

    It's the TV size principle. Big is good. Small is good. Anything in between can't be any good.

    When I first got my Cisco 2501 (OK, 1U rackmount) I opened it up and just laughed. _cigarette packet_ is the correct size for one of those.

    FP
  • I did a beta test on the software portion of this product this summer, so I can verify that it's not all vapor anyways, and putting it on a card should be straighforward enough.


    ----
    Remove the rocks from my head to send email
  • Well, again, I'd argue that you're not the target market. Gamers tend to use high-end gear and to really need hubs, since a LAN party with only one guy on-line would be pretty lame. Every LAN party I've ever been to has involved a well-wired house, or at least a temporarily well-wired house (hey boss, just evaluating one of the new gigabit switches and a couple NICs...).

    Imagine for a moment if you only had one computer at your house, ever. (yes, pretend you're an average computer user.) Now see why it's useful? If you have to take that computer down for a hard reset, it doesn't matter if the firewall is down, seeing as nothing else connects to it.

    --
    "Don't trolls get tired?"
  • Jane looked at the integrated router/firewall/hub solutions, but she didn't like that. She already doesn't like that her cable modem has one ugly box next to her computer, and she doesn't want another ugly box there. The last thing she wants is more confusing cables to figure out

    translation:

    "Jane likes cute little toys and is easily confused. Math IS hard, Jane."

    Your Jane could have been the knowledge hacker, but instead you made her the stupid user.


  • Must be a hoax... (Score:3)

    by jm91509 ( 161085 ) on Tuesday November 14, 2000 @04:38AM (#625363) Homepage
    Usually hoax's are uncovered because they are too good to be true. That doesn't count here. Its not really that useful as anything that you can do on this you can do on the host (probably cheaper) and you also know where all the stuff has come from (use the source). However, it does have the advantage that if you want to, you can easily move your firewall to another host machine, if you want to use the other for something else...

  • Re:Hoax? Well, the domain is not old... (Score:3)

    by stu72 ( 96650 ) on Tuesday November 14, 2000 @04:38AM (#625364)
    Naw, it's real:

    They just got bought by Golden Soil [yahoo.com].

    And here's a press release [yahoo.com] or two [yahoo.com] from no less an authority than yahoo re: "embedded security devices" and transmeta.

  • Do not forget that there is 90% air inside most computer cases as well, and there is a very valid reason for all of this: cooling. If all the components were scrunched together, there would be intense overheating problems. Laptops utilize special cooling technologies to 'wick' the heat away from the processor without airspace.

    In order to reduce noise, these soho firewall/router products are often made without fans, and without any kind of active cooling, the passive cooling(airspace) has to be rather good.

  • There's a couple reasons...first of all, anything that's gonna go in a rack needs to be 19" wide, and thick enough for some mounting brackets to be securely attatched. Then there's the ventilation aspect. The manufacturers can't count on Joe Schmoe to leave adequate spacing between devices and have the room properly air conditioned, so they compensate by having large airflow spaces within the device itself. Third, and possibly most important, a lot of stuff like this is really expensive...and stupid managers don't like to spend several grand on something that comes in a tiny box.

  • I think you fail to see the reason for using such large cases. Sure it would be nice to be smaller, something you can put on your desk... oh wait, they do have those :P
    On the other hand, the large cases seem suspiciously the right size for a 1u or 2u, etc etc rackmount.... You draw your own conclusions :P

  • I worked on one project in years past that made a firewall. There was one intended customer: a goverment site that I can't admit to knowing the name of that intended to buy a few thousand and seperately attach every comptuer. Top seceret military doesn't trust their co-workers, and doesn't want to take the chance that one compromised comptuer on the internal network can compromise anouther.

    I'm sure there is more then one layer of security in the above scheme, I know the above details but I strongly suspect they have a strict policy that no one person is trusted to know or be able to find out all the details of their security.

  • But one per machine. HR running its own VPN Network inside on the company's. Cool.
  • Someone turned off the Pee Cee that had their firewall. It will come back up just as soon as they get to work this morning.

  • I had meant to make Joe a clueless user who simply follows his friend's instructions. Jane, on the other hand, was meant to be a non-technical, but intelligent person, who fully comprehended the technical benefits that the geek had explained, while finding additional, non-technical benefit to this particular solution, thus her reaction to the geek's suggestion.

    You're right though, it would've been better if I had made the geek a character more like Bernie [waitingforbob.com] from Waiting For Bob [waitingforbob.com]



    --
    "Don't trolls get tired?"

  • I'll buy this arguement, but then why the multiple ports? Doesn't this just increase the price of a product intended for a single machine. It's the duality of that that makes me wonder about it. Like I said before, if this is substantially cheaper than the Linksys, then it makes sense, and people will buy it.

    It just occured to me that more people would probably buy it if it accepted a phone cable and provided firewall services for users of AOL accounts, etc. I know an AOL user who is sick of the chat rooms because of random tear droppers, etc. This would help out there.

    Just thinking out loud. n/m

  • No hoax. Do some research (like google 'merilus british columbia' returns Britich Columbia Internet Association. And, they list Merilus as a sponsor. It's a real company, so unless someone hacked their website and put some nicely convincing pages up... IT'S REAL!

    As for being worthless:
    I have to presume you've never been a tech that deals with SOHOs. There are many small companies that use one server and one to five workstations. Accountants, flower shops, gas/service stations, etc... the list can go on and on... anyone with the need for more than one computer and internet access but doesn't wanna spend another grand or two on a seperate machine.

    yes, you can build a sweet li'l firewall/router from an old P75, but the ppl they buy hardware from will sell them spankin' new 600MHz machines with CD/sound/the works... cause their greedy.

    If this card sells for under 100 it will be worth it without a doubt. And I'll be informing my old boss at one of the local VAR/OEMs about it so he can save his customers some cash (and he can set his margin up on this PCI card to show them the hundreds of dollars they'll save while he still makes a pretty penny).

    J.. hut! hut!
    e.. Hut!
    D42!! ... HIKE!

    mmm... beer *drool*
  • This isn't for a business, or for a hardcore geek. It's meant as a security solution for your average Joe, who only has one computer, and wants to work from home on his broadband connection.

    I don't think that's the case. Why the extra ports if it's intended to be a single box solution. Admittedly it's not targeting an Enterprise environment, but small business/networked home situations seem to be the actual target.

  • This whole trend reminds me of an old slogan used by Sun... "The network is the computer"

    Remember the days when a computer was a CPU, a little RAM and a few peripherals hooked together by a PIC and a few other parts?

    Now we have a motherboard that has a CPU. The CPU has an FPU that independantly does your math. You have a semi-intelligent power supply (ATX) than can turn itself on and off.

    Your grapics card more than likely comes complete as an embedded computer of sorts to handle 3d. If your system is performance oriented then your SCSI card may have it's own CPU on it. This often handles tagged queues and elevator sorts requests and may even provide hardware buffering with it's own battery!

    Now I see you can buy network cards with their own embedded TCP/IP stack to free up the CPU. Some of them even have high speed CPUs where they do SSL type encryption right on the network card.

    So where is this going? Our desktop systems are becoming more and more like networks of small specialised computers. I think as performance demands increase we will see more and more stuff like this.

    In an abstract sense the computer of the future may look like a microkernel where most of these peripherals are hooked up via a common bus. Oh damn, I had to reboot my sound card again, it keeps crashing. I can imagine it will be the flash bios hell of the future too.

    -Michael
  • Oddly, I came away with the impression that Jane was a fairly sophisticated user, someone who knew enough to worry about the security concerns inherent in running your workstation as a firewall.

    -Mars
  • Because it's more trouble than it's worth. *sits behind his IPMASQ firewall smiling*
  • From a marketing manager's point of view, it doesn't look like a decent sollution to anything, it looks like cash. Personally, I don't see the point of such a product. You have 'firewall' software (BlackIce/Lockdown and other crap), which would perform the same function. The problem with these is, is that when you're on a LAN they're useless. This is another crappy idea that restricts infiltration protection to one machine, that is also dedicated to a user..A user who will always screw things up. I'm using a rebuilt 486 with an LRP [linuxrouter.org] disk. It's never shut down, never rebooted, and will still be able to route/protect my other workstation if this one goes down. If I had one of those IMHO useless cards in this machine, my other workstation would be as useless as this one in it's inoperative state. (Unless I wanted to do something offline..which isn't likely :P)
  • Well, if it's a hoax, actually having real phone numbers like their contact page [merilus.com] lists is a nice touch as well.

    "Thank you for calling Merilus; our regular business hours are..."

    ---

  • The colour of the PCB is not going to affect the heat disapation in any significant way. If the colour did matter a red PCB would be better anyway. A green PCB asorbes red light and reflects green light. A red PCB reflects red light.

    Celestica ram used to be on a red PCB. It was very distinctive. The reason most PCBs are green is more historical then anything. People expect PCBs to be green as in the past the most common epoxy used was green. Today most PCBs are brown with a green sealant coat.

  • I've seen these on the shelves at several small computer shops here in Ottawa, Canada (not sure about big-name stores though, I tend to avoid them and their inflated prices). They look awfully real for vapourware.

    I suppose the boxes could actually be empty, in which case I'd have to wonder how they got these places to stock them. :-P

    ---
    Where can the word be found, where can the word resound? Not here, there is not enough silence.
  • Has anyone else noticed that "Merilus" is an anagram for "Im Luser"

    Just a thought....


  • I sure hope it's not a pointless hoax or vaporware.
    How could this sort of hoax be worthless? Whatever gets /bots mucking their pants for some new functionally redundant item that has "geek cred" is good for a laugh. A product with Linux + Transmeta is to SlashBots what the Virgin Mary in a tortilla is to Mexican Roman Catholics;"proof" that the angels are on their side.

    Face it, the arguments in favour of this product are all flawed. A small business can't afford a firewall and a router? How cheap [compusa.com] do they need it? And if they can afford a small server, they can afford a firewall.

    A failsafe solution for any company? Bullshit, if a server crashes hard and you don't already have a failsafe, you're dead. If theoretically the server has crashed hard but still has a functional power supply, you have only bought yourself enough time to bring up a backup firewall box and router inline, so that the server with the card can be brought down and repaired. This is the same net effect as buying a dependable router and having a dedicated firewall box and synchronized backup ready to switch. Either way, you're going to have a few seconds to a few minutes of downtime, and one way you are going around your elbow to get to your nose.

    Isolated from host PC software, therefore more secure? Two words: embedded Linux. So when some skriptkinder come up with the latest supersmurf, teardrop, raindrop, DoS or overflow vulnerability in Linux, do you have to ssh into the card, apply a patch, recompile and reboot? Will the company provide a flash utility with timely kernel updates? Why depend on them?

    I'm not trying to prove that this is a hoax; that's an easy do. What I'm saying is that this is a stupid idea for a product, and shame on /. editors for biting on it.

  • Yup! My lovely GUS had the 2 foot long (seemed like it back then) red pcb back when my AMD 386 DX 40 with 4 megs of ram was a killer machine!

    Boy howdy i miss those days of playing Future Crew demos showing off my powerfull Oak OTI66 card with 512k ram and my Gravis Ultrasound pumping out 32 simulatenous tracks of S3M heaven hehe. (My gus had more memory then my video card at one point!)

  • Okay, two things I may have missed on the site are:

    1. Written proof (not photos) of how many ports this thing has
    2. Written proof of what these 'ethernet' ports are. 10baseT? 100baseT?

    Details like this are what makes the difference for me when I try to catagorize these guys as 'legitmate' or 'fly-by-night'.

  • nope; they are simply showing how effective the card can be in conjunction with a web server.

  • The differance is in case of a server / backplane daughterboard. You've seen the PC cases that have twenty slots for cards? (Go look at pricewatch if not!), well, what was suggested is an excellent idea. As far as IRQs and the like, the PDF gives no details, but I'd suppect that the cards could do one of three things: Doesn't need the IRQ, shares an IRQ[1], or requires an IRQ. If the first two then any number of cards can be used (limited by space), the third would be braindead for large operations.
    [1] Terratec had an ISA soundcard which would share the IRQ between soundcards, so you could have as many as eight of these in your machine.
  • Hey, don't delete duplicate stories! I was about to go read the comments to the second story but it has vanished in a puff of greasy black smoke... Couldn't you just move it off the front page, with a comment appended?
  • I think this is what IBM has been doing for years with the AS/400. Basically, they embed a complete PC system with a customized firewall OS into an AS/400. You can, if necessary, reset the PC system no matter what state it is in, without harming or interrupting the AS/400. And AS/400 boxen are "somewhat" more reliable than PCs, even if you run a "real OS" on the PCs.

    After quick-parsing some search results from the IBM AS/400 website, I think this is what you'll want to read: http://www.as400.ibm.com/sftsol/fir ewa ll.htm [ibm.com]

  • Yeah, there is such a device, it's called
    a Netscreen NS5. 7Mb/s 3DES for $400 ain't bad.
  • The site is /.ed at the moment. Did anyone notice a price?
  • It seems that according to the Merilus page the Firewall card is independant of the PC, so as long sa you don't physically power the machine off the firewall should remain up even if you reboot your PC.

    Sounds great if it works.

    forge
  • Add this to a single board PCI computer, and a passive backplane, and you would have a product.

    I'm thinking about a smart vending machine, or more in context, voting machines. Cluster them together, pop one of these cards into the "master", and connect the local network to the 'net.

    Many small companies have a server system, which if it power cycles, they are basically down for the duration anyway. With a UPS and on a server, reboots shouldn't be a problem.
  • I'm not trying to argue with you, but if the firewall can survive a soft-reboot, wouldn't that mean all it needs is power? IE, you can use it as a NIC, but you don't have to; and the card just thinks the system is in a perpetual process of rebooting.

    --
  • Great idea, but it would be so expensive you wouldn't want it. I work for a DSL company and our VLSI guys came up with a design very similar to what you said: DSL, Voice Modem, Fax, Answering Machine, etc... all in one. Hell our DSP could handle it, so they made a controller to handle it as well. Then our hardware guys got ahold of it and found out that it would be so freakin' difficult and expensive to add in all the necessary filtering and line-drivers that it would just be cheaper to buy everything separately. So they settled on just adding a port for a daughter-board, and letting our customers figure out what they wanted to do with it. It sounds great and works well from a chipset perspective, but there is more to a board than that (at least until analog VLSI catches up with digital VLSI design)
  • In this, the best parallel is with TVs. Today, there is a TV in the living room, the parents bedroom, the childrens room, and maybe the kitchen. Computers are, Surprise!, following the same paradigm. You had the big family console that cost $$$$ and was to "Further the Knowledge of the Family." That decomposed into: parents want one thing, children want another, and we can afford more than one. Now into this enters the FireWall on PCI. This goes into the parents computer cuz thier "WinME box for bills" never crashes, running lines out to the kids Kiwi-Raspberry iMac and the kitchens iPaq. When the parents want the kids to go to bed and not use the Net, they do, since the parents have direct control over the pipe.

    In fact, I would not be surprise to see a similiar product for the cable. Parenting has moved from an "installing vital morals young *whack whack*" to the "judiciary adversarial system" where the parents and the children are out to foil one another's cases before a percieved 3rd party judge, be it: Timmy's mom lets him do it, this is wrong in the eye's of GOD, or if you do this you can do that.

  • Yes! I have been out of tha industry for a while and could not remember "solder mask" for the life of me.

  • I think this product is aimed at Windows users. Other posters have commented that personal firewall software for that particular platform leaves a lot to be desired. Since the average web surfer uses Windows and is likely to be clueless about setting up a 486 or similar as firewall using Linux, this could be a good choice for the average user. Not for the /. crowd, who's more likely to have made a cool solution like yours. But the number of average users is way larger than the number of /.'ers, so from a marketing point of view, I think this makes perfect sense.

  • I think this product is aimed at Windows users. Other posters have commented that personal firewall software for that particular platform leaves a lot to be desired. Since the average web surfer uses Windows and is likely to be clueless about setting up a 486 or similar as firewall using Linux, this could be a good choice for the average user. Not for the /. crowd, who's more likely to have made a cool solution like yours. But the number of average users is way larger than the number of /.'ers, so from a marketing point of view, I think this makes perfect sense. An average Windows user has just one machine, hooked up to AOL (or something) for internet access, so there is no need for this device to be useful on a LAN.

    If it really is meant to be a proper firewall, it should be possible to update its firmware on a regular basis. New attack methods require new defenses. I wasn't able to get onto their apparently slashdotted site, but without such an option it is IMNSHO worse that useless - it gives a false sense of security, far worse than a true sense of insecurity.

  • The biggest reason I can think to have multiple ports is that the chipset needed to make a hub is very inexpensive, thus giving them a feature while adding little expense. I can't actually think of any other reason...

    --
    "Don't trolls get tired?"
  • As I noted above, my only explanation for the extra ports is that the chipset neccessary to make a hub is dirt cheap, so why not?

    --
    "Don't trolls get tired?"
  • ... the idea of a PC in a PCI card is not that bad (but it seems stupid to limit it to firewall stuff), and maybe it already exist...

    Could be used as a Windows box while running under linux (with a special VNC driver, for instance).

    (And sure, it could be used as a seti@home box...)

    Would have a great hack value. I'd love one of them. (But I would prefer it in a PCMCIA slot...).

    Cheers,

    --fred

  • And most offices have spare old hardware gathering dust anyways, so there's plenty of products better suited, such as NetBSD/i386 Firewall Project [dubbele.com]

    You might want to buy this card for the support (although I feel for small offices the firewall should just sit quietly in a corner simply always work), but in that case, why not spend money on a stand-alone box anyway?

  • You are not the target market. (Score:5)

    by mosch ( 204 ) on Tuesday November 14, 2000 @06:32AM (#625407) Homepage

    This isn't for a business, or for a hardcore geek. It's meant as a security solution for your average Joe, who only has one computer, and wants to work from home on his broadband connection.

    Joe currently has a few options, he can get some personal firewall software, but he was talking to a geek friend of his who told him that it would be pretty trivial to make a trojan that would disable the personal firewall software.

    Jane looked at the integrated router/firewall/hub solutions, but she didn't like that. She already doesn't like that her cable modem has one ugly box next to her computer, and she doesn't want another ugly box there. The last thing she wants is more confusing cables to figure out, and besides, her power strip doesn't have any more space for the wall wart that invariably powers those things.

    Joe and Jane talk to their geek friend, and he says 'hey, i've got a solution which is just as good as a seperate computer, but it goes right inside your current 'puter, but has it's own processor and everything, so it's not affected by trojans, viruses or anything'. Joe thinks 'great, i have no idea what that means, but what the hell, if my geek friend says it's the shit, then it's the shit'. Jane thinks 'Hmmm.... that sounds good, and it eliminates any number of security attacks, while reducing cable clutter, i'll buy one for myself.'

    Then their geek friend helps them set it up, and goes home to the p75 that he converted into a firewall. On the way, he opens his mailbox and inside is an electric bill. He reads the bill, and does some calculations on the operating cost of the p75, and realizes that in addition to being a white-noise generator and an eye-sore, that p75 is costing him more money than it's saving. The geek goes out to the store, buys one of these firecards, installs it, and realizes that for a home solution, it's really not a bad idea.



    --
    "Don't trolls get tired?"

  • Re:But why? (Score:5)

    by MarNuke ( 34221 ) on Tuesday November 14, 2000 @05:14AM (#625408) Homepage
    I'm not sure I understand the benefits of taking a small independent computer and making it dependent on another one, even if it is just for power... surely a box the same size as the card, with it's own PSU and a serial port for control is more reliable? Or a 1U case for a rackmount "enterprise" one

    I doupt this will be marketed for enterprise users using CheckPoint or what not. The real market for this device is personal firewall market.

    Here's the deal. You're a UNIX security Guru. You know `ipchains` like you know perl. You don't compile a kernels, you rewrite drivers. Your best buddie down the street just got that high bandwidth connection that makes you sick. It might be DSL, Cable, 10bt, or even Fiber. You know he needs a firewall. He knows he has to have one. There's no way around it. Buddy only know AIM, pr0n, mp3's, and types http://www before every url.

    You're a good friend and you want to help him out. You have a few choices:

    You can give him one of yours 486, find 20-40 hours, build a solid firewall, and give him a your pager number so he can call you when it fails
    You can tell him to go out of the box firewall that runs on windows and cost $19.95 that require a machine or run on the host machine but you know these solutions are lame as hell. Heck you crack the "firewalls" in you spare time!
    Or you can tell him to buy this card, which doesn't require that much effort, just as secure as the stand alone, and you can still have a life!!!

  • I didn't understand either, but apparently the Firecard ALSO behaves as an ethernet card for the local machine. So, the benefit is that it somewhat simplifies the setup of a home office workstation.
  • Ah, but it wasn't deleted, just stripped of all referring links [slashdot.org]. As good as deleting, yes, but if somebody else were to post the link [slashdot.org] in their comment, others can still go see what happened [slashdot.org] fairly easily (hint, hint [slashdot.org]).

    10 PRINT "This is a"
    20 PRINT "Haiku program."

  • But why? (Score:5)

    by Howie ( 4244 ) <howie@thingy.cPOLLOCKom minus painter> on Tuesday November 14, 2000 @03:40AM (#625417) Homepage Journal
    I'm not sure I understand the benefits of taking a small independent computer and making it dependent on another one, even if it is just for power... surely a box the same size as the card, with it's own PSU and a serial port for control is more reliable? Or a 1U case for a rackmount "enterprise" one.

    (the red PCBs look cool though :-) )
  • PCI 2.2 compliant motherboards supply standby 3.3V to all PCI slots (and memory and PS2 ports), even when turned off. You have to unplug the machine in order totally remove power from the system. My Tyan S1837DUANG-L is one of these boards. Once, when adding a card without having unplugging the power supply, the system started to power up. Therefore, I see no problem with the FireCard remaining powered, as long as the motherboard is up to it.

  • The big benefit is presumably you can use the host PC to administer and set up the card.

    You cannot really contemplate administering a firewall device over the network by default. So they make it a "parasite" of a PC and viola you have a direct connection, screen, keyboard & mouse, plus a CPU to run your configuration programs, and, a disk to store your configuration and backup your software.

    Makes a lot of sense really!

  • Step backwards (Score:4)

    by Phaid ( 938 ) on Tuesday November 14, 2000 @03:48AM (#625438) Homepage
    This is at best about as useful as putting a firewall in a DSL modem / router (which is not that bad an idea), but with the added disadvantage that it can't be as flexibly located since it's "in" one of the PCs on the network. I guess it's nice that you can get power from the host PC, except that if the host PC crashes and you have to reboot it then you'll have to reboot your "firewall" ase well. And really, ethernet isn't so slow that you need to be able to DMA directly from your firewall to the PC over the PCI bus.

    Totally pointless product. On the scale at which this thing is designed to operate, the LinkSys and NetGear DSL/Cable/modem routers already do this sort of thing quite well and without the above mentioned disadvantages. For a single user, all of this stuff can easily be done in software using e.g. ipchains or one of the many Windows-based personal firewalls, and for any kind of office or enterprise you'll really want the flexibility and expandability of a full sized computer to serve as a firewall.
  • I can possibly understand the application of this in a home networking situation, especially since most broadband users are unaware of the dangers their system may be subjected to.

    In a way this is good, because it enables broadband users who know nothing about security to secure their systems. However, there is great potential for abuse should someone find a backdoor or hole in the 'FireCard'.

    The card makes no sense in an enterprise environ, however. This is a simply silly use of it. Why not opt for a bit of extra configurability and peace of mind and roll your own firewall configuration, as I have?

    The card would be beneficial to small time home users, but it makes no sense to the enterprise network admin.

  • That's not what I got out of it at all. Since this card also serves as a NIC for the host system I assume that it will require at least one IRQ and a base address. However, this may also mean that you have freed up an IRQ and base address by not having a stand alone NIC inside the machine.
    _____________
  • her power strip doesn't have any more space for the wall wart that invariably powers those things

    I Just bought a Linksys EtherFast 4-port Cable/DSL Router [bestbuy.com] and for the record, it uses the exact same power cable that a computer uses. Thus, no AC/DC adapter taking up 2-3 spots on the powerbar. In addition, I love the fact that it's power is independant of any of my machines. I don't want to have to worry about the power to my router dieing because I had to hard reset a computer (happens sometimes while gaming). If that were to happen: bye bye connections. Any friends who were on the game server with you are gone too.

    That said, if this were a lot cheaper than the Linksys, then I can see a market.

  • Firewall cards (Score:5)

    by QuantumG ( 50515 ) <qg@biodome.org> on Tuesday November 14, 2000 @04:01AM (#625451) Homepage Journal
    Two years ago I did the embedded programming on a firewall PCI card. They had a proprietory TCP/IP stack (though I'm sure it was based on some BSD code) which they wanted ip forwarding and packet filtering from. It was a REALLY easy job. I essentially cross compiled the code and used the example code that came with the ethernet chips (there was two, which BTW, if you don't have on that card, it aint a firewall) with 10/100 UTP ports, one for the Internet side of the firewall and the other to plug into your hub. I think they eventually abandoned the product as stupid and developed it into a sealed box firewall about the size of a matchbook. Last time I talked to them they still hadn't shipped.

  • This is great stuff, but completely off-topic... Surely you could find some other space for it. Aren't there other forums (probably not in /.) in which you could have dumped it?

  • Re:Step backwards (Score:4)

    by LHOOQtius_ov_Borg ( 73817 ) on Tuesday November 14, 2000 @04:08AM (#625454)
    Having used a number of the Windows-based personal firewall products, I can say that in the Windows arena I welcome any new product in the persona firewall area. The only software firewall I have been impressed with at all is Wingate, and even that left a lot to be desired in terms of flexibilty of configuration.

    Price will be a determining factor in the appeal of this system. My company, for example, has a lot of telecommuters. If the card's network autodiscovery features work well, the default security is reasonable, and the remote admin software works well... then I will be psyched to recommend that all telecommuters who can move to DSL and this card - allowing us to just use the DSL hardware provided by the ISP and, if reasonably priced, a Firecard for each user. Users would thus have very little to do to set up their system, we have problems with this feature of our current Firewall/VPN product, especially on Windows. If Merilus got it right, and we'll test it and find out, then maybe finally the telecommuter problem is solved for IT organizations.

    Regarding the issue of rebooting, what is actually the issue is power-cycling, since the card draws power from the system but does not rely on the host OS to be up and running for the firewall and routing functions to operate. Thus, cold reboots are the issue - any form of warm reboot shouldn't effect the firewall. It does not say how long the card takes for it to boot on a power cycle, but I would suspect it's not very long. So, that "problem" is a red herring, unless Merilus is just lying about this...

    Also, especially for home users with machines that are likely both lower down on the CPU chain AND overloaded with fat programs like games and M$ Office, etc., the fact that this system does not put a heavy load on or depend upon the OS (and still does encryption for VPN and routing, hence the Crusoe chip) makes it perfect for the telecommuter situation.

    So, while the product may seem useless to you, it won't be for everyone. Telecommuters, SOHO, and probably even branch office users could get some milage out of this product if it lives up to its billing...

  • The OS on the host system can crash out, without affecting your firewall.

    But where's the advantage? If the OS could affect your firewall otherwise you can be sure that the software running on the OS also sustains the proxy server. Since the proxy and any routing capabilities are gone after your OS crashes I also don't see anyone being able to do nasty things from the Internet.

    If the OS can't effect your proxy but still is in some form of "protection control" you're probably using a router of some kind. But most routers also have firewalling capabilities nowadays, so why settle for a PCI card when you can in fact stop the burglar way sooner? Now that I'm focusing on security; take this situation and lets assume one uses this card.... Its 5pm and the people go home. The PC on which the PC card runs is turned off (by accident perhaps?) and now what ? This is a very nice and big security hole, if I ever seen one. Too big to be true IMHO.

Slashdot Top Deals

Pascal is not a high-level language. -- Steven Feiner

Close