Security
SNEAK PREVIEW
3Com Embeds Firewall in PC NICs

  November 15, 2002
  By Mike Fratto



Secure Computing and 3Com have collaborated to develop a firewall that can be embedded in a PC NIC. The goal of the effort, which has resulted in the 3Com Embedded Firewall (EFW), is to provide packet filtering on the NIC so server traffic can be filtered with little impact on the host. The technology provides an effective firewall for laptops and other PC Card-enabled devices. I tested two EFW PC Card NICs: the 3CRFW102 (a Type II card with a dongle for the RJ-45 jack) and the 3CRFW103 (a Type III card with an integrated RJ-45 jack) in our Syracuse University Real-World Labs®. I was impressed with the card features and management.


Policy Building

All EFWs are centrally managed through a 3Com-supplied plug-in to Microsoft Management Console (MMC). The Policy Server is used to develop and distribute the policies that govern the EFWs, and to collect and display EFW logs and status.

Each device set is assigned one policy, but EFWs can belong to two device sets by means of a tool called a Locator. The Locator is used to enforce policies depending on whether an EFW is on a local or remote network as determined by IP address, available DNS or DHCP servers, or connectivity to the Policy Server.

The point of differentiating local and remote is that you might want to define an open policy for the local network as it is trusted and assign a restrictive policy for remote networks because they can be more hostile.

Policies are read top down and are similar to other ACL (access control list)-based rules. You can filter traffic based on source or destination IP address, TCP/UDP port pairs, and/or protocol type. But because the EFW is a stateless packet filter, you must write separate inbound and outbound rules for any bidirectional traffic, which means nearly all TCP and UDP connections.

To allow outbound HTTP, for example, I created a rule that permitted TCP outbound from the EFW address from source ports 1,024 through 65,535 to any destination IP address on Port 80. I defined a second rule that allowed inbound TCP from source Port 80 to the EFW IP address on any port 1,025 through 65,535. You can reuse your rule sets as needed to define common access policies. In addition, 3Com provides several predefined policies. Once you create or modify the policy, it is pushed out immediately to all connected EFWs in the device set.
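To make the paired-rule requirement concrete, here is an added example (not 3Com's software and not the EFW policy format) that models a top-down, first-match stateless filter in Python. The EFW host address, the remote web server address and the packets are constructed values.

```python
from collections import namedtuple

# Constructed model of an EFW-style stateless packet filter (added example, not
# 3Com code): rules are read top down, first match wins, and no connection state
# is kept, so the reply direction of every TCP/UDP exchange needs its own rule.
# Ports are inclusive (low, high) ranges; "any" matches every address or protocol.
Rule = namedtuple("Rule", "action direction proto src_ip src_ports dst_ip dst_ports")
Packet = namedtuple("Packet", "direction proto src_ip src_port dst_ip dst_port")

def _matches(rule, pkt):
    return (rule.direction == pkt.direction
            and rule.proto in ("any", pkt.proto)
            and rule.src_ip in ("any", pkt.src_ip)
            and rule.src_ports[0] <= pkt.src_port <= rule.src_ports[1]
            and rule.dst_ip in ("any", pkt.dst_ip)
            and rule.dst_ports[0] <= pkt.dst_port <= rule.dst_ports[1])

def evaluate(policy, pkt, default="deny"):
    # Top-down evaluation: the first matching rule decides, else the default.
    for rule in policy:
        if _matches(rule, pkt):
            return rule.action
    return default

EFW_IP = "192.0.2.10"  # constructed address of the laptop behind the EFW

# The HTTP rule pair from the article: outbound from an ephemeral port to any
# host on port 80, and the separate inbound rule for the server's replies.
OUT_HTTP = Rule("permit", "out", "tcp", EFW_IP, (1024, 65535), "any", (80, 80))
IN_HTTP = Rule("permit", "in", "tcp", "any", (80, 80), EFW_IP, (1025, 65535))

# Constructed packets: a request, its reply, and an inbound packet from source
# port 80 aimed at a service port, which the reply rule must not permit.
REQUEST = Packet("out", "tcp", EFW_IP, 40000, "198.51.100.5", 80)
REPLY = Packet("in", "tcp", "198.51.100.5", 80, EFW_IP, 40000)
TO_SERVICE = Packet("in", "tcp", "198.51.100.5", 80, EFW_IP, 445)

def demo():
    # Shows why the outbound rule alone breaks HTTP on a stateless filter.
    one_way = [OUT_HTTP]
    both_ways = [OUT_HTTP, IN_HTTP]
    return {
        "request, outbound rule only": evaluate(one_way, REQUEST),      # permit
        "reply, outbound rule only": evaluate(one_way, REPLY),          # deny: no state
        "reply, both rules": evaluate(both_ways, REPLY),                # permit
        "port 80 -> 445, both rules": evaluate(both_ways, TO_SERVICE),  # deny
    }

if __name__ == "__main__":
    print(demo())
```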

Good
• End users cannot disable the firewall policy.
• Effective group management for easy deployment.
• Works when remote EFWs are behind NAPT routers.

Bad
• The PC Card can be removed--and the policy with it.
• You must create inbound and outbound rules.
• Support limited to the Windows platform.

Making Connections



The Policy Server and the EFWs communicate over UDP when the EFW checks in with the Policy Server or sends events. This causes a problem if the EFW is behind an NAPT router. Because UDP is connectionless, many network devices, including NAPT devices, treat the exchange as finished when no UDP traffic has passed for a designated period, and they drop the NAPT mapping. The connection to the Policy Server won't be re-established until the EFW initiates it. Unfortunately, if a policy update needs to be served while there is no established connection between the EFW and the Policy Server, the EFW policy won't be updated until the connection is re-established.

3Com offers two solutions to the NAPT problem. The Policy Server will wait for the EFW to check in periodically with its heartbeat. When this happens, the Policy Server will push the new policy to the EFW using the established UDP connection. Bear in mind, though, that intervals between heartbeats can be very long--hours, days or even a week. Better yet, you can set the EFW heartbeat for device sets that represent roaming users to update every two minutes. By using a relatively fast heartbeat, chances of the UDP connection timing out are slim, and the Policy Server will be able to reach the EFW whenever a policy changes.

Regardless of the method used, the EFW always attempts to contact the Policy Server on boot-up. If it is successful, it will get the updated policy. In the event the EFW can't contact the Policy Server, it can be configured to implement a fallback policy, such as allowing or blocking all traffic or implementing the last known good policy.

Pretty Features

The EFW interface provides a detailed event log, including an administrative and policy log for management events, which can be exported as a comma-separated-value (CSV) file. Log filtering is top-notch, and you can build specific queries.

Vendor Info
3Com Firewall PC Card with 10/100 LAN, Type II or Type III, $219. 3Com Corp., (800) NET-3Com, (408) 326-5000. www.3com.com

Another nice feature is error processing prior to saving a filter. During my tests, I built a query that would bring up events associated with a specific policy, but I forgot to make the necessary selection. When I saved the filter, a message box told me of the error. I double-clicked on the event and it opened to the proper tab. In addition, the logs can be sorted by any of the many available fields.

The EFW policies can't be modified or removed from the EFW by end users, but the EFW device can be pulled from the laptop, thus removing the firewall protection. To keep users from bypassing the EFW by removing it or adding other hardware, make sure the onboard NIC is disabled in the BIOS and that end users are not members of the administrator group before deploying the EFW.

Mike Fratto is a senior technology editor for Network Computing. Write to him at mfratto@nwc.com.