3COM brings hardware firewalling to the desktop!
The 3COM 3CR990 is a new concept in network protection.
The card comes in 1DES and 3DES version with an onboard 3XP encryptionprocessing engine. This offloads encryption calculations onto the network carditself rather than placing additional load on the server.
As well the 3CR990 can also operate as an onboard firewall if required. Allnetwork traffic is encrypted and Policy Servers can be set up to configureallowed traffic and blocked traffic to and from each network card. Thefire-walling takes place on each network card itself.
Previously networks have been protected by boundary firewalls. These onlyprotect from external threats, and can be compromised if an attacker can access aserver on the network due to software flaws or misconfiguration and thereby gainaccess to the internal network.
As well, they do not protect again one of the main network threats - internalusers
Due to curiosity or malicious intent against the company, research has shown themain threat to network security and the security of company information isinternal users
Internal Networks are vulnerable to attacks because:
Stealth and Action at a Distance sanitizes the criminal act.
An insider can leverage knowledge about the corporate network and assets.
Automated off-the-shelf attack tools make it easy.
Technique propagation make the tools widespread and easy to find.
The 3COM firewall solution is tamper resistant distributed security implemented at the Network Interface Card.
The 3Com Embedded Firewall enables your enterprise to confidently grow its E-business by enforcing security policy at the extranet (or intranet) server.
Protect your business information at the source - the server.
The 3Com Embedded Firewall also protects your network based assets by limiting network access on a need to have basis to your employees and contractors at the desktop client.
Address the threats at the source the desktop
Software distributed firewalls can only try to protect only the host.
Hostile users, hostile code, and even friendly applications can disable software firewalls and thereby get network access.
The 3Com Embedded Firewall protects the Network as well as the Host.
The tamper resistant firewall is Embedded in the NIC, independent of the operating system, and therefore is resistant to hostile users and hostile code and therefore protects the enterprise network as well as the host
Software Firewalls can and are being turned-off and mis-configured by hostile users and hostile code.
Trojan kills software firewall:
http://www.mischel.dhs.org/buschtrommel100analysis.asp
Black ICE Agent dies by Trojan:
http://www.itweb.co.za/office/holton/PressRelease.asp?StoryID=45630
Software Firewall hacking techniques:
http://www.mischel.dhs.org/bionet312analysis.asp
Only the 3Com Embedded Firewall provides simple tamper resistant Distributed Security:
IT Administrators don’t want to waste time and money deploying solutions that aren’t reliable and effective
The Basic Principles of the Embedded Firewall are:
Runs in hardware, below the OS and is therefore Tamper Resistant.
There will always be some security holes in the OS
Is Un-bypassable.
Is Centrally Managed (a DFW).
A must have for enterprise networks (lowers TCO).
Intuitive, easy to use GUI.
Creates Policy Enforcement Points
Access control policies can be dynamically downloaded.
Policy enforcement provides positive discrimination – determines what access is allowed.
Are independent of network topology (unlike ACLs in routers).
Filters on:
Source/Destination IP addresses & Port Ranges
IP protocol & subnet masks
Direction (transmit/receive)
TCP initiation vs. accept
Controls for:
Non-IP traffic
Fragmented packets
Packet sniffing
IP spoofing
Actions:Allow packet, Allow & Audit packets,Deny (drop) packet, Deny & Audit packets
3Com Embedded Firewall provides robust protection at the Network Layer.
IP Packet Filtering is a simple tool for blocking ports and protocols (plus other parameters) which are all too often misused and abused during network hacks.
The Embedded Firewall also blocks sniffing and spoofing which are again all too often used during network hacks.
- Enforces Global Good Security Hygiene
- Eg. no sniffing and no spoofing.
- Enforces Role-Based Group Policy
eg. sales personnel can’t access financial servers.
- Hardens Mission Critical Servers
- Supports Defense in Depth strategy.
- Stops the spread of the worm and trojans.
- Provides Intrusion Resistance
- Passive, and therefore no silly, time wasting false positive alarms.
Designed w/ Microsoft for optimal Win2K & WinXP performance
Executes EFW for tamper-resistant host & network protection
Encryption chip and RISC processor for fast, reliable, IP Security supporting 1024 Security Associations
Offloads key TCP/IP tasks to free up CPU
System Specs:
Desktop NIC – 64K bytes of RAM
Server NIC – 128K bytes of RAM
ARM 9 RISC processor
Advanced Manageability
Alerts Standards Forum (ASF) - industry standard
Remote Wake-Up, DMI 2.0, MBA with BIS for Secure booting
IEEE 802.1p Traffic Prioritization (layer 2 & 3)
Firmware upgradeable for future enhancements
Advanced Server features for high availability & scalability
3COM Embedded Firewall Details
The 3COM Embedded Firewall consists of
3CR990 NIC running Firewall Firmware.
Management software running on Policy Server
Policy Server is Windows Service .
Management Console is MMC snap-in or stand-alone Java application.
On start up the 3C990 card will attempt to contact a Policy server or secondarypolicy server to verify that the policy is correct for the particular networkcard using encrypted protocols and keys.
The network card contains a hash code of the firewall software image. If thefirewall is modified (by attacker), NIC will lock-up.
If the run time image is modified after boot, NIC will continue to function with Embedded Firewallpolicy
If Network card cannot reach the policy server, will enter fall back mode. Will then try a primary then secondary policy server
Three options for fallback policy:
- Block all traffic
- No Sniffing, no spoofing
- Allow everything
End user operations cannot:
- Change policy on an EFW NIC.
- Uninstall EFW from the NIC.
- Overwrite EFW software (without disabling NIC).
- Cause NIC to go into fallback mode (with then operate with default Enforcement Policy)
- Swap out board.
- Physically short out NV Memory to disable enforcement and tamperproof characteristic.
- Remove client application (agent).
Policy Domain
Database
All servers have copy of most domain data.
Exceptions: audit records (only stored on primary server SQL DB).
Communication
NICs can wakeup/heartbeat/audit to any server in domain (try primary first).
NICs accept instructions from primary server or a backup.
Policy distribution is “task shared” among all policy servers.
Server/NIC Cryptographic Binding
Servers in domain share public/private key pair key generated on first server start-up.
NIC obtains public key during its installation.
NIC will not listen to servers from other domains
Information supplied by Award One Technology is believed to be accurate andreliable at the time of display,
but Award One Technology assumes no responsibility for any errors that mayappear in this document.
Award One Technology reserves the right, without notice, to make changes inproduct design or specifications.
Information is subject to change without notice.