Security Linux

Hardware Firewall On a USB Key

An anonymous reader writes "An Israeli startup has squeezed a complete hardware firewall into a USB key. The 'Yoggie Pico' from Yoggie Systems runs Linux 2.6 along with 13 security applications on a 520MHz PXA270, an Intel processor typically used in high-end smartphones. The Pico works in conjunction with Windows XP or Vista drivers that hijack traffic at network layers 2-3, below the TCP/IP stack, and route it to USB, where the Yoggie analyzes and filters traffic at close-to-100Mbps wireline speeds. The device will hit big-box retailers in the US this month at a price of $180." Linux and Mac drivers are planned, according to the article.
This discussion has been archived. No new comments can be posted.

  • by richardtallent ( 309050 ) on Tuesday May 29, 2007 @03:45PM (#19313089) Homepage
    Just like software firewalls, this is just snake oil for feeble-minded people who don't realize that firewalls are for blocking access *between* networks, not for closing ports that shouldn't be open in the first place on individual machines.
  • by fishybell ( 516991 ) <fishybell.hotmail@com> on Tuesday May 29, 2007 @03:46PM (#19313115) Homepage Journal
    According to their nifty flowchart [linuxdevices.com] it supports whatever Windows supports. It takes the inbound traffic after the hardware receives it, but before the TCP/IP stack. It sits in the same place as a software firewall, but offloads the calculations and filtering to the dongle's CPU.

    Why would anyone want this? Well, a router that combines firewall, NAT, VPN, etc. is fine for home use, but what about the coffee shop? For a mobile computer having an on-computer firewall is a must. As far as why anybody would choose to use this over any software firewall... I can only assume it's for people who don't want yet another piece of software hogging their CPU. Most software firewalls aren't that intensive, but if you're looking to free up that 3-5% of your resources, hardware is the way to do it. Of course, without a benchmark showing a difference, the actual performance increase is lost in the market speak.

  • by Dan Ost ( 415913 ) on Tuesday May 29, 2007 @03:59PM (#19313273)
    http://www.gumstix.com/ [gumstix.com] might be what you're thinking about.
  • USB2, yes. (Score:5, Informative)

    by RingDev ( 879105 ) on Tuesday May 29, 2007 @04:07PM (#19313361) Homepage Journal
    Uhh, USB2 runs at 480Mbps and in practice can push 40MBps (320Mbps) for bulk transfer (i.e., USB hard drives).

    So for them to claim that this device can push 100Mbps really isn't that surprising. So long as the little processor can burn through the logic checks fast enough, the bus can definitely handle the load.

    -Rick
  • by Anonymous Coward on Tuesday May 29, 2007 @04:11PM (#19313415)
    A hardware firewall is a firewall that runs on separate hardware from the hosts that it protects. In other words, it's a software firewall on a dedicated machine, which may or may not have specialized packet-filtering hardware. The "hardware/software" distinction made by marketeers isn't really important; more significant is the distinction between "network firewalls" and "host firewalls". Network firewalls are separate devices that are capable of filtering all traffic entering or leaving a network of multiple computers; host firewalls are limited to the traffic entering or leaving a single host, and are normally tightly integrated with that host's operating system.

    This gimmick consists of a coprocessor and some low level operating system drivers, and appears to be primarily designed as a host firewall. It might be useful in a network firewall, if the operating system components could be ported to an operating system adequate to the task.
  • by MattskEE ( 925706 ) on Tuesday May 29, 2007 @04:51PM (#19314069)
    That is why Yoggie also offers the Gatekeeper [yoggie.com], which does exactly what you want.

    The new device was created because a USB interface is less cumbersome and less expensive, while still offering a similar feature set and only somewhat reduced security.
  • by kasperd ( 592156 ) on Tuesday May 29, 2007 @05:12PM (#19314391) Homepage Journal

    Why not just put an ethernet controller into it, and use it as a USB network adaptor?
    I think that is exactly the point the grandparent was trying to make. If it had an actual ethernet interface you would only have to transfer the packets over the USB interface once, thus you'd reduce the load on the machine. You'd also get better security since the machine would no longer be connected to the network without going through the firewall. You'd avoid hacking the network stack, and the result would be something working on more systems without the need for special drivers. And you'd free up the ethernet port on the machine, so it could also be used in situations where the machine did not have exactly as many ethernet connections as you'd want. Basically adding a real ethernet interface to this gadget would have increased its value by at least a factor of two.
  • Re:odd (Score:3, Informative)

    by Deadplant ( 212273 ) on Tuesday May 29, 2007 @05:12PM (#19314393)
    Perhaps, but the US, Israel, Russia and China together manage to do a startling amount of shady shit.
    Their efforts really do put the rest of the world to shame (er, maybe I mean the opposite of that)

    That being said; the fact that this product was developed in Israel is not a reason to avoid it.
    *That* being said; the fact that this security product relies on closed-source binary drivers and runs on XP *IS* a reason to avoid it.

    I would trust this product about as much as I would trust Norton or McAfee.
  • Mod up. (Score:3, Informative)

    by Ayanami Rei ( 621112 ) * <rayanami&gmail,com> on Tuesday May 29, 2007 @06:15PM (#19315177) Journal
    (*eyeroll*)
    The point of the article (if anyone bothered to read it) was the miniaturization feat... 12 LAYER PCB!
  • by SST ( 1108891 ) on Tuesday May 29, 2007 @07:29PM (#19315877)
    Dear All,

    Yes, I am from Yoggie and it's a pleasure and honor for me to provide some "internal" information:

    Some of you mentioned that you need 2 network ports to make a "real" Firewall. True, please refer to our web site: www.yoggie.com and find the Yoggie Gatekeeper. This product, released a few months ago, comes with two network ports running the same processor, same memory, OS and 13 applications.

    Some of you view Yoggie as a Firewall and compare it to routers and access points: please note that Yoggie is by far more than just a Firewall and in fact it's like a set of enterprise security appliances packed in a miniature computer. Let's see what's in there:

    1. Firewall, NAT, DHCP server and client
    2. Full Snort implementation including IPS on top. VRT updates will come soon.
    3. 4 transparent proxies: 2 for web: HTTP, FTP and 2 for email: SMTP and POP3
    4. True File-Type detection agent so file types are detected by content analysis and not based on MIME or file extension! Compressed files are uncompressed in real time before scanning!!!
    5. Anti Virus agent - Kaspersky!
    6. Anti Spyware agent - both signature based and behavior based!
    7. Anti Phishing - since it sees the web and email traffic - it can "close the phishing loop" and verify content/URL.
    8. Anti SPAM - based on Mailshell engine.
    9. URL CAT and parental control - based on SurfControl.
    10. Layer 8 agent - performs content scanning of "above layer 7" applications, AJAX, VBS, JS, etc. to detect new and unknown viruses (not based on signature).
    11. MLA - Multi Layer Security agent - a new invention - event correlation in REAL TIME for all events from all other modules - to drastically reduce false positives of the IPS and Layer 8 agent.
    12. VPN Client.

    These applications take 35% - 45% of PC Windows CPU. Moreover, one cannot find a commercial implementation of all these applications in one security appliance, even when it comes to a 1U, 2U or 4U appliance. Simply, no one has yet managed to integrate layer 2/3 security with layer 7 and above layer 7 content analysis. Yoggie is a unique combination of 7-8 different commercial security appliances.

    Why did we come up with the Yoggie PICO, and why after Gatekeeper? First, we wanted to provide the experts with a 2 network ports solution: we launched the Yoggie Gatekeeper. Afterwards we came up with this great invention that one can implement an *almost* identical solution using the *s-route driver* at the lowest level that still NATs (yes, this is the first NAT and DHCP service inside a protected driver and in between network layers) the IP address, so the external IP address is different from the IP addresses Windows applications get. This unique implementation is the only one capable of stopping attacks such as "ARP cache poisoning" - something only hardware based firewalls can do (will go via software firewalls).

    We absolutely agree that Yoggie Gatekeeper using two network interfaces provides the ultimate separation and isolation, but we also know that the Yoggie PICO's unique "S-Route driver" is by far better than a software firewall.

    Why didn't we add a network port to PICO? We left this choice with the Gatekeeper (for people that absolutely require two ports) and made an alternative with almost the same security level but with a much smaller form factor (easy to carry) and using the existing network port in the laptop.

    Your comments and suggestions are welcome.

    SST.
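
The content-based file-type detection described in item 4 of the comment above, sketched as an added example (not part of the thread and not Yoggie's code): it identifies a payload by its leading magic bytes, unwraps gzip and zip containers under depth and size limits, and flags any layer whose detected type disagrees with its file name. The function names, signature table and sample payload are assumptions constructed for illustration.

```python
import gzip
import io
import os
import zipfile
import zlib

# Well-known leading "magic" bytes for a handful of formats.
MAGIC = [(b"MZ", "pe-executable"), (b"\x7fELF", "elf-executable"),
         (b"%PDF-", "pdf"), (b"\x89PNG\r\n\x1a\n", "png"),
         (b"\xff\xd8\xff", "jpeg"), (b"PK\x03\x04", "zip"), (b"\x1f\x8b", "gzip")]
EXT_TYPES = {".exe": "pe-executable", ".pdf": "pdf", ".png": "png",
             ".jpg": "jpeg", ".zip": "zip", ".gz": "gzip"}
MAX_DEPTH = 3          # stop unwrapping nested containers beyond this depth
MAX_BYTES = 1 << 20    # inflate at most 1 MiB per layer (decompression-bomb guard)

def sniff(data):
    """Type by content only: the name and any declared MIME type are ignored."""
    return next((t for magic, t in MAGIC if data.startswith(magic)), "unknown")

def inspect_file(name, data, depth=0):
    """Return [(name, declared_type, detected_type, mismatch)] for every layer."""
    declared = EXT_TYPES.get(os.path.splitext(name)[1].lower(), "unknown")
    detected = sniff(data)
    findings = [(name, declared, detected, declared != detected)]
    if depth >= MAX_DEPTH:
        return findings
    try:
        if detected == "gzip":
            inner = gzip.GzipFile(fileobj=io.BytesIO(data)).read(MAX_BYTES)
            inner_name = name[:-3] if name.lower().endswith(".gz") else name + "!"
            findings += inspect_file(inner_name, inner, depth + 1)
        elif detected == "zip":
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for info in zf.infolist():
                    with zf.open(info) as member:
                        findings += inspect_file(name + "!" + info.filename,
                                                 member.read(MAX_BYTES), depth + 1)
    except (OSError, EOFError, zlib.error, zipfile.BadZipFile):
        pass  # truncated or corrupt container: only the outer layer is reported
    return findings

def constructed_sample():
    """Constructed input: a fake PE stub, gzip-compressed (sent as invoice.pdf.gz)."""
    return gzip.compress(b"MZ" + b"\x00" * 64)

if __name__ == "__main__":
    for finding in inspect_file("invoice.pdf.gz", constructed_sample()):
        print(finding)
```

A scanner that trusted the `.pdf` name would pass the inner layer; the content check reports it as an executable.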
