Security Linux

Hardware Firewall On a USB Key

An anonymous reader writes "An Israeli startup has squeezed a complete hardware firewall into a USB key. The 'Yoggie Pico' from Yoggie Systems runs Linux 2.6 along with 13 security applications on a 520MHz PXA270, an Intel processor typically used in high-end smartphones. The Pico works in conjunction with Windows XP or Vista drivers that hijack traffic at network layers 2-3, below the TCP/IP stack, and route it to USB, where the Yoggie analyzes and filters traffic at close-to-100Mbps wireline speeds. The device will hit big-box retailers in the US this month at a price of $180." Linux and Mac drivers are planned, according to the article.
This discussion has been archived. No new comments can be posted.

  • by dreamchaser ( 49529 ) on Tuesday May 29, 2007 @03:33PM (#19312897) Homepage Journal
    A true hardware firewall wouldn't have to hijack traffic via a driver. It would have its own ethernet port and would inspect data before it even touches the network stack on the host OS.

    A bit hyped up if you ask me.
  • odd (Score:5, Insightful)

    by otacon ( 445694 ) on Tuesday May 29, 2007 @03:36PM (#19312945)
    Did anyone else find it odd that it runs linux, but doesn't actually work with a linux box, but only with a windows one?
  • by morgan_greywolf ( 835522 ) * on Tuesday May 29, 2007 @03:38PM (#19312965) Homepage Journal
    I mean, increasingly, firewalls are being combined into multipurpose devices that provide NAT, Web serving, DMZ, VPN, media streaming, wireless access, etc. I mean even the lowly Linksys WRT54G, available for ~$50 USD almost anywhere, supports VPN, provides NAT, DMZ, UPnP capabilities, rudimentary web filtering, and has a built-in wireless access point. I mean, this thing doesn't even support wireless, which would make it useful for laptops, etc.

    IOW, someone tell me why I should care?

  • Marketing Gimmick (Score:5, Insightful)

    by dreamchaser ( 49529 ) on Tuesday May 29, 2007 @03:39PM (#19312983) Homepage Journal
    It's a marketing gimmick. At the very best it's a software firewall with a (not really needed) co-processor to do packet inspection.

    Personally it looks like a waste of money to me.
  • from the article (Score:5, Insightful)

    by MarcoAtWork ( 28889 ) on Tuesday May 29, 2007 @03:39PM (#19312991)

    Once running, the Pico establishes an SSL (secure sockets layer) http connection to Yoggie's central servers, where it checks for updated firewall policies and rule sets, Touboul said. It subsequently checks every five minutes, by default.


    so basically this means allowing a black box to hijack completely my IP stack, a black box which phones home every 5 minutes and arbitrarily downloads software updates... just think if this company's server was compromised even for an hour, given that all of the devices update every 5 minutes you could compromise pretty much all of them at the same time.

    Not to mention that if this device can insert a 'low level driver' that hijacks the IP stack, I'm sure a virus will come up sooner or later that will re-hijack this and compromise it. The only really 'safe' hardware firewall is, guess what, a completely separate hardware firewall (like my custom LEAF install on my old p3-500), this sounds like those 'one time pad, guaranteed!' crypto products we often lambast here on /.

  • Re:odd (Score:2, Insightful)

    by BosstonesOwn ( 794949 ) on Tuesday May 29, 2007 @03:42PM (#19313041)
    Odd or ironic?

    I find it ironic personally that the linux device can easily hijack packets from a windows stack but the drivers to hijack the traffic from the mac or linux boxes are still not ready.

    The true question at this point is who can't steal hijack packets from a windows box.
  • Re:Why? (Score:5, Insightful)

    by rickkas7 ( 983760 ) on Tuesday May 29, 2007 @03:45PM (#19313085)
    Software firewalls are hardly performance hogs.

    You've obviously never used Norton Internet Security 2007 [symantecstore.com] or McAfee Internet Security Suite 2007 [mcafee.com].

  • by gnuman99 ( 746007 ) on Tuesday May 29, 2007 @03:46PM (#19313105)
    It is just another type of a software firewall. A hardware firewall has at least one input and one output jack (unless it is some weird VLAN firewall). The firewall then checks the packets *before* they get to the hardware that processes them.

    Here we have a software layer shunting packets for filtering to another "device" and then they are probably reinjected. The software layer that does this shunting and re-injecting of packets makes this not a hardware firewall.

    Or are we saying that iptables is a hardware firewall as well?
  • Re:odd (Score:4, Insightful)

    by Josiah_Bradley ( 867692 ) on Tuesday May 29, 2007 @03:48PM (#19313133)
    If it's running Linux then you can probably get the same apps it's running and install them on your Linux machine. And if you're already running Linux you probably don't need a firewall for windows anyway...
  • by sverrehu ( 22545 ) on Tuesday May 29, 2007 @03:57PM (#19313253) Homepage
    Eh, could someone please define the term "hardware firewall"?

  • by nine-times ( 778537 ) <nine.times@gmail.com> on Tuesday May 29, 2007 @04:08PM (#19313381) Homepage
    Yeah, that was my thought. If you're plugging the ethernet into your computer and relying on software to route traffic to this device in the first place, how is this better than software firewalls?
  • by griffjon ( 14945 ) <<GriffJon> <at> <gmail.com>> on Tuesday May 29, 2007 @04:09PM (#19313385) Homepage Journal
    RTFA - it's obviously any doohicky that plugs in to your computer-thingamajig.

    I mean, it's a cool idea/system, but... uh, not really a "hardware" firewall if it needs client system software to route to it..
  • by qwijibo ( 101731 ) on Tuesday May 29, 2007 @04:12PM (#19313425)
    A piece of hardware that plugs in between your computer and your internet connection. I.e., not this product.
  • by leather_helmet ( 887398 ) on Tuesday May 29, 2007 @04:26PM (#19313671)

    For a mobile computer having an on-computer firewall is a must...

    Very much agreed - At first glance I dismissed the product but then realized that it would be great for the laptop that I am typing away on now. Yes, there are software solutions etc. but having a dongle that I can take from one machine to another would be awesome - Potentially I no longer have to install firewalls on each and every computer that I use

  • by ushering05401 ( 1086795 ) on Tuesday May 29, 2007 @04:35PM (#19313817) Journal
    There is a niche for this thing... a very small one, but it is there.

    I, for one, might look into owning one of these. After all, I spend a shitload of time working on client machines trying to isolate and diagnose problems. Being able to plug in a USB key to emulate the hardware firewall the client *should* have would be helpful. Notice, I said emulate, not duplicate.

    Just because it is on the front page of /. does not mean it is supposed to save the world.

    Regards.
  • Re:Why? (Score:2, Insightful)

    by Terrasque ( 796014 ) on Tuesday May 29, 2007 @04:43PM (#19313923) Homepage Journal
    Comparing those products to a firewall?

    That's like comparing a normal handgun to an ED-209 [wikipedia.org] on a rampage.
  • Re:USB2, yes. (Score:3, Insightful)

    by theRiallatar ( 584902 ) on Tuesday May 29, 2007 @04:47PM (#19314015)
    Assuming there isn't one or more of the following also attached to the same USB bus: wired/wireless mouse, printer, keyboard, digital camera, USB flash drive, etc.
  • by TheRaven64 ( 641858 ) on Tuesday May 29, 2007 @04:49PM (#19314037) Journal
    Why not just put an ethernet controller into it, and use it as a USB network adaptor?
  • by Anonymous Coward on Tuesday May 29, 2007 @06:10PM (#19315121)
    If anyone is looking for a free (as in beer) software firewall for Windows with a very small footprint, Ghostwall is a great choice for the not-afraid-of-configuration.

    Not quite as small of a footprint as Ghostwall, but ZoneAlarm's free-for-personal-use version is excellent, and a very well-respected Winblows software firewall. It's one of the first things I installed on my new laptop (XP partition, I don't need no steenking extra firewall software for the OpenSuSE 10.2 dual-boot partition) before taking it online, and ZA has found and stopped several nasty malwares I otherwise would've picked up just by visiting some websites with IE that tried to install crap to my laptop.
  • by dfries ( 466073 ) on Tuesday May 29, 2007 @06:24PM (#19315267) Homepage Journal
    I should get one of these. It would be great. I have this 486DX-133 playing ogg vorbis audio files and it isn't fast enough for the highest quality music. It does have a PCI USB 2.0 card in it, it would just be awesome having a 520MHz USB key doing the decoding. It would just be so backward nobody would believe me having the USB key being the CPU and the computer being storage and I/O. Goofy.
  • by dmsuperman ( 1033704 ) on Tuesday May 29, 2007 @06:37PM (#19315389)
    Or just spend the $180 on a better processor. Look, better performance, and far better than the USB key provides.
  • by hattig ( 47930 ) on Tuesday May 29, 2007 @07:12PM (#19315725) Journal
    Basically adding a real ethernet interface to this gadget would have increased its value by at least a factor of two.

    and useless when the laptop user connects to the internet via their GPRS card, or their Bluetooth enabled phone, or via wireless ...

    This device works with all of them, it could only be better if they made it in an ExpressCard format, which I'm sure is in their plans.
  • Missing the Point (Score:1, Insightful)

    by Anonymous Coward on Tuesday May 29, 2007 @08:01PM (#19316103)
    A real hardware firewall doesn't rely on the system it is protecting.
    In this case, since the processing of the packets is done on the computer itself, the "hardware firewall" is just an illusion.
    If the software doing the processing has been compromised, you're screwed, thus this design obliterates the philosophy behind a hardware firewall.
    Plus you have more cross-platform and deployment issues.
    This is really stupid. An ideal solution would have been a hardware firewall performing inline filtering by a microcontroller/FPGA/whatever embedded system with just two ethernet jacks.

    Don't fall for this marketing gimmick. These guys just want to make some dough and you can get Norton for free after a mail-in rebate from Fry's.
  • by Mr. Roadkill ( 731328 ) on Tuesday May 29, 2007 @08:04PM (#19316137)

    How can it possibly duplicate the functionality of regular AV software that has hooks in the file system and email clients? It can't possibly do all that.
    You're quite correct about the filesystem checks... it can't do those.


    For email, though, it could be quite decent - provided the signatures are kept current, and/or are broad enough to pick up new variants of some of the more common varieties. Many AV products set up POP, IMAP and SMTP proxies (although this looks like it only does SMTP and POP)... your mail client talks to a proxy, which scans inbound and outbound traffic and works the appropriate voodoo in the event of something nasty being discovered. It looks like it also checks web traffic too. This offloads the scanning to a dedicated piece of hardware, which is less likely to get subverted if or when something nasty makes its way onto John Q. Shouldshowermore's computer - you know, the guy who doesn't really know what he's doing and goes out looking for warez or b00b13zp1cs and gets a nasty case of the Russian Mafia from a dodgy website? Um, your neighbour? Yeah, him.

    Of course, I'd probably still recommend using at least a free AV product on the machine... belt AND braces AND duct tape are better than belt alone, and there's always a window of opportunity between when new malware is released and when it's picked up by various scanners... and it makes sense to have something on the machine that can clean up after something nasty gets in. Sure, it's a terrific idea, but I wouldn't recommend it INSTEAD of AV software on the PC... it'll be great at offloading mail and web traffic scanning, and providing anti-phishing functionality, but it can't replace the basic "Whoops, caught something nasty after looking at something I shouldn't have - clean it for me" functionality of desktop AV software.

    That said... it's cool, and there's a niche. I can't wait for some Chinese manufacturer to start including that kind of functionality in network cards. Filtering in your router, filtering in your NIC, desktop AV software (with the mailscanning turned off) - sounds like a combination made in heaven for people who just want their stuff to work without having to think about it too much.
