Embedded Firewalls: The Next Wave?

Certainly your organization uses a firewall, most likely at your network borders. And many of you have adopted firewalls to protect your internal network segments, servers, and workstations. Most of these solutions are software-based—you must load that software on top of an existing OS. The exceptions are dedicated hardware-based firewalls and routers with embedded firewall add-ons.

Software-based firewalls are great tools, but some people argue that hardware-based firewalls are more effective because they're harder to tamper with. Another cited benefit is that hardware-based firewalls are standalone units that are less prone to interruption from services that often run on an underlying OS.

At the recent RSA Security Conference in San Francisco, 3COM announced that it's taking hardware-based firewalls to the next level by embedding distributed firewall technology in its new network cards. The idea is to offer centralized control of network traffic at the NIC level where the user has no access or control over the embedded firewall. 3COM partnered with Secure Computing to produce the 3COM Embedded Firewall. Secure Computing makes the popular Sidewinder firewall solution.

According to 3COM, the solution works by using associated 3COM Embedded Firewall Policy Servers. Security policy is managed centrally on the Policy Servers and then downloaded to the appropriate NICs across the network. According to 3COM, the solution will help prevent users from operating packet sniffers, spoofing packets, and running unauthorized services of all types. 3COM will offer a 10-client starter kit that includes hardware and software, including one Policy Server, for a list price of $2114. The solution will be available third quarter 2001 and will initially support Windows 2000, Windows NT, and Windows 9x. 3Com made no mention of Windows Me support in its press release.

3COM did well to partner with an existing and reputable firewall maker to establish its new embedded solution. By doing so, the company gains credibility and some amount of initial trust for its solution. I haven't seen the product in action yet, but it seems like a tempting solution. And the price of roughly $210 per seat for a 10-seat network is certainly competitive with various other firewall solutions on the market.

Embedded firewalls seem like the next logical step in the evolution of firewall technology—I'm pleased to see this technology become available. And with 3COM using its own 3XP processor on board its new NICs, the firewall probably won't add any more overhead than a traditional desktop or server-based firewall. In fact, having the firewall embedded in the NIC might lower system overhead in some cases.

In my experience, hardware-based firewalls typically cause far fewer headaches than firewalls that run on top of existing OSs, mainly because they stand alone and are unaffected by any OS-related snafus. So I'm glad to finally see a firewall embedded in a NIC. Perhaps we'll see other vendors follow 3COM's lead. It doesn't seem far-fetched to think that Intel might respond by creating a similar solution related to its NIC products and router-based PIX firewall technology.

What do you think? Would centrally managed NIC-based firewall solutions benefit your network? Send me a note with your thoughts or post them as a Reader Comment.