Cyberguardian Keeps Hackers, Insider Threats at Bay

June 2001
By Henry S. Kenyon

Intelligent security device reinforces network defense.

Smart hardware will allow administrators to foil intruders and internal attackers before they can cripple computer systems. The firewall, embedded within a network interface card, creates a tamper-resistant security layer that cannot be subverted or deactivated like traditional software-based defenses. When installed on desktop computers and servers throughout an organization, the cards selectively permit or deny certain types of activities at the department, office or individual levels.

Though a great deal of attention has been paid to external threats to computer systems, many attacks originate from within an organization. A recent network security survey by KPMG Consulting notes that while chief executives worry about attacks from outsiders, their real concern should be Trojan horses—the human kind—disgruntled employees with the inside knowledge to steal sensitive secrets easily. These internal dangers may be countered with intelligent network management tools that allow administrators to control access and set the guidelines for use.

The technology to embed firewall software within a network interface card represents the combined efforts of hardware manufacturer 3Com, Santa Clara, California, and Secure Computing Corporation, a San José, California-based computer security firm. The product of this union is the 3Com embedded firewall for the 3CR990 network interface card.

According to Christopher Filo, vice president and general manager of Secure Computing’s advanced technology division, the original concept for the device came from a Defense Advanced Research Projects Agency program. The project’s goal was to enhance network security by installing protective measures closer to the data source. Secure Computing was interested in merging its firewall and authentication software with 3Com’s network interface card technology to develop an embedded firewall. When both firms agreed to collaborate, they pooled their funds with federal research and development money to create the 3Com platform, Filo explains.

The card uses a defense-in-depth strategy to foil internal and external attacks. The device contains a 3XP microprocessor and an encryption chip to provide fast, reliable Internet protocol (IP) security. John H. Harrison, product line manager for 3Com’s business productivity group, claims this is the first available network interface card that offloads firewall capability to the card itself. This feature offers several advantages: It is built directly into the card, and it is inherently tamper-resistant because it cannot be shut off or circumvented like many software-based firewalls. The processor also uses data encryption standard (DES) or triple DES algorithms to secure every packet traveling within the network, he says.

Data throughput also greatly increases because the firewall functions are on the card instead of on the host. Harrison notes that in general, throughput on an average host system is 95 megabits per second. This speed drops to 20 megabits per second if the firewall operates on the host central processing unit (CPU). By running security functions on the network interface cards, throughput only drops to 90 megabits per second while providing IP security encryption. By offloading part of the transmission control protocol/Internet protocol (TCP/IP) stack, CPU performance is enhanced in both desktop computers and servers, he says.

The 3CR990 operates in a Windows environment and is compatible with Windows 95, 98, 2000, and Windows NT 4.0. The embedded policy server also operates on Windows 2000 and Windows NT 4.0, as does the management-user interface. Harrison notes that installing the system is as simple as putting in the network interface cards. This ease of use lowers operating costs.

The cards can be remotely upgraded. For example, if a customer has version 1.0 of the card, he or she can upgrade the security functions to version 2.0 throughout the network without physically touching any of the desktop computers. Harrison notes that the capacity to upgrade is an important factor for information technology managers.

Each 3CR990 network interface card and embedded firewall is installed on individual desktop computers and servers. The server portion consists of a Microsoft management console interface that allows an administrator to set network policy by controlling access to each desktop computer. Secure Computing’s Sidewinder firewall provides an added layer of security, Harrison says.

Once computer and server functions are set, only the systems administrator can change them. For example, a hacker may try to subvert an e-mail server operating Microsoft Outlook by making it run a rogue application or perform some other function. The 3Com embedded firewall prevents this because if the server is set to run only Outlook, it will operate only in that function. When a card’s rule set is violated, it will not perform any activity it has not been designated to do. It also sends an alert to the administrator and creates an audit log entry for the event. Filo notes that with time, these capabilities will continue to grow, providing a more comprehensive set of abilities.

Another key aspect of the 3CR990’s tamper resistance is that users cannot accidentally or intentionally disable the firewall, Harrison explains. Virus scanning software is capable of disabling traditional firewalls, and hackers sometimes use code designed to turn off certain types of security software. The network interface card serves as a first line of defense. “We are really protecting the network right in front of the system before the traffic ever really comes into the node,” he says.

The embedded firewall system also provides filtering on source and destination IP addresses, port ranges, IP protocol, subnet masks and traffic direction. For example, individual servers can be limited to sending and receiving specific protocols, or the entire network can be set to be on alert for certain threats. These filters would detect sniffing or spoofing attacks aimed at circumventing the firewall under a forged e-mail address or eavesdropping on data communications. Harrison notes that if an attacker attempts to use network sniffer software to set an interface card into promiscuous mode, the embedded security features would prevent spoofing or transmission of IP packets in fragments.

An important difference between the embedded firewall and software variants is that the policy enforcement capability resides in the network interface card itself and cannot be bypassed, Filo says. In the 3Com product, the system administrator sets policy via an encrypted channel from the policy server to the network interface card itself. Even if an employee or a hacker had root access and was sitting at a terminal in the facility, he or she could not change the policy on that card. “That’s a very powerful argument for going with something in the hardware that can’t be controlled or circumvented by the individual user,” Filo maintains.

When the system is operating, it remains invisible to the end-user because it does not appear on a monitor, Harrison says. If the policy prohibits a specific person from initiating or receiving hypertext transfer protocol (HTTP), then those packets will be dropped when they come off the network. The packets will never go up the stack to the administrator or enter the system. He adds that this is another way to reduce cycle time on a processor system because it can drop unwanted traffic.

The ability to shunt or discard unwanted packets and conduct firewall and encryption functions at the hardware level allows the 3CR990 to operate as a bandwidth management tool. Harrison notes that a network could be set up so that HTTP packets might only be allowed at certain hours of the day, or traffic to certain machines could be limited to e-mail or World Wide Web-only functions.

The bandwidth control feature provides a defense against denial of service attacks because selected incoming messages or packets are kept out of the system. This capability also serves as a forensic tool to determine the source of an attack, Filo says. While it only traces attacks originating within the network, administrators can review audit logs to trace the source of an attack or intrusion to a specific machine.
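The per-host policy model the article describes (address, subnet mask, port range, protocol and direction filters; time-of-day restrictions on HTTP; default drop of anything not permitted; an audit log that lets an administrator trace a denied packet back to an internal machine) can be sketched in a few dozen lines. The following is an added illustration written for this article, not 3Com's or Secure Computing's code; the rule format, the `EmbeddedFirewall` class, the mail-server policy, the address ranges and the sample packets are all constructed assumptions, and the program evaluates each packet in software exactly as the text says the card does in hardware.

```python
"""Toy model of per-host policy enforcement: each host's 'card' evaluates an
administrator-set rule list, drops whatever is not permitted, and records
denied packets in an audit log for later review."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str               # source IP address
    dst: str               # destination IP address
    proto: str             # "tcp", "udp" or "icmp"
    dport: Optional[int]   # destination port (None for icmp)
    direction: str         # "in" (arriving at the host) or "out" (leaving it)
    hour: int              # hour of day (0-23) at which the card saw the packet


@dataclass(frozen=True)
class Rule:
    action: str                            # "allow" or "deny"
    name: str                              # label written to the audit log
    direction: str = "any"                 # "in", "out" or "any"
    proto: str = "any"
    src: str = "0.0.0.0/0"                 # CIDR: address plus subnet mask
    dst: str = "0.0.0.0/0"
    ports: Tuple[int, int] = (0, 65535)    # inclusive destination-port range
    hours: Tuple[int, int] = (0, 23)       # inclusive hour-of-day window

    def matches(self, pkt: Packet) -> bool:
        if self.direction != "any" and self.direction != pkt.direction:
            return False
        if self.proto != "any" and self.proto != pkt.proto:
            return False
        if ip_address(pkt.src) not in ip_network(self.src, strict=False):
            return False
        if ip_address(pkt.dst) not in ip_network(self.dst, strict=False):
            return False
        if pkt.dport is not None and not (self.ports[0] <= pkt.dport <= self.ports[1]):
            return False
        return self.hours[0] <= pkt.hour <= self.hours[1]


@dataclass
class EmbeddedFirewall:
    host: str
    rules: List[Rule]
    audit_log: List[dict] = field(default_factory=list)

    def filter(self, pkt: Packet) -> bool:
        """Return True if the packet may pass. The first matching rule wins;
        anything that matches no rule is dropped (default deny) and logged."""
        for rule in self.rules:
            if rule.matches(pkt):
                if rule.action == "allow":
                    return True
                self._record(pkt, rule.name)
                return False
        self._record(pkt, "default-deny")
        return False

    def _record(self, pkt: Packet, reason: str) -> None:
        self.audit_log.append({"host": self.host, "src": pkt.src, "dst": pkt.dst,
                               "proto": pkt.proto, "dport": pkt.dport,
                               "direction": pkt.direction, "hour": pkt.hour,
                               "rule": reason})


def internal_sources(audit_logs: List[List[dict]], internal_net: str) -> dict:
    """Count denied packets per source address, keeping only sources inside the
    organisation's own range: the forensic use the article mentions, which only
    traces activity that originated within the network."""
    net = ip_network(internal_net)
    counts: dict = {}
    for log in audit_logs:
        for entry in log:
            if ip_address(entry["src"]) in net:
                counts[entry["src"]] = counts.get(entry["src"], 0) + 1
    return counts


# Constructed sample policy for a mail server (10.0.1.25) on a 10.0.0.0/16 network:
# a guest LAN is refused outright, mail is allowed both ways, outbound web only
# during business hours, and everything else falls through to default deny.
MAIL_SERVER_RULES = [
    Rule("deny", "block-guest-lan", src="10.0.200.0/24"),
    Rule("allow", "smtp-in", direction="in", proto="tcp", ports=(25, 25)),
    Rule("allow", "smtp-out", direction="out", proto="tcp", ports=(25, 25)),
    Rule("allow", "http-business-hours", direction="out", proto="tcp",
         ports=(80, 80), hours=(9, 17)),
]

# Constructed sample traffic as seen by that host's card.
SAMPLE_PACKETS = [
    Packet("10.0.2.7", "10.0.1.25", "tcp", 25, "in", 10),        # internal mail delivery
    Packet("203.0.113.9", "10.0.1.25", "tcp", 25, "in", 10),     # external mail delivery
    Packet("10.0.2.7", "10.0.1.25", "tcp", 80, "in", 10),        # HTTP at a mail server
    Packet("10.0.1.25", "198.51.100.4", "tcp", 80, "out", 12),   # outbound web at noon
    Packet("10.0.1.25", "198.51.100.4", "tcp", 80, "out", 22),   # outbound web at 22:00
    Packet("10.0.200.40", "10.0.1.25", "tcp", 25, "in", 10),     # mail from the guest LAN
    Packet("10.0.2.7", "10.0.1.25", "tcp", 445, "in", 11),       # SMB from an internal host
]


def run_sample():
    """Evaluate the sample traffic; return the per-packet verdicts and the audit log."""
    fw = EmbeddedFirewall("mailserver", MAIL_SERVER_RULES)
    verdicts = [fw.filter(p) for p in SAMPLE_PACKETS]
    return verdicts, fw.audit_log


if __name__ == "__main__":
    verdicts, log = run_sample()
    print("verdicts:", verdicts)
    print("internal sources of denied traffic:", internal_sources([log], "10.0.0.0/16"))
```

Two design points carry over from the article: the rule list is evaluated with a default-deny fallthrough, so a host designated for one function (here, mail) does nothing else without a policy change, and the log records only denials, which is what an administrator would review to trace a blocked attempt to a specific internal machine.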

Harrison believes that increased demands by clients and other users have made many firewalls so permeable that their networks have really become public. He claims that the advantage of this technology is that administrators can begin deploying the system immediately by installing 3CR990 cards.

Certain functions within the embedded firewall may be activated directly from an administrator’s console, Harrison remarks. For example, if an organization’s financial or human resources department required encryption to protect every packet of data leaving its servers, an administrator could designate coding specifically within a department or group. This feature also extends to desktop machines in conference rooms or lobbies that are frequently used by contractors. These publicly accessible machines are often the weakest links in network security, Harrison says.

Demand for reliability and ease of use opens the market for embedded firewalls in government applications, where they can replace specialized proprietary hardware. Harrison believes that by making the cards available on the mainstream market, 3Com raises the bar for minimum acceptable security within an organization.

The 3CR990 also has applications in educational institutions and other publicly accessible networks, which are often used as launch pads for distributed denial of service attacks on federal computers. Harrison admits he would like to see embedded firewall cards become standard equipment in university computing environments. “That’s really where we’re pitching this because it becomes an easy solution for them to manage, and those machines won’t be compromised as well,” he says.

The U.S. Defense Department is also interested in the technology to protect its networks as communications links to allied militaries and governments continue to grow. Filo notes that there is a need for shared services among multinational partners and a high degree of interest exists in embedded firewall capability because it can be used to specify policy on almost a per-nation basis. This would allow countries varying degrees of access to network database servers based on their identity, the time of day, their location, their relationship to the United States and peacetime or war conditions, he says.

Harrison expects future cards to be laptop-compatible. However, this capability will not be available in the current release. While 3Com is not announcing laptop functionality at this point, he notes that the ability to operate on military mobile networks will be a part of the firm’s full solution in the future. The 3CR990 will enter the market this summer.
