3COM 3CR990 Firewall Network Card

If you would like to place an order or require more information,
you can contact us by sending Email to [email protected]
or phone us on (03) 9555 2958, or fax to (03) 9532 2643.
Award One Technology is located in Melbourne, Australia.


3COM brings hardware firewalling to the desktop!

The 3COM 3CR990 is a new concept in network protection. 

The card comes in 1DES and 3DES versions with an onboard 3XP encryption processing engine. This offloads encryption calculations onto the network card itself rather than placing additional load on the server.

The 3CR990 can also operate as an onboard firewall if required. All network traffic is encrypted and Policy Servers can be set up to configure allowed traffic and blocked traffic to and from each network card. The firewalling takes place on each network card itself.

Previously, networks have been protected by boundary firewalls. These only protect from external threats, and can be compromised if an attacker can access a server on the network due to software flaws or misconfiguration and thereby gain access to the internal network.
As well, they do not protect against one of the main network threats: internal users.
Research has shown that the main threat to network security and the security of company information is internal users, whether due to curiosity or malicious intent against the company.


Internal Networks are vulnerable to attacks because:
Stealth and Action at a Distance sanitizes the criminal act.
An insider can leverage knowledge about the corporate network and assets.
Automated off-the-shelf attack tools make it easy.
Technique propagation makes the tools widespread and easy to find.

The 3COM firewall solution is tamper resistant distributed security implemented at the Network Interface Card.

The 3Com Embedded Firewall enables your enterprise to confidently grow its E-business by enforcing security policy at the extranet (or intranet) server.
Protect your business information at the source - the server.


The 3Com Embedded Firewall also protects your network based assets by limiting network access on a need to have basis to your employees and contractors at the desktop client.
Address the threats at the source - the desktop.

Software distributed firewalls can only try to protect the host.
Hostile users, hostile code, and even friendly applications can disable software firewalls and thereby get network access.

The 3Com Embedded Firewall protects the Network as well as the Host.
The tamper resistant firewall is embedded in the NIC, independent of the operating system. It is therefore resistant to hostile users and hostile code, and protects the enterprise network as well as the host.

Software firewalls can be, and are being, turned off and misconfigured by hostile users and hostile code.
Trojan kills software firewall:
http://www.mischel.dhs.org/buschtrommel100analysis.asp
Black ICE Agent dies by Trojan:
http://www.itweb.co.za/office/holton/PressRelease.asp?StoryID=45630
Software Firewall hacking techniques:
http://www.mischel.dhs.org/bionet312analysis.asp

Only the 3Com Embedded Firewall provides simple tamper resistant Distributed Security:
IT Administrators don't want to waste time and money deploying solutions that aren't reliable and effective.

The Basic Principles of the Embedded Firewall are:
Runs in hardware, below the OS and is therefore Tamper Resistant.
There will always be some security holes in the OS
Is Un-bypassable.
Is Centrally Managed (a DFW).
A must have for enterprise networks (lowers TCO).
Intuitive, easy to use GUI. 

Creates Policy Enforcement Points
Access control policies can be dynamically downloaded.
Policy enforcement provides positive discrimination – determines what access is allowed.
Are independent of network topology (unlike ACLs in routers).

Filters on:
Source/Destination IP addresses & Port Ranges
IP protocol & subnet masks
Direction (transmit/receive)
TCP initiation vs. accept
Controls for:
Non-IP traffic
Fragmented packets
Packet sniffing
IP spoofing
Actions: Allow packet, Allow & Audit packets, Deny (drop) packet, Deny & Audit packets

3Com Embedded Firewall provides robust protection at the Network Layer.
IP Packet Filtering is a simple tool for blocking ports and protocols (plus other parameters) which are all too often misused and abused during network hacks.
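
The filter fields and actions listed above can be modelled as a small rule table. This is an added example, not 3Com's code or policy format: first-match evaluation, the default of deny and audit, the class names and the 10.1.x.x addresses are all assumptions made for illustration.

```python
import ipaddress
from dataclasses import dataclass

# Action names follow the page's list; the rule model itself is assumed.
ALLOW, ALLOW_AUDIT, DENY, DENY_AUDIT = "allow", "allow+audit", "deny", "deny+audit"

@dataclass
class Packet:                 # constructed, simplified packet metadata
    direction: str            # "tx" (transmit) or "rx" (receive)
    proto: str                # "tcp", "udp", ...
    src: str
    dst: str
    dport: int = 0
    syn_only: bool = False    # True for a TCP connection-initiating segment

@dataclass
class Rule:
    action: str
    direction: str = "any"
    proto: str = "any"
    src_net: str = "0.0.0.0/0"
    dst_net: str = "0.0.0.0/0"
    dports: tuple = (0, 65535)
    tcp_initiation: bool = None   # True/False to match on initiation, None = don't care

    def matches(self, p):
        return (self.direction in ("any", p.direction)
                and self.proto in ("any", p.proto)
                and ipaddress.ip_address(p.src) in ipaddress.ip_network(self.src_net)
                and ipaddress.ip_address(p.dst) in ipaddress.ip_network(self.dst_net)
                and self.dports[0] <= p.dport <= self.dports[1]
                and (self.tcp_initiation is None or self.tcp_initiation == p.syn_only))

def evaluate(rules, packet, audit_log):
    """First matching rule wins; no match means deny and audit (assumed default)."""
    action = next((r.action for r in rules if r.matches(packet)), DENY_AUDIT)
    if action.endswith("+audit"):
        audit_log.append((action, packet))
    return action.startswith("allow")

# Constructed policy for a desktop client: it may start connections, never accept them.
DESKTOP_POLICY = [
    Rule(DENY_AUDIT, direction="rx", proto="tcp", tcp_initiation=True),
    Rule(ALLOW, direction="tx", proto="tcp", dst_net="10.1.0.0/24", dports=(443, 443)),
    Rule(ALLOW, direction="rx", proto="tcp", src_net="10.1.0.0/24", tcp_initiation=False),
    Rule(ALLOW, direction="tx", proto="udp", dst_net="10.1.0.53/32", dports=(53, 53)),
    Rule(ALLOW, direction="rx", proto="udp", src_net="10.1.0.53/32"),
]
```

Because the policy states what is allowed and drops the rest, a desktop-to-desktop connection attempt is denied and audited even though no rule names it.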

The Embedded Firewall also blocks sniffing and spoofing which are again all too often used during network hacks.

3COM Embedded Firewall Details


The 3COM Embedded Firewall consists of 

3CR990 NIC running Firewall Firmware.

Management software running on Policy Server
Policy Server is a Windows Service.
Management Console is MMC snap-in or stand-alone Java application.

 

 

On start-up the 3C990 card will attempt to contact a Policy Server or secondary policy server, using encrypted protocols and keys, to verify that the policy is correct for the particular network card.
The network card contains a hash code of the firewall software image. If the firewall is modified (by an attacker), the NIC will lock up.
If the run-time image is modified after boot, the NIC will continue to function with Embedded Firewall policy.
If the network card cannot reach the policy server, it will enter fallback mode. It will then try a primary then secondary policy server.

Three options for fallback policy: 

End user operations cannot:

End user can:

Policy Domain

Database
All servers have copy of most domain data.
Exceptions: audit records (only stored on primary server SQL DB).

Communication
NICs can wakeup/heartbeat/audit to any server in domain (try primary first).
NICs accept instructions from primary server or a backup.
Policy distribution is “task shared” among all policy servers.

Server/NIC Cryptographic Binding
Servers in a domain share a public/private key pair generated on first server start-up.
The NIC obtains the public key during its installation.
The NIC will not listen to servers from other domains.

 


Information supplied by Award One Technology is believed to be accurate and reliable at the time of display,
but Award One Technology assumes no responsibility for any errors that may appear in this document.
Award One Technology reserves the right, without notice, to make changes in product design or specifications.
Information is subject to change without notice.