Hardware Firewall On a USB Key

An anonymous reader writes "An Israeli startup has squeezed a complete hardware firewall into a USB key. The 'Yoggie Pico' from Yoggie Systems runs Linux 2.6 along with 13 security applications on a 520MHz PXA270, an Intel processor typically used in high-end smartphones. The Pico works in conjunction with Windows XP or Vista drivers that hijack traffic at network layers 2-3, below the TCP/IP stack, and route it to USB, where the Yoggie analyzes and filters traffic at close-to-100Mbps wireline speeds. The device will hit big-box retailers in the US this month at a price of $180." Linux and Mac drivers are planned, according to the article.

Not really a hardware firewall

[dreamchaser]

A true hardware firewall wouldn't have to hijack traffic via a driver. It would have it's own ethernet port and would inspect data before it even touches the network stack on the host OS.

A bit hyped up if you ask me.

Re:

[nine-times]

Yeah, that was my thought. If you're plugging the ethernet into your computer and relying on software to route traffic to this device in the first place, how is this better than software firewalls?

Re:

[bobo mahoney]

It might not offer better protection than a software firewall, but it will offload the work to it's own processor freeing up cycles on your computer. If you are pushing your machine this could be a fairly inexpensive way to squeeze a little more life out of an older /underpowered box.

Re:Not really a hardware firewall

[TheRaven64]

Why not just put an ethernet controller into it, and use it as a USB network adaptor?

Re:Not really a hardware firewall

[kasperd]

Why not just put an ethernet controller into it, and use it as a USB network adaptor?

I think that is exactly the point the grandparent was trying to make. If it had an actual ethernet interface you would only have to transfer the packets over the USB interface once, thus you'd reduce the load on the machine. You'd also get better security since the machine would no longer be connected to the network without going through the firewall. You'd avoid hacking the network stack, and the result would be something working on more systems without the need for special drivers. And you'd free up the ethernet port on the machine, so it could also be used in situations where the machine did not have exactly as many ethernet connections as you'd want. Basically adding a real ethernet interface to this gadget would have increased its value by at least a factor of two.

Re:

[hattig]

Basically adding a real ethernet interface to this gadget would have increased its value by at least a factor of two.

and useless when the laptop user connects to the internet via their GPRS card, or their Bluetooth enabled phone, or via wireless ...

This device works with all of them, it could only be better if they made it in an ExpressCard format, which I'm sure is in their plans.

Re:

[TheRaven64]

USB WiFi and bluetooth interfaces are under $20. I'm fairly sure they could have put wired, 802.11, and Bluetooth on the device without increasing its price by more than 10%, and they would have dramatically increased its usefulness.

Re:

[smart_ass]

Anyone even RTFA ...
They had a previous with ethernet ports. This thing is a (FORWARD-thinking) change from this to reduce physical size.
For a large percentage of the real world, having drivers that allow it to work on Windows only is sufficient.

Re:Not really a hardware firewall

[larkost]

Except that all of your traffic is now going over your USB port twice... and the USB port is your most processor-intensive I/O. I have no idea how the numbers will work out... but there is a good chance that this will eat a lot of processor time.

Re:

[cheater512]

Plus it works on *everything*, not only wired networks.

Re:

[MattskEE]

That is why Yoggie also offers the Gatekeeper [yoggie.com], which does exactly what you want.

The new device was created because a USB interface is less cumbersome and less expensive, while still offering a similar feature set and only somewhat reduced security.

Mod up.

[Ayanami Rei]

(*eyeroll*)
The point of the article (if anyone bothered to read it) was the miniaturization feat... 12 LAYER PCB!

It's just Killer.NIC on USB

[DrYak]

They just basically just invented the USB equivalent of the Killer.NIC :
a small embed router + a driver that directly taps into the WinXP TCP/IP stack (instead of having the packets go through the whole stack then over a short "virtual" network link to the router then up to TCP/IP again, then routing, then back to Ethernet then on the "actual" cable).

My only though : Is it programmable ? Could it be reflashed to function as something else more creative and be powered from a wall-socket USB 5v power brick ?

C

Re:

[LWATCDR]

It does. If you look at the device it has an Ethernet port on one end and a USB on the other. The driver is probably makes it look like USB network adapter plus allows for configuring the firewall.
I see this as being handy for anyone that plugs into foreign networks like at some Hotels. Good little road warrior tool.

Re:

[ehrichweiss]

Are you talking about the Pico or the Gatekeeper? I don't see an RJ45 on the Pico at all. The presence of one would make a lot more sense than relying on the host computer's enet to handle the WAN traffic as well.

Re:

[LWATCDR]

your right. I read the diagram wrong. Two bad they could do it the way I described.

Why?

[csnydermvpsoft]

As another poster has suggested, this isn't truly a hardware firewall - it hijacks the network traffic from the host OS, after all. Since the network traffic is already in the network stack, how is this any better than a software firewall? Software firewalls are hardly performance hogs.

Marketing Gimmick

[dreamchaser]

It's a marketing gimmick. At the very best it's a software firewall with a (not really needed) co-processor to do packet inspection.

Personally it looks like a waste of money to me.

Re:Why?

[rickkas7]

Software firewalls are hardly performance hogs.

You've obviously never used Norton Internet Security 2007 [symantecstore.com] or McAfee Internet Security Suite 2007 [mcafee.com].

Re:

[Terrasque]

Comparing those products to a firewall?

That's like comparing a normal handgun to an ED-209 [wikipedia.org] on a rampage.

Re:

[Deadplant]

of course I haven't...
jeez, why would do something like that to myself?

Re:

[rapidweather]

Those programs come with Dell Vista computers, usually with a 30 day trial, or one can go ahead and order the PC with a year or so of "coverage". You pay upfront, then pay Per PC for continued protection. And yes, there is a performance hit, but in the day of dual core processors, 2 GB of RAM, one may not notice. My Knoppix-based linux (see screenshots, below) uses the Guarddog firewall, preconfigured and enabled by default. The user does not have to start up the Guarddog interface, and switch the firewall

Re:

[Quasar1999]

He said software firewalls, not protection from viruses, data-loss and identity theft and a firewall. The McAfee firewall for instance uses around 4mb of memory and barely registers for CPU load, the whole suite however is obviously larger. Norton's is harder to isolate since it's more tightly bundled with all their other 'services'. Heck even the Vista advanced firewall isn't resource intense...

Re:

[jafiwam]

There is a niche for this tool, but it is a small one and not one that will pay $180 for this thing.

For example, I run no firewalls whatsoever on my home network, instead relying on my NAT router to keep inbound traffic out, and configuration / backups to keep risk to acceptable levels elsewhere.

Taking a laptop to a cafe or hotel or something, or a gaming machine to a LAN party means I'd have to muck around with a Firewall before (or just go without) going.

So I would use this thing there. But, probably not

Re:Why? - your wish is granted - Yoggie Gatekeeper

[AYeomans]

Yoggie already make the Yoggie Gatekeeper, a full hardware firewall with two ethernet ports, just as you suggest. This also has a USB port for power. Using ethernet means this is completely OS-neutral, and can be used with Linux or OS X.

The Yoggie Gatekeeper can also be used like the Yoggie Pico in USB-only connection mode, with a Windows driver. You might want to do this to connect with built-in laptop wireless hardware, or with USB ADSL "modems".

odd

[otacon]

Did anyone else find it odd that it runs linux, but doesn't actually work with a linux box, but only with a windows one?

Re:

[BosstonesOwn]

Odd or ironic ?

I find it Ironic personally that the linux device can easily hijack packets from a windows stack but the driver to hijack the traffic from the mac or linux boxes are still not ready.

The true question at this point is who can't steal hijack packets from a windows box.

Re:

[zappepcs]

Apparently just about anyone... ergo the need for such a device? :-/

Re:

[towsonu2003]

The true question at this point is who can't steal hijack packets from a windows box.

Or, whether the linux kernel developers will (correctly) perceive the driver for Linux as a bug in the kernel and fix it.

Re:

[fohat]

oops, here. You dropped your tin-foil hat on the way to making that comment. Why buy anything from anywhere that has a government that might do questionable things? Doesn't all government do questionable things?

Re:

[Deadplant]

Perhaps, but the US, Israel, Russia and China together manage to do a startling amount of shady shit.
Their efforts really do put the rest of the world to shame (er, maybe i mean the opposite of that)

That being said; the fact that this product was developed in Israel is not a reason to avoid it.
*That* being said; the fact that this security product relies on closed-source binary drivers and runs on XP *IS* a reason to avoid it.

I would trust this product about as much I would trust Norton or Mcafee.

Re:odd

[Josiah_Bradley]

If it's running Linux then you can probably get the same apps it's running and install them on your Linux machine. And if your already running Linux you probably don't need a firewall for windows anyway...

Re:odd

[jcgf]

It's not as odd as you think. There have been several routers and such which either require you run a config program on a windows box or access them using a browser which had to be IE, despite the router itself running Linux.

makes sense

[bussdriver]

Only a windows user would have any need for a stable secure firewall (based on linux) where ironically, it depends upon a windows driver to properly function.

Re:odd

[Ant P.]

Not odd at all. Windows is the only desktop OS in use today that needs a device like this.

Why would I want this?

[morgan_greywolf]

I mean, increasingly, firewalls are being combined into multipurpose devices that provide NAT, Web serving, DMZ, VPN, media streaming, wireless access, etc. I mean even the lowly Linksys WRT54G, available for ~$50 USD almost anywhere, supports VPN, provides NAT, DMZ, UPnP capabilities, rudimentary web filtering, and has a built-in wireless access point. I mean, this thing doesn't even support wireless, which would make it useful for laptops, etc.

IOW, someone tell me why I should care?

You shouldn't

[dreamchaser]

It's a hyped up device that nobody really needs. We're posting in a Slashvertisment thread after all.

Re:

[toleraen]

Because you can plug it into your laptop if you're at a local hotspot? Think mobility + offloading processing. Not exactly the most useful of devices, but for someone who's constantly at the mercy of free/public wifi it could be convenient.

Re:

[dreamchaser]

A software firewall is more than enough for those situations. Heck, for half that price you could buy a little router and carry it with you! I'm being a bit facetious here, but I really don't see a good niche for this product as you can tell from my previous posts in this thread.

Re:Why would I want this?

[Kam Solusar]

Heck, for half that price you could buy a little router and carry it with you!

And in many parts of the world you could even get a little guy to carry it for you too!

Re:

[StarfishOne]

My laptop IS a local hot spot! ;XD

(sorry, could not resist)

Re:

[racermd]

You should have returned your Sony laptop battery when it was still a part of the recall, then.

(I'm wearing my asbestos underwear for this)

Re:Why would I want this?

[richardtallent]

Just like software firewalls, this is just snake oil for feeble-minded people who don't realize that firewalls are for blocking access *between* networks, not for closing ports that shouldn't be open in the first place on individual machines.

Re:

[jimicus]

You ever tried closing everything on a Windows machine then making the machine vaguely useful in real-world scenarios?

It's not just Unix software which is guilty of gratuitously using the TCP/IP stack for IPC.

Re:

[Vellmont]

this is just snake oil for feeble-minded people who don't realize that firewalls are for blocking access *between* networks not for closing ports that shouldn't be open in the first place on individual machines.

I guess I'm "feeble-minded" because I believe security should at best be layered, and also realize that protecting the inside of a network is important as well. Maybe you never thought that firewalls can restrict port access to only certain IP addresses that simply closing a port wouldn't allow?

Ther

Firewall is a small part of the product.

[Ayanami Rei]

It runs content scanners, checks attachments (including peeking inside ZIP files), blocks phishing sites, blocks viruses and malware, and so on. It automatically downloads updates every few minutes, and comes with a year of support. That's pretty comprehensive for the price.
Or you could just read the article.

Re:Why would I want this?

[fishybell]

According to their nifty flowchart [linuxdevices.com] it supports whatever windows supports. It takes the inbound traffic after the hardware receives it, but before the TCP/IP stack. It sits in the same place as a software firewall, but offloads the calculations and filtering to the dongle's cpu.

Why would anyone want this? Well, a router that combines firewall, nat, vpn, etc. is fine for home use, but what about the coffee shop? For a mobile computer having a on-computer firewall is a must. As far as why anybody would choose to use this over any software firewall... I can only assume it's for people who don't want yet another piece of software hogging their cpu. Most software firewalls aren't that intensive, but if you're looking to free up that 3-5% of your resources, hardware is the way to do it. Of course, without a benchmark showing a difference, the actual performance increase is lost in the market speak.

Re:

[Odiumjunkie]

If anyone is looking for a free (as in beer) software firewall for Windows with a very small footprint, Ghostwall [ghostsecurity.com] is a great choice for the not-afraid-of-configuration. The setup file is less than a MiB.

Re:

[StikyPad]

Ghostwall doesn't do application control, which is the only particular purpose I have for a software firewall.

Re:

[leather_helmet]

For a mobile computer having a on-computer firewall is a must...

Very much agreed - At first glance I dismissed the product but then realized that it would be great for the laptop that I am typing away on now. Yes, there are software solutions etc. but having a dongle that I can take from one machine to another would be awesome - Potentially I no longer have to install firewalls on each and every computer that I use

Re:

[morgan_greywolf]

But it uses software to re-direct Layer 2/3 to the dongle. Which means basically makes it a software firewall.

Re:

[slamb]

Why would anyone want this? Well, a router that combines firewall, nat, vpn, etc. is fine for home use, but what about the coffee shop? For a mobile computer having a on-computer firewall is a must. As far as why anybody would choose to use this over any software firewall... I can only assume it's for people who don't want yet another piece of software hogging their cpu. Most software firewalls aren't that intensive, but if you're looking to free up that 3-5% of your resources, hardware is the way to do it.

Re:

[slamb]

In a coffee shop, you're going to be transferring stuff exclusively over their crappy (maybe 512 kbps) Internet connection. I would be shocked if any software firewall were so inefficient as to take more than 1% CPU in that situation on a modern machine

Somehow I missed the middle of the article. They don't just do the normal firewall things - they also do a bunch of higher-level things (snort, HTTP antivirus proxy, etc.) which are more CPU-intensive. So I guess it might save significant CPU usage over doi

Re:

[Vicegrip]

I suspect the main appeal would be for laptop owners on public networks where they don't own the router or control them-- rather than just trust their Windows firewall to protect them. It'd be like having your own private router protecting your laptop on a public network. Not be a bad idea.

The device has sex appeal in terms of form factor accomplishments. But the OS level filter driver requirement turns me off.
A device like this needs to be totally independent of the OS to be attractive.

I won't be buying t

Re:

[morgan_greywolf]

That's the best response I've seen so far! Bravo! A generic Linux box that one could turn into almost anything... hmmm...

Not too bad

[NickisGod.com]

My favorite is the "Layer-8" security engine (Patent pending).

That's where all of my clients' problems come from.

-Nick

Re:

[Tuoqui]

Oh Yeah! Well I patent Layer-42 ultra security engine! (Patent Pending).

Layer-42 is available under GPLv3.

Re:

[GiMP]

You're probably joking, but there is actually an ISP of that name... I suspect the 42 in their name comes from 42U racks, or maybe just the HHGTG.

100Mbps on USB?

[cravey]

I keep wondering how they put such a fast processor on a usb stick and then squirt bidirectional 100Mbps over the USB port. Sounds a lot like my former boss trying to convince me that our building would give us 100Mbps internet for only $50/month. I dislike misleading articles and I dislike misleading product descriptions even more.

It seems much more likely that there's an app on the USB stick tht is run by the windows machine making the USB stick just a different delivery mechanism than a CD/DVD. Probably way cheaper to produce, update and ship.

USB2, yes.

[RingDev]

Uhh, USB2 runs at 480Mbps and in practice can push 40MBps (320Mbps) for bulk transfer (ie USB Hard drives).

So for them to claim that this device can push 100Mbps really isn't that surprising. So long as the little processor can burn through the logic checks fast enough, the bus can definitely handle the load.

-Rick

Re:

[theRiallatar]

Assuming there isn't one or more of the following also attached to the same USB Bus. Wired/Wireless Mouse Printer Keyboard Digital Camera USB Flash Drive etc

Re:

[pyrrhonist]

Do you know the Gumstix http://www.gumstix.com/ [gumstix.com] they are embedded linux platform which run on that pxa270. With 64mb of ram and I can't remember the flash size, it's smaller than a juicy fruit stix...

But does the taste move you when you pop it in your mouth? It's just not the same unless the taste - the taste - the taste - the taste is gonna move ya.

from the article

[MarcoAtWork]

Once running, the Pico establishes an SSL (secure sockets layer) http connection to Yoggie's central servers, where it checks for updated firewall policies and rule sets, Touboul said. It subsequently checks every every five minutes, by default.

so basically this means allowing a black box to hijack completely my IP stack, a black box which phones home every 5 minute and arbitrarily downloads software updates... just think if this company's server was compromised even for an hour, given that all of the devices update every 5 minutes you could compromise pretty much all of them at the same time.

Not to mention that if this device can insert a 'low level driver' that hijacks the IP stack, I'm sure a virus will come up sooner or later that will re-hijack this and compromise it. The only really 'safe' hardware firewall is, guess what, a completely separate hardware firewall (like my custom LEAF install on my old p3-500), this sounds like those 'one time pad, guaranteed!' crypto products we often lambast here on /.

Re:

[racermd]

I hate to nit-pick (okay, I love it, really) but the only 'safe' hardware firewall is to have absolutely no connection at all. Better yet, turn the computer off. That's the only way to be sure.

And, in all seriousness, there may very well be unforseen vulnerabilities in the device in question. However, that's certainly no reason to write it off as a completely useless product. Like everything else relating to security, the question is one of balance. More specifically, how to balance access to those tha

Re:

[GiMP]

Software firewalls have an edge on hardware firewalls in that they can filter according to users and executables on the system. This can go hand in hand with system ACLs.

For instance, you can prevent the 'bind' user, as well as the named binary from accessing port 25, which would prevent a hole in bind from allowing emails to be sent. With hardware-only solutions, to provide this level of security, you would need to setup a separate machine on its own network segment and subnet, running bind, and then blo

Huh? That's not a hardware firewall!

[gnuman99]

It is just another type of a software firewall. A hardware firewall has at least one input and one output jack (unless it is some weird VLAN firewall). The firewall then checks the packets *before* they get to the hardware that processes them.

Here we have a software layers shunting packets for filtering to another "device" and then they are probably reinjected. The software layer that does this shunting and re-injecting of packets makes this not a hardware firewall.

Or are we saying that iptables is a hardware firewall as well?

something similar but better...

[i.r.id10t]

I read (here on /. IIRC) a few years ago about a gumstick sized machine that had 2 ethernet ports on it. Possible to use Linux on it (or other embedded OS), have a dhcp client on one port and a dhcp server (or just static addy on "real" machine) with gateway/NAT/etc. on the other port. Would allow you to plug into any ethernet connection and then provide NAT, etc. (and some degree of protection and trust) to your laptop, etc.

Anyone remember this, maybe have a link?

Re:

[Dan Ost]

http://www.gumstix.com/ [gumstix.com] might be what you're thinking about.

Intel?

[TheRaven64]

Intel sold the XScale line to Marvell Technology Group in June 2006. It was only a year ago, so it probably counts as news by Slashdot standards, but can we try to keep the summaries slightly accurate please?

Wait

[Tarlus]

But does it run Li... oh, sweet.

Compare this USB device to a software firewall such as Zonealarm. It costs $180 whereas you can get free versions of Zonealarm. It routes your network traffic via USB, which makes me shudder. That would be a nightmare on older pre-USB2.0 machines. It requires software drivers in order for network traffic to be directed through it. That's more "moving parts" than should be necessary. Because, of course, the more moving parts there are, the more there is that can break.

Now if t

Hardware firewall definition

[sverrehu]

Eh, could someone please define the term "hardware firewall"?

Re:

[griffjon]

RTFA - it's obviously any doohicky that plugs in to your computer-thingamajig.

I mean, it's a cool idea/system, but... uh, not really a "hardware" firewall if it needs client system software to route to it..

Re:Hardware firewall definition

[Anonymous Coward]

A hardware firewall is a firewall that runs on separate hardware from the hosts that it protects. In other words, it's a software firewall on a dedicated machine, which may or may not have specialized packet-filtering hardware. The "hardware/software" distinction made by marketeers isn't really important; more significant is the distinction between "network firewalls" and "host firewalls". Network firewalls are separate devices that are capable of filtering all traffic entering or leaving a network of multiple computers; host firewalls are limited to the traffic entering or leaving a single host, and are normally tightly integrated with that host's operating system.

This gimmick consists of a coprocessor and some low level operating system drivers, and appears to be primarily designed as a host firewall. It might be useful in a network firewall, it the operating system components could be ported to an operating system adequate to the task.

Re:

[sverrehu]

Thanks, mate. I find the term quite stupid, and you explained why in a way that most geeks can understand. Again, thanks.

Re:

[qwijibo]

A piece of hardware that plugs in between your computer and your internet connection. Ie, not this product.

Re:

[jimicus]

Right. But seeing as practically every hardware firewall in existence today is essentially a general-purpose computer with a specialised OS (be it Cisco IOS, VXWorks or a custom-built Linux) with, if you're lucky or pay a lot of money, some sort of acceleration hardware for things like VPNs, where do you draw the line?

I could sell you a box which boots off CompactFlash, runs one of the common Linux firewalls such as Astaro or Smoothwall, but it would technically be a software firewall. If I customised the

Re:

[GweeDo]

A firewall that runs on hardware :)

sorry, needs to be ENTIRELY outside the pc

[TheGratefulNet]

else its NOT a hardware firewall. ..no matter what the slash-vertisement tries to say.

now, take that neat usb form factor, put 2 rj45 jacks on it and THEN we'll talk.

Re:

[griffjon]

Now, this is interesting for GPRS and wifi connections on a laptop. It is nice (tho not worth $180) to have a separate system that reboots "pristinely" that deals with GPRS and wifi. It's convenient for the mobile user. agree that it's not a true hw fw, but hey.

Re:

[Gordonjcp]

now, take that neat usb form factor, put 2 rj45 jacks on it and THEN we'll talk

Stick a single RJ45 on it, and use it as an extra ethernet interface. Come to that, stick 802.11a/b/g wireless on it and make something incredibly useful.

Close but no cigar

[PHPfanboy]

Funny, a good friend of mine almost worked there.... Anyway, I thought this device would only be any good if: 1) it had a wifi chip in the device and 2) connected via ethernet port as a mini and compact external network element that 3) would do encryption for SMB non-VPN customers 4) in unencrypted hotspots. 5) to prevent snort wifi sniffer attacks But it doesn't. Still, from what I understood they're trialling at some large enterprise IT departments who think it's super, so maybe I missed something. Nic

why not make it fire wire or pci / pci-e based

[Joe The Dragon]

that would be better and it will have less system cpu over head.
also some chipsets like the nvidia ones have build in firewalls

100 mbps "Wire Speed"?

[Autonin]

Uhm... USB 2.0 bandwidth is 54 mbps. In order to filter traffic going through it, you'd have to use the bus twice - once to send a packet to it, and once to get the packet (provided it was permitted) back from it.

I'm sure *internally* it'd handle it at wirespeed, but... otherwise, I can't see how even 50% of wirespeed is possible. Possibly closer to 20%, which, incidentally, is still faster than most home user's bandwidth.

And yes, this gadget's a total gimmick.

Re:

[cicadia]

Uhm... USB 2.0 bandwidth is 54 mbps. In order to filter traffic going through it, you'd have to use the bus twice - once to send a packet to it, and once to get the packet (provided it was permitted) back from it.

As far as I know, the USB 2.0 fast transfer rate is 480Mbps. A rough 25% overhead rule of thumb yields a rate of 384Mbps, or 48MBps, easily enough to handle a 100Mbps ethernet connection.

Also, you don't necessarily have to send each packet over the USB twice, if you are not doing any packet shaping, or address translation. A 1-bit response to each packet (pass / fail) is enough for a simple packet filter. The software drivers that intercepted the packet in the first place would then send the original pa

holy hackable hardware, batman!

[radarsat1]

firewall schmirewall, I can't wait to see what "wrong" things people do with this.. a Linux machine on a USB stick? For 180$? Awesome.

Re:

[dfries]

I should get one of these. It would be great. I have this 486DX-133 playing ogg vorbis audio files and it isn't fast enough for the highest quality music. It does have a PCI USB 2.0 card in it, it would just be awesome having a 520MHz USB key doing the decoding. It would just be so backward nobody would believe me having the USB key being the CPU and the computer being storage and I/O. Goofy.

Re:

[adolf]

Better idea: Just rescue a Pentium-class machine from the curb and be done with it. I know it's so obvious that it hurts, but *come on*, man.

And then, if you still need/want extra points, remove as many of the critical moving parts from the box as you can to enhance reliability. Think undervolting, big heatsinks, and solid-state storage.

But $180 is too much to spend just for geek cred alone.

If that's your whole goal, then look not toward needless complication. Far better (and cheaper) results would come

Sorry guys,

[Slithe]

it will take more than that to keep out the Palestinians.

I think I could buy an N Router

[Nom du Keyboard]

I think I could buy an 802.11n router w/firewall for less to protect all my home systems. Since I'm not using a portable system on the road, it would seem like a better buy.

Professional Product.

[hattig]

I think I could buy an 802.11n router w/firewall for less to protect all my home systems. Since I'm not using a portable system on the road, it would seem like a better buy.

You don't say! Duh!

This is a product for mobile professionals. The IT department can stick this cheap (for a multinational) dongle into their laptops and guarantee that the professional person, who probably isn't too bright in terms of IT, won't get owned on their round the world trips with their various different types of connectivity t

Lotsa useless negativity

[ushering05401]

There is a niche for this thing... a very small one, but it is there.

I, for one, might look into owning one of these. After all, I spend a shitload of time working on client machines trying to isolate and diagnose problems. Being able to plug in a USB key to emulate the hardware firewall the client *should* have would be helpful. Notice, I said emulate, not duplicate.

Just because it is on the front page of /. does not mean it is supposed to save the world.

Regards.

Re:

[mikelieman]

Boot Knoppix. It's up, and working? The diagnosis is a blown Windows install.

While in Knoppix, grab the Documents and Settings folder and copy to a USB drive.

Reformat HD, reload windows, copy over Document and Settings.

very cool

[Deadplant]

that is really quite cool but it is clearly not a 'complete hardware firewall' as it lacks the key component of a hardware firewall.... physically separate hardware.

Apparently we all didn't actually RTFA

[Anonymous Coward]

Because if we had, then we might have noticed that this little device incorporates anti-virus software. Why do you care? I'll tell you why: because that eliminates one of the biggest annoyances for windows users since Clippy.

Anti-virus software always slows down your PC. No matter what. It has to because it scans each and every file as its accessed (assuming resident scanner operations).

This little gem allows me to not bother with installing any anti-virus software and just offload that function to a li

Re:

[Mr. Roadkill]

How can it possibly duplicate the functionality of regular AV software that has hooks in the file system and email clients? It can't possibly do all that.

You're quite correct about the filesystem checks... it can't do those.

For email, though, it could be quite decent - provided the signatures are kept current, and/or are broad enough to pick up new variants of some of the more common varieties. Many AV products set up POP, IMAP and SMTP proxies (although this looks like it only does SMTP and POP)... yo

Passthrough TAP IDS/IPS

[Twillerror]

I'd rather see a device like this that is a tap based IDS or IPS system.

You can buy taps and redirect copies of network traffic into a snort or other IDS, but I'd rather have a small all encompassing device I could take on the road.

Wouldn't work for wireless, but I'd rather hop on a wired connection at a hotel anyways. Half the time wireless is shotty or the signal is weak.

If I just plug the ethernet into one port and then plug my laptop into the other that would be great. It could then block traffic on non

I am from Yoggie: Critial information disclosed

[SST]

Dear All, Yes, I am from Yoggie and its a pleasure and honor for me to provide some "internal" information: Some of you mentioned that you need 2 network ports to make a "real" Firewall. True, please refer to our web site: www.yoggie.com and find the Yoggie Gatekeeper. This product released few months ago comes with two network ports running same processor, same memory, OS and 13 application. Some of you, view Yoggie as a Firewall and compare it to Routers and access points: Please note that Yoggie is by far more than just a Firewall and in fact its like a set of enterprise security appliances packed in a miniature computer. Lets see what's in there: 1. FireWall, NAT, DHCP Server and client 2. Full snort implementation including IPS on top. VRT updates will come soon. 3. 4 transparent proxies: 2 for web: HTTP, FTP and 2 for email: SMTP and POP3 4. True File-Type detection agent so file type are detected by content analysis and not based on MIME or file extension! Compressed file - are uncompressed in real time before scanning!!! 5. Anti Virus agent - Kasperski! 6. Anti Spyware agent - both signature based and behavior based! 7. Anti Phishing - since it sees the web and email traffic - it can "close the phissing loop" and verify content/url. 8. anti SPAM - based on Mailshell engine. 9. URL CAT and parental control - based on SurfControl. 10. Layer 8 agent - performs content scanning to "above layer 7" applications, AJAX, VBS, JS, etc. to detect new and unknown virus (not based on signature). 11. MLA - Multi Layer Security agent - a new invention - event correlation in REAL TIME for all event from all other modules - to drastically reduce false positive of IPS and Layer 8 agent. 12. VPN Client. These applications take 35% - 45% of PC Windows CPU. More, one cannot find a commercial implementation of all these applications in one security appliance, even when it comes to a 1U, 2U or 4U appliance. Simply, no one yet managed to integrate layer 2/3 security with layer 7 and above layer 7 content analysis. Yoggie is a unique combination of 7-8 commercial different security appliances. Why did we come with the Yoggie PICO? and why after Gatekeeper: First, we wanted to provide the experts with a 2 network ports solution: we launched the Yoggie Gatekeeper. After we came with this great invention that one can implement an *almost* identical solution using *s-route driver* at the lowest level that still NAT (yes, this is the first NAT and DHCP service inside a protected driver and in between network layers) IP address so external IP address is different from IP addresses Windows application gets. This unique implementation is the only one capable stopping attacks such as "ARP cache poisoning" - something only hardware based firewalls can do. (will go via software firewalls). We absolutely agree that Yoggie Gatekeeper using two network interfaces provides the ultimate separation and isolation but we also know that Yoggie PICO unique "S-Route driver" is by far better than software firewall. Why we didn't add network port to PICO ? - we let this choice with the Gatekeeper (for people that absolutely requires two ports) and made an alternative with almost same security level but with a much smaller form factor (easy to carry)and using the existing network port in the laptop. Your comments and suggestions are welcome. SST.

How does it compare to...

[Aryeh Goretsky]

Hello,

What I would like to know is how Yoggie [yoggie.com]'s devices compare to Zyxel [zyxel.com]'s ZyWALL P1 [zyxel.com]. Zyxel's device is larger at about 5×3×0.75" (assuming I'm doing the metric conversion properly) but it is a standalone device with two 10/100 Ethernet ports. Zyxel's web site says anti-virus, IDP and anti-spam will be available in the future, but since that was two years ago with no update to the web site since then, I'm guessing they will never be added, so the device only acts as a firewall with SPI

Oh that's just great.

[Organic Brain Damage]

"Honey, have you seen my firewall? Where'd I put that dang firewall...I know it's around here somewhere...oh geez, it was in my pocket the whole time."

I do this now with keys, wallets and cell phones. Do I really need to do it with my firewall?

Re:Troll!

[Pojut]

They are like you in every way, except for one thing: They remember to actually click "Post Anonymously"