Firewall on a NIC.

    It's actually a network card with an onboard processor that can load various types of programs, including encryption and now a firewall, saving the processor from these chores. Hey, something else that doesn't gorge on CPU cycles. GPUs are not alone.

  • #2
    Nice idea in theory, but personally I think it's utterly pointless in practice.

    For a start, does anyone actually need it? Why would you want to have a hardware firewall in each individual PC in the enterprise?
    If you're that anal about security, you implement access lists and filters at your switches and routers between LANs, and you run a proper hardware firewall on any connection between your network and the outside world.

    My daily job is LANs, WANs and the like, and anything extra in hardware with the potential to induce all sorts of odd problems could make the job of people like me a nightmare if it goes wrong.

    About the only use I can see for this is in conjunction with a MAC list on the local switch (to ensure that a hacker can't just replace the NIC with a firewall-less one) and preventing all but the most necessary IP or IPX functions from working on a PC.
    But you can do that on a decent switch anyway, and it's easier to keep an eye on a handful of switches & routers for hacker activity than it is a few thousand desktop PCs.

    For the record, I run Zonealarm Standard on my home PC, and it rarely shows up in Windows 2000 Taskmanager as using more than 1% CPU or any significant amount of memory.
    Athlon XP-64/3200, 1gb PC3200, 512mb Radeon X1950Pro AGP, Dell 2005fwp, Logitech G5, IBM model M.



    • #3
      Originally posted by Richl

      My daily jobs is LANs, WANs and the like
      I run Zonealarm Standard on my home PC

      Is this the same guy?
      no matrox, no matroxusers.



      • #4
        Richl is right. It's easier to watch a switch or a router for odd activity instead of a group of PCs.

        If you suspect a security breach, shut the port on the suspect unit and see if the problem goes away, then block the MAC address from the router so if the intruder gets through on another physical port he'll never even get a DHCP or BOOTP request out of the segment he's in.

        This method is also useful for isolating other detrimental network activity: A lot of packet storms on large networks are caused by ONE piece of failing equipment sending out a multitude of BootP requests or flat out garbage that the router has to try and deal with. Shutting the port fixes the problem.

        I just took a wireless security course at work, and most of the attacks we were taught to deal with were foreign MAC addresses showing up on the private side of the LAN. Since wireless hubs are not switched on a "per port" basis (yet), we need a friendly MAC address access list and routing tables out there to automatically shun unknown wireless access. Backwards as hell, but it works, for now.
        Hey, Donny! We got us a German who wants to die for his country... Oblige him. - Lt. Aldo Raine
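An added example (not code from the thread) of the friendly-MAC access-list check described in the post above: it reads a constructed ARP table, normalises the mixed MAC notations you get from different vendors, skips broadcast and multicast entries, and reports the hosts whose MAC is not on the allowlist as candidates for the port shutdown / MAC block procedure the post describes.

```python
import re

# Constructed ARP table in Windows "arp -a" style; not captured from a real network.
SAMPLE_ARP_TABLE = """\
Interface: 192.168.1.10 --- 0xb
  Internet Address      Physical Address      Type
  192.168.1.1           00-1a-2b-3c-4d-5e     dynamic
  192.168.1.23          00:1A:2B:3C:4D:99     dynamic
  192.168.1.77          0050.5699.1234        dynamic
  192.168.1.255         ff-ff-ff-ff-ff-ff     static
  224.0.0.22            01-00-5e-00-00-16     static
"""

# Constructed allowlist of "friendly" MACs, deliberately in mixed notations.
FRIENDLY_MACS = ["00:1a:2b:3c:4d:5e", "00-1A-2B-3C-4D-99"]

# Matches 00-11-22-33-44-55, 00:11:22:33:44:55 and Cisco-style 0011.2233.4455.
_MAC_RE = re.compile(r"(?i)\b([0-9a-f]{2}([-:])(?:[0-9a-f]{2}\2){5}|[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\b")
_IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def normalize_mac(mac: str) -> str:
    """Canonical lowercase colon form so the three notations above compare equal."""
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(hexdigits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def is_broadcast_or_multicast(mac: str) -> bool:
    """True for addresses no single host owns (I/G bit set in the first octet)."""
    return bool(int(normalize_mac(mac)[:2], 16) & 0x01)


def find_unknown_hosts(arp_text: str, allowlist) -> list[tuple[str, str]]:
    """Return (ip, mac) pairs from the ARP table whose MAC is not on the friendly list."""
    allowed = {normalize_mac(m) for m in allowlist}
    unknown = []
    for line in arp_text.splitlines():
        mac_match, ip_match = _MAC_RE.search(line), _IP_RE.search(line)
        if not mac_match or not ip_match:
            continue  # header / interface lines carry no host entry
        mac = normalize_mac(mac_match.group(1))
        if is_broadcast_or_multicast(mac) or mac in allowed:
            continue
        unknown.append((ip_match.group(1), mac))
    return unknown


if __name__ == "__main__":
    for ip, mac in find_unknown_hosts(SAMPLE_ARP_TABLE, FRIENDLY_MACS):
        print(f"unknown host {ip} ({mac}): candidate for port shutdown / MAC block")
```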



        • #5
          Originally posted by thop


          is this the same guy?
          Yes.

          Did you have a point in there anywhere?

          Or at least something interesting to add to the discussion?
          Athlon XP-64/3200, 1gb PC3200, 512mb Radeon X1950Pro AGP, Dell 2005fwp, Logitech G5, IBM model M.



          • #6
            I'd take it. I've been wanting hardware firewalls on NICs/modems for the commercial market for years.

            Not really useful for full deployment in a work environment, but I can see it as highly useful for, say, the IT staff or those who need to be secure on the network while still having access.

            Would be most useful in the home environment, however. Some ISPs, when setting up broadband for users, don't install firewalls; what if they set ya up with a firewall NIC? Nicceeee. Not as nice as a separate box, but better than nothin'.
            C:\DOS
            C:\DOS\RUN
            \RUN\DOS\RUN



            • #7
              DOSFreak: you've got a valid point. When my ISP came and installed my Cable Modem (Almost two years ago, but I digress), nary a word was said about the potential for security breaches.

              Just for fun, I went up 10 IPs and down 10 IPs and found no less than 4 machines on the local segment that were totally unsecured, and File and Print sharing were ENABLED. Sucks to be them.

              It's one thing to set up an FTP or private folder if you need access to files you may have on your computer remotely; it's another to have your root drive shared with no permissions.
              Hey, Donny! We got us a German who wants to die for his country... Oblige him. - Lt. Aldo Raine
