nForce3-250Gb: On-Chip Firewall

Frankly, it's a good feeling to be relatively safe behind a router in a network. Any security expert, however, will tell you that the big risk in recent days has come from infected email attachments that get through any router setup and are spread friend to friend or across a home network. Active LAN gamers also can pose high security risks because they often end up opening huge IP holes in their setup so they can play their games on-line. nVidia has tried to address these types of security risks with an on-chip firewall in nForce3-250 that can be easily configured in your internet browser.

The nVidia Firewall is a hardware-optimized solution and an integrated component of nVidia nForce media and communications processors (MCPs). Currently, the nF3-250 chipset offers the on-chip firewall, but nVidia said that they also plan to incorporate the firewall into an upcoming revision to nForce2 Ultra 400. This on-chip design eliminates potential conflicts with third-party drivers, BIOS, or hardware. nVidia tells us that they are also working with Microsoft to make certain that their on-chip firewall is fully recognized and supported in Microsoft's upcoming firewall additions to the Operating System.

Because it is native, the nVidia Firewall eliminates many issues with software conflicts, improves throughput and protection, and lowers CPU utilization. This all sounds good, but we were most interested in how you configure nVidia's firewall, since the current software firewalls that are effective are usually a nightmare to configure. Even those that try to be friendly can be a genuine pain to use in the training or "rule-setup" phase.

LAN Gaming

When you look closely at the nVidia firewall, it is clear that someone in the design group understood what was wrong with most firewalls. There are several predefined levels of protection, and the assumptions that were made in defining these levels are about the same as we would make in our own configurations. You define these simple setups in your browser, but what if you're a LAN gamer with 20 games, all requiring different ports for connection? Here, nVidia had you in mind, because there is a whole group of predefined games with their corresponding ports. Configuring for your LAN game is as easy as checking the game in the setup, or unchecking it when you want to close that access again. This is really slick, and something you don't expect in a chipset!

Anti-Hacking

The firewall also has some very interesting anti-hacking features. Most software firewalls can filter IPs just fine, but most have trouble with the kind of hacker attacks that we really see today. The hacker today most often uses a "zombie" PC generating spoofed packets, and the on-chip firewall is a hardware solution that is better able to protect against this type of attack. As nVidia explains:

"A spoofed IP packet has an illegally generated value in its IP Source Address field. By using an intentionally incorrect IP address, it is possible to build certain kinds of attacks. The most notorious is a distributed denial-of-service (DDoS) attack, which is also one of the most common types of attacks that use IP spoofing. These DDoS attacks depend on two things: 1) an Internet-connected "zombie" device, often a PC, that has been compromised; and 2) the ability to command the zombie PC to send packets with spoofed IP source addresses.

Firewalls have always been able to filter based on an IP address, but the detection of spoofed packets involves a more subtle distinction. For example, based on a given packet's IP source address, should that packet have arrived on the interface that received it, given what the firewall knows about the routing table? An intermediate device cannot easily detect that a given packet is spoofed.

The best approach to preventing spoofing is to block spoofed packets at their source - the zombie PCs. By embedding the anti-spoofing capability directly into the PC's networking hardware/software infrastructure, the PC is prevented from using any IP address other than its statically assigned address or its DHCP-assigned address."
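The two checks in nVidia's explanation, written out as an added Python example (not nVidia's code, and not part of the original article): the host-side egress rule, where only the host's own assigned address may appear as the source, and the router-side reverse-path question, where the route for the source address must point back out the interface the packet arrived on. The addresses, routing table and packets are constructed sample data.

```python
import ipaddress
import struct

def parse_ipv4_header(packet: bytes):
    """Return (src, dst) from a minimal IPv4 header, rejecting malformed input."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    if packet[0] >> 4 != 4 or (packet[0] & 0x0F) < 5:
        raise ValueError("not an IPv4 header")
    src, dst = struct.unpack("!4s4s", packet[12:20])
    return ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)

def egress_allowed(packet: bytes, assigned_addrs) -> bool:
    """Host-side anti-spoofing: the source must be one of this host's own
    (static or DHCP-assigned) addresses, otherwise the packet is dropped."""
    src, _ = parse_ipv4_header(packet)
    return src in {ipaddress.IPv4Address(a) for a in assigned_addrs}

def ingress_rpf_allowed(packet: bytes, in_iface: str, routes) -> bool:
    """Router-side check from the quote: the longest-prefix route for the
    source address must point back out the interface the packet came in on."""
    src, _ = parse_ipv4_header(packet)
    best = None
    for cidr, iface in routes:
        net = ipaddress.ip_network(cidr)
        if src in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best is not None and best[1] == in_iface

def build_packet(src: str, dst: str) -> bytes:
    """Constructed 20-byte IPv4 header (no options, no payload) for testing."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 17, 0,
                       ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed)

if __name__ == "__main__":
    # Constructed sample data: one host with one assigned address, and a
    # router whose routing table has a LAN prefix and a default WAN route.
    host = ["192.168.1.20"]
    routes = [("192.168.1.0/24", "lan0"), ("0.0.0.0/0", "wan0")]
    print(egress_allowed(build_packet("192.168.1.20", "10.0.0.1"), host))   # True
    print(egress_allowed(build_packet("203.0.113.9", "10.0.0.1"), host))    # False
    print(ingress_rpf_allowed(build_packet("192.168.1.20", "10.0.0.1"), "lan0", routes))  # True
    print(ingress_rpf_allowed(build_packet("192.168.1.20", "10.0.0.1"), "wan0", routes))  # False
```

The last call is the case an intermediate device can catch: a packet claiming a LAN source that arrives on the WAN side, which the strict reverse-path check rejects.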

Configuration

All the firewall capabilities available are next to useless if the configuration is inaccessible or overly complicated. The new nVidia on-chip firewall is configured through your browser.


  • Visual - Friday, March 26, 2004 - link

    This chipset looks promising, I like it. And a great article about it :)

    I'm a bit curious about the raid - do you guys think it may be possible to implement a hot-swappable raid array with integrated raid controllers anytime soon?

    Maybe you can make an article testing the performance boost from using a 4-drive raid 0 array with this baby?

    Another thing that interests me - are there any mobos with IGP for Athlon64? I know it won't be a performer, I'm just curious if it even exists. Also is anything being heared about some new DX9 IGP anytime soon(hopefully with this chipset)? It'd also be cool if having an AGP card doesn't disable the IGP, like the ati-intel chipsets... Well I guess I'm dreaming now, but I'd like to see your comments or any info you have on nVidia's IGP plans. I guess you AT folks could ask nVidia about this :)

    Thanks,
    Visual
    Reply
  • Reflex - Thursday, March 25, 2004 - link

    #59: Try measuring your bandwidth with a 4 drive RAID 0 array using fast drives on that setup and then put the same array in an Intel or AMD chipset system. nVidia's PCI implementation is not very good at all.
    Reply
  • MichaelD - Thursday, March 25, 2004 - link

    [q] Actually, to date nVidia has had a *very* troublesome PCI implementation, anyone with a PCI RAID controller and a 4 disk RAID 0 array can tell you that. It is so bad, in fact, that prototype NF3-150 boards for Opteron used AMD PCI chips just to avoid using the nForce3 integrated PCI bus. I am not certain if these boards ever reached production status however.[/q]

    Uh, no. Not in my experience. On my 8RDA+, I've used:

    Highpoint ATA133 Controller Card
    3Ware7000-2 Two-channel IDE RAID card
    LSI Megaraid 1600 SCSI RAID card

    I've had zero problems. Wha'chu talkin' bout, Willis?
    Reply
  • Reflex - Thursday, March 25, 2004 - link

    #55: I did not say DDR2 was needed right now, it's not and AMD is making the right decision. I was just pointing out that the latency penalty should not be a real issue since it moves more data. But time will tell.

    #54: I have not checked out the Catalina yet, however if it does not have a coax output, it will not find a home in my setup. SPDIF is a consumer level technology, championed by Sony, but it is not as high quality as coax simply due to the fact that the signal must be converted twice (to and from optical) which is never a good thing. Furthermore, the cables are frail and expensive. Professional level equipment never has SPDIF, it uses coax exclusively.

    Wesley: Glad they are dropping SoundStorm. Waste of time and effort in my opinion.
    Reply
  • BikeDude - Thursday, March 25, 2004 - link

    Thanks Wesley; a single chip implementation makes sense. Now show us the benchmarks! :)
    Reply
  • Wesley Fink - Thursday, March 25, 2004 - link

    #54 and others regarding Sound Storm -

    1 - nVidia is committed to the one-chip chipset for Athlon 64. They are firmly convinced that the one-chip eliminates the potential bottlenecks of a north-south bridge communications bus. Even with the memory controller on the chip there is only so much real estate practically available on a single-chip chipset.

    2 - Customer surveys by nVidia found that most buyers did not use Sound Storm, and that Sound Storm did not enter heavily into the decision to buy nForce. So the decision was made to choose the on-chip LAN, firewall, and much-expanded RAID capabilities which benefit greatly from being moved off the bus.

    3 - There are new sound solutions in the works for nVidia. You may see them in a future chipset or on a sound card. Final decisions have not been made.
    Reply
  • Pumpkinierre - Thursday, March 25, 2004 - link

    #53, I'll believe it when I see the tests. It sounds like RAMBUS - that was supposed to be better at latency but turned out the opposite at over twice the cost at the time. Read the last paragraph of Wesley's post (#50) - he's closer to the industry and there are others expressing similar concerns. All these are things that Intel with its resources should iron out and AMD come in when it's sorted. If AMD get to a third of the market and in the black then it can show leadership in these areas. Meanwhile, stick to what they are best at: CPUs.
    Reply
  • BikeDude - Thursday, March 25, 2004 - link

    #48: Turtle Beach Catalina which I suspect is a newer card (it's more expensive :) ) than SC, seem to tout optical SPDIF output as a feature (doesn't mention coax at all) and it's merely pass-through SPDIF at that (no hardware Dolby encoding -- thus I'll end up with the additional three audio cables again). Are you sure you have all your facts straight?

    If you're a professional musician -- I agree, the SS isn't for you, but I thought nForce was primarily a chipset targeted at gamers?
    Reply
  • Reflex - Thursday, March 25, 2004 - link

    #52: Latency ends up about the same due to the fact that twice the operations per clock are happening in the same span as regular DDR. It does not, however, give you any real benefit, just higher scalability. The lack of DDR2 support also really has nothing to do with the chipset, it's a CPU feature on the Athlon64/FX architecture, not a chipset one, so people bemoaning the lack of DDR2 need to look at AMD, not nVidia.

    Like I said before, the only feature needed from my point of view is PCI Express. I refuse to buy any more PCI or AGP devices at this point knowing that in a year or two they will be useless. Unlike my CPU, I don't often change out my sound card, motherboard, SCSI card, or other such devices, so when it comes time to upgrade my system, PCI Express will be the order of the day for me.
    Reply
  • Pumpkinierre - Thursday, March 25, 2004 - link

    Good to see your real opinions, Wesley (#50). I too am worried about this slow latency DDR2, particularly with the A64 where I see system memory latency as being the bottleneck for improved gaming speed. AMD have got themselves a winner with A64/Newcastle but still have mainboard issues as well as heavy debt. In these conditions, good poker dictates that you play conservatively. So I'm quite happy to see only DDR1 and PCI on the nF3-250 for the moment.
    Reply