nForce3-250Gb: On-Chip Firewall

Frankly, it's a good feeling to be relatively safe behind a router in a network. Any security expert, however, will tell you that the big risk in recent days has come from infected email attachments, which pass straight through any router setup and spread friend to friend or across a home network. Active LAN gamers can also pose high security risks because they often end up opening wide ranges of ports in their setup so they can play their games on-line. nVidia has tried to address these types of security risks with an on-chip firewall in nForce3-250 that can be easily configured in your internet browser.

The nVidia Firewall is a hardware-optimized solution and an integrated component of nVidia nForce media and communications processors (MCPs). Currently, the nF3-250 chipset offers the on-chip firewall, but nVidia said that they also plan to incorporate the firewall into an upcoming revision to nForce2 Ultra 400. This on-chip design eliminates potential conflicts with third-party drivers, BIOS, or hardware. nVidia tells us that they are also working with Microsoft to make certain that their on-chip firewall is fully recognized and supported in Microsoft's upcoming firewall additions to the Operating System.

Because it is native, the nVidia Firewall eliminates many issues with software conflicts, improves throughput and protection, and lowers CPU utilization. This all sounds good, but we were most interested in how nVidia's firewall is configured, since the current software firewalls that are actually effective are usually a nightmare to configure. Even those that try to be friendly can be a genuine pain to use in the training or "rule-setup" phase.

LAN Gaming

When you look closely at the nVidia firewall, it is clear that someone in the design group understood what was wrong with most firewalls. There are several predefined levels of protection, and the assumptions that were made in defining these levels are about the same as we would make in our own configurations. You define these simple setups in your browser, but what if you're a LAN gamer with 20 games, all requiring different ports for connection? Here, nVidia had you in mind, because there is a whole group of predefined games with their corresponding ports. Configuring for your LAN game is as easy as checking the game in the setup, or unchecking it when you want to close that access again. This is really slick, and something you don't expect in a chipset!

Anti-Hacking

The firewall also has some very interesting anti-hacking features. Most software firewalls can filter IP addresses just fine, but most have trouble with the kind of hacker attacks that we really see today. The hacker today most often uses a "zombie" PC generating spoofed packets, and the on-chip firewall is a hardware solution that is better able to protect against this type of attack. As nVidia explains:

"A spoofed IP packet has an illegally generated value in its IP Source Address field. By using an intentionally incorrect IP address, it is possible to build certain kinds of attacks. The most notorious is a distributed denial-of-service (DDoS) attack, which is also one of the most common types of attacks that use IP spoofing. These DDoS attacks depend on two things: 1) an Internet-connected "zombie" device, often a PC, that has been compromised; and 2) the ability to command the zombie PC to send packets with spoofed IP source addresses.

Firewalls have always been able to filter based on an IP address, but the detection of spoofed packets involves a more subtle distinction. For example, based on a given packet's IP source address, should that packet have arrived on the interface that received it, given what the firewall knows about the routing table? An intermediate device cannot easily detect that a given packet is spoofed.

The best approach to preventing spoofing is to block spoofed packets at their source - the zombie PCs. By embedding the anti-spoofing capability directly into the PC's networking hardware/software infrastructure, the PC is prevented from using any IP address other than its statically assigned address or its DHCP-assigned address."
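The two behaviours described above, the checkable per-game port profiles and the anti-spoofing rule that only lets the PC send from its statically or DHCP-assigned address, are easy to model in a few lines. The following is an added example written for this page, not nVidia's driver or firmware; the game names, port numbers and addresses are constructed placeholders, since the real profile table is not reproduced here.

```python
from ipaddress import ip_address

# Constructed game profile table (name -> set of (protocol, port)).
# The real nVidia list and its port numbers are not on the page, so these are placeholders.
GAME_PROFILES = {
    "game_a": {("udp", 27000)},
    "game_b": {("udp", 28000), ("tcp", 28001)},
}


class HostFirewall:
    """Hypothetical model of a host firewall with checkable game profiles
    and an egress anti-spoofing check (not nVidia's implementation)."""

    def __init__(self, assigned_addresses):
        # The only source addresses this host may use: its static or DHCP-assigned ones.
        self.assigned = {ip_address(a) for a in assigned_addresses}
        self.enabled_games = set()
        self.spoof_drops = 0  # counts egress packets dropped for a foreign source address

    def set_dhcp_address(self, addr):
        """A DHCP lease change replaces the permitted source address set."""
        self.assigned = {ip_address(addr)}

    def enable_game(self, name):
        """'Checking' a game in the setup opens its predefined ports."""
        if name not in GAME_PROFILES:
            raise KeyError(f"unknown game profile: {name}")
        self.enabled_games.add(name)

    def disable_game(self, name):
        """'Unchecking' the game closes that access again."""
        self.enabled_games.discard(name)

    def _open_ports(self):
        return set().union(*(GAME_PROFILES[g] for g in self.enabled_games))

    def allow_inbound(self, proto, dst_port):
        """Unsolicited inbound traffic is allowed only on a port some checked game opened."""
        return (proto, dst_port) in self._open_ports()

    def allow_outbound(self, src_ip):
        """Egress anti-spoofing: drop any packet whose IP source address is not ours."""
        if ip_address(src_ip) in self.assigned:
            return True
        self.spoof_drops += 1
        return False
```

The `spoof_drops` counter is the kind of signal a defender would watch: a compromised host that starts emitting foreign source addresses shows up as a rising drop count even though nothing leaves the machine.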

Configuration

All the firewall capabilities available are next to useless if the configuration is inaccessible or overly complicated. The new nVidia on-chip firewall is configured through your browser.


71 Comments

  • draven31 - Thursday, March 25, 2004 - link

    Yes, the lack of PCI Express is a disappointment

    But, so is the lack of PCI-X. It means that system integrators and postproduction facilities will be hesitant about using NF3-250 motherboards for workstations because a significant portion of the current NLE cards want at least a 64-bit PCI slot, if not a PCI-X 66, 100, or 133.

    This lack of PCI-X slots on Athlon64 motherboards (you have to get a dual Opteron board to get them) means I may have to go Intel for my next systems, and I was really hoping to get an Athlon64 because Lightwave runs best on them overall.
  • Wesley Fink - Wednesday, March 24, 2004 - link

    #49 -
    I heartily DISAGREE with your conclusions. As you will see soon enough DDR2 is at present the same performance as DDR (at best) at twice the price or more. While I do appreciate the potential of DDR2, the current execution is like Prescott - much ado about very little.

    As for your bandwidth, we are talking about an Athlon 64 and NOT an Intel CPU. Intel design and deep pipes keep it constantly starved for bandwidth; A64 on the other hand has been shown to perform just about as well with current single-channel DDR as it does with much greater bandwidth dual-channel DDR. This actual performance certainly refutes your claim for the A64 "needing DDR2". Even dual-channel is more a checklist item most consumers demand than it is a huge performance booster on A64. But dual-channel will indeed be a part of socket 939 - doubling memory bandwidth for an Athlon 64 that already competes quite well with single-channel memory.

    I do agree with your point about hard-drive throughput, and there is little to complain about in the nF3-250Gb design in that regard.

    Talk to memory manufacturers about DDR2. Most are extremely frustrated at having to add huge buffering to even get the 533 stuff to work. In addition latencies are so high at 4-4-4-8 that any performance gain is pretty much nullified. And the cost is prohibitive (sound like early Rambus?). Things WILL improve with time on DDR2, but your sweeping pronouncements are just misinformed.

  • jcoltrin - Wednesday, March 24, 2004 - link

    PCI Express and Hyperthreading won't make a bit of difference in today's games. The only benefit I can think of with nForce3 is *maybe* better sound, and gigabit LAN. PCI Express has been shown to only produce minimal effects on fps, and who cares about hyperthreading unless you enjoy burning CDs and compressing your latest movie while playing an FPS. What this chipset really needed, and the ref. board doesn't support, is DDR2. Memory bandwidth and SATA hard drives are the only thing that's going to unleash the power of our already over-kill video cards and load the expansive levels in an acceptable time. Why this article failed to acknowledge this I don't understand.
  • Reflex - Wednesday, March 24, 2004 - link

    #46: For purely gaming purposes the Soundstorm does an adequate job. No complaints there. But many people use their PC for more than gaming, and anyone who cares about the actual quality of the sound coming out, especially for music playback, would care about the differences. Yes, the S/N ratio is very poor on SoundStorm setups. Anyone who cares about excellent reproduction would not be using SPDIF cables as well; they would demand a coax solution for digital output (Turtle Beach SC for instance offers this).

    Like I said, it was a leap over what was included on motherboards when it was first released, but it has stagnated since then and the competition is far ahead now. Even Creative Labs, which is not even remotely close to being a leader in sound quality, is far beyond the SoundStorm nowadays. Now give me a SS solution with 24/96 capabilities and 106 S/N ratio and they would be back in the hunt. But that won't happen; nVidia is not an audio company.
  • Pumpkinierre - Wednesday, March 24, 2004 - link

    The dually is good if you're running a game and other apps even if they are single threaded. I don't of course, but many do, to switch quickly to avoid the boss or for 10 minutes relaxation while working. There is some loss of performance as a result of the CPUs watching each other, but with the present design and power of the Opteron it wouldn't be noticeable. I'd like a dually.

  • BikeDude - Wednesday, March 24, 2004 - link

    #41: Soundstorm=poor quality in what way? S/N? I'm using the SPDIF connector and get 5.1 surround in most of today's games and DVD movies. What other audio solution features Dolby encoding in hardware? I have not seen (heard) one yet.

    SoundStorm is the only audio solution that offers Audigy2 much competition when it comes to CPU usage in games.

    When something better appears, I'll switch in a second, but for now I dread my next motherboard upgrade as it'll mean I'll have to go back to standard audiocables again (and no less than three at that, in addition to the SPDIF cable!). :-(

    As for USB2: It sucks. Compare external drive solutions; the old firewire400 interface wins every time. If nVidia has really cut firewire support, let's at least hope they get USB 2.0 support right this time. I had to install an extra USB 2.0 controller to get my Thrustmaster FF wheel working for more than five minutes at a time (I tried with both Epox 8RDA3+ and ABit AN7 motherboards).
  • GoatHerderEd - Wednesday, March 24, 2004 - link

    #44:
    My bro is a BeOS fan too! How fun is that?
  • iwantedT - Wednesday, March 24, 2004 - link

    Personally, I wouldn't mind a dual CPU A64 solution. In my experience, it means a hell of a lot more time between upgrades. Hell, I've even still got a dual Celeron 500 BP6 setup that is quite usable still, even though it's running BeOS, i.e. support is kinda dead :)
  • ripdude - Wednesday, March 24, 2004 - link

    Good article I must say, though the lack of PCI-Express is a small disappointment.

    Also, the conclusion states that socket 939 is a couple of months away; is there a bit more certain release date? Perhaps somewhere in April/May?
  • Reflex - Wednesday, March 24, 2004 - link

    Trogdor: Yes, multi-threading is more complicated; however, it's a shift that everyone *is* making. There is really very little excuse to make single-threaded applications on today's hardware and operating system environments; it's an issue more of an established method of doing things giving way *very* slowly to new ways. For an industry that embraces most new technology, it's strange that they did not change their design philosophies long ago; really, once Win9x (and Pentium CPUs) became a standard the infrastructure was in place...
