nForce3-250Gb: On-Chip Firewall

Frankly, it's a good feeling to be relatively safe behind a router in a network. Any security expert, however, will tell you that the big risk in recent days has come from infected email attachments that get through any router setup and are spread friend to friend or across a home network. Active LAN gamers also can pose high security risks because they often end up opening huge IP holes in their setup so they can play their games on-line. nVidia has tried to address these types of security risks with an on-chip firewall in nForce3-250 that can be easily configured in your internet browser.

The nVidia Firewall is a hardware-optimized solution and an integrated component of nVidia nForce media and communications processors (MCPs). Currently, the nF3-250 chipset offers the on-chip firewall, but nVidia said that they also plan to incorporate the firewall into an upcoming revision to nForce2 Ultra 400. This on-chip design eliminates potential conflicts with third-party drivers, BIOS, or hardware. nVidia tells us that they are also working with Microsoft to make certain that their on-chip firewall is fully recognized and supported in Microsoft's upcoming firewall additions to the Operating System.

Because it is native, the nVidia Firewall eliminates many issues with software conflicts, improves throughput and protection, and lowers CPU utilization. This all sounds good, but we were most interested in how you configured nVidia's firewall, since current software firewalls that are effective are usually a nightmare to configure. Even those that try to be friendly can be a genuine pain to use in the training or "rule-setup" phase.

LAN Gaming

When you look closely at the nVidia firewall, it is clear that someone in the design group understood what was wrong with most firewalls. There are several predefined levels of protection, and the assumptions that were made in defining these levels are about the same as we would make in our own configurations. You define these simple setups in your browser, but what if you're a LAN gamer with 20 games, all requiring different ports for connection? Here, nVidia had you in mind because there are a whole group of predefined games with the corresponding ports. Configuring for your LAN game is as easy as checking the game in the setup or unchecking it when you want to close an access. This is really slick, and something you don't expect in a chipset!

Anti-Hacking

The firewall also has some very interesting anti-hacking features. Most software firewalls can filter IP's just fine, but most have trouble with the kind of hacker attacks that we really see today. The hacker today most often uses a "zombie" PC generating spoofed packets, and the on-chip firewall is a hardware solution that is better able to protect against this type of hacker attack. As nVidia explains:

"A spoofed IP packet has an illegally generated value in its IP Source Address field. By using an intentionally incorrect IP address, it is possible to build certain kinds of attacks. The most notorious is a distributed denial-of-service (DDoS) attack, which is also one of the most common types of attacks that use IP spoofing. These DDoS attacks depend on two things: 1) an Internet-connected "zombie" device, often a PC, that has been compromised; and 2) the ability to command the zombie PC to send packets with spoofed IP source addresses.

Firewalls have always been able to filter based on an IP address, but the detection of spoofed packets involves a more subtle distinction. For example, based on a given packet's IP source address, should that packet have arrived on the interface that received it, given what the firewall knows about the routing table? An intermediate device cannot easily detect that a given packet is spoofed.

The best approach to preventing spoofing is to block spoofed packets at their source - the zombie PCs. By embedding the anti-spoofing capability directly into the PC's networking hardware/software infrastructure, the PC is prevented from using any IP address other than its statically assigned address or its DHCP-assigned address."


Configuration

All the firewall capabilities available are next to useless if the configuration is inaccessible or overly complicated. The new nVidia on-chip firewall is configured through your browser.



nForce3-250Gb: On-Chip Gigabit LAN nForce3-250Gb: 4-Drive SATA RAID and IDE RAID
POST A COMMENT

71 Comments

View All Comments

  • Reflex - Wednesday, March 24, 2004 - link

    #39: In my honest opinion, the lack of Soundstorm is an improvement. The APU they were using was a lot of marketing, but relatively poor quality. Even the 'cheap' off brands had better chips available, and nowadays with Via's Envy line the Soundstorm is very, very out of date. I think its absence represents the reality that nVidia did not see enough of a benefit in trying to become a full fledged audio processing company, and since most motherboards without nForce chipsets have other solutions it wasn't a huge value-add(many NF2 boards did not even utilize the nVidia solution).

    Any serious enthusiast would be using a Turtle Beach, M-Audio(or other Via Envy solution), or Audigy anyways, at least if sound quality mattered to them at all. Soundstorm was decent in its time, but they did not try to compete when the next generation arrived(Audigy/Envy) and they weren't top of the line when they were introduced(TB Santa Cruz had that crown).

    Its a risk/reward scenerio, and the rewards did not outweigh the risks of the heavy investment it would take to keep up with the big boys.
    Reply
  • GoatHerderEd - Wednesday, March 24, 2004 - link

    Why did I say it is mostly for servers, and also it would be good for laptops. erg! You get the point. Reply
  • GoatHerderEd - Wednesday, March 24, 2004 - link

    I don’t understand why they don’t have fire wire. It can’t be that hard to include it, and MB manufacturers would be very happy with that since they wouldn’t need to mess with another chip and leads. It would also help in the whole SFF and laptop areas.

    For all the people wining about the sound, I still think they are aiming this at servers and workstations. Plus gamers would want the pci sound anyways, I know people who add pci sound even with the awesome nforce 2 sound, go figure.

    Finally, enough bitching about the typos, once is enough. I don’t see you with a reference board in hand!
    Reply
  • jlfowler78 - Tuesday, March 23, 2004 - link

    I'm disappointed there's no PCI-Express support. What's the deal with that? When will nVidia make a chipset like the n3-250 plus PCI-Express? Geez, even SiS has a good chipset w/ PCI-E. Reply
  • xt8088 - Tuesday, March 23, 2004 - link

    Have at another NForce 3 250 review at http://www.hexus.net/content/reviews/review.php?dX...

    This review mentioned the lack of APU, and it had the benchmark tests.
    Reply
  • Shinei - Tuesday, March 23, 2004 - link

    I'm fairly certain that this is just a generic board to test the chipset out with, it's not going to be the final product put out by GigaByte or Abit... After all, most nForce2 boards have 3 DIMM slots, while the GigaByte GA-7Nxxx series all had 4...

    Now that nVidia's shown that they can still make motherboard chipsets, I think it's time they showed us they can still make video cards that rock your pants off.
    Reply
  • Regs - Tuesday, March 23, 2004 - link

    Wow @ 2.4 Ghz. But Only 2 DIMMs for RAM? Please tell me other boards will have more than 2! Im running with 2x 256 + 1 x 512 Dimm. It would kill my bank account to waste another 100 bucks on ram. Reply
  • TrogdorJW - Tuesday, March 23, 2004 - link

    #31 - You ever tried to make a gaming engine multi-threaded? How about making it really multi-threaded so that you might get a 50-100% boost in performance by adding a second processor? I won't say it can't be done, but it is a *major* change in design philosophy and coding. My experience with multi-threaded applications is that they are much more complex to get working properly. The only game so far that I've heard of trying to use multi-threading was Quake 3, and it didn't work very well. I think the estimate of 3 or more years before games start taking advantage of multi-threading is pretty optimistic, but we'll see. Reply
  • Doormat - Tuesday, March 23, 2004 - link

    Wow, this is the first product in a few months that has been interesting (though, the coming NV40/R420 war will be fun to watch).

    The gigE interests me because I'm looking at a home media network that would be seperate from my normal network, and looking at putting out simulatenous DVD/HDTV feeds over the network was kinda iffy on 100Mbit networks (HD can be up to 19Mbit/s, DVDs are probably anywhere from 2Mbit/s to 4 or 5Mbit/s).

    My only gripe is that the socket 939 chips arent ready yet. I'm waiting for those to show up before I make a move.
    Reply
  • wassup4u2 - Tuesday, March 23, 2004 - link

    Then again, the NF3-150 reference board had a "working" AGP/PCI lock... Reply

Log in

Don't have an account? Sign up now