nForce3-250 - Part 1: Taking Athlon 64 to the Next Levelby Wesley Fink on March 23, 2004 11:55 AM EST
- Posted in
nForce3-250Gb: On-Chip FirewallFrankly, it's a good feeling to be relatively safe behind a router in a network. Any security expert, however, will tell you that the big risk in recent days has come from infected email attachments that get through any router setup and are spread friend to friend or across a home network. Active LAN gamers also can pose high security risks because they often end up opening huge IP holes in their setup so they can play their games on-line. nVidia has tried to address these types of security risks with an on-chip firewall in nForce3-250 that can be easily configured in your internet browser.
The nVidia Firewall is a hardware-optimized solution and an integrated component of nVidia nForce media and communications processors (MCPs). Currently, the nF3-250 chipset offers the on-chip firewall, but nVidia said that they also plan to incorporate the firewall into an upcoming revision to nForce2 Ultra 400. This on-chip design eliminates potential conflicts with third-party drivers, BIOS, or hardware. nVidia tells us that they are also working with Microsoft to make certain that their on-chip firewall is fully recognized and supported in Microsoft's upcoming firewall additions to the Operating System.
Because it is native, the nVidia Firewall eliminates many issues with software conflicts, improves throughput and protection, and lowers CPU utilization. This all sounds good, but we were most interested in how you configured nVidia's firewall, since current software firewalls that are effective are usually a nightmare to configure. Even those that try to be friendly can be a genuine pain to use in the training or "rule-setup" phase.
LAN GamingWhen you look closely at the nVidia firewall, it is clear that someone in the design group understood what was wrong with most firewalls. There are several predefined levels of protection, and the assumptions that were made in defining these levels are about the same as we would make in our own configurations. You define these simple setups in your browser, but what if you're a LAN gamer with 20 games, all requiring different ports for connection? Here, nVidia had you in mind because there are a whole group of predefined games with the corresponding ports. Configuring for your LAN game is as easy as checking the game in the setup or unchecking it when you want to close an access. This is really slick, and something you don't expect in a chipset!
Anti-HackingThe firewall also has some very interesting anti-hacking features. Most software firewalls can filter IP's just fine, but most have trouble with the kind of hacker attacks that we really see today. The hacker today most often uses a "zombie" PC generating spoofed packets, and the on-chip firewall is a hardware solution that is better able to protect against this type of hacker attack. As nVidia explains:
"A spoofed IP packet has an illegally generated value in its IP Source Address field. By using an intentionally incorrect IP address, it is possible to build certain kinds of attacks. The most notorious is a distributed denial-of-service (DDoS) attack, which is also one of the most common types of attacks that use IP spoofing. These DDoS attacks depend on two things: 1) an Internet-connected "zombie" device, often a PC, that has been compromised; and 2) the ability to command the zombie PC to send packets with spoofed IP source addresses.
Firewalls have always been able to filter based on an IP address, but the detection of spoofed packets involves a more subtle distinction. For example, based on a given packet's IP source address, should that packet have arrived on the interface that received it, given what the firewall knows about the routing table? An intermediate device cannot easily detect that a given packet is spoofed.
The best approach to preventing spoofing is to block spoofed packets at their source - the zombie PCs. By embedding the anti-spoofing capability directly into the PC's networking hardware/software infrastructure, the PC is prevented from using any IP address other than its statically assigned address or its DHCP-assigned address."
ConfigurationAll the firewall capabilities available are next to useless if the configuration is inaccessible or overly complicated. The new nVidia on-chip firewall is configured through your browser.