nForce3-250Gb: On-Chip Firewall

Frankly, it is a good feeling to be relatively safe behind a router. Any security expert will tell you, however, that the big risk lately has come from infected email attachments, which pass straight through any router setup (the mail client fetches them over an outbound connection) and then spread from friend to friend or across a home network. Active LAN gamers can also pose a high security risk, because they often end up opening large numbers of ports in their setup so they can play their games online. nVidia has tried to address these kinds of risk with an on-chip firewall in nForce3-250 that can be configured easily from your web browser.

The nVidia Firewall is a hardware-optimized solution and an integrated component of nVidia's nForce media and communications processors (MCPs). Currently only the nF3-250 chipset offers the on-chip firewall, but nVidia says it also plans to incorporate the firewall into an upcoming revision of nForce2 Ultra 400. Because the firewall lives in the chipset, it avoids potential conflicts with third-party drivers, BIOS, or add-in hardware. nVidia also tells us that it is working with Microsoft to make certain that the on-chip firewall is fully recognized and supported by the firewall additions Microsoft is planning for the operating system.

Because it is native to the chipset, the nVidia Firewall eliminates many software-conflict issues, improves throughput and protection, and lowers CPU utilization. That all sounds good, but we were most interested in how you configure nVidia's firewall, since the current software firewalls that are actually effective are usually a nightmare to set up. Even those that try to be friendly can be a genuine pain during the training or "rule-setup" phase.

LAN Gaming

When you look closely at the nVidia firewall, it is clear that someone in the design group understood what is wrong with most firewalls. There are several predefined levels of protection, and the assumptions made in defining those levels are about the same ones we would make in our own configurations. You choose these simple setups in your browser, but what if you are a LAN gamer with 20 games, each requiring different ports for connection? Here too nVidia had you in mind: there is a whole group of predefined games with their corresponding ports, and configuring for a game is as simple as checking it in the setup page, or unchecking it when you want to close that access again. This is really slick, and not something you expect from a chipset.

Anti-Hacking

The firewall also has some interesting anti-hacking features. Most software firewalls can filter on IP addresses just fine, but most have trouble with the kind of attacks we actually see today. The attacker today most often uses a "zombie" PC to generate spoofed packets, and the on-chip firewall, sitting in the network hardware itself rather than in a host application, is better placed to stop that PC from sending them in the first place. As nVidia explains:

"A spoofed IP packet has an illegally generated value in its IP Source Address field. By using an intentionally incorrect IP address, it is possible to build certain kinds of attacks. The most notorious is a distributed denial-of-service (DDoS) attack, which is also one of the most common types of attacks that use IP spoofing. These DDoS attacks depend on two things: 1) an Internet-connected "zombie" device, often a PC, that has been compromised; and 2) the ability to command the zombie PC to send packets with spoofed IP source addresses.

Firewalls have always been able to filter based on an IP address, but the detection of spoofed packets involves a more subtle distinction. For example, based on a given packet's IP source address, should that packet have arrived on the interface that received it, given what the firewall knows about the routing table? An intermediate device cannot easily detect that a given packet is spoofed.

The best approach to preventing spoofing is to block spoofed packets at their source - the zombie PCs. By embedding the anti-spoofing capability directly into the PC's networking hardware/software infrastructure, the PC is prevented from using any IP address other than its statically assigned address or its DHCP-assigned address."
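To make the two checks in nVidia's explanation concrete, here is an added example written for this article; it is not nVidia's firewall code and says nothing about how the chipset implements the feature. It parses the source address out of a raw IPv4 header and applies, first, the host-side rule the quote recommends (only the host's own statically or DHCP-assigned addresses may appear as source), and second, the "intermediate device" routing-table test the quote says is harder, as a strict reverse-path check. The addresses, the route table and the `build_ipv4` helper that fabricates test packets are all constructed for the example (RFC 5737 documentation ranges).

```python
import ipaddress
import struct
from typing import Dict, Iterable, Optional

# All addresses used below are constructed examples from the RFC 5737 ranges.


def parse_ipv4_source(packet: bytes) -> ipaddress.IPv4Address:
    """Pull the source address out of a raw IPv4 packet (no link-layer header)."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    if packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    # Bytes 12..15 of the header are the IP Source Address field.
    return ipaddress.IPv4Address(packet[12:16])


def build_ipv4(src: str, dst: str, payload: bytes = b"") -> bytes:
    """Constructed test packet: a minimal 20-byte IPv4 header (checksum left at 0)."""
    header = struct.pack(
        "!BBHHHBBH4s4s",
        0x45,                 # version 4, IHL 5 (20-byte header)
        0,                    # TOS
        20 + len(payload),    # total length
        0, 0,                 # identification, flags/fragment offset
        64,                   # TTL
        17,                   # protocol: UDP
        0,                    # header checksum (irrelevant to the source check)
        ipaddress.IPv4Address(src).packed,
        ipaddress.IPv4Address(dst).packed,
    )
    return header + payload


class HostEgressFilter:
    """The check the quote recommends: an outbound packet may only carry one of the
    addresses actually assigned to this host (static or DHCP-assigned)."""

    def __init__(self, assigned: Iterable[str]):
        self.assigned = {ipaddress.IPv4Address(a) for a in assigned}

    def allow(self, packet: bytes) -> bool:
        return parse_ipv4_source(packet) in self.assigned


class ReversePathFilter:
    """The intermediate-device check: accept a packet on an interface only if the
    longest-prefix route for its source address points back out that same
    interface (strict reverse-path forwarding)."""

    def __init__(self, routes: Dict[str, str]):
        # routes maps prefix -> outgoing interface, e.g. {"192.168.1.0/24": "lan0"}
        self.routes = sorted(
            ((ipaddress.IPv4Network(prefix), iface) for prefix, iface in routes.items()),
            key=lambda r: r[0].prefixlen,
            reverse=True,  # longest prefix first
        )

    def best_interface(self, addr: ipaddress.IPv4Address) -> Optional[str]:
        for net, iface in self.routes:
            if addr in net:
                return iface
        return None

    def allow(self, packet: bytes, ingress_iface: str) -> bool:
        return self.best_interface(parse_ipv4_source(packet)) == ingress_iface


if __name__ == "__main__":
    host = HostEgressFilter(["192.168.1.10"])
    print(host.allow(build_ipv4("192.168.1.10", "203.0.113.5")))   # True
    print(host.allow(build_ipv4("198.51.100.7", "203.0.113.5")))   # False: spoofed source
```

The host filter is a one-line set membership test, which is why the quote argues it belongs at the source: the PC knows exactly which addresses it holds. The router-side check is weaker by construction: with a default route in the table, anything not covered by a more specific prefix is attributed to the WAN interface, so a LAN host forging an outside address is caught, but the same strict test also drops legitimate traffic wherever routing is asymmetric, which is the reason real routers offer a "loose" mode that only asks whether any route to the source exists.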


Configuration

All of the firewall's capabilities are next to useless if the configuration is inaccessible or overly complicated. The new nVidia on-chip firewall is configured through your web browser.


71 Comments

  • prisoner881 - Tuesday, March 23, 2004 - link

    #18, I know it's full duplex, but even then you will have a hard time getting full utilization under normal working conditions. Benchmarks are designed to run things at unrealistic rates. The point is, although I don't encourage it, you can certainly put Gigabit on the PCI bus and get very usable performance out of it. In most cases, the limiting factor is going to be CPU utilization anyway.
  • JADS - Tuesday, March 23, 2004 - link

    External HDDs could make good use of a Firewire connection, especially now it is whizzing along at 800MBit/s.

    The multi CPU implementation sounds interesting, of course AMD will completely fail to capitalise on it by not making the FX dual processor capable. How many enthusiasts (AMD wise) could resist the chance of dual FX-53s, especially with the possibility of overclocking them? You have the distinction between the 2xx series and the FX due to the removal of ECC/Registered memory in the FX 939 series, so they essentially serve two different markets.
  • sprockkets - Tuesday, March 23, 2004 - link

    Why would you need firewire with USB2? OK, ipod and camcorders.

    I have one question. Since you use a browser to configure the firewall, does this mean it is OS independent, i.e., I can use it in Linux without needing drivers to run it?
    Soundstorm not present on here, oh well, almost all uATX boards had the MCP and not MCP-T so it didn't matter anyhow, and it doesn't work in Linux anyhow. VIA sound is troublesome in Linux too. I'd rather use my own sound card. Just hope there is a driver for the cool LAN adapter.
  • Wesley Fink - Tuesday, March 23, 2004 - link

    #10 -
    LAN is Duplex. Gigabit on PCI with overhead can do about 820mb/sec in industry standard tests. nVidia's on-chip LAN could output about 1840 mb/sec in the benchmarks we have seen. This is more than twice as fast IF you have a source that can actually output 1GB in both directions.

    #11 -
    PCI Express will be seen on Intel boards very soon. AMD boards will not move as rapidly to the Intel PCI Express standard.

    #12 -
    Firewire is not on-chip. Undoubtedly many mfgs will add firewire with an additional chip on-board nF3-250.
  • fla56 - Tuesday, March 23, 2004 - link

    ''No one can possibly complain about the feature-set of nForce3-250''

    to add my vote to what's already been said, no firewire for my iPod and no SoundStorm/DolbyDigital for that lovely Yamaha amp I just bought mean I think someone needs to calm down a little about all that excitement (and learn a little about the difference between megabits and bytes by the sound of things)

    i wonder if they'll release Soundstorm as a PCI eXpress card....
  • Reflex - Tuesday, March 23, 2004 - link

    #8: Actually, to date nVidia has had a *very* troublesome PCI implementation, anyone with a PCI RAID controller and a 4 disk RAID 0 array can tell you that. It is so bad, in fact, that prototype NF3-150 boards for Opteron used AMD PCI chips just to avoid using the nForce3 integrated PCI bus. I am not certain if these boards ever reached production status however.

    As for this chipset, it looks nice, but honestly I'll wait until there is a PCI Express solution out there, I was just forced due to power problems destroying my equipment to upgrade my motherboard prematurely, and I don't intend to buy another until the next wave of features is available...
  • DAPUNISHER - Tuesday, March 23, 2004 - link

    Keep your eyes open for my AN50R listing for sale at rock bottom pricing in the FS/FT forum when the 250 is on shelves :D
  • fla56 - Tuesday, March 23, 2004 - link

  • prisoner881 - Tuesday, March 23, 2004 - link

    Looks like another error on the "Conclusion" page. Last sentence, second paragraph says "We expect that some enterprising companies, which specializes in catering to the computer enthusiast, will slip in some Socket 954 boards based on the Ultra chipset with a Gigahertz HyperTransport."

    Socket 954? Methinks that ought to be Socket 754.
  • arswihart - Tuesday, March 23, 2004 - link

    What about firewire connectors, do you guys think they'll be added to production boards?
