nForce3-250Gb: On-Chip Firewall

Frankly, it's a good feeling to be relatively safe behind a router in a network. Any security expert, however, will tell you that the big risk in recent days has come from infected email attachments that get through any router setup and are spread friend to friend or across a home network. Active LAN gamers also can pose high security risks because they often end up opening huge IP holes in their setup so they can play their games on-line. nVidia has tried to address these types of security risks with an on-chip firewall in nForce3-250 that can be easily configured in your internet browser.

The nVidia Firewall is a hardware-optimized solution and an integrated component of nVidia nForce media and communications processors (MCPs). Currently, the nF3-250 chipset offers the on-chip firewall, but nVidia said that they also plan to incorporate the firewall into an upcoming revision to nForce2 Ultra 400. This on-chip design eliminates potential conflicts with third-party drivers, BIOS, or hardware. nVidia tells us that they are also working with Microsoft to make certain that their on-chip firewall is fully recognized and supported in Microsoft's upcoming firewall additions to the Operating System.

Because it is native, the nVidia Firewall eliminates many issues with software conflicts, improves throughput and protection, and lowers CPU utilization. This all sounds good, but we were most interested in how you configured nVidia's firewall, since current software firewalls that are effective are usually a nightmare to configure. Even those that try to be friendly can be a genuine pain to use in the training or "rule-setup" phase.

LAN Gaming

When you look closely at the nVidia firewall, it is clear that someone in the design group understood what was wrong with most firewalls. There are several predefined levels of protection, and the assumptions that were made in defining these levels are about the same as we would make in our own configurations. You define these simple setups in your browser, but what if you're a LAN gamer with 20 games, all requiring different ports for connection? Here, nVidia had you in mind because there are a whole group of predefined games with the corresponding ports. Configuring for your LAN game is as easy as checking the game in the setup or unchecking it when you want to close an access. This is really slick, and something you don't expect in a chipset!

Anti-Hacking

The firewall also has some very interesting anti-hacking features. Most software firewalls can filter IP's just fine, but most have trouble with the kind of hacker attacks that we really see today. The hacker today most often uses a "zombie" PC generating spoofed packets, and the on-chip firewall is a hardware solution that is better able to protect against this type of hacker attack. As nVidia explains:

"A spoofed IP packet has an illegally generated value in its IP Source Address field. By using an intentionally incorrect IP address, it is possible to build certain kinds of attacks. The most notorious is a distributed denial-of-service (DDoS) attack, which is also one of the most common types of attacks that use IP spoofing. These DDoS attacks depend on two things: 1) an Internet-connected "zombie" device, often a PC, that has been compromised; and 2) the ability to command the zombie PC to send packets with spoofed IP source addresses.

Firewalls have always been able to filter based on an IP address, but the detection of spoofed packets involves a more subtle distinction. For example, based on a given packet's IP source address, should that packet have arrived on the interface that received it, given what the firewall knows about the routing table? An intermediate device cannot easily detect that a given packet is spoofed.

The best approach to preventing spoofing is to block spoofed packets at their source - the zombie PCs. By embedding the anti-spoofing capability directly into the PC's networking hardware/software infrastructure, the PC is prevented from using any IP address other than its statically assigned address or its DHCP-assigned address."


Configuration

All the firewall capabilities available are next to useless if the configuration is inaccessible or overly complicated. The new nVidia on-chip firewall is configured through your browser.



nForce3-250Gb: On-Chip Gigabit LAN nForce3-250Gb: 4-Drive SATA RAID and IDE RAID
POST A COMMENT

71 Comments

View All Comments

  • Curt Oien - Tuesday, March 23, 2004 - link

    PCI EXPRESS ? Reply
  • prisoner881 - Tuesday, March 23, 2004 - link

    There's a huge gaffe on the On-Chip Gigabit page. It states that Fast Ethernet runs at "100MB/sec" and Gigabit runs at "1000MB/sec." "MB" is shorthand for mega<i>bytes</i>, not mega<i>bits</i>. Megabits should be abbreviated "Mb."

    Normally I wouldn't be this anally-retentive, but the poor usage leads to another problem later on down the page. The article states that Gigabit Ethernet running at "1000MB/sec" is faster than the PCI bus which runs at "133MB/sec." The PCI rate figure is correct, but the Gigabit figure makes it look like Gigabit is about 8 times faster than the PCI bus itself. <i>It's not!</i> The PCI bus runs at (133Mbytes/sec X 8 bits/byte = ) 1064Mbit/sec, which faster than Gigabit. The article is very misleading in this respect.

    In truth, the PCI bus can almost never reach its peak 133MB/sec rate (usually it's around 100MB/sec) but then again Gigabit can't reach it's peak either.

    Regardless, the article is completely incorrect when it indicates a Gigabit card would overwhelm a PCI bus. This is not true.
    Reply
  • BikeDude - Tuesday, March 23, 2004 - link

    Argh... I keep forgetting that it's 1000Mbps _full duplex_... nVidia are indeed correct, the PCI bus is only half that speed. :-/

    --
    Rune
    Reply
  • BikeDude - Tuesday, March 23, 2004 - link

    First off: GB is GigaByte. Wesley wrote "GB" more than once while actually referring to Gigabit (bit has lowercase b).

    Next, 1000Mbps is roughly 125MB/s (theoretical peak I expect). 33MHz 32-bit PCI is roughly 133MB/s. I dislike PCI Gb implementations as the next guy, but I'd still like to know how nVidia managed to come up with the half speed figure? Perhaps nVidia's PCI-bus implementation is sub-par? (which is a real issue! Via has struggled with really bad PCI performance for years :-( )

    Finally there's 6-channel audio; What happened with Soundstorm and Dolby encoding implemented in hardware? (I currently use only the SPDIF connectors on my nForce2 and get surround sound both in games and while playing DVDs -- is there no way to get this functionality with Athlon64?)

    Hopefully the next article will shed some light on some of these issues. Cheers! :)

    --
    Rune
    Reply
  • KristopherKubicki - Tuesday, March 23, 2004 - link

    gigE is awesome and worth it. i dunno about the firewall but eh. 45MB/s network transfers are fun.

    Kristopher
    Reply
  • Verdant - Tuesday, March 23, 2004 - link

    schweet... when is my 16x nforce 250 mobo comming the the mail? Reply
  • klah - Tuesday, March 23, 2004 - link

    hmmm.. seems that last page was slipped in from the November SiS article. weird.

    Reply
  • Phiro - Tuesday, March 23, 2004 - link

    yeah, the SiS 755FX plug at the end was sort of a red-herring - didn't fit at all with the article, which was soley about Nvidia, it didn't need SiS's recent efforts tacked on the end at the last second.

    A couple things:

    1) to all you nay-sayers about the worth of gigabit ethernet - I thumb my nose at you! Let's not play chicken or the egg games here, let's just usher in new *desired* technology as smoothly as possible - having gigabit ethernet will push me to replace my netgear 10/100 switched hub, not the other way around.

    2) Anandtech, what's with the nvidia ass kissing? When you say things like 'Nvidia assured us.." and "We did test Nvidia's claim... [and we believe it]" - come on, a little healthy doubt is a good thing. Just because they supplied you with a reference nforce3 250 mobo doesn't mean you have to see how far you can stick your tongue up their butt. Honestly, the article felt like it leaned toward Nvidia abit. Believe it or not, you can report on a product without it sounding like some money changes hands or something.
    Reply
  • mechBgon - Tuesday, March 23, 2004 - link

    *drool* Reply
  • bldkc - Tuesday, March 23, 2004 - link

    What's with the SiS 755 crap at the end of the article? Someone didn't proof read, huh? That is also obvious in the spelling errors. Excellent article. Better than recent ones. I do wish that you had been able to include the performance portion, cuz now I'm itching to see them.
    One thing tho, how many people have several gigabit systems at home? I know I will not upgrade any of mine until they are replaced, so it will be awhile. Therefore I am not too excited at this point, especially if the high speed wireless standards work out to high enough throughput to allow real time multi-media transfers. Love the on chip firewall, but Zonealarm is still the only useful application specific solution I know of. Not that I'm an expert, I am far from it, but the Blackice debacle was seen coming long ago.
    Reply

Log in

Don't have an account? Sign up now