nForce3-250Gb: On-Chip Firewall

Frankly, it's a good feeling to be relatively safe behind a router in a network. Any security expert, however, will tell you that the big risk in recent days has come from infected email attachments that get through any router setup and are spread friend to friend or across a home network. Active LAN gamers also can pose high security risks because they often end up opening huge IP holes in their setup so they can play their games on-line. nVidia has tried to address these types of security risks with an on-chip firewall in nForce3-250 that can be easily configured in your internet browser.

The nVidia Firewall is a hardware-optimized solution and an integrated component of nVidia nForce media and communications processors (MCPs). Currently, the nF3-250 chipset offers the on-chip firewall, but nVidia said that they also plan to incorporate the firewall into an upcoming revision to nForce2 Ultra 400. This on-chip design eliminates potential conflicts with third-party drivers, BIOS, or hardware. nVidia tells us that they are also working with Microsoft to make certain that their on-chip firewall is fully recognized and supported in Microsoft's upcoming firewall additions to the Operating System.

Because it is native, the nVidia Firewall eliminates many issues with software conflicts, improves throughput and protection, and lowers CPU utilization. This all sounds good, but we were most interested in how you configured nVidia's firewall, since current software firewalls that are effective are usually a nightmare to configure. Even those that try to be friendly can be a genuine pain to use in the training or "rule-setup" phase.

LAN Gaming

When you look closely at the nVidia firewall, it is clear that someone in the design group understood what was wrong with most firewalls. There are several predefined levels of protection, and the assumptions that were made in defining these levels are about the same as we would make in our own configurations. You define these simple setups in your browser, but what if you're a LAN gamer with 20 games, all requiring different ports for connection? Here, nVidia had you in mind because there are a whole group of predefined games with the corresponding ports. Configuring for your LAN game is as easy as checking the game in the setup or unchecking it when you want to close an access. This is really slick, and something you don't expect in a chipset!

Anti-Hacking

The firewall also has some very interesting anti-hacking features. Most software firewalls can filter IP's just fine, but most have trouble with the kind of hacker attacks that we really see today. The hacker today most often uses a "zombie" PC generating spoofed packets, and the on-chip firewall is a hardware solution that is better able to protect against this type of hacker attack. As nVidia explains:

"A spoofed IP packet has an illegally generated value in its IP Source Address field. By using an intentionally incorrect IP address, it is possible to build certain kinds of attacks. The most notorious is a distributed denial-of-service (DDoS) attack, which is also one of the most common types of attacks that use IP spoofing. These DDoS attacks depend on two things: 1) an Internet-connected "zombie" device, often a PC, that has been compromised; and 2) the ability to command the zombie PC to send packets with spoofed IP source addresses.

Firewalls have always been able to filter based on an IP address, but the detection of spoofed packets involves a more subtle distinction. For example, based on a given packet's IP source address, should that packet have arrived on the interface that received it, given what the firewall knows about the routing table? An intermediate device cannot easily detect that a given packet is spoofed.

The best approach to preventing spoofing is to block spoofed packets at their source - the zombie PCs. By embedding the anti-spoofing capability directly into the PC's networking hardware/software infrastructure, the PC is prevented from using any IP address other than its statically assigned address or its DHCP-assigned address."


Configuration

All the firewall capabilities available are next to useless if the configuration is inaccessible or overly complicated. The new nVidia on-chip firewall is configured through your browser.



nForce3-250Gb: On-Chip Gigabit LAN nForce3-250Gb: 4-Drive SATA RAID and IDE RAID
POST A COMMENT

71 Comments

View All Comments

  • arswihart - Monday, April 5, 2004 - link

    In response to #19 sprockkets, sorry this is such a late response, I just checked for responses to my original post. The reason I want Firewire is for Audio Interface purposes, everything from the new Hercules Firewire audio device to Yamaha's MLAN 01X use fireware. Not everything of course, but Firewire is getting very pervasive in pro audio. Reply
  • draven31 - Saturday, March 27, 2004 - link

    note that the S/PDIF spec says that a 'fiber'interface is available... that is a optical S/PDIF. TOSLINK is a type od S/PDIF optical connector. Reply
  • Reflex - Saturday, March 27, 2004 - link

    It really depends on if gaming is your primary use of sound. An Audigy is good for gaming, PEROID. Music affecianado's need not apply. Furthermore, Creative has never really fixed their PCI bus bandwidth issues(possibly will become irrelevant with PCI Express), and can be problematic with other devices due to a crappy ACPI implementation.

    Your diss on the Envy also pretty much ignores its roots in the high end. It is not software audio. It does not do everything that the Audigy does for *gaming* in hardware, but for other functions its all in hardware. It is the ONLY card on the market that not only meets its specs, it exceeds them. The Audigy falls significantly short in several areas(signal to noise, and remember the original Audigy only had 19bit sound despite their 24bit claims, no idea if they fixed that on the Audigy 2 or not).

    For someone serious about sound, an Audigy is not a choice. For a pure gamer, it is an option(although honestly the difference between it and a Envy based solution is negligible). In gaming the Audigy has slightly less CPU utilization and a few more effects, but the sound quality is mediocre at best.

    Personally I do not find that the few effects it adds are worth the downsides of Creative cards. Also, I am more likely to listen to music on my PC than play games, although I do game occasionally. Soooooo....Creative is a poor choice in *my* situation. Your mileage may vary.
    Reply
  • Odeen - Saturday, March 27, 2004 - link

    In the great words of Woody Paige, "How many times do I have to straighten you guys out?"

    Soundstorm:
    Great DSP (which only matters for 3d sound rendering), and has absolutely NO impact on the audio quality, that's the job of the codec chip. Since ALL motherboard manufacturers insist on using the piss-poor Realtek ALC650 chip to do the sound output, the sound quality suffers.

    To see what Soundstorm can REALLY do, check out the Asus A7N266-C, which put 5.1 out on an ACR card that featured a Sigmatel codec, not the ALC650. By moving the analog part of the implementation away from the motherboard, and using quality analog parts, the sound quality (i.e. noise / frequency response / dynamic range)was greatly improved.

    Dolby Digital encoding:
    Don't forget that DD is COMPRESSED. You can't fit six channels of even 16bit/44.1khz audio into a single SPDIF stream. By utilizing DD, you're taking this nice audio generated for you and mp3'ing it on the fly.

    3DSoundSurge.com reviewed the Soundstorm APU and found that the Dolby Digital generated was just six independent streams compressed and "wrapped into" a DD stream. Things like joint stereo weren't utilized at all to share audio information between channels in order to raise the effective bitrate (i.e. if I use 1/2 the bandwidth to describe what's common between two channels, and 1/4 the bandwidth to describe the differences for each channel, then each channel uses an effective 75% bandwidth, instead of just 50%. Ceteris paribus, bitrate = kwalitee. So, DD encoding is a neat idea, but it's a flawed one.
    That said, why not just integrate six or eight digital outputs on a soundcard using VersaJacks? That way, we harness just the 3D audio rendering power of Soundstorm but leave the analog part to external DACs and amplifiers that are chosen by the user.

    It would eliminate the single-cable convinience, but you'd be getting bit-perfect digital output, and it'd be up to the user to pick the DACs and amps he likes. Unfortunately, there don't seem to be any receivers with multichannel digital inputs, but a man can dream of optimal solutions, can't he? :)

    That said, a gamer should still have an Audigy. Since every game out there now uses some form of EAX, you get the best results from using hardware that was designed to support that API, not third-party hardware using someone else's drivers (e.g. Sensaura)

    Speaking of 3D audio rendering, the Via Envy SUCKS. You guys need to realize that Via Envy is just a C-Media 8738 with 7.1 and nice DACs. It's SOFTWARE AUDIO, people, it's AC'97 that sounds a little better than most. It's an eight channel, 24/192- and 24/96-supporting Sound Blaster freakin' Pro! Not that there's anything wrong with that, but, again, all things being equal, playing an EAX-supporting game will have an Audigy2-equipped machine in front, followed by the Soundstorm-equipped machine, followed by a Via Envy-equipped machine.

    Finally, firewire.
    Firewire = good. Chipset-level firewire = gooder. Keep in mind that Firewire has bus-mastering capability, whereas with USB and USB2, the CPU has to handhold every bit going across the bus. Do you really want your shiny new Athlon64 playing crossing guard with USB2 streams, or would you rather have the bits maneuver themselves across independently? Thought so :)

    Chipset-level firewire is good for a simple reason that you only have 133MB/sec maximum theoretical bandwidth. A 400Mb/sec (or 50MB/sec) can eat up to half of your practical PCI bandwidth. Whereas, if it IS integrated, you're only taxing the intra-chipset bandwidth, which is plentiful on A64 boards, and has been plentiful ever since we've gone away from using the PCI bus as the NB/SB interconnect (i.e. the AMD 760 chipset on the AMD side and the Intel BX, which were the last two chipsets to do that).

    WHEW.
    Reply
  • Reflex - Saturday, March 27, 2004 - link

    Whoops, you are correct, I was getting SPDIF mixed up with Toslink cables. My mistake. Heh, I do make those occasionally it seems.

    My point was about the optical Toslink cables, not the digital output itself. However, all that aside, the Soundstorm is still a very low quality integrated sound solution...
    Reply
  • Foxbat121 - Friday, March 26, 2004 - link

    Please check this link for S/PDIF information:
    http://www.mtsu.edu/~dsmitche/rim420/materials/Int...
    Reply
  • Foxbat121 - Friday, March 26, 2004 - link

    #64,

    I don't know what you're talking about. SPDIF is not an optical output. And you don't use optical cable at all. There is also no converter. You ran a coax cable directly from sound card to your receiver's coax input. And it's all digital. There will be no signal loss even if you convert them. However, if you're talking about the different sample rate that causes sound quality issue due to the re-sampling, that is true for most SPDIF ports on board or on sound cards. But that has much to do with the design of the sound card rather than anything else.
    Reply
  • Reflex - Friday, March 26, 2004 - link

    #62: If you are going from an optical output to a coax input, you *are* converting the signal. In a straight optical to optical link, it is being converted first inside the source device and again on the reciever. So yes you are converting the signal. Reply
  • Foxbat121 - Friday, March 26, 2004 - link

    #56,

    While it is true that most people do not base their mobo purchase decision on APU capability, however when it comes to use the PC as HTPC or simply want to play games on your big screen HDTV, the DD real-time encoding plays a big role on chose which mobo to be in your HTPC. Instead of have to connect 3 analog sound wires and pay big $$ to have a receiver to support multi-channel analog input, you can use a SPDIF/Coax digital connection to get all your sound (desktop, game and DVDs) from PC to the HT.
    Reply
  • Foxbat121 - Friday, March 26, 2004 - link

    #58,

    SPDIF is compatible with coax and all you need is a mono mini-jack to RCA adapter so that you can connect it directly to your coax input on the receiver. There is no double conversion needed. I believe that how most people connect their PC to the receiver.
    Reply

Log in

Don't have an account? Sign up now