250Gb and the Hardware Firewall
NVIDIA's Gigabit Ethernet MAC - remember, you still need a physical interface, NVIDIA choosing SimpliPHY's CICADA CIS8201 part for the reference board, a 10/100/1000Mbit/sec PHY for a variety of Ethernet implementations - is the first Gigabit part to be integrated onto a main core logic bridge in a consumer chipset. With Dell about to start shipping more GigE-enabled systems than not, it appears to be an astutely timed entrance into the market. Given that the bridge has been ready for months now, it seems that timing is everything.

They've also done something rather clever with their Ethernet implementation this time around with nForce3 250, integrating a hardware firewall and hardware offload of certain expensive TCP/IP functions onto the bridge. The first revision of this article mentioned it was probable that the networking technology was licensed from 3Com. In a recent conference call, NVIDIA were keen to stress that wasn't the case. The networking controller is an NVIDIA product, using valuable experience gleaned from their work on nForce2.
And they are all the better for it. Initially sceptical, I can now appreciate its inclusion, especially since, by virtue of NVIDIA's market share, it'll hit a huge number of people. There's a massive need for easy-to-use, 'free' firewall products that are OS agnostic, to teach people basic network and system security. Anything that helps stop the proliferation of worms and the like should get the thumbs up. The key, however, is in the implementation. Too hard to activate, configure and maintain and it'll be worthless.
Pointing a web browser (or using the supplied shortcut when you install the network management software) at loopback on port 3746 gets you started, at the screen above. Clicking on each section brings it into focus, with a tree-based navigation bar on the left hand side following your choices and giving you easy shortcuts to each section, like Windows Explorer and other popular multi-pane applications.
You've got two main categories to choose from, Ethernet and Firewall. The Ethernet section configures the controller itself: link speed, VLAN/VPN settings, how much the driver uses the CPU for optimisation and which parts of the TCP/IP protocol you'd like offloaded onto the bridge. Offload is mostly limited to hardware checksumming of packets, both TCP and UDP, which is expensive to perform on the CPU. When enabled, the bridge is theoretically capable of impressive throughput increases over a similarly configured controller that needs the CPU for the same task.
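To make concrete what the bridge is taking off the CPU, here is the arithmetic behind the TCP/UDP checksum, written as an added example for this article rather than anything from NVIDIA's driver or documentation. It is the standard RFC 768/RFC 1071 calculation (ones' complement sum over an IPv4 pseudo-header plus the segment); the addresses, ports and payload are constructed sample values chosen for the illustration.

```python
import ipaddress
import struct

UDP_PROTO = 17  # IPv4 protocol number for UDP


def ones_complement_sum(data: bytes) -> int:
    """RFC 1071 checksum core: sum 16-bit big-endian words with end-around carry.

    An odd trailing byte is padded with a zero byte, as the RFC requires.
    """
    if len(data) % 2:
        data += b"\x00"
    total = 0
    for (word,) in struct.iter_unpack("!H", data):
        total += word
    # Fold carries out of bit 16 back into the low 16 bits until none remain.
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def ipv4_pseudo_header(src_ip: str, dst_ip: str, udp_length: int) -> bytes:
    """Pseudo-header that ties the checksum to the IP endpoints: src, dst, zero, proto, length."""
    src = ipaddress.IPv4Address(src_ip).packed
    dst = ipaddress.IPv4Address(dst_ip).packed
    return src + dst + struct.pack("!BBH", 0, UDP_PROTO, udp_length)


def udp_checksum(src_ip: str, dst_ip: str, segment: bytes) -> int:
    """Checksum for a UDP segment whose checksum field is currently zero."""
    total = ones_complement_sum(ipv4_pseudo_header(src_ip, dst_ip, len(segment)) + segment)
    csum = 0xFFFF - total  # ones' complement of the folded sum
    # UDP reserves 0 to mean "no checksum", so a computed 0 is transmitted as 0xFFFF.
    return csum or 0xFFFF


def build_udp(src_ip: str, dst_ip: str, sport: int, dport: int, payload: bytes) -> bytes:
    """Assemble a UDP header + payload with the checksum filled in."""
    length = 8 + len(payload)
    unchecked = struct.pack("!HHHH", sport, dport, length, 0) + payload
    csum = udp_checksum(src_ip, dst_ip, unchecked)
    return struct.pack("!HHHH", sport, dport, length, csum) + payload


def verify_udp(src_ip: str, dst_ip: str, segment: bytes) -> bool:
    """Receiver-side check: summing pseudo-header + segment (checksum included) must give 0xFFFF."""
    return ones_complement_sum(ipv4_pseudo_header(src_ip, dst_ip, len(segment)) + segment) == 0xFFFF


if __name__ == "__main__":
    # Constructed sample values, not captured traffic.
    src, dst = "192.168.1.10", "192.168.1.20"
    seg = build_udp(src, dst, 12345, 53, b"hi")
    print("checksum 0x%04X, verifies: %s" % (struct.unpack("!H", seg[6:8])[0], verify_udp(src, dst, seg)))
```

Every packet sent or received needs this loop run over its whole length, which is why the cost scales with throughput; the offload option in the driver moves exactly this work onto the bridge and lets the CPU skip it.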
It works best when you're really hammering the interface and the CPU is increasingly tied up with what's happening. The more you can get the bridge to do in those situations, especially with the firewall on the bridge and not the CPU, the more attractive it becomes. Simple wake-on-LAN, a great little technology, is something that's usually missing from consumer Ethernet hardware, whether or not the hardware and motherboard are capable of it. It's a focus with nForce3: everything WOL needs is there for you to make use of.
Hardware Firewall
The hardware firewall is the second main section. It's comprehensive, yet surprisingly easy to set up, even for cack-handed networking dunces like me. Out of the box, it's enabled; when you install the driver you choose whether to install the firewall section and if you do, it's on by default. Then your next best course of action is to choose a profile and configure it. The driver and administration application supply four such profiles, Low, Medium, High and Lockdown, each offering differing degrees of protection out of the box. You've then got three custom profiles for your own configuration, each of which you can base on one of the four default profiles.

I chose to create a new custom profile based on the Lockdown setting. It's better to batten down the hatches from the start, opening up holes only as needed, than to let a majority of stuff in and hope for the best. While you can leave things open and keep an eye on the impressive logs the software can generate, if you're keen, using the firewall to teach yourself a little basic network security is a good thing.
The interface lists loads of common ports and their descriptions, so you can easily open port ranges for things like MSN, or single ports for things like HTTP servers and email, and allow or deny both incoming and outgoing traffic on those ports.
Port forwarding and NAT seemed absent; I'm not sure they are within the remit of the firewall in nForce3, but I may just have missed the settings in the interface. If I find them, or they're due to be enabled in future revisions of the driver and configuration software, I'll be sure to update this page with details.
You can also block access to the machine by protocol type (also called EtherType), and add your own protocol types to be filtered.
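The policy model described in the last few paragraphs (a Lockdown base profile that denies everything, custom profiles that punch specific holes for incoming or outgoing ports, and an EtherType block list evaluated before any port rule) is straightforward to express as a small packet filter. The code below is an added example written for this article, not NVIDIA's driver or its configuration format; the profile contents, the `Packet` and `Rule` shapes and the sample packets are all constructed for the illustration, and the ordering (EtherType block, then first matching port rule, then profile default) is an assumption about how such a filter would be structured.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_IPX = 0x8137  # used here only as a sample non-IP protocol type to block


@dataclass(frozen=True)
class Packet:
    direction: str          # "in" (towards this machine) or "out"
    ethertype: int
    proto: Optional[str]    # "tcp", "udp" or None for non-IP frames
    port: Optional[int]     # local port for "in", remote port for "out"


@dataclass(frozen=True)
class Rule:
    direction: str          # "in", "out" or "both"
    proto: str
    ports: range            # single port == range(p, p + 1)
    action: str             # "allow" or "deny"
    note: str = ""          # human-readable description, like the port list in the UI


@dataclass
class Profile:
    name: str
    default_action: str                     # applied when no rule matches
    blocked_ethertypes: Set[int] = field(default_factory=set)
    rules: List[Rule] = field(default_factory=list)

    def derive(self, name: str, extra_rules: List[Rule]) -> "Profile":
        """Custom profile based on this one: same default and EtherType blocks, plus new rules."""
        return Profile(name, self.default_action, set(self.blocked_ethertypes), list(self.rules) + extra_rules)


def evaluate(profile: Profile, pkt: Packet) -> Tuple[str, str]:
    """Return (action, reason). EtherType blocks win, then first matching rule, then the default."""
    if pkt.ethertype in profile.blocked_ethertypes:
        return "deny", "blocked EtherType 0x%04X" % pkt.ethertype
    for rule in profile.rules:
        if rule.direction in (pkt.direction, "both") and rule.proto == pkt.proto and pkt.port in rule.ports:
            return rule.action, "rule: %s" % (rule.note or "%s %s %s" % (rule.direction, rule.proto, rule.ports))
    return profile.default_action, "profile default (%s)" % profile.name


def filter_log(profile: Profile, packets: List[Packet]) -> List[str]:
    """One log line per packet, in the spirit of the logs the firewall software generates."""
    lines = []
    for pkt in packets:
        action, reason = evaluate(profile, pkt)
        lines.append("%-5s %-3s %-4s port=%-5s %s" % (action.upper(), pkt.direction, pkt.proto or "-", pkt.port, reason))
    return lines


# Constructed profiles: Lockdown denies everything, the custom profile opens a few holes.
LOCKDOWN = Profile("Lockdown", default_action="deny")
CUSTOM = LOCKDOWN.derive("Custom 1", [
    Rule("out", "tcp", range(80, 81), "allow", "HTTP out"),
    Rule("out", "tcp", range(443, 444), "allow", "HTTPS out"),
    Rule("out", "udp", range(53, 54), "allow", "DNS out"),
    Rule("in", "tcp", range(25, 26), "allow", "SMTP server in"),
])
CUSTOM.blocked_ethertypes.add(ETHERTYPE_IPX)

SAMPLE_PACKETS = [  # constructed, not captured traffic
    Packet("out", ETHERTYPE_IPV4, "tcp", 443),
    Packet("in", ETHERTYPE_IPV4, "tcp", 80),
    Packet("in", ETHERTYPE_IPV4, "tcp", 25),
    Packet("in", ETHERTYPE_IPX, None, None),
]

if __name__ == "__main__":
    for line in filter_log(CUSTOM, SAMPLE_PACKETS):
        print(line)
```

Starting from the deny-all profile and adding allow rules, as the article recommends, means anything the author forgot to list is dropped and logged rather than silently let through; reading those deny lines is the quickest way to find out which holes a given application genuinely needs.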
The hardware firewall is an article in itself, but I will say that, initially at least, it appears to be ridiculously easy to activate and set up. I don't think even networking eejits like me should be scared; it's a good inclusion into mainstream computing hardware.