NVIDIA nForce 4 Series Preview - PAGE 3
Terren Tong - Tuesday, October 19th, 2004

The NVIDIA Firewall

The 250Gb implementation of the NVIDIA firewall was hardware optimized, not strictly hardware based. The big advantage was that it was well integrated with the GbE controller and that the firewall was initialized like a driver, leaving no window in which the computer is vulnerable, unlike software firewalls, which are loaded after Windows starts. Here is a short quote describing the firewall on the 250Gb:

The NVIDIA Firewall is a "native" hardware-optimized solution and an integrated component of NVIDIA nForce media and communications processors (MCPs) with NVIDIA Gigabit Ethernet technology. This design feature eliminates potential conflicts with third-party drivers, BIOS, or hardware. And because it is native, NVIDIA Firewall eliminates interoperability issues, improves throughput and protection, and lowers CPU utilization.

The processor is still responsible for processing the network information. Regardless, NVIDIA claims lower CPU utilization and higher data throughput with this setup compared with a software firewall. This same basic hardware-optimized solution is found on the basic nForce 4. With the Ultra and SLI versions, however, NVIDIA will introduce ActiveArmor.

ActiveArmor is more than just a hardware-optimized firewall. This time around, there is memory on the MCP unit, which allows parsing of firewall rules to take place on the MCP of the nForce 4 Ultra and SLI. In addition to the same superior throughput offered by the original NVIDIA firewall, there should be a significant reduction in CPU usage by the firewall, as there is a full firewall table parser implementation in the chipset.

NVIDIA claims roughly a 65% reduction in processor usage with ActiveArmor compared to a software solution. TCP/IP, the networking protocol backbone of the Internet, works by applications requesting ports on which to communicate. Examples include port 80 for your basic webpage (HTTP) connection, port 21 for FTP or port 27015 for everyone's favorite online game, Counter-Strike.


Software solution on the left, ActiveArmor solution on the right

From the diagrams that NVIDIA has provided, it looks like any connection that is not defined in the firewall will get passed to the CPU, where a check is done and the firewall rules table is subsequently updated.

There are also limits to the number of offloaded connections that the MCP unit can handle, meaning that at a certain point, some of the ports will need to be handled by the CPU. NVIDIA was not specific on exactly how many connections the MCP can handle before it starts off-loading to the CPU, but I imagine that most desktop users should not run into this problem.
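
The miss-then-install behaviour and the table limit described above can be sketched as a small simulation. This is an added example, not NVIDIA's or the article's code; the table capacity, the allowed-port rule set and the choice to leave overflow flows on the CPU without eviction are assumptions, since NVIDIA did not publish them, and the flows are constructed sample data.

```python
from dataclasses import dataclass, field

# Assumed rule set: allow only the ports the article names (HTTP, FTP, Counter-Strike).
ALLOWED_PORTS = {80, 21, 27015}

# Constructed sample flows (src_ip, src_port, dst_ip, dst_port): four HTTP, one telnet.
SAMPLE_FLOWS = [("192.0.2.10", 40000 + i, "198.51.100.5", 80) for i in range(4)]
SAMPLE_FLOWS.append(("192.0.2.10", 50000, "198.51.100.5", 23))


@dataclass
class OffloadFirewall:
    capacity: int                               # assumed on-chip table size
    table: set = field(default_factory=set)     # flows the MCP handles by itself
    offloaded: int = 0                          # packets matched on the MCP
    cpu_checks: int = 0                         # packets that needed the host CPU

    def handle(self, flow):
        """Return (verdict, path) for one packet of `flow`."""
        if flow in self.table:                  # hit: no CPU involvement
            self.offloaded += 1
            return "allow", "mcp"
        self.cpu_checks += 1                    # miss: CPU evaluates the rules
        if flow[3] not in ALLOWED_PORTS:
            return "drop", "cpu"                # denied flows are never installed
        if len(self.table) < self.capacity:
            self.table.add(flow)                # CPU updates the on-chip table
        return "allow", "cpu"                   # table full: flow stays on the CPU


def run(capacity, flows, packets_per_flow):
    """Send packets round-robin; return (offloaded, cpu_checks)."""
    fw = OffloadFirewall(capacity)
    for _ in range(packets_per_flow):
        for flow in flows:
            fw.handle(flow)
    return fw.offloaded, fw.cpu_checks


if __name__ == "__main__":
    for cap in (2, 8):
        print(cap, run(cap, SAMPLE_FLOWS, 3))
```

With a table smaller than the number of allowed flows, the overflow flows and every denied packet keep costing a CPU check, which is the condition the article expects only under very high connection counts.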

Any reduction in CPU overhead is a good thing. In real-world usage scenarios, the benefits of the hardware parser should be apparent in very high traffic situations. There is no doubt that the 250Gb firewall was an attractive feature for the end user, and ActiveArmor should be as popular as its predecessor.


Article Index

1. Introduction
2. Scalable Link Interface (SLI)
3. The Secure Networking Engine - ActiveArmor
4. Storage Technology
5. nTune
6. Soundstorm, Pricing, Conclusions
