After being a hardware tech for nearly ten years, I’ve seen plenty of debates over hardware vs. software solutions, Dizzy. And just because something wasn’t done earlier doesn’t mean it’s something to be skeptical of; in 1890, horseless carriages “hadn’t been done earlier”. Technology advances, and new products appear. Memory technology, for example, has increased leaps and bounds in the past decade, and so have CPUs. Why weren’t they done earlier? At least in part, because the fab technology wasn’t available to create such a complex design on such a small surface area, and software wasn’t complex enough to drive demand. In the case of firewalls, up until the late ’90s, broadband internet was a rarity at home, and people didn’t need security the way they need it now.
Truth be told, people have done hardware firewalls earlier, just not in the way NVidia does. The Cisco PIX, for example, is just one version of a hardware firewall, and there are others, though up until now they have been restricted to the enterprise due to being cost prohibitive for a small home network. Plenty of people build a box running Linux just to serve as a router/firewall/etc. If one built this same self-contained OS and firewall into a chip, or an intelligent box (and of course, this has already been done), what would there be to be skeptical of, as they have already been proven? Firewalls, after all, are no longer rocket science, used mainly as intelligent port blockers under user control, with more advanced firewalls also being able to detect types of malformed packets and specific types of web attacks.
Since not all of us have dedicated hardware to make into a firewall (or limitless funds to pay for the electrical bills that the additional hardware brings), a hardware firewall built onto a mainboard is a pretty doggone good idea, IMO. Done properly, it can be OS independent, administered either through a remote web interface or through other configuration means (possibilities including the BIOS setup, or multiplatform software such as a Java applet). This part is only for the administration, of course, which is how many enterprise web appliances are today (web content filters, proxy servers, and the like), as the firewall would operate independently of them once configured. Since the firewall is not dependent on the OS, it is on regardless of whether the OS is fully loaded or not. Those of us who have had to cure several hundred machines of Sasser, MSBlast.32, or the Nachi worm know how big a deal this is, as these worms can strike the moment they find an open machine, when a software firewall may not have fully loaded up (note: Windows XP Service Pack 2 is supposed to improve upon this flaw, but I’ll wait to see how well it works in practice). Because the firewall is in hardware, it also will not take up CPU time or memory resources, another big plus. It is less likely that a hacker could design a trojan to defeat it as well, something that happened recently to ISS’s BlackIce Defender when a former disgruntled employee coded a program to kill it (patches were subsequently released).
I haven’t seen a whole lot of testing on software firewall solutions, let alone NVidia’s hardware firewall; however, you can bet any vulnerability would be quite a bit of bad press for NVidia. No matter how good any firewall is, there is no perfect firewall. But I’d rather have one implemented in hardware for all the reasons listed above.
P.S. None of this is a knock on you, Dizzy... I hope, if anything, you consider this a debate, not an argument.
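The post above describes a firewall as an "intelligent port blocker under user control" that additionally drops malformed packets and stays in force regardless of what the OS has loaded. The following is an added example, not code from the post or from any NVidia or Cisco product, that shows the core of such a filter: an ordered rule list with first-match-wins semantics and a default-deny fallback, plus a malformed-packet check run before any rule is consulted. The rules, addresses and packets are all constructed sample data; the LAN range 192.168.1.0/24, the public address 203.0.113.5 and the restriction of ports 135 and 445 to the LAN are assumptions chosen for illustration.

```python
"""Minimal rule-based packet filter (added illustration; not from the original
post or any vendor product).  All rules, addresses and packets are constructed."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import FrozenSet, List, Optional


@dataclass(frozen=True)
class Packet:
    src: str                      # source IPv4 address
    dst: str                      # destination IPv4 address
    proto: str                    # "tcp" or "udp"
    dport: int                    # destination port
    flags: FrozenSet[str] = field(default_factory=frozenset)  # TCP flag names


@dataclass(frozen=True)
class Rule:
    action: str                   # "allow" or "deny"
    proto: str = "any"            # "tcp", "udp" or "any"
    src: str = "0.0.0.0/0"        # source network in CIDR notation
    dport: Optional[int] = None   # None matches any destination port

    def matches(self, pkt: Packet) -> bool:
        """A rule matches only when every one of its criteria matches."""
        if self.proto != "any" and self.proto != pkt.proto:
            return False
        if ip_address(pkt.src) not in ip_network(self.src):
            return False
        if self.dport is not None and self.dport != pkt.dport:
            return False
        return True


def is_malformed(pkt: Packet) -> bool:
    """Flag TCP packets whose header could never occur in a legitimate session:
    no flags set at all, or SYN and FIN set together."""
    if pkt.proto != "tcp":
        return False
    if not pkt.flags:
        return True
    return {"SYN", "FIN"} <= pkt.flags


def evaluate(pkt: Packet, rules: List[Rule]) -> str:
    """Drop malformed packets first; otherwise the first matching rule decides.
    With no matching rule the packet is denied (default deny)."""
    if is_malformed(pkt):
        return "deny"
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return "deny"


# Constructed policy: the LAN is assumed to be 192.168.1.0/24.  Web traffic is
# accepted from anywhere; the Windows RPC and file-sharing ports are reachable
# only from the LAN; everything else falls through to default deny.
SAMPLE_RULES = [
    Rule("allow", proto="tcp", dport=80),
    Rule("allow", proto="tcp", src="192.168.1.0/24", dport=135),
    Rule("allow", proto="tcp", src="192.168.1.0/24", dport=445),
]

# Constructed packets.  203.0.113.5 stands in for an arbitrary internet host.
SAMPLE_PACKETS = {
    "web_from_internet":   Packet("203.0.113.5", "192.168.1.10", "tcp", 80, frozenset({"SYN"})),
    "smb_from_internet":   Packet("203.0.113.5", "192.168.1.10", "tcp", 445, frozenset({"SYN"})),
    "smb_from_lan":        Packet("192.168.1.20", "192.168.1.10", "tcp", 445, frozenset({"SYN"})),
    "rpc_from_internet":   Packet("203.0.113.5", "192.168.1.10", "tcp", 135, frozenset({"SYN"})),
    "syn_fin_to_web":      Packet("203.0.113.5", "192.168.1.10", "tcp", 80, frozenset({"SYN", "FIN"})),
    "null_flags_to_web":   Packet("203.0.113.5", "192.168.1.10", "tcp", 80, frozenset()),
    "dns_udp_unlisted":    Packet("203.0.113.5", "192.168.1.10", "udp", 53),
}


def run_sample() -> dict:
    """Evaluate every constructed packet against the constructed policy."""
    return {name: evaluate(pkt, SAMPLE_RULES) for name, pkt in SAMPLE_PACKETS.items()}


if __name__ == "__main__":
    for name, decision in run_sample().items():
        print(f"{name:20s} -> {decision}")
```

The ordering matters: the malformed check runs before the rule list so that a packet on an allowed port cannot slip through with an impossible flag combination, and the trailing default deny is what makes an unlisted port (the UDP 53 packet here) closed rather than open.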