
Cores or clock speed: which is important in a CPU for IPS (Snort) with 1 Gbps Internet bandwidth?

So I have recently moved to a fiber internet connection with 1 Gbps internet speed, and I am facing issues with the internet being throttled/capped if I enable IPS. I do get a good 900 Mbps+ up and down if I turn off IPS. It's only throttling when I turn it on. I have it turned off for now, and feel very unsafe. Hence I'm willing to spend to get this back on.

I understand that I will need a powerful CPU (probably quad core or more)? Some places I've read it should be 8 cores? And in fact a few threads here recommend better clock speed.

I am so confused.. What's the final verdict... what kind of CPU do I need if I need to keep the IPS enabled and still be able to obtain 1 Gbps bandwidth at home?

Please note.. this is a home connection; at any time only one or two users are connected. Hence I'd like to have the entire 1 Gbps bandwidth on one PC, not distributed over other users (as there are none).

I was looking at these three CPUs with 8 or more cores and a decent 3.2+ GHz speed (if that's what will make it work),

it's the Intel Core i7-5960X or i7-7820X or the expensive i7-6900K. I understand AMD doesn't go well for this kind of setup.

Are these my only options? Anything else?

 

P.S. I have Sophos installed on dedicated hardware, and don't plan to virtualize it... so no VM for me for Sophos.

 

I was reading...
"Snort is essentially single-threaded, which means that out of the box it doesn’t make effective use of multiple CPUs (technically there is more than one thread in a snort process, but the others are used for housekeeping tasks that don’t require much CPU power, not for scaling traffic analysis across multiple CPUs). As of August 2011, Snort on a single-CPU can be tuned to examine 200-500Mbits/sec, depending on the size of the ruleset used."

So 4 or 8 cores doesn't make sense, right? How do I get 1 Gbps on a single connection then with IPS enabled?



  • Indeed, Snort is single core, so every connection will only ever use 1 thread. Multiple sessions at the same time can use multiple threads though.

    What you need for the best possible single-core performance is a processor with the highest possible clock speed, so it is not the number of cores that is important for Snort but the individual core speed. I don't know if there is a CPU that will effectively handle 1 Gbps IPS throughput on a single session though.


    Managing several Sophos firewalls both at work and at some home locations, dedicated to continuously improve IT-security and feeling well helping others with their IT-security challenges.

  • Try this..

     

    su root

    cat /proc/cpuinfo  (this confirms the number of installed CPUs).

    cc get ips num_instances  (this confirms the current setting).

    cc set ips num_instances x  (where x is the number of CPUs installed in your UTM).

    /var/mdw/scripts/snort restart  (the command to restart Snort).

  • Jens Heidling said:

    Try this..

     

    su root

    cat /proc/cpuinfo  (this confirms the number of installed CPUs).

    cc get ips num_instances  (this confirms the current setting).

    cc set ips num_instances x  (where x is the number of CPUs installed in your UTM).

    /var/mdw/scripts/snort restart  (the command to restart Snort).

     

    Still, even if you have 4 (or 8) cores enabled, every session will only ever use 1 core. For this to have maximum speed, the highest possible clock speed is necessary.


    Managing several Sophos firewalls both at work and at some home locations, dedicated to continuously improve IT-security and feeling well helping others with their IT-security challenges.
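    The counting step of the procedure quoted in this reply (and in Jens Heidling's post above), written out as an added POSIX shell example that is not from the thread and not a Sophos tool: it counts the logical CPUs in a /proc/cpuinfo-style listing, reports the highest per-core clock it sees (the figure the replies say bounds a single IPS session), and prints the exact `cc set ips num_instances x` line to run on the UTM afterwards. The cpuinfo content embedded below is constructed; the `cc` command is printed rather than executed, so the script can be checked on any machine. It goes slightly beyond the reply by treating an empty or unreadable listing as 1 instance rather than emitting `num_instances 0`.

```shell
#!/bin/sh
# Added example, not from the thread or from Sophos UTM's own tooling.
# Reproduces the "cat /proc/cpuinfo" step: count logical CPUs, report the
# fastest clock seen, and build the `cc set ips num_instances x` line.
# The cc command is only printed here, never executed.

# Constructed sample of /proc/cpuinfo output (4 logical CPUs at 3.3 GHz),
# so the script runs without needing the real file.
SAMPLE_CPUINFO='processor : 0
model name : Intel(R) Core(TM) i3 CPU @ 3.30GHz
cpu MHz : 3300.000
processor : 1
model name : Intel(R) Core(TM) i3 CPU @ 3.30GHz
cpu MHz : 3292.117
processor : 2
model name : Intel(R) Core(TM) i3 CPU @ 3.30GHz
cpu MHz : 3300.000
processor : 3
model name : Intel(R) Core(TM) i3 CPU @ 3.30GHz
cpu MHz : 3299.856'

# Number of logical CPUs: one "processor : N" line per CPU.
# grep -c exits 1 when nothing matches but still prints 0, so keep going.
count_cpus() {
    printf '%s\n' "$1" | grep -c '^processor' || true
}

# Highest "cpu MHz" value in the listing, as an integer. Per the replies,
# this per-core figure, not the core count, bounds one IPS session.
max_cpu_mhz() {
    printf '%s\n' "$1" | awk -F: '/^cpu MHz/ { v = $2 + 0; if (v > m) m = v } END { printf "%d\n", m }'
}

# Instances to configure: one per CPU, as the reply recommends.
# A listing with no processor lines yields 1, the safe minimum.
recommend_instances() {
    n=$(count_cpus "$1")
    if [ "$n" -lt 1 ]; then n=1; fi
    echo "$n"
}

# The line to paste into the UTM shell after `su root`.
ips_set_command() {
    printf 'cc set ips num_instances %s\n' "$(recommend_instances "$1")"
}

# Use the real file when readable, otherwise the constructed sample.
if [ -r /proc/cpuinfo ]; then
    CPUINFO=$(cat /proc/cpuinfo)
else
    CPUINFO=$SAMPLE_CPUINFO
fi
echo "logical CPUs : $(count_cpus "$CPUINFO")"
echo "max core MHz : $(max_cpu_mhz "$CPUINFO")"
echo "run on UTM   : $(ips_set_command "$CPUINFO")"
```

    After running this on the UTM itself, restart Snort with the `/var/mdw/scripts/snort restart` step from the reply so the new instance count takes effect.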

  • Thanks for your reply, apijnappels

    So I need to go with a CPU that is over 3.5 GHz or even 4 GHz speed? Don't think Xeons are capable of that, but yes, there are a few Skylakes and Haswells that are even beyond 4 GHz.

    It's weird, Sophos is not doing anything about Snort, as in adding multi-thread support etc.. 1 Gbps internet bandwidth is getting so mainstream now.

  • Clock speed is only important if you have 1 Gbit/s Internet access and only 1 user uses the whole bandwidth.

    Otherwise it's the amount of cores.

  • You've already gotten good advice here.  I would only add that if you are the only person on your ISP connection you would want a single core and to use Exceptions to facilitate streaming and downloading from known-safe locations.  If it's just two of you, a dual core will suffice.  Even if you have more than four devices that will be doing streaming or high-volume downloading simultaneously, a quad core 3+ GHz will let you fill the pipe.  I don't have personal experience with this, it's just information I've gathered from posts here.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • OK, so I will try to grab an i3 processor with quad core and 3.3 GHz or above clock speed.. will fill y'all back in with the results.