
Need Some Hardware Advice for Advanced Home Network

Hello,

I am new to the Sophos XG platform and looking for some advice. Here is my situation:

· Usage will be in a home. But I work in IT and use my home as a lab / PoC environment, mostly to further my own knowledge about IT systems

· I am planning to add several IoT devices over the next year

· Previous two bullets will put me up near 50 devices at times, but I can potentially get creative (e.g., double-NAT some of them so that Sophos XG does not see the IP address on the network)

· Current Internet connection is 50/10. Looking to upgrade this as soon as I have a more-scalable router/firewall in place

· AT&T is installing fiber in my neighborhood, and so I want a firewall/router that can scale to at least 1 Gbps. As I understand it, to guarantee decent real-world speeds of 1 Gbps, you should find a router/firewall that states “on paper” that it can push at least twice that – 2 Gbps

· I have a site-to-site VPN connection with a coworker’s house, to extend the lab/PoC environment when needed. I may also want to set up a site-to-site VPN with Azure soon

· I use client-to-site VPN (Cisco AnyConnect) and need similar functionality

· I am interested in the next-gen firewall features of the Sophos XG platform, but I do not necessarily consider them “required”. The most interesting feature would be blocking of ads/malware/phishing sites through web proxy/content filtering. But I do not have these kinds of features today

· I have a cellular modem, intended for back-up Internet. I have some home security stuff and am just trying to ensure that if someone cuts my Internet line, they cannot take out my security system

· I am not afraid to spend some money (to a point). BUT, this is a home environment

· I worry about hardware failure and need some amount of protection/assurance against it. If the Internet goes down while I am out of town and my wife cannot watch TV, it is a “Sev A outage” :)

So, to summarize, my must-have features are:

· Can reliably scale to 1 Gbps (i.e., without packet loss or jitter on real-time communications)

· Supports site-to-site VPN

· Supports client-to-site VPN

· Supports failover to a backup Internet connection

· Rudimentary firewall

Nice-to-have features are:

· Web proxy/content filtering (removal of ads and malware)


I guess my first question is whether the home license can meet all my functionality requirements (e.g., site to site VPN, client to site VPN, etc.).

Second, I am worried that 4 CPU cores + 6 GB of RAM may not scale to 1 Gbps Internet. Has anyone tried this? Are there any test results that show the scalability of the platform?

Third, to protect myself from hardware failure, I am considering running XG as a VM. If I do this, I will place it on dedicated hardware. To avoid any chance of a slowdown due to the hypervisor, I was considering buying a Xeon E5 with six cores (I would assign four to the XG VM, leaving two for the hypervisor). And I would buy the E5 that has 6+ cores and the highest clock speed available. Then I could use the hypervisor features to back up and/or replicate the VM to another host, so that I could quickly recover if there was a problem. I considered running the XG on “bare metal”, but I do not think it would afford me much protection from hardware failure with the home license and I am worried because there is no published hardware compatibility list that I have been able to find.

If I use a VM (or roll my own hardware), how much storage should I plan to give to the XG? I need room for logs, etc. and do not want to cut myself short.

Alternatively, I would not mind buying Sophos XG hardware (the XG 210?), but then I would be spending cash on warranty coverage, or would need to be willing to re-order hardware when a failure occurs.

Finally, I am assuming that the home license of Sophos XG does not allow me to configure a redundant XG for high availability. But let me know if I am mistaken about that… or maybe it’s possible to get a second home license for active/passive high availability?

Again, I do not mind throwing Sophos some cash or buying hardware for what seems to be a high-quality product. Just trying to spend wisely (considering that this is a home environment and not a business) and trying to manage risks.


Thanks in advance!

Frank



Reply from Frank:

Just so no one thinks I did not do my own homework, I put together a spreadsheet that I think would reasonably estimate the expected performance of XG Home Edition running as a VM:

https://1drv.ms/x/s!AorzyvT5zskorL1CifWgNfVg0HCMWA

The estimates are summarized for my scenario here:

Firewall max (Mbps): 23607
IPS max (Mbps): 5325
IPS Realworld (Mbps): 494
Web Proxy - AV (Mbps): 3327
Web Proxy - AV Realworld (Mbps): 994
IPS + Web Proxy - AV Realworld (Mbps): 172
IPS + App Ctrl + WebFilter Realworld (Mbps): 311
VPN AES max (Mbps): 2196
VPN AES Realworld (Mbps): 549
New TCP connections/sec: 186660
Concurrent TCP connections: 14109300
Concurrent IPsec VPN tunnels: 2145
Concurrent Access Points: 124
Concurrent REDs (UTM): 49
Concurrent REDs (FW): 192

See the spreadsheet for my assumptions, calculations, etc. I welcome comments or suggestions.

If I am interpreting these results correctly, it looks like I could get gigabit performance only by turning off IPS, web proxy - AV, App Ctrl, and Web Filter.