Hardware recommendations for Home license - exaggerated?

Hi,

The thing is, I have been going through some of the threads here and elsewhere and it seems that if one really wants to use what Sophos UTM can offer, people recommend beefy hardware, nothing short of a Core i3 to run the system on. I wonder why this is. A quick check of Sophos' own offers indicates an up-to-date Atom or Bay Trail should do just fine. For example:


  • SG105 --> Intel Atom E3826 1.46GHz | 2GB RAM
  • SG135 --> Rangeley C2558 2.4GHz | 6GB RAM
  • SG210 --> Celeron 2.7GHz | 8GB RAM
  • SG 310 --> Core i3 3.5GHz | 12GB RAM


When I look at what throughput Sophos rates these babies at (including VPN, IPS, all >>100Mbit/s) I can't fathom how even a power user at home would have the need to get beefier hardware to run this.
I didn't think I'd open a new thread since there are tons on home user hardware already, but the fact that so many posts claim one needs an Intel Core i3 processor to run the full feature set of UTM baffles me a bit. Are Sophos' hardware appliances running on some different version, somehow way more optimized to the hardware, multi-threaded... while the home user edition is not?

I have been running an Astaro and now Sophos UTM at home for four years now on an Atom dual-core N450 with 2GB of RAM. Switching on all the gimmicks slows things down substantially (WAN & LAN) for a DMZ/guest net and a cloud server, but VLANs could do the trick too.
We constantly use IPsec and SSL VPN on our private laptops, phones and tablets. We might upgrade our provider bandwidth to 100Mbit/s down and hopefully >10Mbit/s up at some point, but I doubt it could get any faster anytime soon.

I'm happy for any tips and recommendations.

My current pick for a new setup (excluding SSD & 8GB RAM) would be:

  • Supermicro J1900 board (X10SBA) 2x Intel NIC  180€
  • Supermicro C2558 board (A1SRi-2558F) 4x Intel NIC - 350€ (cheapest I could find with >2 NICs :( )

Would that not suffice?
  • I have a Rangeley C2758F (8 cores at 2.4GHz). When in the firewall I exclude lots of countries (Africa, Arab countries, North Korea etc.), I keep rules against Windows, Linux and FTP attacks 24 months old and I put in the blacklist a list of domains taken from malwaredomainlist.com, my speedtest shows 50Mbps. On wireless I have 30Mbps.

    I have 2 lines of 100Mbps each + 1 backup line on VDSL with 5Mbps. My Sophos UTM 9 does load balancing between the 2 lines of 100Mbps and failover on the 5Mbps.

    My network is composed of a 48 port Gigabit Switch Ubiquiti + a 48 port Gigabit PoE Switch Ubiquiti interconnected at 10Gbps through SFP+ multimode and an OM4 patch cord.

    Access points are Ubiquiti AC AP PRO directly connected to the Ubiquiti switches through CAT 7A 1500MHz cable at an average distance from the switches of 30 metres.

    The poor speed is due to the fact that Sophos UTM uses Snort, which is single-threaded and requires lots of GHz in the CPU to allow a good transfer rate (good = 100Mbps and more).

    Unfortunately, when I built my appliance I had in mind to install pfSense, which takes advantage of an elevated number of cores and doesn't care much about clock speed.

    I like Sophos UTM better, but I will need to change my mainboard and CPU soon if I want to use a lot of rules and at the same time not be forced to use just 15% of the bandwidth that I pay for.


    If you are happy with a J1900 good for you....I work as a telecom engineer, routers and hardware are my passion and for me it is normal to have 30000 euros of equipment at home and I want great performance....Others give 10.000 euros for a bike made of carbon and are happy with 256Kbps internet and 50 euro Android phones...


  • Hello,

    I have been reading through most of this post from the beginning. From the time of the original post to now we have had a few years and many new CPUs have come on the market, for both home systems and the server world.

    Just thought to give you some other ideas you might want to think about for your UTM configuration. I still run the UTM version 9.7. I have it running as a VM on VMware ESXi 6.7, running on an old Dell R510. The UTM VM is given 4 CPUs and 6 GB RAM with 4 network ports. It runs well for my home network. I do I.T. work so I need a reliable system for remote access into my employer's network. I am planning to go back to a physical box just because I want it as its own appliance. No issues or any performance issues with the VM. I can take snapshots and also back up the VM image. If you do use several computers at home, and/or for a "Learning Lab", if they can be VMs it might be worth the money to build a single larger machine and virtualize some of your systems as well as UTM or XG. One system to run production as well as test machines. You might want to look into VMware, VirtualBox or a similar hypervisor and maybe on eBay or other sources find a used, well equipped server with dual CPU (6 or 8 cores) and run UTM/XG virtually and add resources to the VM as needed. So as your network / firewall needs grow you can easily add CPU and RAM to the UTM VM. You need to have 4 to 8 physical network ports on the VM server because depending on your WAN, LAN, DMZ or other networks on the UTM you will want an interface for each to assign to the UTM / XG.

    I have 6 VMs on my ESXi system, dual 6 core CPUs, hyper-threading and 48 GB RAM, and plenty of disk storage. VMware offers a free ESXi license that has most features / functions you would need. Besides that I run several Windows 2016 servers and some Linux systems on the ESXi server. Saves space, and maybe in the long run power, since it is one well equipped machine. And you can have many computer systems in one box. So just a thought.

    I used to run the UTM on old servers; again, my VM configuration of Sophos UTM is using only 3% CPU and 44% of the 6 GB RAM. Firewall, Intrusion Prevention, Web Filtering, SMTP & POP3 Proxy, Wireless Protection, Antivirus, Antispam, Antispyware, DHCP, DNS are currently enabled. My ISP is MediaCom with their fastest Internet package, I think it is up to 1 gig download and 100 meg upload. I do a lot of streaming and large file sync transfers with my web site on GoDaddy.

    Hope this idea is of some use, best of luck finding the best hardware solution for your firewall.

    My home Network / Computer system looks more like what you would find in a small to medium business. I.T. is my profession and I use what one would find in a business more than a typical home or small home office. I do this to keep my I.T. skill set current.

    Chad

  • Hi,

    There are many MBs out there that run low power. If you are using MS products on VMs then you are not really saving much in the way of power because they don't allow the server to sleep. A VM should have dedicated cores and memory running at close to max speed if you are planning on any decent performance or throughput. SNORT will not ramp up the CPU unless there are multiple users and will then become your bottleneck.

    Ian

    V18.0.x - e3-1225v5 6gb ram on 4 port MB with AP55/c - 20w. 
    If a post solves your question use the 'This helped me' link.
  • Hello, yes I agree. At this point, power with the ESXi is not as much of a concern for me. I can see for others it is a good factor to look at. I live alone so there are not multiple users; maybe at times between all the VMs hitting Microsoft for updates all at the same time, while I am streaming or working on some VMs that need Internet access, it is a little hard for me to really tax the Sophos I suppose. My HP Gen 7 server should be arriving in a week's time, that will pull more power than the UTM VM on that server. For my home use and lab use, I try to configure and do things as one might find in the average to medium business, and do run my own small data center of sorts. I know I am more of the exception than the norm. So in that respect, as far as power goes, I am not saving. But thought to just put that idea out there for anyone who might not have thought about such a possible configuration. I am thinking of doing more with the ESXi system and the VMs on it where they are getting used more and are Internet facing for e-mail and web server. I appreciate your thoughts and thank you for the post.


    Chad

  • I know ESXi very well and I ran pfSense and after that Endian in a virtualized environment based on ESXi 5.5 for more than a year before passing to Sophos UTM. For testing purposes it's great, but running a firewall in a virtual environment when in production (even at home) is not a good idea because it augments the "surface" of possible attacks.

    Moreover, a server like you have represents a single point of failure for the whole network: it's enough that your power supply gets hosed and all your network and services are down. Idem when you decide to power it off for replacing or upgrading components.

    And also: unless built on reliable server grade material in an air-conditioned room and in an IT rack with UPS (as I have at home) your network is at risk.

    I took the path of separating my appliances many years ago and I do regular backups on a FreeNAS server with 72TB raw space with 2 pools of 6 disks in RAIDZ2 on redundant UPS and closed in a 42" rack in a controlled temperature/humidity room.

    For the firewall I plan soon to pass to an i3 9100F with 8 ECC RAM on a Supermicro X11SCL-IF (I ALWAYS buy Supermicro and server grade material even for my everyday use PCs) just because I'm not in the mood to change the case SUPERMICRO SC505-203B that I already have.

    The heatsink will of course be a Supermicro SNK-P0049A4, which fits both the case and the max TDP of 65W allowed by the case and reached by the i3-9100F (which I wanted to replace with an i3-9350KF, but it draws 130W).

    To compensate for the lack of NICs on the mainboard (only two) I'll use an Intel quad NIC like the 350 mounted using a riser cable.

    I tend to stay away from servers purchased on eBay at low budget and with powerful processors but with astronomical power requirements: they are out of warranty and in the long run they will cost more to run. Don't get me wrong: I often purchase components on eBay and Amazon...but just the ones that are non-critical (case, monitors) or that you know from the beginning that if they work, they work (CPU and RAM)....but I would not buy a whole server..unless new or unless it is just for "play" or for unimportant stuff.

    I like to assemble my servers myself and pick each component exactly tailored for the task... as an example, on my FreeNAS I have a 58€ CPU Pentium G3220 that never got used more than 40% since 2013, but I have an HBA adapter SAS3 9305-24i 12Gb/s which I paid 600€ for and 12 6 TB Western Digital GOLD WD6002FRYZ disks which represent 2750€ in disks....and that makes all the difference in transfer rate.

    Hardware balance must be applied only to PCs which are MULTIPURPOSE; a server is UNBALANCED by nature as it needs to do a SINGLE JOB.

    An ESXi server will never be hardware tailored for every possible machine inside; this is why in datacenters they tend to virtualize the same class of servers (all firewalls in one, all Windows servers in another) and not a single ESXi server which contains firewall, database, Windows server, MAME emulator, syslog server, NAS and Plex....this is called masochism.

  • Just for info:

    I did migrate to an i3-9100F on a Supermicro X11SCL-IF with 16GB ECC RAM in a SUPERMICRO SC505-203B case + a 4 port Gigabit NIC card with a riser, the lot assembled by me.

    I have two coaxial internet lines that provide each 200Mbps in Download and 10Mbps in upload.

    Using a blacklist taken from https://www.malwaredomainlist.com/hostslist/hosts.txt, another personalized blacklist added to it with around 50 entries, Windows and Linux rules 24 months old + country blocking and bundling together the lines, I have a download speed of 335Mbps out of 400Mbps (2 x 200Mbps).

    Performance is basically equivalent to the Sophos SG 450 rev 2 that uses a Xeon Quad Core E3-1275v5 @3.6GHz (for a fraction of the price).


    https://askgeek.io/en/cpus/vs/Intel_Core-i3-9100F-vs-Intel_Xeon-E3-1275-v5

    https://www.avanet.com/assets/pdf/sophos-xg-firewall-xg-sg-all-models-tech-specs-en.pdf


    For the same type of case (that doesn't allow for more than a 65W CPU because of heat) we could consider the Xeon E-2234 (71W), which is slightly more powerful:

    https://technical.city/en/cpu/Core-i3-9100F-vs-Xeon-E-2234

    But honestly the i3-9100F is at 80 dollars on Amazon versus the Xeon E-2234 that costs 389 dollars... so I chose the i3 9100F.


    I can improve the speeds using a feature in the Supermicro motherboard "X11SCL-IF" that allows me to put the CPU in "ALWAYS TURBO" and of course by reducing the rules for Windows and Linux to <12 months.

    I will test this as soon as possible and I will share the results here.


    Passing from the Atom C2758 to the i3-9100F increased my download speed between 3 and 5 times (before I was doing around 70Mbps, or 100Mbps at best).

    If somebody is interested in buying a SUPERMICRO A1SRi-2758F equipped already with 8GB ECC for 300 euros just let me know :)

  • Which features did you turn on?

    I am using 2x Sophos SG330 (put a Xeon E3-1235v3 inside) here (HA cluster, active-passive) and I had no problem using my 500Mbit/s fully (single threaded download) with all features activated. When the antivirus engine is downloading and checking a file, the CPU usage is about 30%...

    Same thing before with my old server used as firewall (Xeon X3450): 500Mbit/s was no problem...CPU usage a little bit higher.


    BUT I have installed and tested here some Sophos SG105 and SG115 (rev2) over time and with activated IPS the bottleneck was really the CPU:

    SG105 ~80 Mbit/s

    SG115 ~110Mbit/s

  • I was also looking to get that CPU and motherboard combo and I was wondering what memory you got?

  • I have A LOT of features on:


    In Network Protection > Firewall I block all IPv6 and a scanner list of around 200 IP addresses (in and out).

    In Intrusion Prevention > Attack Patterns I have rule age "no time limit" for Windows, Linux and Others, 24 months for attacks against servers (DNS, FTP, SSH, SNMP, RADIUS, CVS), 12 months for attacks against client software and no time limit for protocol anomaly and malware.

    In Web Protection > Web Filtering Profiles > Filter Actions I block WEAPONS, CRIMINAL ACTIVITIES, GAMBLES, DRUGS, EXTREMISTIC SITES, NUDITY, and then I add this list: http://mirror1.malwaredomains.com/files/justdomains

  • I bought 2 modules of 8GB DDR4 2666MHz ECC 19 DIMM KSM26ES8/8ME, for a total of 16GB of ECC RAM (it's overkill but I didn't find 2x 4GB DDR4 ECC...I doubt that so little RAM is still sold in DDR4).

  • Hoi,

    You're not paying me for advice, but the following is aimed at others just as much as at you...

    I doubt you can do anything to speed up your UTM with your current configuration. Adding a list of over 26 thousand sites is not the best way to use the UTM.

    At Check Single URL, you can get a free membership that allows you to check 100 sites at a time. That should give you the additional categories you might want to block instead of blocking a list like the one in the TrustedSource database.

    A well-cared-for environment shouldn't need IPS rules older than 12 months.

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
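The two external blocklists mentioned in this thread come in different formats (the malwaredomainlist.com file is in hosts-file format with a sinkhole address in front of each name, while the justdomains file is one domain per line), and Bob's point is that the size of what gets loaded into the UTM matters. The following example is added here and is not code from the thread, from Sophos, or from either list's maintainer: it normalizes a hosts-format list into a deduplicated, lowercase domain list, drops the loopback boilerplate, rejects entries whose address is not a sinkhole or whose name is not a valid hostname, and reports the rejects with their line numbers, so you know exactly how many and which entries you are about to import. The sample list is constructed for the example and is not the real malwaredomainlist.com content.

```python
import re
from collections import OrderedDict

# Constructed sample in hosts-file format (not the real malwaredomainlist.com
# list). It deliberately mixes comments, loopback boilerplate, mixed case, a
# duplicate, an invalid label, a non-sinkhole address and a multi-name line.
SAMPLE_HOSTS = """\
# Constructed sample - not the real list
127.0.0.1  localhost
::1        localhost
127.0.0.1  Example-Bad.test   # trailing comment
127.0.0.1  example-bad.test
0.0.0.0    other.bad.example
127.0.0.1  bad_label.example
10.0.0.5   not-a-sinkhole.example
127.0.0.1  www.third.example   alias.example
"""

# Addresses a hosts-format blocklist legitimately points names at.
SINKHOLE_ADDRS = {"0.0.0.0", "127.0.0.1", "::1"}

# Names that appear in almost every hosts file but are not blocklist entries.
LOOPBACK_NAMES = {
    "localhost", "localhost.localdomain", "local", "broadcasthost",
    "ip6-localhost", "ip6-loopback", "ip6-allnodes", "ip6-allrouters",
}

# One DNS label: 1-63 chars of [a-z0-9-], not starting or ending with '-'.
LABEL_RE = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")


def is_valid_hostname(name):
    """True if `name` is a syntactically valid multi-label hostname."""
    if len(name) > 253 or "." not in name:
        return False
    return all(LABEL_RE.match(label) for label in name.split("."))


def hosts_to_domains(text):
    """Convert hosts-format text into (domains, rejected).

    domains  - ordered, deduplicated, lowercased list of blockable names
    rejected - list of (line_number, offending_text, reason) tuples
    """
    seen = OrderedDict()   # preserves first-seen order while deduplicating
    rejected = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # strip comments and whitespace
        if not line:
            continue
        parts = line.split()
        addr, names = parts[0], parts[1:]
        if addr not in SINKHOLE_ADDRS:
            # A real address here means the line is not a blocklist entry.
            rejected.append((lineno, raw.strip(), "address is not a sinkhole"))
            continue
        for name in names:
            domain = name.lower().rstrip(".")
            if domain in LOOPBACK_NAMES:
                continue
            if not is_valid_hostname(domain):
                rejected.append((lineno, name, "invalid hostname"))
                continue
            seen.setdefault(domain, lineno)
    return list(seen), rejected


def summarize(text):
    """Return (entry_count, reject_count) for a quick size check before import."""
    domains, rejected = hosts_to_domains(text)
    return len(domains), len(rejected)


if __name__ == "__main__":
    domains, rejected = hosts_to_domains(SAMPLE_HOSTS)
    print("%d unique domains to import" % len(domains))
    for d in domains:
        print("  " + d)
    for lineno, text, reason in rejected:
        print("rejected line %d (%s): %s" % (lineno, reason, text))
```

Run it against a real download (`hosts_to_domains(open("hosts.txt").read())`) and the entry count tells you how large the list really is before it goes into a filter action; the rejects are worth a glance because a non-sinkhole address in a blocklist usually means the file was edited or truncated in transit.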