Hardware Recommendations for 10Gb WAN Connection

Hi all,

I really need some straight talk to see if what I want is even possible. We currently have a 10Gb WAN connection to our home, and I'm currently utilizing a MikroTik RouterBoard with ACLs for marginal security. I'm not comfortable with that level of protection, for obvious reasons, so I really want to get a true firewall with IPS in line. The problem is, I don't have $30,000+ to spend on a solution for my home (SG 450 or 550). I also don't want to lose throughput; otherwise, what's the point of having the massive pipe?

So, my question is, can the UTM9 Home edition even be scaled to accommodate 10Gb throughput on the IPS module? I know having a lot of CPU cores clocked high is important, as is ample RAM, so I was planning on the following as a baseline:

AMD Threadripper 1950X (4 GHz, 16 cores / 32 threads)
64GB of DDR4 RAM
M.2 SSD for boot speed
(2) Intel X520 SFP+ (2 ports each)


All that to say, is it even possible on UTM9 Home Edition? Do I need a multi-socket rig even?

  • Hi,

    I think you have to go for maximum CPU speed instead of a lot of cores, because IPS is single-threaded, so it utilises only one core. And that throughput is not possible with UTM, I think. But some guys with more knowledge of IPS will explain this, I hope.

    But what raised my interest, what do you pay for a 10Gb internet connection? And in which country?

    Best

    Alex

    -

    Alexander Busch said:

        But what raised my interest, what do you pay for a 10Gb internet connection? And in which country?

        Best

        Alex

    Hey Alex - I'm actually in the United States, living in the Chattanooga, TN area. I'm paying $300/month for EPB's 10Gb fiber service (I might be one of only a dozen customers who've opted for it), and it's freaking amazing. I only have one computer that can actually utilize the whole pipe thus far, which is a server/VM host I have connected directly to my network stack over SFP+, but I'm getting consistent 9+ speed tests. Couldn't be happier, I'm just concerned about my network being vulnerable since I don't have a true firewall in place on the perimeter.

    Thanks!

  • Hi, and a belated welcome to the UTM Community!  (I guess I missed your first post 5 months ago.)

    I'll move this thread to the Hardware forum and recommend that you look at recent posts in the "Unofficial HCL" pinned to the top of that forum.

    The SSD is overkill with that amount of RAM.  I'm not much of a hardware guy, but you should google site:community.sophos.com/products/unified-threat-management/f william AMD to see William's comments, this one, for example.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • IPS with a full 10Gb WAN will be a huge challenge, and depending on what you are running it might not be needed except for certain servers and services.

    IPS works against vulnerabilities of certain services (in some cases unpatched systems) and will be most useful if you, for example, run an Exchange server or database server exposed to the internet.

    Having a packet filter (firewall) in front is of course a good way to keep certain threats out or control exactly what services you allow for your clients to connect to on other networks.

    In my opinion, for some security you should put a firewall in #1 after your ISP termination. Then for web surfing you could either use the web security feature with AV scanning, which will be limited by a single CPU core, or allow clients to connect directly to the internet via a firewall rule.

    Depending on what services you are running at your home, you could set up one or more DMZ zones and define IPS rules to filter for certain threats (i.e. only Linux attack patterns for Linux servers, not all the Microsoft things too). Depending on the services, I would also limit outgoing traffic bandwidth, so in case you "get hacked" your infected system wouldn't be shooting with a 10Gb line.

    If your goal is to put a single 10Gb transfer through IPS, I think that you will be disappointed.

    ---

    Sophos UTM 9.3 Certified Engineer

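The layout the post above recommends (stateful packet filter first after the ISP handoff, a DMZ that exposes only named services, no DMZ-initiated access into the LAN, and a cap on what the DMZ can push upstream) is easier to reason about as a concrete ruleset. The following is an added example and is not code from the thread or from Sophos UTM: it renders the same design as an nftables ruleset plus a tc HTB shaper for a Linux box in that position. The interface names, the TEST-NET addresses (assumed to be routed without NAT), the single published web host and the 200mbit DMZ egress cap are all assumptions; adjust them via the environment variables before running with `apply`.

```shell
#!/bin/sh
# Added example, not part of the original thread or of Sophos UTM.
# Renders (and optionally applies) a perimeter layout of the kind the
# post describes: default-drop packet filter in front, a DMZ that only
# publishes named services, DMZ may not initiate into the LAN, and an
# egress cap on DMZ-sourced traffic so a compromised host cannot fire
# at line rate.  Interface names, networks and the cap are assumptions.
WAN_IF="${WAN_IF:-enp1s0f0}"
LAN_IF="${LAN_IF:-enp1s0f1}"
DMZ_IF="${DMZ_IF:-enp2s0f0}"
LAN_NET="${LAN_NET:-198.51.100.0/24}"   # assumed LAN prefix
DMZ_NET="${DMZ_NET:-192.0.2.0/24}"      # assumed DMZ prefix (routed, no NAT)
DMZ_WEB="${DMZ_WEB:-192.0.2.10}"        # assumed published web host in the DMZ
DMZ_EGRESS_CAP="${DMZ_EGRESS_CAP:-200mbit}"

# Emit the nftables ruleset on stdout; pipe into `nft -f -` to apply.
render_ruleset() {
  cat <<EOF
flush ruleset
table inet perimeter {
  chain input {
    type filter hook input priority 0; policy drop;
    ct state established,related accept
    ct state invalid drop
    iifname "lo" accept
    # Only the LAN may manage the firewall itself.
    iifname "$LAN_IF" ip saddr $LAN_NET tcp dport 22 accept
    icmp type echo-request limit rate 10/second accept
  }
  chain forward {
    type filter hook forward priority 0; policy drop;
    ct state established,related accept
    ct state invalid drop
    # LAN clients go straight out (web filtering is a separate decision).
    iifname "$LAN_IF" oifname "$WAN_IF" accept
    # LAN may reach the DMZ; the DMZ never initiates into the LAN
    # (no rule for $DMZ_IF -> $LAN_IF, so the drop policy applies).
    iifname "$LAN_IF" oifname "$DMZ_IF" accept
    # Inbound from the WAN only to the one published DMZ service.
    iifname "$WAN_IF" oifname "$DMZ_IF" ip daddr $DMZ_WEB tcp dport { 80, 443 } accept
    # DMZ hosts may reach the Internet (updates), nothing else.
    iifname "$DMZ_IF" oifname "$WAN_IF" ip saddr $DMZ_NET accept
  }
}
EOF
}

# Emit tc commands that put DMZ-sourced traffic leaving the WAN interface
# into a capped HTB class; everything else gets the remaining bandwidth.
render_shaper() {
  cat <<EOF
tc qdisc del dev $WAN_IF root 2>/dev/null
tc qdisc add dev $WAN_IF root handle 1: htb default 20
tc class add dev $WAN_IF parent 1: classid 1:10 htb rate $DMZ_EGRESS_CAP ceil $DMZ_EGRESS_CAP
tc class add dev $WAN_IF parent 1: classid 1:20 htb rate 9gbit ceil 10gbit
tc filter add dev $WAN_IF parent 1: protocol ip prio 1 u32 match ip src $DMZ_NET flowid 1:10
EOF
}

# Usage: ./perimeter.sh        -> print the ruleset and shaper commands
#        ./perimeter.sh apply  -> load them (needs root, nft and tc)
if [ "${1:-}" = "apply" ]; then
  render_ruleset | nft -f -
  render_shaper | sh
else
  render_ruleset
  render_shaper
fi
```

The IPS engine is deliberately absent from this fragment: per the post, it would sit behind this filter and be scoped to the DMZ host's own platform signatures, rather than being asked to inspect every LAN flow at 10Gb.
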
  • "If your goal is to put a single 10Gb transfer through IPS i think that you will be disappointed."

    Amen!  I think the fastest processors today would get you a little over 300Mbps for a single user through IPS.

    Cheers - Bob