
Hardware Recommendations for 10Gb WAN Connection

Hi all,

I really need some straight talk to see if what I want is even possible. We currently have a 10Gb WAN connection to our home, and I'm currently utilizing a MikroTik RouterBoard with ACLs for marginal security. I'm not comfortable with that level of protection, for obvious reasons, so I really want to get a true firewall with IPS in line. The problem is, I don't have $30,000+ to spend on a solution for my home (SG 450 or 550). I also don't want to lose throughput either; otherwise, what's the point of having the massive pipe?

So, my question is, can the UTM9 Home edition even be scaled to accommodate 10Gb throughput on the IPS module? I know having a lot of CPU cores clocked high is important, as is ample RAM, so I was planning on the following as a baseline:

AMD Threadripper 1950x (4GHz, 16 cores - 32 threads)
64GB of DDR4 RAM
M.2 SSD for boot speed
(2) Intel X520 SFP+ (2 ports each)


All that to say, is it even possible on UTM9 Home Edition? Do I need a multi-socket rig even?



  • IPS with full 10Gb WAN will be a huge challenge, and depending on what you are running it might not be needed except for certain servers and services.

    IPS works against vulnerabilities of certain services (in some cases unpatched systems) and will be most useful if you, for example, run an Exchange server or database server exposed to the internet.

    Having a packet filter (firewall) in front is of course a good way to keep certain threats out or control exactly what services you allow your clients to connect to on other networks.

    In my opinion, for some security you should put a firewall as #1 after your ISP termination. Then for web surfing you could either use the web security feature with AV scanning, which will be limited by a single CPU core, or allow clients to connect directly to the internet via a firewall rule.

    Depending on what services you are running at your home, you could set up one or more DMZ zones and define IPS rules to filter for certain threats (i.e. only Linux attack patterns for Linux servers, not all the Microsoft things too). Depending on the services, I would also limit outgoing traffic bandwidth, so in case you "get hacked" your infected system wouldn't be shooting with a 10Gb line.

    If your goal is to put a single 10Gb transfer through IPS, I think that you will be disappointed.

    ---

    Sophos UTM 9.3 Certified Engineer

  • "If your goal is to put a single 10Gb transfer through IPS, I think that you will be disappointed."

    Amen! I think the fastest processors today would get you a little over 300Mbps for a single user through IPS.

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA