Hardware for 10GBE IPS questions
Topic: Hardware for 10GBE IPS questions (Read 2254 times)
seed
Full Member
Posts: 174
Karma: 12
Hardware for 10GBE IPS questions
« on: May 13, 2022, 11:52:46 am »
Hello all,
Are any of you running Suricata with 10Gb throughput in intrusion prevention mode?
If yes:
How many rules are used?
What hardware is used? (CPU, NIC...)
Which OPNsense version is used in the setup?
Logged
I want all services to run at wire speed and therefore run this dedicated hardware configuration:
AMD Ryzen 7 9700x
ASUS Pro B650M-CT-CSM
64GB DDR5 ECC (2x KSM56E46BD8KM-32HA)
Intel XL710-BM1
Intel i350-T4
2x SSD with ZFS mirror
PiKVM for remote maintenance
private user, no business use
seed
Full Member
Posts: 174
Karma: 12
Re: Hardware for 10GBE IPS questions
« Reply #1 on: May 26, 2022, 08:33:09 pm »
Looks like classic CPUs are not able to process the traffic. FPGAs or Smart NICs should process the traffic. It will probably take a few more years until such hardware is widely available.
Logged
mimugmail
Hero Member
Posts: 6766
Karma: 494
Re: Hardware for 10GBE IPS questions
« Reply #2 on: May 26, 2022, 08:53:24 pm »
I never saw more than 3,5Gbit .. but I also didn't test against FreeBSD 13 yet
Logged
WWW:
www.routerperformance.net
Support plans:
https://www.max-it.de/en/it-services/opnsense/
Commercial Plugins (German):
https://opnsense.max-it.de/
seed
Full Member
Posts: 174
Karma: 12
Re: Hardware for 10GBE IPS questions
« Reply #3 on: May 26, 2022, 09:58:10 pm »
I had wondered why firewall manufacturers like Sophos and Fortigate quote such high intrusion prevention throughput rates for their hardware.
It looks like they are using a co-processor for this task. It must be an FPGA. Or they cheat and create firewall rules dynamically and kill the state when the IDS sends an alert.
Napatech is already allowing Suricata offloading:
https://suricata.readthedocs.io/en/suricata-6.0.0/capture-hardware/napatech.html
« Last Edit: May 26, 2022, 10:06:37 pm by seed »
Logged
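The thread asks whether a given CPU can keep up with Suricata in IPS mode at 10 Gbit/s, but nobody in it shows how to measure that. The following is an added example, not code from the thread, from OPNsense or from the Suricata project: it reads Suricata's `eve.json` `stats` events (which carry cumulative counters) and turns consecutive records into per-interval throughput and capture drop rate, the two numbers that tell you whether the sensor is processing the traffic or silently dropping it. It assumes the counter names `stats.uptime`, `stats.capture.kernel_packets`, `stats.capture.kernel_drops` and `stats.decoder.bytes` as emitted by Suricata's AF_PACKET-style capture; on OPNsense's netmap-based IPS mode the capture counters may be named differently, so check your own `eve.json` before trusting the field names. The sample records are constructed for the example and are not data from any real sensor; the 1 % drop threshold is an arbitrary example value.

```python
import json
from typing import Iterable, Iterator

# Constructed sample lines from a Suricata eve.json (not real sensor data).
# Suricata emits "stats" events on a fixed interval with cumulative counters;
# the non-stats line is included to show that other event types are skipped.
SAMPLE_EVE_LINES = [
    '{"timestamp":"2022-05-26T20:33:00.000000+0200","event_type":"stats","stats":{"uptime":8,'
    '"capture":{"kernel_packets":1000000,"kernel_drops":0},'
    '"decoder":{"pkts":1000000,"bytes":1000000000}}}',
    '{"timestamp":"2022-05-26T20:33:03.000000+0200","event_type":"alert","alert":{"signature_id":1}}',
    '{"timestamp":"2022-05-26T20:33:08.000000+0200","event_type":"stats","stats":{"uptime":16,'
    '"capture":{"kernel_packets":3000000,"kernel_drops":0},'
    '"decoder":{"pkts":3000000,"bytes":3000000000}}}',
    '{"timestamp":"2022-05-26T20:33:16.000000+0200","event_type":"stats","stats":{"uptime":24,'
    '"capture":{"kernel_packets":7000000,"kernel_drops":400000},'
    '"decoder":{"pkts":6600000,"bytes":9000000000}}}',
]


def parse_stats_events(lines: Iterable[str]) -> Iterator[dict]:
    """Yield the 'stats' object of every stats event; skip blanks, bad JSON and other event types."""
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue
        if rec.get("event_type") == "stats" and "stats" in rec:
            yield rec["stats"]


def interval_metrics(stats_events: Iterable[dict], drop_threshold_pct: float = 1.0) -> list:
    """Convert cumulative counters into per-interval throughput and drop percentage.

    Returns one dict per interval between two consecutive stats records.
    drop_pct is defined here as kernel_drops / kernel_packets over the interval.
    An interval with non-increasing uptime (Suricata restarted, counters reset) is skipped.
    """
    results = []
    prev = None
    for cur in stats_events:
        if prev is not None:
            seconds = cur["uptime"] - prev["uptime"]
            if seconds > 0:
                pkts = cur["capture"]["kernel_packets"] - prev["capture"]["kernel_packets"]
                drops = cur["capture"]["kernel_drops"] - prev["capture"]["kernel_drops"]
                nbytes = cur["decoder"]["bytes"] - prev["decoder"]["bytes"]
                gbit_per_s = nbytes * 8 / seconds / 1e9
                drop_pct = 100.0 * drops / pkts if pkts > 0 else 0.0
                results.append({
                    "uptime": cur["uptime"],
                    "seconds": seconds,
                    "gbit_per_s": gbit_per_s,
                    "drop_pct": drop_pct,
                    # The sensor "keeps up" when drops stay under the threshold for the interval.
                    "keeping_up": drop_pct <= drop_threshold_pct,
                })
        prev = cur
    return results


def report(lines: Iterable[str]) -> str:
    """Human-readable one-line-per-interval summary."""
    rows = []
    for m in interval_metrics(parse_stats_events(lines)):
        state = "OK" if m["keeping_up"] else "DROPPING"
        rows.append(f"t={m['uptime']:>6}s  {m['gbit_per_s']:6.2f} Gbit/s  "
                    f"drops={m['drop_pct']:5.2f}%  {state}")
    return "\n".join(rows)


if __name__ == "__main__":
    # On a live system: report(open("/var/log/suricata/eve.json"))
    print(report(SAMPLE_EVE_LINES))
```

Run it against a real `eve.json` while pushing traffic through the box (iperf3 between two hosts on opposite sides of the firewall is enough) and watch the drop column: throughput figures quoted without the drop rate say nothing about whether the IPS actually inspected the traffic, which is the distinction the thread is circling around.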