Opnsense and intel CPUs

Started by eponymous, January 03, 2021, 04:47:59 PM

Hi all,

This is my first post to the forum - I've just learned about Opnsense and am very excited to get up and running!

I had a question regarding hardware.

I've got an old Netgate SG-2440 lying around which I intend to put Opnsense on.

I think for all intents and purposes it should be a perfect machine for it.

The important specs are:

CPU: Intel "Rangeley" Atom C2358 1.7 GHz with QuickAssist
CPU Cores: 2
Memory Options: 4GB DDR3L Non ECC
Storage Options: 32GB eMMC Flash on board (I'll be putting a larger disk in)
Network Interfaces: 4x Intel 1GbE
USB Ports: 2x 2.0 ports
Console Port: Mini USB

My question is more about using Intel CPUs in general on a router. It's clear Opnsense takes security very seriously (using HardenedBSD and all).

There have been a number of issues with Intel CPUs - in particular, exploits in the ME firmware and so on.

Is it a good idea for me to use an Intel Atom C2358 based machine to run Opnsense? Or should I be looking for another platform to run this on?

Are there any actual exploits that I'd need to be aware of that haven't or can't be patched via Opnsense/BSD?

Am I just being overly paranoid? (wouldn't be the first time)

The SG-2440 is spare so it'd be a shame not to use it. I've also got one of the boards which luckily doesn't have the Intel C2358 clock signal component issue.

(and sorry if my question seems a little esoteric!)

Best!

E.

Ark says you're ok for 64-bit: https://ark.intel.com/content/www/us/en/ark/products/77978/intel-atom-processor-c2358-1m-cache-1-70-ghz.html

However, it may be a bit thin to do a lot of the fancier stuff, performance-wise.

In answer to your security concern - the best way to mitigate security issues with your firewall is to block any traffic going to your firewall rather than through it. Don't run DNS, web proxy, VPN, or anything else on the firewall itself.

Also, security issues are not particular to Intel hardware. Any CPU design since the 1970s uses features that reduce security to some degree. Spectre is a good example: https://spectreattack.com/

Bart...
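The "block traffic to the firewall, pass traffic through it" split Bart describes, written out as a pf rule fragment. This is an added illustration and not rules from the thread or from OPNsense itself; the interface names igb0/igb1 and the management ports 22/443 are assumptions. On OPNsense you would express the same thing in Firewall: Rules with the destination "This Firewall" rather than by editing pf.conf, which the GUI regenerates.

```pf
wan = "igb0"
lan = "igb1"

# 1. Management only: LAN hosts may reach the firewall's own addresses on SSH/HTTPS.
pass in quick on $lan proto tcp from $lan:network to (self) port { 22, 443 }

# 2. Everything else addressed *to* the firewall itself is dropped, on every
#    interface. Any service accidentally left listening (DNS, proxy, VPN, ...)
#    is unreachable even before you get around to disabling it.
block in log quick from any to (self)

# 3. Traffic that merely passes *through* the firewall is allowed from the LAN;
#    the state table lets the replies back in on WAN.
pass in quick on $lan from $lan:network to any keep state
pass out quick on $wan from any to any keep state
```

Because every rule carries `quick`, pf applies the first match, so the order above matters: the management exception must come before the catch-all block, and the block must come before the pass-through rule.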

Thanks Bart for the response (sorry for the late reply!).

Yes, I like your answer and it's made me also re-think my strategy towards how I'll set up my network moving forward - i.e. moving some services off the router and keeping it simple.

Cheers.

Additional remark: side-channel attacks like Spectre and Meltdown are really only relevant if you run applications on a system for multiple untrusted tenants, like in web hosting. For appliances that run most services as root and have no users that can log on remotely, the issue is next to irrelevant. IMHO.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)
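Whether or not you agree that the side channels matter on an appliance, the OP asked what is and is not patched at the OS level, and that can be checked rather than guessed. The script below is an added example, not code from the thread or from OPNsense: it reads the sysctl knobs FreeBSD (OPNsense's base system) exposes for its speculative-execution mitigations and reports the ones that are switched off. The sysctl names are real FreeBSD knobs; the sample dump embedded at the bottom is constructed so the script runs anywhere, and the interpretation labels are mine.

```shell
#!/bin/sh
# Added example, not code from the thread or from OPNsense.
# On a live box, feed real values instead of the constructed sample:
#   sysctl hw.ibrs_active hw.spec_store_bypass_disable_active vm.pmap.pti hw.mds_disable | check_mitigations

# Reads "name: value" lines on stdin, prints each known mitigation that is
# not active and returns how many are off (0 means every known knob is active).
check_mitigations() {
    off=0
    while IFS= read -r line; do
        name=${line%%:*}
        value=${line#*: }
        case "$name" in
            hw.ibrs_active)                      label="IBRS (Spectre v2)" ;;
            hw.spec_store_bypass_disable_active) label="SSBD (Spectre v4)" ;;
            vm.pmap.pti)                         label="PTI (Meltdown)" ;;
            hw.mds_disable)                      label="MDS buffer clearing" ;;
            *) continue ;;   # unrelated sysctl line, ignore it
        esac
        if [ "$value" = "0" ]; then
            printf '%s is OFF (%s=%s)\n' "$label" "$name" "$value"
            off=$((off + 1))
        fi
    done
    return "$off"
}

# Constructed sample sysctl output, not captured from a real SG-2440.
SAMPLE='hw.ibrs_active: 0
hw.spec_store_bypass_disable_active: 1
vm.pmap.pti: 1
hw.mds_disable: 0'

printf '%s\n' "$SAMPLE" | check_mitigations || echo "$? mitigation(s) off"
```

A value of 0 is not automatically a gap: the kernel picks these defaults from the CPU's own flags, so on a part the kernel considers unaffected by a given issue the knob can legitimately read 0. Treat the output as a list of things to cross-check against the CPU's published status, and remember that some of these mitigations also depend on a microcode update the OS cannot supply by itself.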

To avoid any problems with Intel CPUs, just use AMD.
AMD is now technologically well ahead and Intel has been left behind.
There is lots of news from AMD, and they have very good and powerful CPUs at a better price than Intel.
If you look at AMD Ryzen, Ryzen Pro, EPYC, embedded EPYC, and at how big players like Dell, HP and others have strong server platforms based on AMD...
There are of course lots of people who are "locked" and "encrypted" (I do not know how to explain it) with Intel and have not realized that AMD has been the winner for the last 2-3 years.

Pavel