Jump to content
Search In
  • More options...
Find results that contain...
Find results in...

Powerful router for gigabit ISP + IDS/IPS

JCBiggs
 Share

like the title says.  trying to find a new router for the new gigabit connetion.  I have a ubituiti pro, but it throttles to around 300mbps with intrusion detection on.  They do have one thats powerful enough but its $2500.   Anyone got any suggestions?   Maybe  Just offload intrusion detection to another Server?

Link to comment
Share on other sites

Link to post
Share on other sites

12 minutes ago, JCBiggs said:

like the title says.  trying to find a new router for the new gigabit connetion.  I have a ubituiti pro, but it throttles to around 300mbps with intrusion detection on.  They do have one thats powerful enough but its $2500.   Anyone got any suggestions?   Maybe  Just offload intrusion detection to another Server?

Most (all?) consumer routers will not even have IDS/IPS at all, so you're basically looking at SOHO at the low end. You're going to be paying a lot for something that can handle IDS/IPS at Gigabit speeds.

 

Example, the entry level Meraki MX65 is ~$850 retail, plus another ~$565 for a 1-year Advanced Security license (You can save about half the cost by going with an Enterprise license instead, but the Enterprise license doesn't have the full IPS features). So this is ~$1400, and the MX65 only has 200 Mbps throughput with all security features enabled.

 

Let's take another example: The FortiGate 90E, which is a high-end SOHO firewall. This guy is around ~$2200 to start, and he tops out at 270 Mbps with all security features enabled. If you are just using IPS and not the other features, he can hit 450 Mbps. If you turn off all NGFW features, and just use it as a "old school" ACL firewall, it can hit 4Gbps.

 

So, honestly, the $2500 router that you can get seems like a decent deal.

 

EDIT: So the lowest end FortiGate NGFW (Next Generation Firewall) that could handle Gigabit is the FortiGate 200E - this guy starts at $5500.

For Sale: Meraki Bundle

 

iPhone Xr 128 GB Product Red - HP Spectre x360 13" (i5 - 8 GB RAM - 256 GB SSD) - HP ZBook 15v G5 15" (i7-8850H - 16 GB RAM - 512 GB SSD - NVIDIA Quadro P600)

 

Link to comment
Share on other sites

Link to post
Share on other sites

Any Gigabit router would provide that speed.
But I'm assuming you're talking about WIFI speed here? You'd need 802.11ac at the very minimum, there's plenty of consumer ones out there that can do that speed just fine.

 

Is this the WiFi solution you have right now? (Guessing not since you mention it max out at N speed?)
https://www.amazon.com/Ubiquiti-Networks-802-11ac-Dual-Radio-UAP-AC-PRO-US/dp/B015PRO512
If not, well that's basically what you need. AC.

CPU: AMD Ryzen 3600 / GPU: Radeon HD7970 GHz 3GB with Noctua Fans / RAM: Corsair Vengeance LPX 2x8GB DDR4-3200
MOBO: MSI B450m Gaming Plus / NVME: Corsair MP510 240GB / Case: TT Core v21 / PSU: Seasonic 750W / OS: Win 11 Pro

Link to comment
Share on other sites

Link to post
Share on other sites

2 minutes ago, dalekphalm said:

Most (all?) consumer routers will not even have IDS/IPS at all, so you're basically looking at SOHO at the low end. You're going to be paying a lot for something that can handle IDS/IPS at Gigabit speeds.

 

Example, the entry level Meraki MX65 is ~$850 retail, plus another ~$565 for a 1-year Advanced Security license (You can save about half the cost by going with an Enterprise license instead, but the Enterprise license doesn't have the full IPS features). So this is ~$1400, and the MX65 only has 200 Mbps throughput with all security features enabled.

 

Let's take another example: The FortiGate 90E, which is a high-end SOHO firewall. This guy is around ~$2200 to start, and he tops out at 270 Mbps with all security features enabled. If you are just using IPS and not the other features, he can hit 450 Mbps. If you turn off all NGFW features, and just use it as a "old school" ACL firewall, it can hit 4Gbps.

 

So, honestly, the $2500 router that you can get seems like a decent deal.

Sounds like PF Sense/Snort it is then!   Thanks for the reply

Link to comment
Share on other sites

Link to post
Share on other sites

1 minute ago, TetraSky said:

Any Gigabit router would provide that speed.
But I'm assuming you're talking about WIFI speed here? You'd need 802.11ac at the very minimum, there's plenty of consumer ones out there that can do that speed just fine.

 

Is this the WiFi solution you have right now? (Guessing not since you mention it max out at N speed?)
https://www.amazon.com/Ubiquiti-Networks-802-11ac-Dual-Radio-UAP-AC-PRO-US/dp/B015PRO512
If not, well that's basically what you need. AC.

Nah it sounds like he's talking about NGFW features, like Intrusion Detection/Prevention, etc. These are features that a normal router doesn't even have. I have listed some basic specs and prices above, just to demonstrate the kind of money we're talking about here.

For Sale: Meraki Bundle

 

iPhone Xr 128 GB Product Red - HP Spectre x360 13" (i5 - 8 GB RAM - 256 GB SSD) - HP ZBook 15v G5 15" (i7-8850H - 16 GB RAM - 512 GB SSD - NVIDIA Quadro P600)

 

Link to comment
Share on other sites

Link to post
Share on other sites

Just now, JCBiggs said:

Sounds like PF Sense/Snort it is then!   Thanks for the reply

Yeah lol we're actually in the middle of doing a Firewall replacement at work, so I've got these details in mind! (Mind you, we're looking at a significantly higher end device...)

 

Just make sure to do some research on specs for the Server, since you'll need enough processor power and RAM to ensure you actually hit the throughput you want.

For Sale: Meraki Bundle

 

iPhone Xr 128 GB Product Red - HP Spectre x360 13" (i5 - 8 GB RAM - 256 GB SSD) - HP ZBook 15v G5 15" (i7-8850H - 16 GB RAM - 512 GB SSD - NVIDIA Quadro P600)

 

Link to comment
Share on other sites

Link to post
Share on other sites

13 minutes ago, dalekphalm said:

Yeah lol we're actually in the middle of doing a Firewall replacement at work, so I've got these details in mind! (Mind you, we're looking at a significantly higher end device...)

 

Just make sure to do some research on specs for the Server, since you'll need enough processor power and RAM to ensure you actually hit the throughput you want.

You know i think it would probably be cheaper to buy another USG and split the traffic.  What would you  think abou that?  I could just use router 0 for vlan 0 and send the rest of the traffic, unchecked  to the second router.  That would get me up to about 700 which .i'm good with. I think that would work and I can get another pro for 250.    

Link to comment
Share on other sites

Link to post
Share on other sites

1 hour ago, JCBiggs said:

You know i think it would probably be cheaper to buy another USG and split the traffic.  What would you  think abou that?  I could just use router 0 for vlan 0 and send the rest of the traffic, unchecked  to the second router.  That would get me up to about 700 which .i'm good with. I think that would work and I can get another pro for 250.    

As long as it supports load balancing, sure - unless you're gonna do the load balancing before the router, which would also work.

 

Though I have no idea if that'll be a good setup or not. Could work well enough though, yeah.

For Sale: Meraki Bundle

 

iPhone Xr 128 GB Product Red - HP Spectre x360 13" (i5 - 8 GB RAM - 256 GB SSD) - HP ZBook 15v G5 15" (i7-8850H - 16 GB RAM - 512 GB SSD - NVIDIA Quadro P600)

 

Link to comment
Share on other sites

Link to post
Share on other sites

21 hours ago, dalekphalm said:

As long as it supports load balancing, sure - unless you're gonna do the load balancing before the router, which would also work.

 

Though I have no idea if that'll be a good setup or not. Could work well enough though, yeah.

I would just use V lan Tags, and send v lan 1 through router 0 without being filtered. that way router 0 only checks vlan 0 traffic, and forwards the rest. 

Link to comment
Share on other sites

Link to post
Share on other sites

On 12/10/2018 at 8:14 PM, dalekphalm said:

Most (all?) consumer routers will not even have IDS/IPS at all, so you're basically looking at SOHO at the low end. You're going to be paying a lot for something that can handle IDS/IPS at Gigabit speeds.

 

Example, the entry level Meraki MX65 is ~$850 retail, plus another ~$565 for a 1-year Advanced Security license (You can save about half the cost by going with an Enterprise license instead, but the Enterprise license doesn't have the full IPS features). So this is ~$1400, and the MX65 only has 200 Mbps throughput with all security features enabled.

 

Let's take another example: The FortiGate 90E, which is a high-end SOHO firewall. This guy is around ~$2200 to start, and he tops out at 270 Mbps with all security features enabled. If you are just using IPS and not the other features, he can hit 450 Mbps. If you turn off all NGFW features, and just use it as a "old school" ACL firewall, it can hit 4Gbps.

 

So, honestly, the $2500 router that you can get seems like a decent deal.

 

EDIT: So the lowest end FortiGate NGFW (Next Generation Firewall) that could handle Gigabit is the FortiGate 200E - this guy starts at $5500.

We got a quote for a Fortigate 900D skew? I think? which could handle packet inspection and IPSEC at a gig and it was around $30,000 and I am a Fortinet partner with 15% off. 

 

The 5 gbps model was almost 6 figures. 

 

Honestly 300mbps for $2000 is a steal depending on usage, but there are features that are enabled that people dont need that can double throughput. Especially fine tuning DPI and rules

Link to comment
Share on other sites

Link to post
Share on other sites

On 12/10/2018 at 8:37 PM, JCBiggs said:

You know i think it would probably be cheaper to buy another USG and split the traffic.  What would you  think abou that?  I could just use router 0 for vlan 0 and send the rest of the traffic, unchecked  to the second router.  That would get me up to about 700 which .i'm good with. I think that would work and I can get another pro for 250.    

Its not reliable though. Sure in perfect conditions you could load balance but the way load balancing works its going to fluctuate constantly. 

Link to comment
Share on other sites

Link to post
Share on other sites

On 12/10/2018 at 7:37 PM, JCBiggs said:

You know i think it would probably be cheaper to buy another USG and split the traffic.  What would you  think abou that?  I could just use router 0 for vlan 0 and send the rest of the traffic, unchecked  to the second router.  That would get me up to about 700 which .i'm good with. I think that would work and I can get another pro for 250.    

If I remember right, the USG gets crippled to 85 Mb/s if enabling IPS/IDS. I think the USG Pro does 250 Mb/s. Only USG capable of it at gigabit speed is the USG-XG.

 

The cheap option would be to go for pfsense (or untangle / other software)

Link to comment
Share on other sites

Link to post
Share on other sites

Unless you're hosting something that's accessable outside your network, I don't see a need for IDS/IPS personally. Most of your outbound connections are going to be encrypted this day and age.

 

If you do have a service that's accessable outside your network - you can put an inline IDS/IPS like suricata between it and your router. That way you won't have to mess around with double NAT.

Link to comment
Share on other sites

Link to post
Share on other sites

If you are building a PC for it, Sophos offer a free home version of their UTM. This includes IPS functionality. The only limitation is number of internal IP's protected (50). May be worth a look or jump on their forums to determine what type of system you would need to handle the volume of bandwidth you need.

https://www.sophos.com/en/products/free-tools/sophos-utm-home-edition.aspx

 

Also, it's worth noting that when security solutions reference throughput speeds, they are talking continuous traffic volumes a lot of the time. For example, for a 1gb connection, they may recommend a unit capable of 500mb (random numbers here for example purposes). With almost every connection, you rarely saturate the bandwidth consistently. This is usually more true the higher the bandwidth. So an appliance with 500mb capabilities would usually be suitable for a 1gb link. 

Further to this, if it is performing actions like SSL inspection, this can be extremely CPU intensive and can dramatically reduce the potential throughput depending on the complexity of the cipher suites it supports. Companies with large bandwidth connections usually are better off having a dedicated device handling SSL visibility that hands the traffic off to other security solutions so that they aren't bottlenecked. 

Link to comment
Share on other sites

Link to post
Share on other sites

For the gigabit we got,

 

I ended up just building a Pfsense system that I just purchased the hardware for from RE-PC here in Seattle. Just a $60 Dell Opteron  i3 system and I added a TP-Link card that's like $14 to start out with. It deals with everything like a champion and normal operation of full speed downloads still only gets it to 3% utilization. 

 

so that's my recommendation, I went that bath because I still wanted some Qos type setting available due to the ~60 devices we run all together.

Link to comment
Share on other sites

Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
 Share


×