
Powerful router for gigabit ISP + IDS/IPS

JCBiggs

Like the title says. Trying to find a new router for the new gigabit connection. I have a Ubiquiti Pro, but it throttles to around 300 Mbps with intrusion detection on. They do have one that's powerful enough, but it's $2500. Anyone got any suggestions? Maybe just offload intrusion detection to another server?


12 minutes ago, JCBiggs said:

Like the title says. Trying to find a new router for the new gigabit connection. I have a Ubiquiti Pro, but it throttles to around 300 Mbps with intrusion detection on. They do have one that's powerful enough, but it's $2500. Anyone got any suggestions? Maybe just offload intrusion detection to another server?

Most (all?) consumer routers will not even have IDS/IPS at all, so you're basically looking at SOHO at the low end. You're going to be paying a lot for something that can handle IDS/IPS at Gigabit speeds.

 

For example, the entry-level Meraki MX65 is ~$850 retail, plus another ~$565 for a 1-year Advanced Security license (you can save about half the cost by going with an Enterprise license instead, but the Enterprise license doesn't have the full IPS features). So this is ~$1400, and the MX65 only has 200 Mbps throughput with all security features enabled.

 

Let's take another example: the FortiGate 90E, which is a high-end SOHO firewall. This guy is around ~$2200 to start, and he tops out at 270 Mbps with all security features enabled. If you are just using IPS and not the other features, he can hit 450 Mbps. If you turn off all NGFW features and just use it as an "old school" ACL firewall, it can hit 4 Gbps.

 

So, honestly, the $2500 router that you can get seems like a decent deal.

 

EDIT: So the lowest end FortiGate NGFW (Next Generation Firewall) that could handle Gigabit is the FortiGate 200E - this guy starts at $5500.


Any Gigabit router would provide that speed.
But I'm assuming you're talking about WiFi speed here? You'd need 802.11ac at the very minimum; there are plenty of consumer ones out there that can do that speed just fine.

 

Is this the WiFi solution you have right now? (Guessing not, since you mention it maxes out at N speed?)
https://www.amazon.com/Ubiquiti-Networks-802-11ac-Dual-Radio-UAP-AC-PRO-US/dp/B015PRO512
If not, well that's basically what you need. AC.


2 minutes ago, dalekphalm said:

Most (all?) consumer routers will not even have IDS/IPS at all, so you're basically looking at SOHO at the low end. You're going to be paying a lot for something that can handle IDS/IPS at Gigabit speeds.

 

For example, the entry-level Meraki MX65 is ~$850 retail, plus another ~$565 for a 1-year Advanced Security license (you can save about half the cost by going with an Enterprise license instead, but the Enterprise license doesn't have the full IPS features). So this is ~$1400, and the MX65 only has 200 Mbps throughput with all security features enabled.

 

Let's take another example: the FortiGate 90E, which is a high-end SOHO firewall. This guy is around ~$2200 to start, and he tops out at 270 Mbps with all security features enabled. If you are just using IPS and not the other features, he can hit 450 Mbps. If you turn off all NGFW features and just use it as an "old school" ACL firewall, it can hit 4 Gbps.

 

So, honestly, the $2500 router that you can get seems like a decent deal.

Sounds like pfSense/Snort it is then! Thanks for the reply.


1 minute ago, TetraSky said:

Any Gigabit router would provide that speed.
But I'm assuming you're talking about WiFi speed here? You'd need 802.11ac at the very minimum; there are plenty of consumer ones out there that can do that speed just fine.

 

Is this the WiFi solution you have right now? (Guessing not, since you mention it maxes out at N speed?)
https://www.amazon.com/Ubiquiti-Networks-802-11ac-Dual-Radio-UAP-AC-PRO-US/dp/B015PRO512
If not, well that's basically what you need. AC.

Nah, it sounds like he's talking about NGFW features, like intrusion detection/prevention, etc. These are features that a normal router doesn't even have. I have listed some basic specs and prices above, just to demonstrate the kind of money we're talking about here.


Just now, JCBiggs said:

Sounds like pfSense/Snort it is then! Thanks for the reply.

Yeah lol, we're actually in the middle of doing a firewall replacement at work, so I've got these details in mind! (Mind you, we're looking at a significantly higher-end device...)

 

Just make sure to do some research on specs for the server, since you'll need enough processor power and RAM to ensure you actually hit the throughput you want.


13 minutes ago, dalekphalm said:

Yeah lol, we're actually in the middle of doing a firewall replacement at work, so I've got these details in mind! (Mind you, we're looking at a significantly higher-end device...)

 

Just make sure to do some research on specs for the server, since you'll need enough processor power and RAM to ensure you actually hit the throughput you want.

You know, I think it would probably be cheaper to buy another USG and split the traffic. What would you think about that? I could just use router 0 for VLAN 0 and send the rest of the traffic, unchecked, to the second router. That would get me up to about 700, which I'm good with. I think that would work, and I can get another Pro for 250.


1 hour ago, JCBiggs said:

You know, I think it would probably be cheaper to buy another USG and split the traffic. What would you think about that? I could just use router 0 for VLAN 0 and send the rest of the traffic, unchecked, to the second router. That would get me up to about 700, which I'm good with. I think that would work, and I can get another Pro for 250.

As long as it supports load balancing, sure, unless you're gonna do the load balancing before the router, which would also work.

 

Though I have no idea if that'll be a good setup or not. Could work well enough though, yeah.


21 hours ago, dalekphalm said:

As long as it supports load balancing, sure, unless you're gonna do the load balancing before the router, which would also work.

 

Though I have no idea if that'll be a good setup or not. Could work well enough though, yeah.

I would just use VLAN tags and send VLAN 1 through router 0 without being filtered. That way router 0 only checks VLAN 0 traffic and forwards the rest.


On 12/10/2018 at 8:14 PM, dalekphalm said:

Most (all?) consumer routers will not even have IDS/IPS at all, so you're basically looking at SOHO at the low end. You're going to be paying a lot for something that can handle IDS/IPS at Gigabit speeds.

 

For example, the entry-level Meraki MX65 is ~$850 retail, plus another ~$565 for a 1-year Advanced Security license (you can save about half the cost by going with an Enterprise license instead, but the Enterprise license doesn't have the full IPS features). So this is ~$1400, and the MX65 only has 200 Mbps throughput with all security features enabled.

 

Let's take another example: the FortiGate 90E, which is a high-end SOHO firewall. This guy is around ~$2200 to start, and he tops out at 270 Mbps with all security features enabled. If you are just using IPS and not the other features, he can hit 450 Mbps. If you turn off all NGFW features and just use it as an "old school" ACL firewall, it can hit 4 Gbps.

 

So, honestly, the $2500 router that you can get seems like a decent deal.

 

EDIT: So the lowest end FortiGate NGFW (Next Generation Firewall) that could handle Gigabit is the FortiGate 200E - this guy starts at $5500.

We got a quote for a FortiGate 900D SKU? I think? which could handle packet inspection and IPsec at a gig, and it was around $30,000, and I am a Fortinet partner with 15% off.

 

The 5 Gbps model was almost 6 figures.

 

Honestly, 300 Mbps for $2000 is a steal depending on usage, but there are features enabled that people don't need, and that can double throughput. Especially fine-tuning DPI and rules.


On 12/10/2018 at 8:37 PM, JCBiggs said:

You know, I think it would probably be cheaper to buy another USG and split the traffic. What would you think about that? I could just use router 0 for VLAN 0 and send the rest of the traffic, unchecked, to the second router. That would get me up to about 700, which I'm good with. I think that would work, and I can get another Pro for 250.

It's not reliable, though. Sure, in perfect conditions you could load balance, but the way load balancing works, it's going to fluctuate constantly.


On 12/10/2018 at 7:37 PM, JCBiggs said:

You know, I think it would probably be cheaper to buy another USG and split the traffic. What would you think about that? I could just use router 0 for VLAN 0 and send the rest of the traffic, unchecked, to the second router. That would get me up to about 700, which I'm good with. I think that would work, and I can get another Pro for 250.

If I remember right, the USG gets crippled to 85 Mb/s if enabling IPS/IDS. I think the USG Pro does 250 Mb/s. The only USG capable of it at gigabit speed is the USG-XG.

 

The cheap option would be to go for pfSense (or Untangle / other software).


Unless you're hosting something that's accessible outside your network, I don't see a need for IDS/IPS personally. Most of your outbound connections are going to be encrypted in this day and age.

 

If you do have a service that's accessible outside your network, you can put an inline IDS/IPS like Suricata between it and your router. That way you won't have to mess around with double NAT.


If you are building a PC for it, Sophos offers a free home version of their UTM. This includes IPS functionality. The only limitation is the number of internal IPs protected (50). May be worth a look, or jump on their forums to determine what type of system you would need to handle the volume of bandwidth you need.

https://www.sophos.com/en/products/free-tools/sophos-utm-home-edition.aspx

 

Also, it's worth noting that when security solutions reference throughput speeds, they are talking about continuous traffic volumes a lot of the time. For example, for a 1 Gb connection, they may recommend a unit capable of 500 Mb (random numbers here for example purposes). With almost every connection, you rarely saturate the bandwidth consistently. This is usually more true the higher the bandwidth. So an appliance with 500 Mb capabilities would usually be suitable for a 1 Gb link.

Further to this, if it is performing actions like SSL inspection, this can be extremely CPU intensive and can dramatically reduce the potential throughput, depending on the complexity of the cipher suites it supports. Companies with large bandwidth connections are usually better off having a dedicated device handling SSL visibility that hands the traffic off to other security solutions so that they aren't bottlenecked.

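The sizing point in the post above (a box rated below the link rate is usually fine because a link is rarely saturated) can be checked against real utilisation instead of the nominal 1 Gb figure. This is an added example, not code from this thread or from any vendor; it assumes you sample a cumulative interface byte counter once per second (for instance from /proc/net/dev or the SNMP ifHCInOctets/ifHCOutOctets counters), and the 20-second trace it uses is constructed.

```python
"""Size an IDS/IPS appliance from measured traffic rather than link rate."""
import math


def constructed_counters():
    """Constructed cumulative (t, rx_bytes, tx_bytes) samples, 1 s apart:
    ~100 Mbps down / 4 Mbps up background with one 1 s full-rate burst."""
    rx_rate = [12_500_000] * 20          # bytes per second (= 100 Mbps)
    rx_rate[9] = 124_500_000             # one second at ~996 Mbps
    tx_rate = [500_000] * 20             # 4 Mbps upstream
    samples, rx, tx = [(0, 0, 0)], 0, 0
    for t in range(20):
        rx, tx = rx + rx_rate[t], tx + tx_rate[t]
        samples.append((t + 1, rx, tx))
    return samples


def interval_mbps(samples):
    """Per-interval throughput in Mbps. rx and tx are summed because an
    inline IPS inspects both directions and vendor ratings count both."""
    rates = []
    for (t0, rx0, tx0), (t1, rx1, tx1) in zip(samples, samples[1:]):
        bits = ((rx1 - rx0) + (tx1 - tx0)) * 8
        rates.append(bits / (t1 - t0) / 1e6)
    return rates


def percentile(values, p):
    """Nearest-rank percentile for 0 < p <= 1 (p95 is the usual sizing figure)."""
    ordered = sorted(values)
    return ordered[max(0, math.ceil(p * len(ordered)) - 1)]


def size_appliance(samples, rated_mbps):
    """Compare an appliance's rated inspection throughput with the p95 and
    peak of the measured trace. An appliance that covers p95 but not the
    peak will queue or drop during bursts, which is the trade-off the
    thread is discussing."""
    rates = interval_mbps(samples)
    p95, peak = percentile(rates, 0.95), max(rates)
    return {
        "p95_mbps": round(p95, 1),
        "peak_mbps": round(peak, 1),
        "covers_p95": rated_mbps >= p95,
        "covers_peak": rated_mbps >= peak,
    }


if __name__ == "__main__":
    # 300 Mbps is the figure the original poster quoted for their USG Pro.
    print(size_appliance(constructed_counters(), rated_mbps=300))
```

On the constructed trace the 300 Mbps figure covers p95 (104 Mbps) but not the 1000 Mbps burst, which is the "usually suitable" case the post describes.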

For the gigabit we got,

 

I ended up just building a pfSense system that I purchased the hardware for from RE-PC here in Seattle. Just a $60 Dell Opteron i3 system, and I added a TP-Link card that's like $14 to start out with. It deals with everything like a champion, and normal operation of full-speed downloads still only gets it to 3% utilization.

 

So that's my recommendation. I went that path because I still wanted some QoS-type settings available due to the ~60 devices we run all together.
