Are Xeon chips (example: 5160 3GHz) good for IDS/IPS vs i3 or i5?

  • I am looking forward to upgrading my router with a used 1U from eBay and wanted to know if some of the older chips like the Xeon 5160 3GHz are good for IDS/IPS vs an i3 or i5. The cost difference: a 1U from China is 500-700 for an i3/i5, vs an older 1U on eBay with a Xeon for 100.

    I have a fiber line to my house with 1 Gb up and 1 Gb down, but I want to run Suricata, pfBlockerNG and OpenVPN and keep as much of the throughput as possible.

  • Pretty much any Intel CPU will be more than enough. If you want to future-proof the box for hardware encryption/decryption that is eventually coming to pfSense, be sure the CPU you choose supports AES-NI. The more important thing is to be sure the box has genuine Intel NICs (no Realtek network cards!). You also want at least 4 GB of RAM for an IDS/IPS, and more is even better. My box has 16 GB of RAM. Finally, you want plenty of disk space for logging.
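
As an added example (not part of the thread and not pfSense project code), the following POSIX shell script does the two checks recommended above on a candidate box: it looks for the AES-NI feature flag in the CPU feature string and classifies each NIC driver as Intel, Realtek or other. The driver-name lists and the two sample feature strings are assumptions based on common FreeBSD and Linux driver and flag names, not anything taken from the post.

```shell
#!/bin/sh
# Pre-purchase sanity checks for an IDS/IPS box (added example, not from the
# thread): does the CPU expose AES-NI, and are the NICs Intel or Realtek?
# The driver-name lists below are assumptions based on common FreeBSD
# (pfSense) and Linux driver names.

# has_aesni FLAGS -> exit 0 if the CPU feature string advertises AES-NI.
# Linux /proc/cpuinfo lists the flag as "aes"; FreeBSD's boot messages list
# it as "AESNI" inside a "Features2=...<...>" line. Tokens are split on the
# separators both formats use and matched whole, so "vaes" does not count.
has_aesni() {
    printf '%s\n' "$1" | tr ',<> ' '\n\n\n\n' | grep -qixE 'aes|aesni'
}

# nic_class DRIVER -> prints intel / realtek / other for a NIC driver name.
# FreeBSD names: em, igb, ix, ixl (Intel), re (Realtek).
# Linux names: e1000e, igb, ixgbe, i40e (Intel), r8169, r8125 (Realtek).
nic_class() {
    case "$1" in
        em|igb|ix|ixl|ixv|igc|e1000|e1000e|ixgbe|i40e|ice) echo intel ;;
        re|r8169|r8168|r8125|r8152) echo realtek ;;
        *) echo other ;;
    esac
}

# cpu_flags -> the CPU feature string of the running host, on either OS.
cpu_flags() {
    if [ -r /proc/cpuinfo ]; then
        grep -m1 '^flags' /proc/cpuinfo
    elif [ -r /var/run/dmesg.boot ]; then
        grep -m1 'Features2' /var/run/dmesg.boot
    fi
}

# nic_drivers -> one driver name per network interface on the running host.
# Linux exposes the driver as a symlink under /sys; on FreeBSD the interface
# name is the driver name plus a unit number (em0, igb1, re0).
nic_drivers() {
    if [ -d /sys/class/net ]; then
        for d in /sys/class/net/*/device/driver; do
            [ -e "$d" ] && basename "$(readlink "$d")"
        done
    else
        for ifc in $(ifconfig -l 2>/dev/null); do
            printf '%s\n' "$ifc" | sed 's/[0-9]*$//'
        done
    fi
}

main() {
    if has_aesni "$(cpu_flags)"; then
        echo "CPU: AES-NI present"
    else
        echo "CPU: AES-NI NOT present (no hardware AES acceleration)"
    fi
    for drv in $(nic_drivers | sort -u); do
        echo "NIC driver $drv: $(nic_class "$drv")"
    done
}

main "$@"
```

Run it as root on the box itself (or on a live-booted FreeBSD/Linux image before buying); anything reported as `realtek` is the NIC the post warns against.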

  • Thanks,

    The Xeon 5160 does not support AES-NI, but the E56xx chips do. Does the number of cores and/or number of threads vs clock speed matter here?


  • CPU clock speed is going to be most important. Snort 2.9.x is single-threaded, thus it can't do much with multiple cores. Suricata is multi-threaded and supports multiple cores, but a number of independent tests of its multi-core multi-thread performance don't indicate huge gains across the board (at least not what most folks would expect).

    One thing to consider with high core count processors (if you use Suricata) is the need for larger amounts of RAM. Suricata bases its initial TCP Stream memory buffer setups on the number of CPU cores. So, for example, with an 8-core CPU, Suricata will usually fail to start and throw a Stream Memcap memory error with the default package configuration. You have to greatly increase the Stream Memcap settings with high core count CPUs. There are some threads about that here in the IDS/IPS sub-forum.

    For home use, any dual-core or quad-core CPU is plenty of horsepower. I would suggest 2.5 GHz or higher for the clock speed. Higher is of course better.
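
As an added example (not from the thread or the pfSense Suricata package), the following POSIX shell script inspects the stream-engine keys the post above is talking about. It reads the `key = value` lines that `suricata --dump-config` prints, converts the memcap to bytes, and multiplies `stream.prealloc-sessions` by the CPU count to show how the preallocated session count scales with cores. The sample dump lines are constructed, the treatment of `prealloc-sessions` as a per-thread figure follows the comment in the stock suricata.yaml, and the values are illustrative assumptions, not measurements from any box.

```shell
#!/bin/sh
# Inspect Suricata stream-engine settings (added example, not from the thread
# or the pfSense package). Uses `suricata --dump-config` when Suricata is
# installed, otherwise a constructed sample of the same "key = value" format.
# Assumption: prealloc-sessions is per packet thread, as the stock
# suricata.yaml comment states; the sample numbers are illustrative only.

# Constructed sample of the relevant dump-config lines (not real output).
SAMPLE_DUMP='threading.detect-thread-ratio = 1
stream.memcap = 64mb
stream.prealloc-sessions = 4096
stream.reassembly.memcap = 256mb'

# config_value DUMP KEY -> prints the value of KEY from dump-config text.
config_value() {
    printf '%s\n' "$1" | awk -v k="$2" '$1 == k && $2 == "=" { print $3; exit }'
}

# to_bytes SIZE -> converts Suricata size strings (64mb, 1gb, 4096) to bytes.
to_bytes() {
    n=$(printf '%s' "$1" | sed 's/[^0-9]//g')
    case "$1" in
        *[kK]b|*[kK]) echo $((n * 1024)) ;;
        *[mM]b|*[mM]) echo $((n * 1024 * 1024)) ;;
        *[gG]b|*[gG]) echo $((n * 1024 * 1024 * 1024)) ;;
        *) echo "$n" ;;
    esac
}

# total_prealloc DUMP THREADS -> sessions preallocated across all threads,
# i.e. stream.prealloc-sessions multiplied by the packet thread count.
total_prealloc() {
    p=$(config_value "$1" stream.prealloc-sessions)
    echo $(( ${p:-0} * $2 ))
}

main() {
    if command -v suricata >/dev/null 2>&1; then
        dump=$(suricata --dump-config 2>/dev/null)
    else
        dump=$SAMPLE_DUMP     # fall back to the constructed sample
    fi
    # FreeBSD (pfSense) reports CPUs via sysctl, Linux via nproc.
    threads=$(sysctl -n hw.ncpu 2>/dev/null || nproc 2>/dev/null || echo 1)
    memcap=$(config_value "$dump" stream.memcap)
    echo "packet threads (CPU count):       $threads"
    echo "stream.memcap:                    $memcap ($(to_bytes "$memcap") bytes)"
    echo "stream.prealloc-sessions/thread:  $(config_value "$dump" stream.prealloc-sessions)"
    echo "sessions preallocated at startup: $(total_prealloc "$dump" "$threads")"
    echo "stream.reassembly.memcap:         $(config_value "$dump" stream.reassembly.memcap)"
}

main "$@"
```

On a pfSense box the same values are the "Stream Memcap" and related fields in the Suricata package GUI; this script only reads what the running configuration resolves them to, so it is a way to confirm a change took effect, not a sizing formula.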