Intrusion detection is a very expensive operation. Powerful hardware is required to perform it in real time; otherwise, higher latencies or packet drops will occur.
The IPS in IPFire is optimised to take as much load off the processor as possible. That comes as a trade-off with memory. At the startup of the IPS, all selected rules are compiled and optimised into a form that can easily be matched against the packet flow.
We therefore use as much RAM as we need to make this process as efficient as possible. The more rules, the more RAM will be used and of course the more rules have to be matched against the packet flow.
However, there is a limit beyond which missing CPU resources can no longer be compensated for with memory. So if you are buying new hardware, invest in a fast processor rather than in more RAM.
The IPS also load-balances packets over all available processor cores. That, however, works best when good network adapters are in use that have multiple queues and spread receiving and transmitting packets across multiple cores.
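To check whether a network adapter exposes multiple queues, the following added example (not part of IPFire itself) counts the RX/TX queue directories the Linux kernel publishes under /sys/class/net/<interface>/queues and compares them with the number of CPU cores. The function names and verdict strings are hypothetical choices made for this example.

```shell
#!/bin/sh
# Added example: report RX/TX queue counts per network interface.
# Reads the queue directories the Linux kernel exposes in sysfs.
# Bridges, VLANs and other virtual devices normally show one queue.

count_queues() {
    # $1 = interface directory in sysfs, $2 = "rx" or "tx"
    n=0
    for q in "$1"/queues/"$2"-*; do
        if [ -d "$q" ]; then
            n=$((n + 1))
        fi
    done
    echo "$n"
}

nic_queue_report() {
    # $1 = sysfs net directory, $2 = number of CPU cores
    net_dir=$1
    cores=$2
    for dev in "$net_dir"/*; do
        # Skip anything that is not a network device (or an unmatched glob)
        if [ ! -d "$dev/queues" ]; then
            continue
        fi
        name=${dev##*/}
        if [ "$name" = "lo" ]; then
            continue
        fi
        rx=$(count_queues "$dev" rx)
        tx=$(count_queues "$dev" tx)
        if [ "$rx" -le 1 ] || [ "$tx" -le 1 ]; then
            verdict="single-queue"
        elif [ "$rx" -lt "$cores" ]; then
            verdict="multi-queue, fewer queues than cores"
        else
            verdict="multi-queue"
        fi
        echo "$name rx=$rx tx=$tx cores=$cores $verdict"
    done
}

# Run against the live system; set SYSFS_NET to point at another tree.
nic_queue_report "${SYSFS_NET:-/sys/class/net}" "$(nproc 2>/dev/null || echo 1)"
```

An interface reported as single-queue receives all of its packets on one queue, so the adapter itself cannot spread that traffic across cores.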
Due to virtualisation overhead, which is especially high when processing many packets, and due to Spectre/Meltdown mitigations, the performance of the IPS in virtual environments is very low: only a fraction of the throughput the hardware would otherwise be able to reach.