This page is supposed to give users some guidance and examples to consider when purchasing new hardware for use with IPFire.
This is not supposed to give any direct recommendations on what to buy. Rather this is about what not to buy to avoid having a poor experience with IPFire. Networks have to function all of the time because our lives rely on it. In the office, the data centre, the home. The firewall is the most essential part if every network. Without it, nothing works any more. To avoid any frustration, consider this...
Obviously the most important to consider it the security of the hardware. There can be backdoors in the worst case, or hardware vulnerabilities in a slightly better case. If a system is being compromised in such way, there is not much the software can do because it is no longer running on trustworthy hardware and an attacker could perform arbitrary actions like reading or changIng key material in memory or change running code.
Most recent hardware vulnerabilities were Intel’s CPU vulnerabilities also known as Meltdown, Spectre, Fallout, MDS, etc. In IPFire, those are being mitigated by upgrading to the latest version of microcode or mitigations in software. Another famous case was Intel’s Management Engine which allowed remote attackers to take control of the system.
Hardware vendors have introduced a whole new layer of software underneath the operating system which is now exploitable, too. If you can avoid buying something with such vulnerabilities, your system will be substantially more secure.
Unfortunately there are not many systems without this out there any more. So make sure that if your hardware has a management engine or IPMI interface that you disable it, or connect it to a separate network that is dedicated and not accessible from anywhere else.
Many things we use are being updated and replaced after very few years. Firewalls usually live a very long life. Therefore we recommend to invest a little bit more money and get something that is ready for 24/7 use for a long time. That won’t always be cheap, but replacing a system too early isn’t cheap either.
Pay attention to safety standards. Some cheap imports are not allowed to be used everywhere and might break and cause damage.
Many users oversize their hardware.
We are used to buy servers with half a terabyte of memory and run bloated applications in it that will eat a lot of CPU and memory. A firewall doesn’t store data but moves it. It does not need a lot of memory. 4GB is plenty. If you run a web proxy and IPS for many hundreds of users, then go up to 8 or 16GB. You are unlikely to need more.
The same goes for CPU. A high single core performance is helpful, since a large number of cores requires to parallelise operations which brings more overhead. Make sure the processor does not use a lot of power when idle because most of the time it will be waiting for new packets to process.
16GB of storage is plenty - even with a couple of popular add-ons installed. For larger networks there is no need to have more than 256GB unless you want a really large proxy cache.
Let’s have a closer look at some components:
The network adapter is one of the most important components in a good appliance. It will handle every single packet going in or out. At millions of packets per second, it has to be as efficient as possible.
Some network adapters can pre-process packets. They can generate or check checksums and discard corrupted packets that won’t bother the CPU which usually is the bottleneck when it comes to throughput. We call these active network adapters.
Passive network adapters simply receive packets and cause an interrupt telling the processor that data has been received leaving all that work to the processor. Usually even only the first processor in the systems.
Therefore another important characteristic for active network adapters is that they support multiple queues for sending and receiving packets - ideally one per processor core. That allows to load-balance across multiple processor cores which drastically increases throughout.
Most systems are now powerful enough to run cryptography in software. To encrypt or decrypt large amounts of data, acceleration can be helpful to reach throughput of many Gigabit/s.
AES is the most commonly used cipher. Almost no modern processor does not have acceleration for it. Usually it is called
AES-NI and used automatically.
If you are running IPFire with a large number of VPNs or with VPNs with high throughput, you should have this.
On top of the cipher comes the cipher mode. Most common is CBC, but GCM is more secure and should be preferred. It is even much faster because it already provides integrity with it and no longer makes hashing packets with SHA2 or any other hash required.
Processors can have acceleration for GCM which can be found out about searching for the
pclmulqdq flag in
/proc/cpuinfo. It will be a necessity to reach VPN throughput of over 10 GBit/s1.
IPFire has recently been improved to support systems without HWRNGs. All random numbers, even for generating keys are now generated in software.
The system, however, needs to be seeded at boot time which is achieved by a few different methods:
After the system has been booted up, it will only use the CSPRNG and won't use the HWRNG any more.
The past has shown that many HWRNGs are broken (or the software accessing them) and they were unsuitable for use. Therefore we do not recommend to add your own HWRNG if your system does not already have something builtin like Intel's RDRAND.