Buying Considerations

This page gives some guidance and examples of what to consider when purchasing new hardware for use with IPFire.

It does not give direct recommendations on what to buy. Rather, it is about what not to buy, so that you avoid a poor experience with IPFire. Networks have to function all of the time because our lives rely on them, in the office, in the data centre and at home. The firewall is the most essential part of every network: without it, nothing works any more. To avoid frustration, consider the following.

Security

Obviously, the most important thing to consider is the security of the hardware. In the worst case there can be backdoors, in a slightly better case hardware vulnerabilities. If a system is compromised in such a way, there is not much the software can do, because it is no longer running on trustworthy hardware: an attacker could perform arbitrary actions such as reading or changing key material in memory or altering running code.

The most prominent recent hardware vulnerabilities were the CPU vulnerabilities known as Meltdown, Spectre, Fallout, MDS, etc., most of which affected Intel processors. In IPFire, those are mitigated by upgrading to the latest microcode or by mitigations in software; the kernel reports the status of each one in /sys/devices/system/cpu/vulnerabilities. Another famous case was Intel's Management Engine, where vulnerabilities allowed remote attackers to take control of the system.

Hardware vendors have introduced a whole new layer of software underneath the operating system, which is now exploitable, too. If you can buy something without such a layer, your system will be substantially more secure.

Unfortunately, there are not many systems left without it. So if your hardware has a management engine or an IPMI interface, make sure that you disable it, or connect it to a separate, dedicated management network that is not reachable from anywhere else, and keep its firmware up to date.
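As an added example (this is not code from the IPFire project), the following POSIX shell script reads the per-vulnerability status files the Linux kernel exposes under /sys/devices/system/cpu/vulnerabilities, classifies each one as mitigated, exposed or unknown, and prints the microcode revision the kernel reports. It assumes an x86 Linux kernel with that sysfs directory; the file names and status strings in the comments are the kernel's own, everything else (function names, the VULN_DIR override) is specific to this example.

```shell
#!/bin/sh
# Added example (not IPFire project code): report the kernel's view of the
# CPU hardware vulnerabilities of this machine and the loaded microcode
# revision. Assumes a Linux kernel that exposes
# /sys/devices/system/cpu/vulnerabilities (x86). VULN_DIR can be pointed
# at a copy of that directory, which is how the check can be run offline.

VULN_DIR="${VULN_DIR:-/sys/devices/system/cpu/vulnerabilities}"

# classify_status STATUS_LINE
# Maps the content of one sysfs file to a short verdict:
#   ok      - "Not affected" or "Mitigation: ..."
#   exposed - "Vulnerable" or "Vulnerable: ..." (typically the mitigation
#             needs newer microcode than the BIOS or the OS has loaded)
#   unknown - anything else (e.g. "Unknown: ..." on some kernels)
classify_status() {
    case "$1" in
        "Not affected"*|"Mitigation:"*) echo ok ;;
        "Vulnerable"*)                  echo exposed ;;
        *)                              echo unknown ;;
    esac
}

# report_vulnerabilities [DIR]
# Prints "<verdict> <name>: <status>" for every file in DIR.
report_vulnerabilities() {
    dir="${1:-$VULN_DIR}"
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        status=$(cat "$f")
        printf '%-8s %s: %s\n' "$(classify_status "$status")" "$(basename "$f")" "$status"
    done
}

# count_exposed [DIR]
# Prints how many entries are classified as exposed; 0 is the goal.
count_exposed() {
    report_vulnerabilities "$1" | awk '$1 == "exposed" { n++ } END { print n + 0 }'
}

# microcode_version [CPUINFO_FILE]
# Prints the microcode revision the kernel reports for the first CPU
# (empty if the line is absent, e.g. on non-x86 or inside some containers).
microcode_version() {
    awk -F': ' '/^microcode/ { print $2; exit }' "${1:-/proc/cpuinfo}"
}

# Stand-alone run: report on the running system if sysfs is there.
if [ -d "$VULN_DIR" ]; then
    report_vulnerabilities "$VULN_DIR"
    echo "exposed entries: $(count_exposed "$VULN_DIR")"
    echo "microcode revision: $(microcode_version)"
fi
```

Anything reported as exposed after a BIOS update and an IPFire update is a sign the vendor has stopped shipping microcode for that platform, which is exactly the situation the durability section below warns about.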

Durability & Longevity

Many things we use are updated and replaced after very few years. Firewalls, on the other hand, usually live a very long life. Therefore we recommend investing a little more money to get something that is ready for 24/7 use over a long period. That won't always be cheap, but replacing a system too early isn't cheap either.

  • Buy a modern architecture and not the leftovers at a cheap price. You will need BIOS and microcode updates for a long time, and if your system is already discontinued, the vendor won't publish those for much longer. Modern systems also tend to use less power, which saves electricity and produces less heat; that allows small or even no fans, which saves noise, and wear and tear will be lower.
  • Replace any broken or (even slightly) damaged cables. This will save you a lot of time when debugging network problems.

Pay attention to safety standards. Some cheap imports are not approved for use everywhere and might break and cause damage.

Size Matters

Many users oversize their hardware.

We are used to buying servers with half a terabyte of memory and running bloated applications on them that eat a lot of CPU and memory. A firewall doesn't store data, it moves it. It does not need a lot of memory: 4GB is plenty. If you run a web proxy and the IPS for many hundreds of users, go up to 8 or 16GB. You are unlikely to need more.

The same goes for the CPU. High single-core performance is helpful, since a large number of cores requires operations to be parallelised, which brings more overhead. Make sure the processor does not use a lot of power when idle, because most of the time it will be waiting for new packets to process.

16GB of storage is plenty, even with a couple of popular add-ons installed. For larger networks there is no need for more than 256GB unless you want a really large proxy cache.

Components

Let’s have a closer look at some components:

Network Adapters

The network adapter is one of the most important components in a good appliance. It will handle every single packet going in or out. At millions of packets per second, it has to be as efficient as possible.

Some network adapters can pre-process packets: they can generate or check checksums and discard corrupted packets, so that these never bother the CPU, which usually is the bottleneck when it comes to throughput. We call these active network adapters.

Passive network adapters simply receive packets and raise an interrupt telling the processor that data has arrived, leaving all that work to the processor, and usually even only to the first processor core in the system.

Another important characteristic of active network adapters is therefore that they support multiple queues for sending and receiving packets, ideally one per processor core. That allows the load to be balanced across multiple cores, which drastically increases throughput.
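As an added example (not code from the IPFire project), the following POSIX shell script checks both properties from /proc/interrupts: how many queue vectors a network adapter has, and how many different cores actually service them. It assumes the usual Linux /proc/interrupts layout and the common driver naming of queue vectors (eth0-TxRx-0, red0-rx-1 and the like); vectors that do not follow that pattern are not counted, and all function names are this example's own.

```shell
#!/bin/sh
# Added example (not IPFire project code): check whether a network adapter
# drives several hardware queues and whether the interrupts of those queues
# are spread over the CPU cores. Assumes a Linux /proc/interrupts in the
# usual layout and the common driver naming of queue vectors
# ("eth0-TxRx-0", "red0-rx-3", ...). A copy of the file can be passed as
# second argument to every function, so the logic can be checked offline.

# queue_irq_lines IFACE [INTERRUPTS_FILE]
# Prints the lines of /proc/interrupts that belong to IFACE's per-queue
# interrupt vectors. A single-queue (passive) card has no such lines, at
# most one vector named just "green0".
queue_irq_lines() {
    grep -E "[[:space:]]$1(-[A-Za-z]+)*-[0-9]+([[:space:]]|\$)" "${2:-/proc/interrupts}" || true
}

# queue_count IFACE [INTERRUPTS_FILE]
# Number of queue vectors; ideally one per core.
queue_count() {
    queue_irq_lines "$1" "$2" | awk 'END { print NR }'
}

# queue_cpu_map IFACE [INTERRUPTS_FILE]
# Prints "<vector-name> CPU<n>" per queue, where CPU<n> is the core that
# has serviced most of that queue's interrupts so far. Columns 2..k of a
# /proc/interrupts line are the per-CPU counters; the first non-numeric
# field ends them.
queue_cpu_map() {
    queue_irq_lines "$1" "$2" | awk '
    {
        best = 0; bestval = -1
        for (i = 2; i <= NF && $i ~ /^[0-9]+$/; i++)
            if ($i + 0 > bestval) { bestval = $i + 0; best = i - 2 }
        print $NF, "CPU" best
    }'
}

# busy_cpu_count IFACE [INTERRUPTS_FILE]
# Number of distinct cores serving the queues. If this is 1 while
# queue_count is larger, all queues land on one core: the card is fine but
# the IRQ affinity is not (look at irqbalance or /proc/irq/<n>/smp_affinity).
busy_cpu_count() {
    queue_cpu_map "$1" "$2" | awk '!($2 in seen) { seen[$2] = 1; n++ } END { print n + 0 }'
}

# Stand-alone run: summarise every interface of the running system.
for d in /sys/class/net/*; do
    [ -d "$d" ] || continue
    iface=$(basename "$d")
    if [ "$iface" != lo ]; then
        echo "$iface: $(queue_count "$iface") queue vector(s) on $(busy_cpu_count "$iface") core(s)"
    fi
done
```

On a live system, `ethtool -l <iface>` shows how many channels the driver supports and has configured, and `ethtool -k <iface>` lists the offloads (rx-checksumming, tx-checksumming and so on) that make the card "active" in the sense used above; a card that reports one channel and no offloads is the passive kind.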

Acceleration for Cryptographic Operations

Most systems are now powerful enough to run cryptography in software. To encrypt or decrypt large amounts of data, however, acceleration helps to reach a throughput of many Gigabit/s.

AES

AES is the most commonly used cipher, and almost every modern processor has acceleration for it. On x86 it is called AES-NI and is used automatically.

If you are running IPFire with a large number of VPNs, or with VPNs that need high throughput, you should have this.

GCM

On top of the cipher comes the cipher mode. The most common is CBC, but GCM is more secure and should be preferred. It is also much faster, because it provides integrity protection itself, so packets no longer have to be hashed separately with SHA2 or another hash.

Processors can also accelerate GCM; whether yours does can be found out by searching for the pclmulqdq flag in /proc/cpuinfo. It is a necessity to reach VPN throughput of over 10 GBit/s.
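As an added example (not code from the IPFire project), the following POSIX shell script does that search properly: it checks the aes and pclmulqdq flags as whole words (so that, for instance, aes is not mistaken for the separate vaes flag) and tells you whether AES-GCM will run fully, partially or not at all accelerated. It assumes an x86 /proc/cpuinfo with a "flags" line (ARM kernels use "Features"); the function names and the full/partial/none verdicts are this example's own.

```shell
#!/bin/sh
# Added example (not IPFire project code): check /proc/cpuinfo for the
# instruction-set flags that decide whether AES and AES-GCM run
# accelerated. Assumes an x86 CPU (the "flags" line; ARM uses "Features").
# A copy of /proc/cpuinfo can be passed to every function for offline use.

# has_cpu_flag FLAG [CPUINFO_FILE]
# Exit 0 if FLAG appears as a whole word in the first "flags" line.
# grep -w matters: "aes" must not match the separate "vaes" flag.
has_cpu_flag() {
    awk '/^flags[[:space:]]*:/ { print; exit }' "${2:-/proc/cpuinfo}" | grep -qw -- "$1"
}

# gcm_acceleration [CPUINFO_FILE]
# Prints:
#   full    - aes + pclmulqdq: AES-NI for the cipher and carry-less
#             multiply for GHASH, which AES-GCM needs to go beyond 10 GBit/s
#   partial - aes only: the cipher is accelerated but GHASH is not, so GCM
#             loses much of its speed advantage over CBC+SHA2
#   none    - everything runs in plain software
gcm_acceleration() {
    f="${1:-/proc/cpuinfo}"
    if has_cpu_flag aes "$f"; then
        if has_cpu_flag pclmulqdq "$f"; then echo full; else echo partial; fi
    else
        echo none
    fi
}

# accel_report [CPUINFO_FILE]
# One line per flag with yes/no and what it buys you, plus the GCM verdict.
accel_report() {
    f="${1:-/proc/cpuinfo}"
    for entry in "aes:AES-NI, AES block cipher in every mode" \
                 "pclmulqdq:PCLMULQDQ, GHASH for AES-GCM"; do
        flag="${entry%%:*}"
        if has_cpu_flag "$flag" "$f"; then state=yes; else state=no; fi
        printf '%-3s %-10s %s\n' "$state" "$flag" "${entry#*:}"
    done
    echo "AES-GCM acceleration: $(gcm_acceleration "$f")"
}

# Stand-alone run on the running system.
if [ -r /proc/cpuinfo ]; then
    accel_report /proc/cpuinfo
fi
```

To see the difference in numbers on a box that has OpenSSL installed, compare `openssl speed -evp aes-128-gcm` with `openssl speed -evp aes-128-cbc`: with both flags present GCM should come out clearly ahead, since CBC still needs a separate hash pass for integrity.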

Hardware Random Number Generators (HWRNGs)

IPFire has recently been improved to support systems without HWRNGs. All random numbers, even those for generating keys, are now generated in software by the kernel's CSPRNG.

The system, however, needs to be seeded at boot time, which is achieved by a few different methods:

  • If a hardware random number generator is available, it is used to seed the kernel's CSPRNG
  • If not, the system will try to gather entropy through other means (keystrokes, timing of arriving network packets, etc.)
  • If that is not successful, it will pause for a moment and wait until enough entropy is available

After the system has booted, it will only use the CSPRNG and won't use the HWRNG any more.

The past has shown that many HWRNGs (or the software accessing them) are broken and unsuitable for use. Therefore we do not recommend adding your own HWRNG if your system does not already have something built in, like Intel's RDRAND.
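As an added example (not code from the IPFire project), the following POSIX shell script applies the seeding order above to the running machine: it reads which hardware RNG driver, if any, the kernel has bound under /sys/class/misc/hw_random, falls back to checking for the RDRAND flag, and otherwise reports that entropy has to come from software. It assumes Linux sysfs and an x86 /proc/cpuinfo "flags" line; the hwrng:/rdrand/software verdicts and the function names are this example's own.

```shell
#!/bin/sh
# Added example (not IPFire project code): find out where the kernel's
# CSPRNG can get its boot-time seed on this machine. Assumes Linux sysfs
# (/sys/class/misc/hw_random) and an x86 /proc/cpuinfo "flags" line.
# Copies of those files/directories can be passed in for offline checks.

# hwrng_current [SYSFS_DIR]
# Name of the hardware RNG driver the kernel currently reads from, or
# "none" when no hwrng driver is bound (node missing or reading "none").
hwrng_current() {
    d="${1:-/sys/class/misc/hw_random}"
    if [ -r "$d/rng_current" ]; then cat "$d/rng_current"; else echo none; fi
}

# has_rdrand [CPUINFO_FILE]
# Exit 0 if the CPU advertises RDRAND, the built-in generator mentioned
# in the text above. Whole-word match, as with any other cpuinfo flag.
has_rdrand() {
    awk '/^flags[[:space:]]*:/ { print; exit }' "${1:-/proc/cpuinfo}" | grep -qw rdrand
}

# seed_source [SYSFS_DIR] [CPUINFO_FILE]
# Applies the seeding order from the text above and prints which source
# this system can use first:
#   hwrng:<driver> - a dedicated hardware RNG with a bound kernel driver
#   rdrand         - no hwrng driver, but the CPU instruction is there
#   software       - entropy has to be gathered from timing of events
seed_source() {
    cur=$(hwrng_current "$1")
    if [ "$cur" != none ]; then
        echo "hwrng:$cur"
    elif has_rdrand "$2"; then
        echo rdrand
    else
        echo software
    fi
}

# entropy_avail [FILE]
# Bits of entropy the kernel currently counts in its pool (0 if unreadable).
entropy_avail() {
    cat "${1:-/proc/sys/kernel/random/entropy_avail}" 2>/dev/null || echo 0
}

# Stand-alone run on the running system.
echo "seed source: $(seed_source)"
echo "entropy available: $(entropy_avail) bits"
```

A result of "software" is not a problem in itself, as the text above explains; it just means the boot may pause briefly until enough entropy has been gathered. What you should not do is bolt on an external HWRNG dongle to "fix" it.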


Tuesday at 8:47 am • Michael Tremer