This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Circumventing processor throughput limitation on UTM using DMZ?

I have a home office with a SG-105. After recently upgrading to a 1Gbps broadband circuit, I am trying to figure out how to use that bandwidth for my home purposes, without the limitations of the UTM.

If I configure a port for a DMZ, can I shut off packet inspection for that port and then have access to the full internet bandwidth, understanding that I won't have security on that port? Or will the throughput limitation of this sized UTM still apply?

Thanks for any input on this subject.

Steve

This thread was automatically locked due to age.

Parents

0 Emile Belcourt over 5 years ago

Hi Steve,

The SG105 is by and far not suitable for a gigabit connection, let alone for just iptables.

Just for perspective, Sophos official recommendation is an SG430 for a gigabit internet connection with IPS enabled, you could maybe get away with an SG330 for just AV.

The processor of an SG430 rev. 2 is an e3-1225v3 (iirc) and the sg105 is a dual core atom or a celery stick if i remember correctly.

Unfortunately, you can only either turn off IPS for your DMZ for iptables security only or you will have to upgrade (considerably).

Sorry for the bad news.

Emile
Cancel
Vote Up 0 Vote Down

Cancel

Reply

0 Emile Belcourt over 5 years ago

Hi Steve,

The SG105 is by and far not suitable for a gigabit connection, let alone for just iptables.

Just for perspective, Sophos official recommendation is an SG430 for a gigabit internet connection with IPS enabled, you could maybe get away with an SG330 for just AV.

The processor of an SG430 rev. 2 is an e3-1225v3 (iirc) and the sg105 is a dual core atom or a celery stick if i remember correctly.

Unfortunately, you can only either turn off IPS for your DMZ for iptables security only or you will have to upgrade (considerably).

Sorry for the bad news.

Emile
Cancel
Vote Up 0 Vote Down

Cancel

Children

0 Steve Garson1 over 5 years ago in reply to Emile Belcourt

Emile:

My thinking is to have zero security on the DMZ port. Would that prevent the throughput limitation?

Steve
Cancel
Vote Up 0 Vote Down

Cancel
0 Emile Belcourt over 5 years ago in reply to Steve Garson1

Hi Steve,

Frankly, i don't think that little CPU would be very good at handling gigabit switching even at best. If it were just dmz and the internet, maybe.

But anything that causes a cpu spike coukd drop your switching traffic throughput immediately. For just FW switching i would do a minimum of an SG135. Those 105s are really only designed for SOHOs with ADSL speeds with security applied.

Emile
Cancel
Vote Up 0 Vote Down

Cancel