How old of CPU is too old for firewalls and VM hosts security wise?

Mithril

Active Member
Sep 13, 2019
362
106
43
Want to get thoughts on where the cutoff for Meltdown and Spectre is, assuming up-to-date microcode and OS patches, when deploying something as a firewall, or as a VM host with guests possibly running hostile code. I'm more thinking about security than performance; I'd rather nail down what is secure "enough", and then go from there. I've done a bunch of reading but it's hard to get a feel for "things good enough for a SOHO", as I imagine if I were ever under targeted attack, I'd have an issue no matter what. But what I don't want to do is run something *so* vulnerable that I'm easily hit by less targeted things. I know from my firewall logs that people regularly hit the subnet of my ISP looking for easy vulnerabilities.


And perhaps a more important question, and harder to nail down: where is the cutoff if you have to assume you WON'T get any BIOS/microcode update and must rely on hardware mitigation and/or OS patches?
 

ReturnedSword

Active Member
Jun 15, 2018
526
235
43
Santa Monica, CA
CFL-R is generally the baseline. It will have most of the mitigations baked into the CPU itself, but not all.

As a general matter, I rarely, if ever, have seen vendors support hardware beyond a few generations. My Jetway mobo used for my pfSense has not been updated since 2014, I believe. I am relying on the software mitigations implemented in BSD but it doesn’t affect my performance enough to cause any throughput issues at the moment.

The main issue really, is finding a suitable motherboard or platform for a homelab/SOHO router. I’m looking into upgrading my internet to 2 or 5 Gbps, and it’s tough deciding what hardware to run on that will provide reasonable power usage.
 

Mithril

Active Member
Sep 13, 2019
362
106
43
CFL-R is generally the baseline. It will have most of the mitigations baked into the CPU itself, but not all.

As a general matter, I rarely, if ever, have seen vendors support hardware beyond a few generations. My Jetway mobo used for my pfSense has not been updated since 2014, I believe. I am relying on the software mitigations implemented in BSD but it doesn’t affect my performance enough to cause any throughput issues at the moment.

The main issue really, is finding a suitable motherboard or platform for a homelab/SOHO router. I’m looking into upgrading my internet to 2 or 5 Gbps, and it’s tough deciding what hardware to run on that will provide reasonable power usage.


Yeah, on the Intel side that seems accurate, but boy do I see a bunch of "this is perfect for pfSense/a firewall!" posts for much older CPUs. Any idea for AMD, or just aim for the same year of release?

For homelab use, how good are pure software mitigations?
 
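On Linux the kernel answers the "hardware vs. software mitigation" question directly: each file under /sys/devices/system/cpu/vulnerabilities/ reports "Not affected" (the silicon itself is not susceptible), "Mitigation: ..." (a kernel or microcode workaround is active) or "Vulnerable". The script below is an added example, not something posted in this thread; it classifies those reports and, so it can run anywhere, demonstrates on a constructed snapshot directory rather than on a real machine (pfSense/FreeBSD reports the same information through sysctl instead, which this script does not cover).

```shell
#!/bin/sh
# Summarize the Linux kernel's Spectre/Meltdown status reports.
# Default location; override with VULN_DIR=... to inspect a copied snapshot.
VULN_DIR="${VULN_DIR:-/sys/devices/system/cpu/vulnerabilities}"

# Classify one status line into a short tag:
#   hardware - CPU is not affected (no mitigation needed)
#   software - kernel or microcode mitigation is active
#   exposed  - kernel reports the CPU as still vulnerable
#   unknown  - any other wording
classify_status() {
    case "$1" in
        "Not affected"*) echo hardware ;;
        Mitigation:*)    echo software ;;
        Vulnerable*)     echo exposed ;;
        *)               echo unknown ;;
    esac
}

# Print "<issue> <tag> <raw status>" for every report file in the directory.
list_mitigations() {
    dir="${1:-$VULN_DIR}"
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        status=$(cat "$f")
        printf '%-22s %-9s %s\n' "$(basename "$f")" "$(classify_status "$status")" "$status"
    done
}

# Echo the number of issues the kernel still reports as exposed.
count_exposed() {
    dir="${1:-$VULN_DIR}"
    n=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        [ "$(classify_status "$(cat "$f")")" = exposed ] && n=$((n + 1))
    done
    echo "$n"
}

# Demo on a constructed snapshot (made-up values, not from a real host).
demo_dir=$(mktemp -d)
printf 'Mitigation: PTI\n'                      > "$demo_dir/meltdown"
printf 'Mitigation: usercopy/swapgs barriers\n' > "$demo_dir/spectre_v1"
printf 'Vulnerable: Retpolines, IBPB disabled\n' > "$demo_dir/spectre_v2"
printf 'Not affected\n'                         > "$demo_dir/l1tf"
list_mitigations "$demo_dir"
echo "exposed: $(count_exposed "$demo_dir")"
rm -rf "$demo_dir"
```

Run it unmodified on a Linux box to see the live report; a CPU that is "Not affected" on most lines is the "mitigations baked into the CPU" case discussed above, while a row of "Mitigation:" entries means you are relying on the kernel and microcode.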

ReturnedSword

Active Member
Jun 15, 2018
526
235
43
Santa Monica, CA
My Jetway mobo has an embedded N2930 which is pretty pokey slow by today’s standards. It doesn’t even have AES-NI and certainly none of the hardware or microcode mitigations. All mitigations are in software (BSD). It handles a 400 Mbps internet link, 4 separate networks, and a few VLANs just fine at 1 Gbps line speed. I have a bunch of stuff running on top, notably pfBlockerNG/DNSBL and Suricata, both of which are “heavier” services, and CPU utilization is quite low, in the 30%s. It has 8GB DDR3 and memory utilization rarely goes above 40% as well.

AMD didn’t have as many CPU deficiencies as Intel, so mostly you should be fine there. The main issue with AMD is the lack of suitable motherboards for router/firewall usage, unless you go mITX (or perhaps a HP T740 Plus).

I’d like to mostly upgrade to get AES-NI for faster VPN purposes, and to handle a faster internet speed, but for the most part it is more than sufficient. I am considering a T740 Plus with an x710-T4L for the future router, though that NIC is quite pricey, and I’m worried about heat issues as most corporate mini PCs only have a single fan.
 

Evan

Well-Known Member
Jan 6, 2016
3,346
598
113
I think the answer depends a lot on what you're doing; if running a VPN of some type, you want a CPU that supports the encryption in a hardware-accelerated way.

I am a long way from understanding the finer details of security, but if the Spectre and Meltdown bugs are concerning you, I think it depends what is running on your system; if it’s a shared host or a desktop with programs being executed, the risk is, shall we say, real. How much risk for a dedicated appliance I don’t know, because first you essentially need to get access to or run something on the host, and that’s not as easy to manage.