We are pleased to announce the addition of the Netgate® SG-5100 Netgate® Security Gateway appliance with pfSense® software, our latest Intel C3000 based appliance, which provides significant performance and engineering improvements relative to the SG-4860.

The SG-5100 is a versatile appliance ideal for managing edge security deployments in multiple segments including:

  • Small and medium business (SMB)
  • Managed Service Providers (MSPs) supporting SMB clients
  • Work-at-home or remote Enterprise users.

Aligned to fit each of these market segments, the SG-5100 delivers amazing performance with pfSense stateful packet filtering, routing and high VPN throughput on a platform with excellent cost-to-benefit ratio.

SG-5100

The SG-5100 uses an embedded Intel® Atom® C3558 processor, enabling gigabit filtering performance and high VPN throughput with plenty of power left for resource intensive pfSense packages such as Snort® IDS / IPS.

The SG-5100 base model is configured with 4GB DDR4 RAM on a SODIMM and can be field-upgraded to 8GB or 16GB. The unit provides 8GB eMMC storage onboard, and supports the addition of M.2 2242 storage or 2.5” SATA storage, enhancing the capabilities of the system when used with applications such as Squid web caching.

Pre-order now!

The SG-5100 Netgate Security Gateway with pfSense software is a great successor to our SG-4860 appliance, bringing vast performance and engineering improvements. From pure filtering and cryptographic acceleration to VPN throughput, the SG-5100 brings improved performance and is a worthy addition to our SG desktop product line.

The SG-5100 is priced at $799 USD. We are now taking pre-orders with an expected ship date of mid-September 2018.

Engineering benefits

The SG-5100 comes in a fanless desktop form-factor, and provides six individual gigabit interfaces, each providing 4 send and 4 receive queues. These serve to improve system performance relative to a single hardware queue solution by allowing flows to be assigned to individual cores using a hashing algorithm known as Receive Side Scaling (RSS). When combined with message signaled interrupts (MSI-X), this provides the ability for each NIC to interrupt the correct CPU for a flow, greatly improving performance.

Cryptographic acceleration improvements

When it comes to encryption, the SG-5100 provides a huge gain in performance relative to the SG-4860. Comparing the encryption acceleration of the quad-core C2558 CPU on a SG-4860, to the quad-core C3558 CPU powering the SG-5100 you will find the following:

  • a 50%-100% faster AES-NI implementation
  • the introduction of instructions which accelerate the Secure Hash Algorithm (SHA)
  • and a new generation of QuickAssist for encryption acceleration.

Looking first at AES-GCM, as implemented by OpenSSL, and relative to the SG-4860 as a baseline, we see speedups between 1.7X at 16 byte buffers, up to 2.4X at 1KB buffers, topping out at 2.5X when using 8KB buffers when using a pre-release version of pfSense software version 2.4.4.

SG-4860-SG-5100-Comparison-aes128

In use cases that require an Hashed Message Authentication Code (HMAC), such as using AES-128-CBC + HMAC-SHA2 on an OpenVPN connection or when using TLS 1.2 (or higher) to secure HTTPS connections with similar encryption and HMAC transforms, the HMAC has traditionally been the limiting factor on speed. The C3000 series of CPUs are the first Intel CPUs to implement new instructions supporting hardware acceleration of the Secure Hash Algorithm. Relative again to the C2558, we see speedups between 2.43X using 16 byte buffers, up to 4.53X using 8K buffers.

SG-4860-SG-5100-Comparison-sha256

These results translate to improved performance for both OpenVPN and IPsec. Using a pre-release version of 2.4.4, we have seen sustained transfer rates in our lab as follows:

VPN-Comparison-Chart

These benchmarks are not using the QuickAssist unit, though we are actively developing the requisite drivers, firmware and other software to enable QuickAssist in pfSense.

Further reading: