Best IDS/IPS for small datacenter with 10Gbps uplink?
We're looking to upgrade our security stack at our small colo facility. Currently running basic iptables rules but need proper IDS/IPS protection.
Requirements:
- 10Gbps throughput minimum
- Compatible with pfSense or open-source solutions
- Low latency (<5ms impact)
- Budget: ~$5-8k hardware
Considering Suricata vs Snort 3 on a dedicated appliance. Has anyone deployed Netgate 6100 or similar for this workload? Looking for real latency numbers and CPU utilization data.
Also open to enterprise solutions if cost-justified. Thanks!
Edited at 26 Mar 2026, 19:34
Suricata will handle 10Gbps better than Snort 3 in my experience—it's built for multi-threading from the ground up. The 6100 is solid but honestly underpowered for inline IPS at that throughput; you're looking at 40-60% CPU with full rule inspection.
Better move: bare metal Suricata on a dual-socket Xeon with 25G NICs (~$6k) in IPS mode, or consider Zeek + Suricata split (Zeek for logging, Suricata for blocking). Latency should stay under 3ms with proper tuning. YMMV depending on your ruleset complexity though.
Thanks for the heads up on Suricata—yeah, the threading advantage makes sense. So you're saying the 6100 would bottleneck at 10Gbps for inline IPS? What hardware were you running instead, or did you end up going with a separate Suricata box?
We went with Suricata on a beefy x86 box instead of the 6100, handles our 10G passthrough without breaking a sweat. YMMV but worth the extra hardware spend IMO.
Agreed on the x86 route—we ditched Netgate gear for 10G too, went with Suricata on a dual Xeon box and latency stayed under 3ms. Hardware's cheap compared to dropping packets.
Have you considered just running Suricata in IDS mode (tap/passive) instead of inline IPS? Keeps latency near-zero and you can still catch threats. Then use pfSense rules as your actual blocking layer—simpler stack, less chance of the IPS becoming your bottleneck. We did this at our 10G facility and it's been rock solid.
Yeah the passive IDS tap mode is underrated—we do that with Suricata and it's literally zero latency impact while still giving you threat visibility.
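The last two replies describe the split where Suricata only watches a tap and pfSense does the actual blocking. Here is an added example of the glue between the two (my own code, not from anyone in the thread): it reads Suricata's EVE JSON alert records, ignores everything that is not a well-formed alert, refuses to block your own or RFC1918 space, requires more than one high-severity hit before an address qualifies, and emits a one-address-per-line list that a pfSense "URL Table (IPs)" alias can pull. The severity/hit thresholds, the allowlist, the signature names and the sample alert lines are all constructed for the example.

```python
"""Passive Suricata alerts -> pfSense block list (added example, not from the thread).

Assumes Suricata's EVE JSON alert records (event_type, src_ip,
alert.severity, alert.signature) and a pfSense "URL Table (IPs)" alias
that fetches one IP or CIDR per line. Thresholds, the allowlist and the
sample alert lines below are constructed for this example.
"""
import ipaddress
import json
from collections import Counter, defaultdict

# Never block these: RFC1918, loopback, and a hypothetical colo prefix.
ALLOW_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "203.0.113.0/24",   # constructed: the facility's own public range
)]


def is_allowlisted(ip_str):
    """True if the address must not be blocked (or cannot be parsed)."""
    try:
        ip = ipaddress.ip_address(ip_str)
    except ValueError:
        return True  # garbage in src_ip: refuse rather than block blindly
    return any(ip in net for net in ALLOW_NETS)


def parse_alerts(lines):
    """Yield (src_ip, severity, signature) from well-formed EVE alert lines."""
    for line in lines:
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # partial line (rotation, crash): skip, don't abort
        if ev.get("event_type") != "alert":
            continue  # flow, dns, http... records carry no verdict
        alert = ev.get("alert") or {}
        src, sev = ev.get("src_ip"), alert.get("severity")
        if not src or not isinstance(sev, int):
            continue
        yield src, sev, alert.get("signature", "")


def build_blocklist(lines, max_severity=2, min_hits=3):
    """Return (sorted IPs to block, {ip: [signatures]}) for review.

    Only alerts at severity <= max_severity count (1 is highest in Suricata),
    and an IP needs min_hits of them so one noisy rule cannot block a peer.
    """
    hits, sigs = Counter(), defaultdict(set)
    for src, sev, sig in parse_alerts(lines):
        if sev > max_severity or is_allowlisted(src):
            continue
        hits[src] += 1
        sigs[src].add(sig)
    blocked = sorted(
        (ip for ip, n in hits.items() if n >= min_hits),
        key=lambda s: (ipaddress.ip_address(s).version, ipaddress.ip_address(s)),
    )
    return blocked, {ip: sorted(sigs[ip]) for ip in blocked}


def render_url_table(blocked):
    """One address per line, the format a pfSense URL Table alias fetches."""
    return "".join(f"{ip}\n" for ip in blocked)


# Constructed EVE lines; signature names are made up, not real ruleset names.
SAMPLE_EVE = [
    '{"event_type":"alert","src_ip":"198.51.100.7","dest_ip":"203.0.113.10","alert":{"signature":"TEST SCAN SSH brute force","severity":1}}',
    '{"event_type":"alert","src_ip":"198.51.100.7","dest_ip":"203.0.113.10","alert":{"signature":"TEST SCAN SSH brute force","severity":1}}',
    '{"event_type":"alert","src_ip":"198.51.100.7","dest_ip":"203.0.113.11","alert":{"signature":"TEST EXPLOIT web shell upload","severity":1}}',
    '{"event_type":"alert","src_ip":"198.51.100.7","dest_ip":"203.0.113.11","alert":{"signature":"TEST INFO plain HTTP","severity":3}}',
    '{"event_type":"alert","src_ip":"198.51.100.9","dest_ip":"203.0.113.10","alert":{"signature":"TEST SCAN SSH brute force","severity":1}}',
    '{"event_type":"alert","src_ip":"192.168.1.5","dest_ip":"203.0.113.10","alert":{"signature":"TEST SCAN SSH brute force","severity":1}}',
    '{"event_type":"alert","src_ip":"192.168.1.5","dest_ip":"203.0.113.10","alert":{"signature":"TEST SCAN SSH brute force","severity":1}}',
    '{"event_type":"alert","src_ip":"192.168.1.5","dest_ip":"203.0.113.10","alert":{"signature":"TEST SCAN SSH brute force","severity":1}}',
    '{"event_type":"alert","src_ip":"2001:db8::1","dest_ip":"203.0.113.10","alert":{"signature":"TEST POLICY known bad reputation","severity":2}}',
    '{"event_type":"alert","src_ip":"2001:db8::1","dest_ip":"203.0.113.10","alert":{"signature":"TEST POLICY known bad reputation","severity":2}}',
    '{"event_type":"alert","src_ip":"2001:db8::1","dest_ip":"203.0.113.10","alert":{"signature":"TEST POLICY known bad reputation","severity":2}}',
    '{"event_type":"flow","src_ip":"198.51.100.9","dest_ip":"203.0.113.10"}',
    '{"event_type":"alert","src_ip":"198.51.100.',  # truncated by log rotation
]

if __name__ == "__main__":
    blocked, why = build_blocklist(SAMPLE_EVE)
    for ip in blocked:
        print(f"# {ip}: {', '.join(why[ip])}")
    print(render_url_table(blocked), end="")
```

On the sample input only 198.51.100.7 (three severity-1 hits; the severity-3 one is ignored) and 2001:db8::1 end up in the list; 198.51.100.9 has a single hit and 192.168.1.5 is allowlisted. Run it from cron, serve the output file over HTTPS, and point the alias at it; the alias refresh interval is then the upper bound on how long a noisy source keeps talking to you, which is the latency you trade for keeping Suricata off the forwarding path.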