Kaspersky Anti Targeted Attack Platform

Calculations for the Central Node component

Deploying the application on a virtual platform requires 10 percent more CPU resources than deploying the application on a physical server. In virtual disk settings, a Thick Provision disk type must be selected.

To avoid possible performance degradation when deploying the application on a virtual platform, you need to do the following:

  • Set Latency Sensitivity to High.
  • Reserve all memory.
  • Reserve all CPU.

Hardware requirements for a Central Node server with Embedded Sensor

Hardware requirements for a Central Node server with Embedded Sensor depend on the following conditions:

  • Volume of processed traffic

    To determine the volume of processed decrypted traffic for calculating the load on the server, use the following formula:

    <volume of decrypted traffic transmitted by ArtX TLSProxy 1.9.1> = 5 * <volume of unencrypted traffic>

    To determine the volume of traffic processed on the ICAP server for calculating the load on the server, use the following formula:

    <volume of traffic processed on the ICAP server> = 5 * <volume of traffic that is not processed on the ICAP server>

  • Number of email messages processed per second
  • Number of Endpoint Agent hosts

    The Endpoint Agent component can be installed on a workstation, terminal server, file server, or network attached storage (NAS).

    Information about the compatibility of versions of applications that represent the Endpoint Agent component with versions of Kaspersky Anti Targeted Attack Platform is provided in the following Help sections: Kaspersky Endpoint Agent for Windows, Kaspersky Endpoint Security for Windows, Kaspersky Endpoint Security for Linux, Kaspersky Endpoint Security for Mac.

    Kaspersky Endpoint Agent for Windows can also be installed on a SCADA server.

    To determine the effective number of hosts with the Endpoint Agent component for calculating the server load, you can use the following formula:

    K = A+3*B+20*C

    where

    • 'K' is the maximum number of hosts with the Endpoint Agent component.
    • 'A' is the number of workstations and users of terminal servers running a Windows operating system with the Endpoint Agent component installed.
    • 'B' is the number of workstations and users of terminal servers running a Linux or macOS operating system with the Endpoint Agent component installed.
    • 'C' is the number of servers.

If the volume of processed traffic is greater than 1 Gbps, you must install Central Node and Sensor components on standalone servers.

The hardware requirements for the Central Node server depending on the functionality being used are listed in the tables below.

Note that with the event chain scanning feature enabled, different hardware requirements apply to the Central Node server. Please refer to the Hardware requirements for the Central Node server with the event chain scanning feature enabled section.

Hardware requirements of the Central Node server when using KEDR functionality

ROPS is read operations per second; WOPS is write operations per second.

| Maximum number of hosts with the Endpoint Agent component | Minimum RAM (GB) | Minimum number of logical cores at 3 GHz | First disk subsystem (RAID 1 or RAID 10): ROPS | First disk subsystem: WOPS | First disk subsystem: disk array size (TB) | First disk subsystem: number of disks in the array | Second disk subsystem (RAID 10): ROPS | Second disk subsystem: WOPS | Second disk subsystem: disk array size (TB) |
|---|---|---|---|---|---|---|---|---|---|
| 1000 | 80 | 10 | 100 | 250 | 1 | 4 | 300 | 250 | Up to 12 TB |
| 3000 | 96 | 16 | 100 | 500 | 1 | 4 | 500 | 500 | Up to 12 TB |
| 5000 | 112 | 20 | 100 | 500 | 1 | 4 | 700 | 600 | Up to 12 TB |
| 10,000 | 160 | 32 | 100 | 500 | 1 | 4 | 1000 | 800 | Up to 12 TB |
| 15,000 | 208 | 44 | 100 | 500 | 1 | 4 | 1500 | 1000 | Up to 12 TB |

Hardware requirements for the server with the Central Node component when using KATA and KEDR functionality

ROPS is read operations per second; WOPS is write operations per second.

| Maximum number of hosts with the Endpoint Agent component | Maximum number of email messages per second | Maximum volume of traffic from SPAN ports on the server with the Central Node component | Maximum volume of traffic from SPAN ports on servers with the Sensor component (Mbps) | Minimum RAM (GB) | Minimum number of logical cores at 3 GHz | First disk subsystem (RAID 1 or RAID 10): ROPS | First disk subsystem: WOPS | First disk subsystem: disk array size (TB) | First disk subsystem: number of disks in the array | Second disk subsystem (RAID 10): ROPS | Second disk subsystem: WOPS |
|---|---|---|---|---|---|---|---|---|---|---|---|
| 1000 | 1 | 200 | Not processed | 128 | 24 | 100 | 1000 | 1.9 | 4 | 300 | 300 |
| 2000 | 2 | 500 | Not processed | 144 | 32 | 100 | 1000 | 2 | 4 | 500 | 500 |
| 5000 | 1 | 1000 | Not processed | 192 | 48 | 100 | 1000 | 2 | 4 | 1000 | 600 |
| 10,000 | 2 | 1000 | Not processed | 240 | 60 | 100 | 1000 | 2 | 4 | 2000 | 800 |
| 5000 | 5 | Not processed | 2000 | 176 | 60 | 100 | 1000 | 1.9 | 4 | 1000 | 600 |
| 10,000 | 20 | Not processed | 4000 | 240 | 96 | 100 | 1000 | 1.9 | 4 | 2000 | 800 |
| 15,000 | 20 | Not processed | 4000 | 288 | 108 | 100 | 1000 | 1.9 | 4 | 2000 | 800 |
| 15,000 | 20 | Not processed | 7000 | 320 | 144 | 100 | 1000 | 1.9 | 4 | 2000 | 800 |
| 15,000 | 20 | Not processed | 10,000 | 336 | 180 | 100 | 1000 | 1.9 | 4 | 2000 | 800 |

If you want to install the Central Node component on the "Brest" or "RED Virtualization" virtual platform and use the KEDR or KATA+KEDR functionality, you need to increase the minimum number of logical cores by 20%. If you want to mitigate Spectre or Meltdown type vulnerabilities at the level of the hypervisor OS, you need to additionally increase the minimum number of logical cores by 1.5 times. The other hardware requirements for virtual servers are similar to the requirements for physical servers, listed in the tables above.

Hardware requirements for the server with the Central Node component when using KATA functionality

ROPS is read operations per second; WOPS is write operations per second.

| Maximum number of email messages per second | Maximum volume of traffic from SPAN ports on the server with the Central Node component | Maximum volume of traffic from SPAN ports on servers with the Sensor component (Mbps) | Minimum RAM (GB) | Minimum number of logical cores at 3 GHz | First disk subsystem (RAID 1 or RAID 10): ROPS | First disk subsystem: WOPS | First disk subsystem: disk array size (TB) | First disk subsystem: number of disks in the array |
|---|---|---|---|---|---|---|---|---|
| 2 | 500 | Not processed | 72 | 24 | 100 | 1000 | 2 | 4 |
| 2 | 1000 | Not processed | 88 | 36 | 100 | 1000 | 2 | 4 |
| 5 | Not processed | 2000 | 80 | 44 | 100 | 1000 | 2 | 4 |
| 20 | Not processed | 4000 | 96 | 72 | 100 | 1000 | 2 | 2 |
| 20 | Not processed | 7000 | 128 | 108 | 100 | 1000 | 2 | 2 |
| 20 | Not processed | 10,000 | 144 | 144 | 100 | 1000 | 2 | 2 |

If you want to install the Central Node component on the "Brest" or "RED Virtualization" virtual platform and use the KATA functionality, you need to increase the minimum number of logical cores by 30%. If you want to mitigate Spectre or Meltdown type vulnerabilities at the level of the hypervisor OS, you need to additionally increase the minimum number of logical cores by 1.5 times. The other hardware requirements for virtual servers are similar to the requirements for physical servers, listed in the table above.

Hardware requirements for the server with the Central Node component when using KATA, KEDR, and NDR functionality

ROPS is read operations per second; WOPS is write operations per second.

| Maximum number of Endpoint Agent hosts (integration with the KEDR functionality) | Maximum number of email messages per second | Maximum volume of traffic from SPAN ports on the server with the Central Node component | Maximum volume of traffic from SPAN ports on servers with the Sensor component (Mbps) | Minimum RAM (GB) | Minimum number of logical cores at 3 GHz | First disk subsystem (RAID 1 or RAID 10): ROPS | First disk subsystem: WOPS | First disk subsystem: disk array size (TB) | First disk subsystem: number of disks in the array | Second disk subsystem (RAID 10): ROPS | Second disk subsystem: WOPS |
|---|---|---|---|---|---|---|---|---|---|---|---|
| 1000 | 1 | 200 | Not processed | 160 | 28 | 100 | 1000 | 2 | 4 | 400 | 500 |
| 2000 | 2 | 500 | Not processed | 176 | 40 | 100 | 1000 | 2 | 4 | 600 | 800 |
| 5000 | 1 | 1000 | Not processed | 224 | 56 | 100 | 1200 | 2 | 4 | 1200 | 1000 |
| 10,000 | 2 | 1000 | Not processed | 272 | 68 | 100 | 1200 | 2 | 4 | 2200 | 1200 |
| 5000 | 5 | Not processed | 2000 | 208 | 64 | 100 | 1200 | 2 | 4 | 1200 | 1000 |
| 10,000 | 20 | Not processed | 4000 | 272 | 104 | 100 | 1500 | 2 | 4 | 2200 | 1200 |
| 15,000 | 20 | Not processed | 4000 | 320 | 116 | 100 | 1500 | 2 | 4 | 2200 | 1200 |
| 15,000 | 20 | Not processed | 7000 | 352 | 152 | 200 | 2000 | 2 | 4 | 2300 | 1200 |
| 15,000 | 20 | Not processed | 10,000 | 384 | 188 | 200 | 2000 | 2 | 4 | 2300 | 1200 |

These calculations apply if up to 1000 Endpoint Agent components are connected to one Central Node component when integrating with the NDR functional block. To calculate the hardware requirements for the Central Node server when using more Endpoint Agent NDR components, please contact Technical Support.

Hardware requirements for the server with the Central Node component when using KATA and NDR functionality

ROPS is read operations per second; WOPS is write operations per second.

| Maximum number of email messages per second | Maximum volume of traffic from SPAN ports on the server with the Central Node component | Maximum volume of traffic from SPAN ports on servers with the Sensor component (Mbps) | Minimum RAM (GB) | Minimum number of logical cores at 3 GHz | First disk subsystem (RAID 1 or RAID 10): ROPS | First disk subsystem: WOPS | First disk subsystem: disk array size (TB) | First disk subsystem: number of disks in the array |
|---|---|---|---|---|---|---|---|---|
| 2 | 500 | Not processed | 96 | 32 | 100 | 1000 | 2 | 4 |
| 2 | 1000 | Not processed | 128 | 44 | 200 | 2000 | 2 | 4 |
| 5 | Not processed | 2000 | 112 | 52 | 200 | 2000 | 2 | 4 |
| 20 | Not processed | 4000 | 128 | 80 | 200 | 2000 | 2 | 4 |
| 20 | Not processed | 7000 | 160 | 116 | 300 | 2500 | 2 | 4 |
| 20 | Not processed | 10,000 | 192 | 152 | 300 | 2500 | 2 | 4 |

These calculations apply if up to 1000 Endpoint Agent components are connected to one Central Node component when integrating with the NDR functional block. To calculate the hardware requirements for the Central Node server when using more Endpoint Agent NDR components, please contact Technical Support.

Kaspersky Anti Targeted Attack Platform does not support operation with software RAID arrays.

The CPU must support the BMI2, AVX, and AVX2 instruction sets.

Disk space requirements on the Central Node server

For the Central Node server, we recommend having 2000 GB of free space on the first disk subsystem and 2400 GB on the second disk subsystem. The amount of space required on the second disk subsystem depends on the preferred storage policy and can be calculated using the following formula:

150 GB + <number of Kaspersky Endpoint Agent or Kaspersky Endpoint Security for Windows hosts>/15,000 * (400 GB + 460 GB * <number of days to store data>)/0.65, but no more than 12 TB.

If you want to use the event chain scanning feature, use the following formula to calculate the space requirement on the second disk subsystem:

150 GB + <number of Kaspersky Endpoint Agent or Kaspersky Endpoint Security for Windows hosts>/15,000 * (600 GB + 460 GB * <number of days to store data>)/0.65, but no more than 12 TB.

When using the NDR functionality, you must allocate additional space on the second disk subsystem in accordance with the following formula:

(<number of Endpoint Agent components connected to the NDR functional block> * 0.02 GB + <volume of traffic from SPAN ports (Gbps)> * 10 GB) * <how many days of data you want to store>.

These formulas can be used to roughly estimate the required disk space. The actual amount of stored data depends on the traffic profile of the organization and may differ from the calculated result.
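The sizing formulas on this page (K = A+3*B+20*C, the KEDR table row it selects, and the second disk subsystem formulas above), worked through as an added Python example; this is not Kaspersky code. The function names, the sample estate, reading "12 TB" as 12,000 GB, and compounding the 20% and 1.5x core increases are assumptions.

```python
# Added sizing sketch; figures come from the formulas and KEDR table on this page.
KEDR_TIERS = [  # (max effective hosts K, min RAM GB, min logical cores at 3 GHz)
    (1000, 80, 10), (3000, 96, 16), (5000, 112, 20),
    (10_000, 160, 32), (15_000, 208, 44),
]
CAP_GB = 12_000  # "no more than 12 TB", taken as decimal terabytes (assumption)


def effective_hosts(a_windows, b_linux_macos, c_servers):
    """K = A + 3*B + 20*C."""
    return a_windows + 3 * b_linux_macos + 20 * c_servers


def kedr_tier(k, brest_or_red=False, hypervisor_mitigations=False):
    """Return (RAM GB, cores) for the smallest KEDR table row that covers K."""
    for max_hosts, ram, cores in KEDR_TIERS:
        if k <= max_hosts:
            num, den = 1, 1
            if brest_or_red:            # +20% logical cores
                num, den = num * 6, den * 5
            if hypervisor_mitigations:  # a further 1.5x, read here as compounding
                num, den = num * 3, den * 2
            return ram, -(-cores * num // den)  # integer ceiling, no float error
    raise ValueError("K exceeds the largest row of the KEDR table")


def second_subsystem_gb(hosts, days, event_chain=False):
    """150 + hosts/15,000 * (400 or 600 + 460*days) / 0.65, capped at 12 TB."""
    fixed = 600 if event_chain else 400
    return min(150 + hosts / 15_000 * (fixed + 460 * days) / 0.65, CAP_GB)


def max_retention_days(hosts, event_chain=False):
    """Most whole days of data that fit under the cap (the formula inverted)."""
    fixed = 600 if event_chain else 400
    return int(((CAP_GB - 150) * 0.65 * 15_000 / hosts - fixed) // 460)


def ndr_extra_gb(ndr_agents, span_gbps, days):
    """(agents * 0.02 GB + SPAN Gbps * 10 GB) * days, added to the figure above."""
    return (ndr_agents * 0.02 + span_gbps * 10) * days


if __name__ == "__main__":
    k = effective_hosts(2000, 300, 40)  # constructed estate, not from the page
    print(k, kedr_tier(k, brest_or_red=True, hypervisor_mitigations=True))
    print(round(second_subsystem_gb(2000, 30)), max_retention_days(2000))
    print(ndr_extra_gb(500, 1.0, 30))
```

The disk formula takes the count of Kaspersky Endpoint Agent or Kaspersky Endpoint Security for Windows hosts, not K. `max_retention_days` shows how short the retention window becomes as that count approaches 15,000.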

If you did not install Central Node as a high availability cluster, you must calculate the disk space for the Events database, GB and Storage, GB parameters using the following formula:

A = F - R, GB.

where

  • 'A' is the space used by the events database and the Storage.
  • 'F' is the size of the hard drive on which the Central Node component is installed.
  • 'R' is the reserved amount of free space (GB) on the second disk subsystem in accordance with the number of connected hosts with the Endpoint Agent component; this parameter is taken from the table below.

If the number of hosts connected to Central Node is in between the listed values, use the larger number in your calculations.

If you have configured integration for scanning external system objects using the REST API, the hardware requirements of the Central Node server must be increased. Additional hardware requirements are presented in the table below.

Hardware requirements for the Central Node server with integrated external systems

| Maximum number of processed objects per second | Number of additional logical cores | Number of additional Sandbox servers |
|---|---|---|
| 8 | 2 | 1 |
| 16 | 4 | 2 |
| 24 | 7 | 3 |

If you configured integration to send events to an external system using the REST API, you must increase the hardware requirements of the Central Node server by 1 logical core and 6 GB of RAM.

If you are saving network traffic, the hardware requirements of the Central Node server must be increased. For more details on hardware requirements, see Calculations for the Sensor component: Hardware requirements of the Sensor when saving raw network traffic.

Requirements for the PCN server in distributed solution mode

If you are using distributed solution mode, to calculate the hardware requirements, you must take into account that the hardware requirements of the PCN server are 10% higher in terms of RAM and the number of logical cores than the hardware requirements of the server with the Central Node component. The hardware requirements of the Central Node server are listed in the following tables: Hardware requirements for the Central Node server when using KEDR functionality; Hardware requirements for the Central Node server when using KATA+KEDR functionality; Hardware requirements for the Central Node server when using KATA functionality (see above).

You can connect up to 150 SCN servers to one PCN server.

Communication channel requirements

You must make sure that sufficient communication channel bandwidth is available between the Central Node server and each network segment, depending on the number of Endpoint Agent hosts in the segment. The bandwidth requirements depending on the number of Endpoint Agent hosts are listed in the table below.

Communication channel bandwidth depending on the number of Endpoint Agent hosts

| Maximum number of Endpoint Agent hosts | Required bandwidth of the communication channel reserved for Endpoint Agent hosts (Mbps) |
|---|---|
| 10 | 1 |
| 50 | 2 |
| 100 | 3 |
| 1000 | 20 |
| 10,000 | 200 |

Minimum requirements for the communication channel between the PCN and SCN servers in distributed solution mode are listed in the table below.

Minimum requirements for the communication channel between the PCN and SCN servers

| Maximum number of Endpoint Agent hosts | Maximum number of email messages per second | Maximum volume of traffic from SPAN ports (Mbps) | Required communication channel bandwidth (Mbps) |
|---|---|---|---|
| 5000 | 5 | 2000 | 20 |
| 10,000 | 20 | 4000 | 30 |

Hardware requirements for Central Node cluster servers

A cluster must include at least 4 servers: 2 storage servers and 2 processing servers. If you have up to 15,000 connected Endpoint Agent hosts, you need at least 2 storage servers and 2 processing servers. If you have from 15,000 to 30,000 connected Endpoint Agent hosts, you need at least 2 storage servers and 3 processing servers.

Each cluster server must have two network adapters to configure the cluster and external subnets. The cluster subnet must be capable of up to 10 Gbps.

The cluster subnet must also meet the following requirements:

  • A cluster subnet must include only the cluster servers and network switches.
  • The cluster subnet must be isolated.
  • The cluster servers must all be in the same L1 or L2 segment. To do this, you can connect all the servers in the cluster to a single network switch or use software tunneling, for example, L2TPv3 or Overlay Transport Virtualization (OTV).
  • The "network latency" value must meet the "single digit latency" requirement, that is, the value must be less than 10 milliseconds.

The hardware requirements for cluster servers when using KEDR functionality are listed in the table below.

Hardware requirements for processing servers when using KEDR functionality

| Minimum RAM (GB) | Minimum number of logical cores | RAID disk array type | The number of disks in a RAID disk array | Single HDD volume (GB) |
|---|---|---|---|---|
| 256 | 48 | RAID 1 | 2 | 1200 |

Hardware requirements for storage servers when using KEDR functionality

| Minimum RAM (GB) | Minimum number of logical cores | First disk subsystem: RAID disk array type | First disk subsystem: number of disks in a RAID disk array | First disk subsystem: single HDD volume (GB) | Second disk subsystem: number of disks | Second disk subsystem: single HDD volume (GB) |
|---|---|---|---|---|---|---|
| 128 | 16 | RAID 1 | 2 | 1200 | at least 6 | at least 1200 |

We recommend using disks of the same size for the two disk subsystems. For the second disk subsystem, you must use disks that are not combined into a RAID array.

The performance requirements for disk subsystems are equivalent to those specified in the table Hardware requirements for a Central Node server when using KEDR functionality (see above).

See also

Calculations for the Sensor component

Calculations for the Central Node component with event chain scanning enabled

Calculations for the Sandbox component

Calculations for the Central Node component deployed on the KVM virtualization platform