Calculations for the Central Node component
Deploying the application on a virtual platform requires 10 percent more CPU resources than deploying the application on a physical server. In virtual disk settings, a Thick Provision disk type must be selected.
To avoid possible performance degradation when deploying the application on a virtual platform, you need to do the following:
- Set Latency Sensitivity to High.
- Reserve all memory.
- Reserve all CPU.
Hardware requirements for a Central Node server with Embedded Sensor
Hardware requirements for a Central Node server with Embedded Sensor depend on the following conditions:
- Volume of processed traffic
To determine the volume of processed decrypted traffic for calculating the load on the server, use the following formula:
<volume of decrypted traffic transmitted by ArtX TLSProxy 1.9.1> = 5 * <volume of unencrypted traffic>
To determine the volume of traffic processed on the ICAP server for calculating the load on the server, use the following formula:
<volume of traffic processed on the ICAP server> = 5 * <volume of traffic that is not processed on the ICAP server>
- Number of email messages processed per second
- Number of Endpoint Agent hosts
The Endpoint Agent component can be installed on a workstation, terminal server, file server, or network attached storage (NAS).
Information about the compatibility of versions of applications that represent the Endpoint Agent component with versions of Kaspersky Anti Targeted Attack Platform is provided in the following Help sections: Kaspersky Endpoint Agent for Windows, Kaspersky Endpoint Security for Windows, Kaspersky Endpoint Security for Linux, Kaspersky Endpoint Security for Mac.
Kaspersky Endpoint Agent for Windows can also be installed on a SCADA server.
To determine the effective number of hosts with the Endpoint Agent component for calculating the server load, you can use the following formula:
K = A+3*B+20*C
where
- 'K' is the maximum number of hosts with the Endpoint Agent component.
- 'A' is the number of workstations and users of terminal servers running a Windows operating system with the Endpoint Agent component installed.
- 'B' is the number of workstations and users of terminal servers running a Linux or macOS operating system with the Endpoint Agent component installed.
- "C" is the number of servers.
If the volume of processed traffic is greater than 1 Gbps, you must install Central Node and Sensor components on standalone servers.
The hardware requirements for the Central Node server depending on the functionality being used are listed in the tables below.
Note that with the event chain scanning feature enabled, different hardware requirements apply to the Central Node server. Please refer to the Hardware requirements for the Central Node server with the event chain scanning feature enabled section.
Hardware requirements of the Central Node server when using KEDR functionality
Maximum number of hosts with the Endpoint Agent component |
Minimum RAM (GB) |
Minimum number of logical cores at 3 GHz |
First disk subsystem (RAID 1 or RAID 10) |
Second disk subsystem (RAID 10) |
|||||
---|---|---|---|---|---|---|---|---|---|
ROPS (read operations per second) |
WOPS (write operations per second) |
Disk array size (TB) |
The number of disks in the array |
ROPS (read operations per second) |
WOPS (write operations per second) |
Disk array size (TB) |
|||
1000 |
80 |
10 |
100 |
250 |
1 |
4 |
300 |
250 |
Up to 12 TB |
3000 |
96 |
16 |
100 |
500 |
1 |
4 |
500 |
500 |
|
5000 |
112 |
20 |
100 |
500 |
1 |
4 |
700 |
600 |
|
10,000 |
160 |
32 |
100 |
500 |
1 |
4 |
1000 |
800 |
|
15,000 |
208 |
44 |
100 |
500 |
1 |
4 |
1500 |
1000 |
Hardware requirements for the server with the Central Node component when using KATA and KEDR functionality
Maximum number of hosts with the Endpoint Agent component |
Maximum number of email messages per second |
Maximum volume of traffic from SPAN ports on the server with the Central Node component |
Maximum volume of traffic from SPAN ports on servers with the Sensor component (Mbps) |
Minimum RAM (GB) |
Minimum number of logical cores at 3 GHz |
First disk subsystem (RAID 1 or RAID 10) |
Second disk subsystem (RAID 10) |
||||
---|---|---|---|---|---|---|---|---|---|---|---|
ROPS (read operations per second) |
WOPS (write operations per second) |
Disk array size (TB) |
The number of disks in the array |
ROPS (read operations per second) |
WOPS (write operations per second) |
||||||
1000 |
1 |
200 |
Not processed |
128 |
24 |
100 |
1000 |
1.9 |
4 |
300 |
300 |
2000 |
2 |
500 |
Not processed |
144 |
32 |
100 |
1000 |
2 |
4 |
500 |
500 |
5000 |
1 |
1000 |
Not processed |
192 |
48 |
100 |
1000 |
2 |
4 |
1000 |
600 |
10,000 |
2 |
1000 |
Not processed |
240 |
60 |
100 |
1000 |
2 |
4 |
2000 |
800 |
5000 |
5 |
Not processed |
2000 |
176 |
60 |
100 |
1000 |
1.9 |
4 |
1000 |
600 |
10,000 |
20 |
Not processed |
4000 |
240 |
96 |
100 |
1000 |
1.9 |
4 |
2000 |
800 |
15,000 |
20 |
Not processed |
4000 |
288 |
108 |
100 |
1000 |
1.9 |
4 |
2000 |
800 |
15,000 |
20 |
Not processed |
7000 |
320 |
144 |
100 |
1000 |
1.9 |
4 |
2000 |
800 |
15,000 |
20 |
Not processed |
10,000 |
336 |
180 |
100 |
1000 |
1.9 |
4 |
2000 |
800 |
If you want to install the Central Node component on the "Brest" or "RED Virtualization" virtual platform and use the KEDR or KATA+KEDR functionality, you need to increase the minimum number of logical cores by 20%. If you want to mitigate Spectre or Meltdown type vulnerabilities at the level of the hypervisor OS, you need to additionally increase the minimum number of logical cores by 1.5 times. The other hardware requirements for virtual servers are similar to the requirements for physical servers, listed in the tables above.
Hardware requirements for the server with the Central Node component when using КАТА functionality
Maximum number of email messages per second |
Maximum volume of traffic from SPAN ports on the server with the Central Node component |
Maximum volume of traffic from SPAN ports on servers with the Sensor component (Mbps) |
Minimum RAM (GB) |
Minimum number of logical cores at 3 GHz |
First disk subsystem (RAID 1 or RAID 10) |
|||
---|---|---|---|---|---|---|---|---|
ROPS (read operations per second) |
WOPS (write operations per second) |
Disk array size (TB) |
The number of disks in the array |
|||||
2 |
500 |
Not processed |
72 |
24 |
100 |
1000 |
2 |
4 |
2 |
1000 |
Not processed |
88 |
36 |
100 |
1000 |
2 |
4 |
5 |
Not processed |
2000 |
80 |
44 |
100 |
1000 |
2 |
4 |
20 |
Not processed |
4000 |
96 |
72 |
100 |
1000 |
2 |
2 |
20 |
Not processed |
7000 |
128 |
108 |
100 |
1000 |
2 |
2 |
20 |
Not processed |
10,000 |
144 |
144 |
100 |
1000 |
2 |
2 |
If you want to install the Central Node component on the "Brest" or "RED Virtualization" virtual platform and use the KATA functionality, you need to increase the minimum number of logical cores by 30%. If you want to mitigate Spectre or Meltdown type vulnerabilities at the level of the hypervisor OS, you need to additionally increase the minimum number of logical cores by 1.5 times. The other hardware requirements for virtual servers are similar to the requirements for physical servers, listed in the table above.
Hardware requirements for the server with the Central Node component when using KATA, KEDR, and NDR functionality
Maximum number of Endpoint Agent hosts (integration with the KEDR functionality) |
Maximum number of email messages per second |
Maximum volume of traffic from SPAN ports on the server with the Central Node component |
Maximum volume of traffic from SPAN ports on servers with the Sensor component (Mbps) |
Minimum RAM (GB) |
Minimum number of logical cores at 3 GHz |
First disk subsystem (RAID 1 or RAID 10) |
Second disk subsystem (RAID 10) |
||||
---|---|---|---|---|---|---|---|---|---|---|---|
ROPS (read operations per second) |
WOPS (write operations per second) |
Disk array size (TB) |
The number of disks in the array |
ROPS (read operations per second) |
WOPS (write operations per second) |
||||||
1000 |
1 |
200 |
Not processed |
160 |
28 |
100 |
1000 |
2 |
4 |
400 |
500 |
2000 |
2 |
500 |
Not processed |
176 |
40 |
100 |
1000 |
2 |
4 |
600 |
800 |
5000 |
1 |
1000 |
Not processed |
224 |
56 |
100 |
1200 |
2 |
4 |
1200 |
1000 |
10,000 |
2 |
1000 |
Not processed |
272 |
68 |
100 |
1200 |
2 |
4 |
2200 |
1200 |
5000 |
5 |
Not processed |
2000 |
208 |
64 |
100 |
1200 |
2 |
4 |
1200 |
1000 |
10,000 |
20 |
Not processed |
4000 |
272 |
104 |
100 |
1500 |
2 |
4 |
2200 |
1200 |
15,000 |
20 |
Not processed |
4000 |
320 |
116 |
100 |
1500 |
2 |
4 |
2200 |
1200 |
15,000 |
20 |
Not processed |
7000 |
352 |
152 |
200 |
2000 |
2 |
4 |
2300 |
1200 |
15,000 |
20 |
Not processed |
10,000 |
384 |
188 |
200 |
2000 |
2 |
4 |
2300 |
1200 |
These calculations apply if up to 1000 Endpoint Agent components are connected to one Central Node component when integrating with the NDR functional block. To calculate the hardware requirements for the Central Node server when using more Endpoint Agent NDR components, please contact Technical Support.
Hardware requirements for the server with the Central Node component when using KATA and NDR functionality
Maximum number of email messages per second |
Maximum volume of traffic from SPAN ports on the server with the Central Node component |
Maximum volume of traffic from SPAN ports on servers with the Sensor component (Mbps) |
Minimum RAM (GB) |
Minimum number of logical cores at 3 GHz |
First disk subsystem (RAID 1 or RAID 10) |
|||
---|---|---|---|---|---|---|---|---|
ROPS (read operations per second) |
WOPS (write operations per second) |
Disk array size (TB) |
The number of disks in the array |
|||||
2 |
500 |
Not processed |
96 |
32 |
100 |
1000 |
2 |
4 |
2 |
1000 |
Not processed |
128 |
44 |
200 |
2000 |
2 |
4 |
5 |
Not processed |
2000 |
112 |
52 |
200 |
2000 |
2 |
4 |
20 |
Not processed |
4000 |
128 |
80 |
200 |
2000 |
2 |
4 |
20 |
Not processed |
7000 |
160 |
116 |
300 |
2500 |
2 |
4 |
20 |
Not processed |
10,000 |
192 |
152 |
300 |
2500 |
2 |
4 |
These calculations apply if up to 1000 Endpoint Agent components are connected to one Central Node component when integrating with the NDR functional block. To calculate the hardware requirements for the Central Node server when using more Endpoint Agent NDR components, please contact Technical Support.
Kaspersky Anti Targeted Attack Platform does not support operation with software RAID array.
The CPU must support the BMI2, AVX, and AVX2 instruction sets.
Disk space requirements on the Central Node server
For the Central Node server, we recommend having 2000 GB of free space on the first disk subsystem and 2400 GB on the second disk subsystem. The amount of space required on the second disk subsystem depends on the preferred storage policy and can be calculated using the following formula:
150 GB + <number of Kaspersky Endpoint Agent or Kaspersky Endpoint Security for Windows hosts>/15,000 * (400 GB + 460 GB * <number of days to store data>)/0.65, but no more than 12 TB.
If you want to use the event chain scanning feature, use the following formula to calculate the space requirement on the second disk subsystem:
150 GB + <number of Kaspersky Endpoint Agent or Kaspersky Endpoint Security for Windows hosts>/15,000 * (600 GB + 460 GB * <number of days to store data>)/0.65, but no more than 12 TB.
When using the NDR functionality, you must allocate additional space on the second disk subsystem in accordance with the following formula:
(<number of Endpoint Agent components connected to the NDR functional block> * 0.02 GB + <volume of traffic from SPAN ports (Gbps)> * 10 GB) * <how many days of data you want to store>
.
These formulas can be used to roughly estimate the required disk space. The actual amount of stored data depends on the traffic profile of the organization and may differ from the calculated result.
If you did not install Central Node as a high availability cluster, you must calculate the disk space for the Events database, GB and Storage, GB parameters using the following formula:
A = F - R, GB.
where
- 'A' is the space used by the events database and the Storage.
- 'F' is the size of the hard drive on which the Central Node component is installed.
- 'R' is the reserved amount of free space (GB) on the second disk subsystem in accordance with the number of connected hosts with the Endpoint Agent component; this parameter is taken from the table below.
If the number of hosts connected to Central Node is in between the listed values, use the larger number in your calculations.
If you have configured integration for scanning external system objects using the REST API, the hardware requirements of the Central Node server must be increased. Additional hardware requirements are presented in the table below.
Hardware requirements for the Central Node server with integrated external systems
Maximum number of processed objects per second |
Number of additional logical cores |
Number of additional Sandbox servers |
---|---|---|
8 |
2 |
1 |
16 |
4 |
2 |
24 |
7 |
3 |
If you configured integration to send events to an external system using the REST API, you must increase the hardware requirements of the Central Node server by 1 logical core and 6 GB of RAM.
If you are saving network traffic, the hardware requirements of the Central Node server must be increased. For more details on hardware requirements, see Calculations for the Sensor component → Hardware requirements of the Sensor when saving raw network traffic.
Requirements for the PCN server in distributed solution mode
If you are using distributed solution mode, to calculate the hardware requirements, you must take into account that the hardware requirements of the PCN server are 10% higher in terms of RAM and the number of logical cores than the hardware requirements of the server with the Central Node component. The hardware requirements of the Central Node server are listed in the following tables: Hardware requirements for the Central Node server when using KEDR functionality; Hardware requirements for the Central Node server when using KATA+KEDR functionality; Hardware requirements for the Central Node server when using КАТА functionality (see above).
You can connect up to 150 SCN servers to one PCN server.
Communication channel requirements
You must make sure that sufficient communication channel bandwidth is available between the Central Node server and each network segment, depending on the number of Endpoint Agent hosts in the segment. The bandwidth requirements depending on the number of Endpoint Agent hosts is listed in the table below.
Communication channel bandwidth depending on the number of Endpoint Agent hosts
Maximum number of Endpoint Agent hosts |
Required bandwidth of the communication channel reserved for Endpoint Agent hosts (Mbps) |
---|---|
10 |
1 |
50 |
2 |
100 |
3 |
1000 |
20 |
10,000 |
200 |
Minimum requirements for the communication channel between the PCN and SCN servers in distributed solution mode are listed in the table below.
Minimum requirements for the communication channel between the PCN and SCN servers
Maximum number of Endpoint Agent hosts |
Maximum number of email messages per second |
Maximum volume of traffic from SPAN ports (Mbps) |
Required communication channel bandwidth (Mbps) |
---|---|---|---|
5000 |
5 |
2000 |
20 |
10,000 |
20 |
4000 |
30 |
Hardware requirements for Central Node cluster servers
A cluster must include at least 4 servers: 2 storage servers and 2 processing servers. If you have up to 15,000 connected Endpoint Agent hosts, you need at least 2 storage servers and 2 processing servers. If you have from 15,000 to 30,000 connected Endpoint Agent hosts, you need at least 2 storage servers and 3 processing servers.
Each cluster server must have two network adapters to configure cluster and external subnet. The cluster subnet must be capable of up to 10 Gbps.
The cluster subnet must also meet the following requirements:
- A cluster subnet must include only the cluster servers and network switches.
- The cluster subnet must be isolated.
- The cluster servers must all be in the same L1 or L2 segment. To do this, you can connect all the servers in the cluster to a single network switch or use software tunneling. For example, L2TPv3 or Overlay Transport Virtualization (OTV).
- The "network latency" value must meet the "single digit latency" requirement, that is, the value must be less than 10 milliseconds.
The hardware requirements for cluster servers when using KEDR functionality are listed in the table below.
Hardware requirements for processing servers when using KEDR functionality
Minimum RAM (GB) |
Minimum number of logical cores |
RAID disk array type |
The number of disks in a RAID disk array |
Single HDD volume (GB) |
---|---|---|---|---|
256 |
48 |
RAID 1 |
2 |
1200 |
Hardware requirements for storage servers when using KEDR functionality
Minimum RAM (GB) |
Minimum number of logical cores |
First disk subsystem |
Second disk subsystem |
|||
---|---|---|---|---|---|---|
RAID disk array type |
The number of disks in a RAID disk array |
Single HDD volume (GB) |
Number of disks |
Single HDD volume (GB) |
||
128 |
16 |
RAID 1 |
2 |
1200 |
at least 6 |
at least 1200 |
We recommend using disks of the same size for the two disk subsystems. For the second disk subsystem, you must use disks that are not combined into a RAID array.
The performance requirements for disk subsystems are equivalent to those specified in the table Hardware requirements for a Central Node server when using KEDR functionality (see above).