Sizing calculator
After you have selected the deployment scenario that is most appropriate for your IT infrastructure, you must calculate the hardware requirements for servers used for installing application components.
The hardware requirements for 7.0, 7.0.1, and 7.0.3 Central Node servers are different from the hardware requirements of version 6.1. We strongly recommend making sure that your server configuration satisfies the requirements listed in the Calculations for the Central Node component section.
Calculations for the Sensor component
When calculating the hardware requirements for the Sensor component, consider that the maximum traffic volume that can be processed is 10 Gbps. This maximum traffic volume can be processed on one Sensor installed on a standalone server or on multiple Sensors installed on standalone servers which are connected to one Central Node. The total traffic volume from all Sensors connected to one Central Node may not exceed 10 Gbps.
If the network includes more than one 10 Gbps segment and you need to process traffic in these segments, you must use the distributed solution mode.
You can use a server hosting the Sensor as a proxy server during data exchange between workstations with Endpoint Agent and the Central Node (when integrated with the KEDR functionality) to simplify configuration of network rules. For example, if workstations with Endpoint Agent are in a separate segment of the network, it is sufficient to configure a connection between Central Node and Sensor servers.
When using the Sensor as a proxy server for communication between Endpoint Agent components and the Central Node component, consider the following limitations:
- A maximum of 15,000 workstations with the Endpoint Agent component can connect to a single Central Node component.
- The maximum allowed packet loss between Sensor servers and the Central Node is 10% with a packet delay of up to 100 ms.
The required bandwidth of the link between Central Node and Sensor servers depends on the traffic volume that must be processed and is calculated as follows:
10% of the SPAN port traffic at typical load or 20% of the SPAN port traffic at peak load + email traffic + ICAP traffic + requirement for the link between the Central Node and the Endpoint Agent
Hardware requirements for the Sensor server
The Sensor component can be integrated with the IT infrastructure of an organization as follows:
- Receive mirrored traffic from network devices from SPAN ports.
- Connect to a mail server over the POP3 protocol.
- Connect to a mail server over the SMTP protocol.
- Receive traffic from a proxy server over the ICAP protocol.
- Receive data from the Endpoint Agent component.
The hardware requirements for the Sensor server are listed in the tables below. The calculations are provided for a case in which the Sensor processes email messages and mirrored traffic from SPAN ports. If the Sensor is used as a proxy server for communication between Endpoint Agent workstations and the Central Node, you must also take into account the link requirements.
The Sensor component was tested on virtual platforms with a load of up to 1000 Mbit/s inclusive; however, virtual platforms support greater loads. If you want to deploy the Sensor component on a virtual platform and plan to process up to 1000 Mbps of traffic, you can use the table below to calculate the hardware requirements for the Sensor server. If you plan to process more traffic, please contact your account manager to get a calculation of hardware requirements.
Hardware requirements of the Sensor server depending on the volume of processed traffic from SPAN ports when using the KATA and KEDR functionality
| Number of Endpoint Agent components (integration with the KEDR functionality) | Volume of processed traffic (Mbps) | Minimum RAM (GB) | Minimum number of logical cores |
|---|---|---|---|
| 10000 | 100 | 24 | 6 |
| 15000 | 500 | 32 | 10 |
| 15000 | 1000 | 40 | 14 |
| 15000 | 2000 | 64 | 24 |
| 15000 | 4000 | 96 | 36 |
| 15000 | 7000 | 152 | 56 |
| 15000 | 10000 | 200 | 76 |
Hardware requirements of the Sensor server depending on the volume of processed traffic from SPAN ports when using the KATA and NDR functionality
| Volume of processed traffic (Mbps) | Minimum RAM (GB) | Minimum number of logical cores | Minimum number of logical cores when saving mirrored traffic dumps |
|---|---|---|---|
| 100 | 32 | 6 | 8 |
| 500 | 40 | 10 | 12 |
| 1000 | 48 | 14 | 16 |
| 2000 | 72 | 24 | 24 |
| 4000 | 112 | 36 | 40 |
| 7000 | 160 | 56 | 60 |
| 10000 | 208 | 76 | 80 |
The CPU must support the BMI2, AVX, and AVX2 instruction sets.
If you want to process only email messages, but not mirrored traffic from SPAN ports, we recommend using a Sensor installed on the same server as the Central Node. For more details about the hardware requirements, see the Calculations for the Central Node component section → Hardware requirements for the Central Node and Sensor server.
If one Sensor server processes traffic via multiple protocols, to calculate the server hardware, you must consider that mail server or mail sensor integration requires disabling SMTP traffic processing.
Disk space requirements on a Sensor server
It is recommended to use a RAID 1 disk array. The total disk space must be at least 600 GB.
Hardware requirements of the Sensor when saving dumps of mirrored traffic from SPAN ports
If you are saving dumps of mirrored traffic from SPAN ports, the following hardware requirements of the Sensor server are higher:
- Install separate disk storage in the form of a RAID array or DAS pool with the maximum bandwidth calculated using the following formula:
<disk storage bandwidth> = 3 * <maximum throughput of recorded traffic>
- The capacity of disk storage is determined by the expected storage duration and the maximum throughput of traffic being saved, with filters taken into account. According to approximate calculations, to store recorded traffic with a maximum throughput of 10 Gbps for 7 days, you need 750 TiB of disk storage.
Calculations for the Central Node component
Deploying the application on a virtual platform requires 10 percent more CPU resources than deploying the application on a physical server. In virtual disk settings, a Thick Provision disk type must be selected.
To avoid possible performance degradation when deploying the application on a virtual platform, you need to do the following:
- Set Latency Sensitivity to High.
- Reserve all memory.
- Reserve all CPU.
Hardware requirements for a Central Node server with Embedded Sensor
Hardware requirements for a Central Node server with Embedded Sensor depend on the following conditions:
- Volume of processed traffic
  To determine the volume of processed decrypted traffic for calculating the load on the server, use the following formula:
  <volume of decrypted traffic transmitted by ArtX TLSProxy 1.9.1> = 5 * <volume of unencrypted traffic>
  To determine the volume of traffic processed on the ICAP server for calculating the load on the server, use the following formula:
  <volume of traffic processed on the ICAP server> = 5 * <volume of traffic that is not processed on the ICAP server>
- Number of email messages processed per second
- Number of Endpoint Agent hosts
  The Endpoint Agent component can be installed on a workstation, terminal server, file server, or network attached storage (NAS).
  Information about the compatibility of versions of applications that represent the Endpoint Agent component with versions of Kaspersky Anti Targeted Attack Platform is provided in the following Help sections: Kaspersky Endpoint Agent for Windows, Kaspersky Endpoint Security for Windows, Kaspersky Endpoint Security for Linux, Kaspersky Endpoint Security for Mac.
  Kaspersky Endpoint Agent for Windows can also be installed on a SCADA server.
To determine the effective number of hosts with the Endpoint Agent component for calculating the server load, you can use the following formula:
K = A + 3*B + 20*C
where
- 'K' is the maximum number of hosts with the Endpoint Agent component.
- 'A' is the number of workstations and users of terminal servers running a Windows operating system with the Endpoint Agent component installed.
- 'B' is the number of workstations and users of terminal servers running a Linux or macOS operating system with the Endpoint Agent component installed.
- 'C' is the number of servers.
If the volume of processed traffic is greater than 1 Gbps, you must install Central Node and Sensor components on standalone servers.
The hardware requirements for the Central Node server depending on the functionality being used are listed in the tables below.
Note that with the event chain scanning feature enabled, different hardware requirements apply to the Central Node server. Please refer to the Hardware requirements for the Central Node server with the event chain scanning feature enabled section.
Hardware requirements of the Central Node server when using KEDR functionality
| Maximum number of hosts with the Endpoint Agent component | Minimum RAM (GB) | Minimum number of logical cores at 3 GHz | First disk subsystem (RAID 1 or RAID 10): ROPS (read operations per second) | First disk subsystem (RAID 1 or RAID 10): WOPS (write operations per second) | First disk subsystem (RAID 1 or RAID 10): Disk array size (TB) | First disk subsystem (RAID 1 or RAID 10): The number of disks in the array | Second disk subsystem (RAID 10): ROPS (read operations per second) | Second disk subsystem (RAID 10): WOPS (write operations per second) | Second disk subsystem (RAID 10): Disk array size (TB) |
|---|---|---|---|---|---|---|---|---|---|
| 1000 | 80 | 10 | 100 | 250 | 1 | 4 | 300 | 250 | Up to 12 TB |
| 3000 | 96 | 16 | 100 | 500 | 1 | 4 | 500 | 500 | Up to 12 TB |
| 5000 | 112 | 20 | 100 | 500 | 1 | 4 | 700 | 600 | Up to 12 TB |
| 10,000 | 160 | 32 | 100 | 500 | 1 | 4 | 1000 | 800 | Up to 12 TB |
| 15,000 | 208 | 44 | 100 | 500 | 1 | 4 | 1500 | 1000 | Up to 12 TB |
Hardware requirements for the server with the Central Node component when using KATA and KEDR functionality
| Maximum number of hosts with the Endpoint Agent component | Maximum number of email messages per second | Maximum volume of traffic from SPAN ports on the server with the Central Node component | Maximum volume of traffic from SPAN ports on servers with the Sensor component (Mbps) | Minimum RAM (GB) | Minimum number of logical cores at 3 GHz | First disk subsystem (RAID 1 or RAID 10): ROPS (read operations per second) | First disk subsystem (RAID 1 or RAID 10): WOPS (write operations per second) | First disk subsystem (RAID 1 or RAID 10): Disk array size (TB) | First disk subsystem (RAID 1 or RAID 10): The number of disks in the array | Second disk subsystem (RAID 10): ROPS (read operations per second) | Second disk subsystem (RAID 10): WOPS (write operations per second) |
|---|---|---|---|---|---|---|---|---|---|---|---|
| 1000 | 1 | 200 | Not processed | 128 | 24 | 100 | 1000 | 1.9 | 4 | 300 | 300 |
| 2000 | 2 | 500 | Not processed | 144 | 32 | 100 | 1000 | 2 | 4 | 500 | 500 |
| 5000 | 1 | 1000 | Not processed | 192 | 48 | 100 | 1000 | 2 | 4 | 1000 | 600 |
| 10,000 | 2 | 1000 | Not processed | 240 | 60 | 100 | 1000 | 2 | 4 | 2000 | 800 |
| 5000 | 5 | Not processed | 2000 | 176 | 60 | 100 | 1000 | 1.9 | 4 | 1000 | 600 |
| 10,000 | 20 | Not processed | 4000 | 240 | 96 | 100 | 1000 | 1.9 | 4 | 2000 | 800 |
| 15,000 | 20 | Not processed | 4000 | 288 | 108 | 100 | 1000 | 1.9 | 4 | 2000 | 800 |
| 15,000 | 20 | Not processed | 7000 | 320 | 144 | 100 | 1000 | 1.9 | 4 | 2000 | 800 |
| 15,000 | 20 | Not processed | 10,000 | 336 | 180 | 100 | 1000 | 1.9 | 4 | 2000 | 800 |
If you want to install the Central Node component on the "Brest" or "RED Virtualization" virtual platform and use the KEDR or KATA+KEDR functionality, you need to increase the minimum number of logical cores by 20%. If you want to mitigate Spectre or Meltdown type vulnerabilities at the level of the hypervisor OS, you need to additionally increase the minimum number of logical cores by 1.5 times. The other hardware requirements for virtual servers are similar to the requirements for physical servers, listed in the tables above.
Hardware requirements for the server with the Central Node component when using KATA functionality
| Maximum number of email messages per second | Maximum volume of traffic from SPAN ports on the server with the Central Node component | Maximum volume of traffic from SPAN ports on servers with the Sensor component (Mbps) | Minimum RAM (GB) | Minimum number of logical cores at 3 GHz | First disk subsystem (RAID 1 or RAID 10): ROPS (read operations per second) | First disk subsystem (RAID 1 or RAID 10): WOPS (write operations per second) | First disk subsystem (RAID 1 or RAID 10): Disk array size (TB) | First disk subsystem (RAID 1 or RAID 10): The number of disks in the array |
|---|---|---|---|---|---|---|---|---|
| 2 | 500 | Not processed | 72 | 24 | 100 | 1000 | 2 | 4 |
| 2 | 1000 | Not processed | 88 | 36 | 100 | 1000 | 2 | 4 |
| 5 | Not processed | 2000 | 80 | 44 | 100 | 1000 | 2 | 4 |
| 20 | Not processed | 4000 | 96 | 72 | 100 | 1000 | 2 | 2 |
| 20 | Not processed | 7000 | 128 | 108 | 100 | 1000 | 2 | 2 |
| 20 | Not processed | 10,000 | 144 | 144 | 100 | 1000 | 2 | 2 |
If you want to install the Central Node component on the "Brest" or "RED Virtualization" virtual platform and use the KATA functionality, you need to increase the minimum number of logical cores by 30%. If you want to mitigate Spectre or Meltdown type vulnerabilities at the level of the hypervisor OS, you need to additionally increase the minimum number of logical cores by 1.5 times. The other hardware requirements for virtual servers are similar to the requirements for physical servers, listed in the table above.
Hardware requirements for the server with the Central Node component when using KATA, KEDR, and NDR functionality
| Maximum number of Endpoint Agent hosts (integration with the KEDR functionality) | Maximum number of email messages per second | Maximum volume of traffic from SPAN ports on the server with the Central Node component | Maximum volume of traffic from SPAN ports on servers with the Sensor component (Mbps) | Minimum RAM (GB) | Minimum number of logical cores at 3 GHz | First disk subsystem (RAID 1 or RAID 10): ROPS (read operations per second) | First disk subsystem (RAID 1 or RAID 10): WOPS (write operations per second) | First disk subsystem (RAID 1 or RAID 10): Disk array size (TB) | First disk subsystem (RAID 1 or RAID 10): The number of disks in the array | Second disk subsystem (RAID 10): ROPS (read operations per second) | Second disk subsystem (RAID 10): WOPS (write operations per second) |
|---|---|---|---|---|---|---|---|---|---|---|---|
| 1000 | 1 | 200 | Not processed | 160 | 28 | 100 | 1000 | 2 | 4 | 400 | 500 |
| 2000 | 2 | 500 | Not processed | 176 | 40 | 100 | 1000 | 2 | 4 | 600 | 800 |
| 5000 | 1 | 1000 | Not processed | 224 | 56 | 100 | 1200 | 2 | 4 | 1200 | 1000 |
| 10,000 | 2 | 1000 | Not processed | 272 | 68 | 100 | 1200 | 2 | 4 | 2200 | 1200 |
| 5000 | 5 | Not processed | 2000 | 208 | 64 | 100 | 1200 | 2 | 4 | 1200 | 1000 |
| 10,000 | 20 | Not processed | 4000 | 272 | 104 | 100 | 1500 | 2 | 4 | 2200 | 1200 |
| 15,000 | 20 | Not processed | 4000 | 320 | 116 | 100 | 1500 | 2 | 4 | 2200 | 1200 |
| 15,000 | 20 | Not processed | 7000 | 352 | 152 | 200 | 2000 | 2 | 4 | 2300 | 1200 |
| 15,000 | 20 | Not processed | 10,000 | 384 | 188 | 200 | 2000 | 2 | 4 | 2300 | 1200 |
These calculations apply if up to 1000 Endpoint Agent components are connected to one Central Node component when integrating with the NDR functional block. To calculate the hardware requirements for the Central Node server when using more Endpoint Agent NDR components, please contact Technical Support.
Hardware requirements for the server with the Central Node component when using KATA and NDR functionality
| Maximum number of email messages per second | Maximum volume of traffic from SPAN ports on the server with the Central Node component | Maximum volume of traffic from SPAN ports on servers with the Sensor component (Mbps) | Minimum RAM (GB) | Minimum number of logical cores at 3 GHz | First disk subsystem (RAID 1 or RAID 10): ROPS (read operations per second) | First disk subsystem (RAID 1 or RAID 10): WOPS (write operations per second) | First disk subsystem (RAID 1 or RAID 10): Disk array size (TB) | First disk subsystem (RAID 1 or RAID 10): The number of disks in the array |
|---|---|---|---|---|---|---|---|---|
| 2 | 500 | Not processed | 96 | 32 | 100 | 1000 | 2 | 4 |
| 2 | 1000 | Not processed | 128 | 44 | 200 | 2000 | 2 | 4 |
| 5 | Not processed | 2000 | 112 | 52 | 200 | 2000 | 2 | 4 |
| 20 | Not processed | 4000 | 128 | 80 | 200 | 2000 | 2 | 4 |
| 20 | Not processed | 7000 | 160 | 116 | 300 | 2500 | 2 | 4 |
| 20 | Not processed | 10,000 | 192 | 152 | 300 | 2500 | 2 | 4 |
These calculations apply if up to 1000 Endpoint Agent components are connected to one Central Node component when integrating with the NDR functional block. To calculate the hardware requirements for the Central Node server when using more Endpoint Agent NDR components, please contact Technical Support.
Kaspersky Anti Targeted Attack Platform does not support operation with software RAID array.
The CPU must support the BMI2, AVX, and AVX2 instruction sets.
Disk space requirements on the Central Node server
For the Central Node server, we recommend having 2000 GB of free space on the first disk subsystem and 2400 GB on the second disk subsystem. The amount of space required on the second disk subsystem depends on the preferred storage policy and can be calculated using the following formula:
150 GB + <number of Kaspersky Endpoint Agent or Kaspersky Endpoint Security for Windows hosts>/15,000 * (400 GB + 460 GB * <number of days to store data>)/0.65, but no more than 12 TB.
If you want to use the event chain scanning feature, use the following formula to calculate the space requirement on the second disk subsystem:
150 GB + <number of Kaspersky Endpoint Agent or Kaspersky Endpoint Security for Windows hosts>/15,000 * (600 GB + 460 GB * <number of days to store data>)/0.65, but no more than 12 TB.
When using the NDR functionality, you must allocate additional space on the second disk subsystem in accordance with the following formula:
(<number of Endpoint Agent components connected to the NDR functional block> * 0.02 GB + <volume of traffic from SPAN ports (Gbps)> * 10 GB) * <how many days of data you want to store>
These formulas can be used to roughly estimate the required disk space. The actual amount of stored data depends on the traffic profile of the organization and may differ from the calculated result.
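The sizing steps above for a standalone Central Node with KEDR functionality, worked through as an added Python example; it is not Kaspersky's calculator. The function names, the 1 TB = 1000 GB conversion used for the 12 TB cap, choosing the next-larger table row, and multiplying the virtualization factors are assumptions of this example.

```python
import math
from fractions import Fraction

# (max Endpoint Agent hosts, min RAM in GB, min logical cores at 3 GHz), copied
# from the page's table for a Central Node server using KEDR functionality
# (event chain scanning disabled).
KEDR_ROWS = [
    (1000, 80, 10),
    (3000, 96, 16),
    (5000, 112, 20),
    (10000, 160, 32),
    (15000, 208, 44),
]
# "no more than 12 TB"; 1 TB = 1000 GB is an assumption, the page gives no factor.
DISK_CAP_GB = 12 * 1000


def effective_hosts(windows, linux_macos, servers):
    """K = A + 3*B + 20*C: effective Endpoint Agent host count for server load."""
    for n in (windows, linux_macos, servers):
        if n < 0:
            raise ValueError("host counts must be non-negative")
    return windows + 3 * linux_macos + 20 * servers


def kedr_row(k):
    """Return the smallest table row that covers k hosts (assumed rounding rule)."""
    for max_hosts, ram_gb, cores in KEDR_ROWS:
        if k <= max_hosts:
            return {"max_hosts": max_hosts, "ram_gb": ram_gb, "cores": cores}
    raise ValueError("more than 15,000 hosts: outside the single-server table")


def second_disk_gb(hosts, days, event_chain_scanning=False):
    """150 + hosts/15000 * (base + 460*days) / 0.65 GB, capped at 12 TB."""
    base_gb = 600 if event_chain_scanning else 400
    raw = 150 + hosts / 15000 * (base_gb + 460 * days) / 0.65
    return min(raw, DISK_CAP_GB)


def ndr_extra_gb(ndr_agents, span_gbps, days):
    """Additional second-subsystem space when NDR functionality is used."""
    return (ndr_agents * 0.02 + span_gbps * 10) * days


def cores_on_brest_or_red(base_cores, hypervisor_mitigations=False):
    """+20% cores for KEDR on "Brest" or "RED Virtualization", and a further
    1.5x when Spectre/Meltdown mitigations run in the hypervisor OS.
    Multiplying the factors and rounding up to a whole core is an assumption."""
    factor = Fraction(6, 5)
    if hypervisor_mitigations:
        factor *= Fraction(3, 2)
    return math.ceil(base_cores * factor)


def size_kedr_central_node(windows, linux_macos, servers, days):
    """Combine the steps for one non-cluster Central Node (KEDR only)."""
    k = effective_hosts(windows, linux_macos, servers)
    row = kedr_row(k)
    # Feeding K (not the raw host count) into the disk formula is a
    # conservative assumption: K is never smaller than the raw count.
    disk = second_disk_gb(k, days)
    return {"effective_hosts": k, **row, "second_disk_gb": round(disk, 1)}


if __name__ == "__main__":
    # Constructed estate: 4000 Windows workstations, 500 Linux/macOS, 100 servers.
    print(size_kedr_central_node(4000, 500, 100, days=30))
    print(cores_on_brest_or_red(32, hypervisor_mitigations=True))
```

The retention period drives the second disk subsystem far more than the host count does: at 15,000 hosts the formula reaches the 12 TB cap well before 30 days of storage.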
If you did not install Central Node as a high availability cluster, you must calculate the disk space for the Events database, GB and Storage, GB parameters using the following formula:
A = F - R, GB.
where
- 'A' is the space used by the events database and the Storage.
- 'F' is the size of the hard drive on which the Central Node component is installed.
- 'R' is the reserved amount of free space (GB) on the second disk subsystem in accordance with the number of connected hosts with the Endpoint Agent component; this parameter is taken from the table below.
If the number of hosts connected to Central Node is in between the listed values, use the larger number in your calculations.
If you have configured integration for scanning external system objects using the REST API, the hardware requirements of the Central Node server must be increased. Additional hardware requirements are presented in the table below.
Hardware requirements for the Central Node server with integrated external systems
| Maximum number of processed objects per second | Number of additional logical cores | Number of additional Sandbox servers |
|---|---|---|
| 8 | 2 | 1 |
| 16 | 4 | 2 |
| 24 | 7 | 3 |
If you configured integration to send events to an external system using the REST API, you must increase the hardware requirements of the Central Node server by 1 logical core and 6 GB of RAM.
If you are saving network traffic, the hardware requirements of the Central Node server must be increased. For more details on hardware requirements, see Calculations for the Sensor component → Hardware requirements of the Sensor when saving raw network traffic.
Requirements for the PCN server in distributed solution mode
If you are using distributed solution mode, to calculate the hardware requirements, you must take into account that the hardware requirements of the PCN server are 10% higher in terms of RAM and the number of logical cores than the hardware requirements of the server with the Central Node component. The hardware requirements of the Central Node server are listed in the following tables: Hardware requirements for the Central Node server when using KEDR functionality; Hardware requirements for the Central Node server when using KATA+KEDR functionality; Hardware requirements for the Central Node server when using KATA functionality (see above).
You can connect up to 150 SCN servers to one PCN server.
Communication channel requirements
You must make sure that sufficient communication channel bandwidth is available between the Central Node server and each network segment, depending on the number of Endpoint Agent hosts in the segment. The bandwidth requirements depending on the number of Endpoint Agent hosts are listed in the table below.
Communication channel bandwidth depending on the number of Endpoint Agent hosts
| Maximum number of Endpoint Agent hosts | Required bandwidth of the communication channel reserved for Endpoint Agent hosts (Mbps) |
|---|---|
| 10 | 1 |
| 50 | 2 |
| 100 | 3 |
| 1000 | 20 |
| 10,000 | 200 |
Minimum requirements for the communication channel between the PCN and SCN servers in distributed solution mode are listed in the table below.
Minimum requirements for the communication channel between the PCN and SCN servers
| Maximum number of Endpoint Agent hosts | Maximum number of email messages per second | Maximum volume of traffic from SPAN ports (Mbps) | Required communication channel bandwidth (Mbps) |
|---|---|---|---|
| 5000 | 5 | 2000 | 20 |
| 10,000 | 20 | 4000 | 30 |
Hardware requirements for Central Node cluster servers
A cluster must include at least 4 servers: 2 storage servers and 2 processing servers. If you have up to 15,000 connected Endpoint Agent hosts, you need at least 2 storage servers and 2 processing servers. If you have from 15,000 to 30,000 connected Endpoint Agent hosts, you need at least 2 storage servers and 3 processing servers.
Each cluster server must have two network adapters to configure the cluster subnet and the external subnet. The cluster subnet must support a throughput of up to 10 Gbps.
The cluster subnet must also meet the following requirements:
- A cluster subnet must include only the cluster servers and network switches.
- The cluster subnet must be isolated.
- The cluster servers must all be in the same L1 or L2 segment. To do this, you can connect all the servers in the cluster to a single network switch or use software tunneling, for example, L2TPv3 or Overlay Transport Virtualization (OTV).
- The "network latency" value must meet the "single digit latency" requirement, that is, the value must be less than 10 milliseconds.
The hardware requirements for cluster servers when using KEDR functionality are listed in the table below.
Hardware requirements for processing servers when using KEDR functionality
| Minimum RAM (GB) | Minimum number of logical cores | RAID disk array type | The number of disks in a RAID disk array | Single HDD volume (GB) |
|---|---|---|---|---|
| 256 | 48 | RAID 1 | 2 | 1200 |
Hardware requirements for storage servers when using KEDR functionality
| Minimum RAM (GB) | Minimum number of logical cores | First disk subsystem: RAID disk array type | First disk subsystem: The number of disks in a RAID disk array | First disk subsystem: Single HDD volume (GB) | Second disk subsystem: Number of disks | Second disk subsystem: Single HDD volume (GB) |
|---|---|---|---|---|---|---|
| 128 | 16 | RAID 1 | 2 | 1200 | at least 6 | at least 1200 |
We recommend using disks of the same size for the two disk subsystems. For the second disk subsystem, you must use disks that are not combined into a RAID array.
The performance requirements for disk subsystems are equivalent to those specified in the table Hardware requirements for a Central Node server when using KEDR functionality (see above).
Calculations for the Central Node component with event chain scanning enabled
The hardware requirements for the Central Node server with the event chain scanning feature enabled are listed in the tables below.
Hardware requirements for the server with the Central Node component when using KEDR functionality
| Maximum number of hosts with the Endpoint Agent component | Minimum RAM (GB) | Minimum number of logical cores at 3 GHz | First disk subsystem (RAID 1 or RAID 10): ROPS (read operations per second) | First disk subsystem (RAID 1 or RAID 10): WOPS (write operations per second) | First disk subsystem (RAID 1 or RAID 10): Disk array size (TB) | First disk subsystem (RAID 1 or RAID 10): The number of disks in the array | Second disk subsystem (RAID 10): ROPS (read operations per second) | Second disk subsystem (RAID 10): WOPS (write operations per second) | Second disk subsystem (RAID 10): Disk array size (TB) |
|---|---|---|---|---|---|---|---|---|---|
| 1000 | 96 | 12 | 100 | 250 | 1 | 4 | 300 | 300 | Up to 12 TB |
| 3000 | 96 | 16 | 100 | 500 | 1 | 4 | 700 | 750 | Up to 12 TB |
| 5000 | 112 | 20 | 100 | 500 | 1 | 4 | 1000 | 900 | Up to 12 TB |
| 10,000 | 160 | 34 | 100 | 500 | 1 | 4 | 1500 | 1200 | Up to 12 TB |
| 15,000 | 224 | 48 | 100 | 750 | 1 | 4 | 1500 | 1600 | Up to 12 TB |
Hardware requirements for a Central Node server when using the KEDR functionality and 2.1 GHz CPUs
| Maximum number of hosts with the Endpoint Agent component | Minimum RAM (GB) | Minimum number of logical cores at 2.1 GHz | First disk subsystem (RAID 1 or RAID 10): ROPS (read operations per second) | First disk subsystem (RAID 1 or RAID 10): WOPS (write operations per second) | First disk subsystem (RAID 1 or RAID 10): Disk array size (TB) | First disk subsystem (RAID 1 or RAID 10): The number of disks in the array | Second disk subsystem (RAID 10): ROPS (read operations per second) | Second disk subsystem (RAID 10): WOPS (write operations per second) | Second disk subsystem (RAID 10): Disk array size (TB) |
|---|---|---|---|---|---|---|---|---|---|
| 1000 | 96 | 16 | 100 | 250 | 1 | 4 | 300 | 250 | Up to 12 TB |
| 3000 | 96 | 24 | 100 | 500 | 1 | 4 | 700 | 750 | Up to 12 TB |
| 5000 | 112 | 28 | 100 | 500 | 1 | 4 | 1000 | 900 | Up to 12 TB |
| 10,000 | 160 | 48 | 100 | 500 | 1 | 4 | 1500 | 1200 | Up to 12 TB |
| 15,000 | 224 | 64 | 100 | 750 | 1 | 4 | 1500 | 1600 | Up to 12 TB |
Hardware requirements for the server with the Central Node component when using KATA and KEDR functionality
| Maximum number of hosts with the Endpoint Agent component | Maximum number of email messages per second | Maximum volume of traffic from SPAN ports on the server with the Central Node component | Maximum volume of traffic from SPAN ports on servers with the Sensor component (Mbps) | Minimum RAM (GB) | Minimum number of logical cores at 3 GHz | First disk subsystem (RAID 1 or RAID 10): ROPS (read operations per second) | First disk subsystem (RAID 1 or RAID 10): WOPS (write operations per second) | First disk subsystem (RAID 1 or RAID 10): Disk array size (TB) | First disk subsystem (RAID 1 or RAID 10): The number of disks in the array | Second disk subsystem (RAID 10): ROPS (read operations per second) | Second disk subsystem (RAID 10): WOPS (write operations per second) |
|---|---|---|---|---|---|---|---|---|---|---|---|
| 1000 | 1 | 200 | Not processed | 144 | 24 | 100 | 1000 | 1.9 | 4 | 300 | 300 |
| 2000 | 2 | 500 | Not processed | 160 | 32 | 100 | 1000 | 2 | 4 | 700 | 700 |
| 5000 | 1 | 1000 | Not processed | 192 | 48 | 100 | 1000 | 2 | 4 | 1000 | 900 |
| 10,000 | 2 | 1000 | Not processed | 240 | 64 | 100 | 1000 | 2 | 4 | 1500 | 1200 |
| 5000 | 5 | Not processed | 2000 | 192 | 60 | 100 | 1000 | 1.9 | 4 | 1000 | 900 |
| 10,000 | 20 | Not processed | 4000 | 256 | 100 | 100 | 1000 | 1.9 | 4 | 1500 | 1200 |
| 15,000 | 20 | Not processed | 4000 | 304 | 112 | 100 | 1000 | 1.9 | 4 | 1500 | 1600 |
| 15,000 | 20 | Not processed | 7000 | 320 | 148 | 100 | 1000 | 1.9 | 4 | 1500 | 1600 |
| 15,000 | 20 | Not processed | 10,000 | 336 | 184 | 100 | 1000 | 1.9 | 4 | 1500 | 1600 |
If you want to install the Central Node component on the "Brest" or "RED Virtualization" virtual platform and use the KEDR or KATA+KEDR functionality, you need to increase the minimum number of logical cores by 20%. If you want to mitigate Spectre or Meltdown type vulnerabilities at the level of the hypervisor OS, you need to additionally increase the minimum number of logical cores by 1.5 times. The other hardware requirements for virtual servers are similar to the requirements for physical servers, listed in the tables above.
Calculations for the Sandbox component
The hardware requirements for a server with the Sandbox component depend on the type and volume of processed traffic and on the permissible object scan time.
By default, the permissible object scan time is 1 hour. To reduce this time, you need a more powerful server or more servers with the Sandbox component.
It is recommended to calculate the configuration of the Sandbox component as follows:
- Install the Central Node and Sensor components on one server and the Sandbox component on a different server for pilot operation of the application.
To receive sufficient statistical data, the application must process traffic of the organization for a week.
- Run the data recording script by executing the following commands:
sudo kata-run.sh kata-collect --output-dir path-to-folder
--output-dir <path to directory>
When the script finishes running, the collect.tar.gz archive will be moved to the specified directory.
- Forward this archive to Kaspersky Lab staff for analysis.
If multiple virtual machines are started simultaneously, the speed of processing objects from the queue is increased.
The Sandbox component is not supported on AMD processors.
Hardware requirements for the server hosting the Sandbox component
The calculation of the number of servers with the Sandbox component when using preset images of operating systems is shown in the table below.
Hardware requirements for the Sandbox component when using preset images of operating systems
| Maximum number of email messages per second | Maximum volume of traffic from SPAN ports (Mbps) | Maximum number of computers with the Endpoint Agent component | Number of physical servers with the Sandbox component: When using | Number of physical servers with the Sandbox component: When using |
|---|---|---|---|---|
| 1 | 200 | 1000 | 1 | 1 |
| 2 | 500 | 3000 | 1 | 1 |
| 1 | 1000 | 5000 | 1 | 1 |
| 5 | 2000 | 5000 | 1 | 1 |
| 20 | 4000 | 10,000 | 2 | 1 |
| 20 | 7000 | 15,000 | 4 | 2 |
| 20 | 10,000 | 15,000 | 5 | 2 |
If you want to install the Sandbox component on a VMware ESXi virtual machine, you need 5 times more virtual servers to get the same performance you would get from a physical server. When installing the Sandbox component on the "Brest", "RED Virtualization", or zVirt Node virtual platform, you need 13 times as many servers. The estimate for the number of servers is given with the need to configure the object scan duration in mind.
Additional capacity may be required if you are using custom images for Sandbox servers. To calculate the number of physical Sandbox servers required when using custom operating system images, you can use the following formula:
<number of files that need to be processed per hour in accordance with user-defined Sandbox rules> * <number of custom operating system images> / 1000
To calculate the number of VMware ESXi virtual machines with the Sandbox component required when using custom operating system images, you can use the following formula:
<number of files that need to be processed per hour in accordance with user-defined Sandbox rules> * <number of custom operating system images> / 200
When installing the Sandbox component on the "Brest" or zVirt Node virtualization platforms, you can use the following formula to calculate the number of virtual machines required when using custom operating systems images:
<Number of physical servers with the Sandbox component> * 5 * 2.6
When installing the Sandbox component on the RED Virtualization platform, you can use the following formula to calculate the number of virtual machines required when using custom operating systems images:
<Number of physical servers with the Sandbox component> * 5 * 2.5
For the number of physical servers with the Sandbox component, see the Hardware requirements for the Sandbox component when using preset images of operating systems table above.
The estimation of the number of Sandbox servers is listed for servers with the following configuration:
- When installing the Sandbox component on a physical server:
  - 2 CPUs: Intel Xeon 8 Core (HT) at 2.6 GHz or higher.
  - 80 GB of RAM.
  - 2 HDDs, 300 GB each, combined into a RAID 1 array.
- When installing the Sandbox component on a virtual machine:
  - Intel Xeon 15 Core (HT) CPU at 2.1 GHz or higher.
    When installing the Sandbox component on "Brest", zVirt Node, or RED Virtualization platforms, we recommend using Intel processors of the Ice Lake generation or later.
  - 32 GB of RAM.
  - 300 GB HDD.
  On the virtual machine:
  - Nested virtualization enabled.
  - High Latency Sensitivity settings are enabled (only when installing on a VMware ESXi virtual machine).
  - Entire RAM is reserved.
  - Entire CPU frequency is reserved.
  When installing the Sandbox component on a virtual machine, you must set the limit for simultaneously running virtual machines to 12.
  If you plan to use custom operating system images, we recommend increasing the disk space to 600 GB or more.
Calculations for the Central Node component deployed on the KVM virtualization platform
To deploy the Central Node component in a virtual infrastructure, you must install the KVM hypervisor based on the Debian GNU/Linux 12 operating system using the QEMU 8.0.2 emulator.
When deploying the Central Node component in a virtual infrastructure, you must keep in mind the following limitations:
- It is possible to install the application with the installation files of the Ubuntu operating system only.
- Only the non-high-availability version of the application can be installed.
- You can only use the Sensor component deployed on the same server as the Central Node component.
- You can only connect a Sandbox component deployed outside the KVM virtualization platform on a physical server or on another supported virtualization platform.
- For each Central Node server deployed in a virtual infrastructure, a separate network interface must be used for receiving mirrored SPAN traffic.
- You cannot use the API to inform external systems about alerts generated by the application or the API for informing external systems about application events.
- Support for KVM virtualizations used in cloud solutions is not guaranteed.
- In the virtual machine settings, the host value must be set for the type parameter in the CPU settings and the VMware vmxnet3 value for the model parameter in the network adapter settings.
The hardware requirements for the Central Node server depending on the functionality being used are listed in the table below.
Hardware requirements of the Central Node server when using KEDR functionality
| Maximum number of hosts with the Endpoint Agent component | Maximum number of email messages per minute | Maximum volume of traffic from SPAN ports on the server with the Central Node component (Mbps) | Minimum number of logical cores at 3 GHz | Minimum RAM (GB) |
|---|---|---|---|---|
| 50 | 0 | 0 | 4 | 31 |
| 100 | 0 | 0 | 4 | 31 |
| 150 | 0 | 0 | 6 | 31*/32 |
| 250 | 0 | 0 | 6 | 31/32 |
| 500 | 0 | 0 | 8 | 31/34 |
| 750 | 0 | 0 | 10 | 31/38 |
* The value before the slash represents the amount of RAM required to install the Central Node component. After installation, the amount of RAM must be brought up to the value after the slash.
Hardware requirements of the Central Node server when using KATA and KEDR functionality
| Maximum number of hosts with the Endpoint Agent component | Maximum number of email messages per minute | Maximum volume of traffic from SPAN ports on the server with the Central Node component (Mbps) | Minimum number of logical cores at 3 GHz | Minimum RAM (GB) |
|---|---|---|---|---|
| 100 | 1 | 20 | 6 | 31*/32 |
| 250 | 5 | 50 | 6 | 31/32 |
| 500 | 30 | 100 | 12 | 31/40 |
| 750 | 30 | 100 | 12 | 31/46 |
* The value before the slash represents the amount of RAM required to install the Central Node component. After installation, the amount of RAM must be brought up to the value after the slash.