Calculations for the Sensor component
When calculating the hardware requirements for the Sensor component, consider that the maximum traffic volume that can be processed is 10 Gbps. This maximum traffic volume can be processed on one Sensor installed on a standalone server or on multiple Sensors installed on standalone servers which are connected to one Central Node. The total traffic volume from all Sensors connected to one Central Node may not exceed 10 Gbps.
If the network includes more than one 10 Gbps segment and you need to process traffic in these segments, you must use the distributed solution mode.
You can use a server hosting the Sensor as a proxy server during data exchange between workstations with Endpoint Agent and the Central Node (when integrated with the KEDR functionality) to simplify configuration of network rules. For example, if workstations with Endpoint Agent are in a separate segment of the network, it is sufficient to configure a connection between Central Node and Sensor servers.
When using the Sensor as a proxy server for communication between Endpoint Agent components and the Central Node component, consider the following limitations:
- A maximum of 15,000 workstations with the Endpoint Agent component can connect to a single Central Node component.
- The maximum allowed packet loss between Sensor servers and the Central Node is 10% with a packet delay of up to 100 ms.
The required bandwidth of the link between Central Node and Sensor servers depends on the traffic volume that must be processed and is calculated as follows:
10% of the SPAN port traffic at typical load or 20% of the SPAN port traffic at peak load + email traffic + ICAP traffic + requirement for the link between the Central Node and the Endpoint Agent
Hardware requirements for the Sensor server
The Sensor component can be integrated with the IT infrastructure of an organization as follows:
- Receive mirrored traffic from network devices from SPAN ports.
- Connect to a mail server over the POP3 protocol.
- Connect to a mail server over the SMTP protocol.
- Receive traffic from a proxy server over the ICAP protocol.
- Receive data from the Endpoint Agent component.
The hardware requirements for the Sensor server are listed in the tables below. The calculations are provided for a case in which the Sensor processes email messages and mirrored traffic from SPAN ports. If the Sensor is used as a proxy server for communication between Endpoint Agent workstations and the Central Node, you must also take into account the link requirements.
The Sensor component was tested on virtual platforms with a load of up to 1000 Mbit/s inclusive; however, virtual platforms support greater loads. If you want to deploy the Sensor component on a virtual platform and plan to process up to 1000 Mbps of traffic, you can use the table below to calculate the hardware requirements for the Sensor server. If you plan to process more traffic, please contact your account manager to get a calculation of hardware requirements.
Hardware requirements of the Sensor server depending on the volume of processed traffic from SPAN ports when using the KATA and KEDR functionality
Number of Endpoint Agent components (integration with the KEDR functionality) | Volume of processed traffic (Mbps) | Minimum RAM (GB) | Minimum number of logical cores |
---|---|---|---|
10000 | 100 | 24 | 6 |
15000 | 500 | 32 | 10 |
15000 | 1000 | 40 | 14 |
15000 | 2000 | 64 | 24 |
15000 | 4000 | 96 | 36 |
15000 | 7000 | 152 | 56 |
15000 | 10000 | 200 | 76 |
Hardware requirements of the Sensor server depending on the volume of processed traffic from SPAN ports when using the KATA and NDR functionality
Volume of processed traffic (Mbps) | Minimum RAM (GB) | Minimum number of logical cores | Minimum number of logical cores when saving mirrored traffic dumps |
---|---|---|---|
100 | 32 | 6 | 8 |
500 | 40 | 10 | 12 |
1000 | 48 | 14 | 16 |
2000 | 72 | 24 | 24 |
4000 | 112 | 36 | 40 |
7000 | 160 | 56 | 60 |
10000 | 208 | 76 | 80 |
The CPU must support the BMI2, AVX, and AVX2 instruction sets.
If you want to process only email messages, but not mirrored traffic from SPAN ports, we recommend using a Sensor installed on the same server as the Central Node. For more details about the hardware requirements, see the Calculations for the Central Node component section → Hardware requirements for the Central Node and Sensor server.
If one Sensor server processes traffic via multiple protocols, to calculate the server hardware, you must consider that mail server or mail sensor integration requires disabling SMTP traffic processing.
Disk space requirements on a Sensor server
It is recommended to use a RAID 1 disk array. The total disk space must be at least 600 GB.
Hardware requirements of the Sensor when saving dumps of mirrored traffic from SPAN ports
If you are saving dumps of mirrored traffic from SPAN ports, the hardware requirements for the Sensor server are higher:
- Install separate disk storage in the form of a RAID array or DAS pool with the maximum bandwidth calculated using the following formula:
<disk storage bandwidth> = 3 * <maximum throughput of recorded traffic>
- The capacity of disk storage is determined by the expected storage duration and the maximum throughput of traffic being saved, with filters taken into account. According to approximate calculations, to store recorded traffic with a maximum throughput of 10 Gbps for 7 days, you need 750 TiB of disk storage.
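The sizing rules on this page (the 10 Gbps limit per Central Node, the KATA and NDR table, the link bandwidth formula and the dump storage formula) can be combined into one planning sketch. This is an added example, not vendor code: the function names are hypothetical, rounding a load up to the next table row and scaling capacity linearly from the 750 TiB reference figure are assumptions, and the Endpoint Agent link requirement is an input because this page does not quantify it.

```python
# Added sizing sketch; table rows and formulas are copied from this page.
# Tier rounding and linear capacity scaling are assumptions, not vendor rules.
import bisect

MAX_CN_MBPS = 10_000  # total SPAN traffic allowed per Central Node
# KATA + NDR table: Mbps -> (RAM GB, logical cores, cores when saving dumps)
NDR_TABLE = [
    (100, 32, 6, 8), (500, 40, 10, 12), (1000, 48, 14, 16), (2000, 72, 24, 24),
    (4000, 112, 36, 40), (7000, 160, 56, 60), (10000, 208, 76, 80),
]
REF_TIB, REF_MBPS, REF_DAYS = 750, 10_000, 7  # page's approximate reference point


def ndr_tier(span_mbps, save_dumps=False):
    """Return (tier Mbps, RAM GB, cores) for the first row that covers the load."""
    if not 0 < span_mbps <= MAX_CN_MBPS:
        raise ValueError("a Sensor handles at most 10 Gbps of SPAN traffic")
    i = bisect.bisect_left([row[0] for row in NDR_TABLE], span_mbps)
    mbps, ram, cores, cores_dump = NDR_TABLE[i]
    return mbps, ram, cores_dump if save_dumps else cores


def link_mbps(span_mbps, email_mbps, icap_mbps, agent_link_mbps, peak=False):
    """Central Node <-> Sensor link: 10% of SPAN (20% at peak) + email + ICAP + agents."""
    return span_mbps * (0.20 if peak else 0.10) + email_mbps + icap_mbps + agent_link_mbps


def dump_storage(recorded_mbps, days):
    """Return (disk bandwidth in Mbps, capacity in TiB) for saving traffic dumps."""
    bandwidth = 3 * recorded_mbps  # <disk storage bandwidth> = 3 * <max throughput>
    capacity = REF_TIB * (recorded_mbps / REF_MBPS) * (days / REF_DAYS)
    return bandwidth, capacity


def plan(sensors_mbps, days, save_dumps=True):
    """Size every Sensor attached to one Central Node; reject plans over 10 Gbps."""
    if sum(sensors_mbps) > MAX_CN_MBPS:
        raise ValueError("total exceeds 10 Gbps: use the distributed solution mode")
    return [(ndr_tier(m, save_dumps), dump_storage(m, days)) for m in sensors_mbps]


if __name__ == "__main__":
    # Constructed scenario: three Sensors, 14-day dump retention.
    for tier, storage in plan([800, 2500, 4000], days=14):
        print(tier, storage)
```

The capacity figure inherits the approximation of the page's reference value and ignores capture filters, which reduce the recorded throughput.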