Kaspersky Security Center 13.1
[Topic 162088]

About this Guide

Kaspersky Security Center 13.1 (also referred to as Kaspersky Security Center) Sizing Guide is intended for professionals who install and administer Kaspersky Security Center, as well as for those who provide technical support to organizations that use Kaspersky Security Center.

All recommendations and calculations are given for networks on which Kaspersky Security Center manages the protection of devices with Kaspersky software installed, including mobile devices. If mobile devices, or any other managed devices, are to be considered separately, this is stated specifically.

To obtain and maintain optimum performance under varying operational conditions, you must take into account the number of networked devices, network topology, and set of Kaspersky Security Center features that you require.

This Guide provides the following information:

  • Limitations of Kaspersky Security Center
  • Calculations for the key nodes of Kaspersky Security Center (Administration Servers and distribution points):
    • Hardware requirements for Administration Servers and distribution points
    • Calculation of the number and hierarchy of Administration Servers
    • Calculation of the number and configuration of distribution points
  • Configuration of event logging in the database depending on the number of networked devices
  • Configuration of specific tasks aimed at optimal performance of Kaspersky Security Center
  • Traffic rate (network load) between Kaspersky Security Center Administration Server and every protected device

Consulting this guide is recommended in the following cases:

  • When planning resources prior to Kaspersky Security Center installation
  • When planning significant changes to the scale of the network on which Kaspersky Security Center is deployed
  • When switching from using Kaspersky Security Center within a limited network segment (a test environment) to full-scale deployment of Kaspersky Security Center on the corporate network
  • When making changes to the set of Kaspersky Security Center features used

[Topic 148071]

Information about limitations of Kaspersky Security Center

The following table displays the limitations of the current version of Kaspersky Security Center.

Limitations of Kaspersky Security Center

| Type of limitation | Value |
|---|---|
| Maximum number of managed devices per Administration Server | 100,000 |
| Maximum number of devices with the Do not disconnect from the Administration Server option selected | 300 |
| Maximum number of administration groups | 10,000 |
| Maximum number of events to store | 45,000,000 |
| Maximum number of policies | 2000 |
| Maximum number of tasks | 2000 |
| Maximum total number of Active Directory objects (organizational units (OUs) and accounts of users, devices, and security groups) | 1,000,000 |
| Maximum number of profiles in a policy | 100 |
| Maximum number of secondary Administration Servers on a single primary Administration Server | 500 |
| Maximum number of virtual Administration Servers | 500 |
| Maximum number of devices that a single distribution point can cover (distribution points can cover non-mobile devices only) | 10,000 |
| Maximum number of devices that may use a single connection gateway | 10,000, including mobile devices |
| Maximum number of mobile devices per Administration Server | 100,000 minus the number of stationary managed devices |

[Topic 159736_1]

Calculations for Administration Servers

This section provides the software and hardware requirements for devices used as Administration Servers. Also provided are recommendations for calculating the number and hierarchy of Administration Servers depending on the configuration of the organization's network.

In this section

Calculation of hardware resources for the Administration Server

Calculation of the number and configuration of Administration Servers

Recommendations for connecting dynamic virtual machines to Kaspersky Security Center

See also:

Main installation scenario

[Topic 159711]

Calculation of hardware resources for the Administration Server

This section contains calculations that provide guidance for planning hardware resources for the Administration Server. A recommendation on calculating disk space when the Vulnerability and Patch Management feature is used is provided separately.

In this section

Hardware requirements for the DBMS and the Administration Server

Calculation of database space

Calculation of disk space (with and without the use of the Vulnerability and patch management feature)

See also:

Architecture

Main installation scenario

[Topic 154137]

Hardware requirements for the DBMS and the Administration Server

The following tables give the recommended minimum hardware requirements for a DBMS and an Administration Server, as obtained during tests. For a complete list of supported operating systems and DBMSs, please refer to the list of hardware and software requirements.

Administration Server and DBMS are on different devices, the network includes 50 000 devices

Configuration of the device that has Administration Server installed

| Hardware | Value |
|---|---|
| CPU | 4 cores, 2500 MHz |
| RAM | 8 GB |
| Hard drive | 300 GB, RAID recommended |
| Network adapter | 1 Gbit |

Configuration of the device that has DBMS installed

| Hardware | Value |
|---|---|
| CPU | 4 cores, 2500 MHz |
| RAM | 16 GB |
| Hard drive | 200 GB, SATA RAID |
| Network adapter | 1 Gbit |

Administration Server and DBMS are on the same device, the network includes 50 000 devices

Configuration of the device that has Administration Server and DBMS installed

| Hardware | Value |
|---|---|
| CPU | 8 cores, 2500 MHz |
| RAM | 16 GB |
| Hard drive | 500 GB, SATA RAID |
| Network adapter | 1 Gbit |

Administration Server and DBMS are on different devices, the network includes 100 000 devices

Configuration of the device that has Administration Server installed

| Hardware | Value |
|---|---|
| CPU | 8 cores, 2.13 GHz |
| RAM | 8 GB |
| Hard drive | 1 TB, with RAID |
| Network adapter | 1 Gbit |

Configuration of the device with DBMS installed

| Hardware | Value |
|---|---|
| CPU | 8 cores, 2.53 GHz |
| RAM | 26 GB |
| Hard drive | 500 GB, SATA RAID |
| Network adapter | 1 Gbit |

The tests were run under the following settings:

  • Automatic assignment of distribution points is enabled on the Administration Server, or distribution points are assigned manually in accordance with the recommended table.
  • The backup task saves backup copies to a file resource located on a dedicated server.
  • The synchronization interval for Network Agents is set as specified in the table below.

    Synchronization interval for Network Agents

    | Synchronization interval (minutes) | Number of managed devices |
    |---|---|
    | 15 | 10,000 |
    | 30 | 20,000 |
    | 45 | 30,000 |
    | 60 | 40,000 |
    | 75 | 50,000 |
    | 150 | 100,000 |

See also:

Main installation scenario

[Topic 92567]

Calculation of database space

The approximate amount of space that must be reserved in the database can be calculated using the following formula:

(200 * C + 2.3 * E + 2.5 * A), KB

where:

  • C is the number of devices.
  • E is the number of events to store.
  • A is the total number of Active Directory objects:
    • Device accounts
    • User accounts
    • Accounts of security groups
    • Active Directory organizational units

    If scanning of Active Directory is disabled, A is considered to equal zero.

If you plan to enable (in the Kaspersky Endpoint Security policy settings) notification of Administration Server about applications that you run, the database requires an additional (0.03 * C) gigabytes to store information about those applications.

If Administration Server distributes Windows updates (thus acting as the Windows Server Update Services server), the database will require an additional 2.5 GB.

During operation, a certain unallocated space is always present in the database. Therefore, the actual size of the database file (by default, the KAV.MDF file, if you use SQL Server as the DBMS) often turns out to be approximately twice as large as the amount of space occupied in the database.

It is not recommended to explicitly limit the size of the transaction log (by default, the KAV_log.LDF file, if you use SQL Server as the DBMS). It is recommended to leave the default value of the MAXSIZE parameter. However, if you have to limit the size of this file, take into consideration that the typical necessary value of the MAXSIZE parameter for KAV_log.LDF is 20480 MB.

See also

Scenario: Monitoring and reporting

Scenario: Configuring network protection

[Topic 159941]

Calculation of disk space (with and without the use of the Vulnerability and patch management feature)

Calculation of disk space without the use of the Vulnerability and patch management feature

The Administration Server disk space required for the %ALLUSERSPROFILE%\Application Data\KasperskyLab\adminkit folder can be estimated approximately using the formula:

(724 * C + 0.15 * E + 0.17 * A), KB

where:

  • C is the number of devices.
  • E is the number of events to store.
  • A is the total number of Active Directory objects:
    • Device accounts
    • User accounts
    • Accounts of security groups
    • Active Directory organizational units

If scanning of Active Directory is disabled, A is considered to equal zero.
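The database-space formula from the previous topic and the adminkit-folder formula above can be combined into one capacity check. The following Python sketch is an added example, not part of the original guide or of Kaspersky Security Center; the function names, the 1 GB = 1024 * 1024 KB conversion, and applying the "approximately twice" file-size factor to the total including the optional additions are assumptions.

```python
"""Sizing estimate built from the guide's database and adminkit-folder formulas."""

# Assumption: 1 GB = 1024 * 1024 KB (the guide does not state the convention).
KB_PER_GB = 1024 * 1024

# Values taken from the guide's limitations table.
LIMITS = {
    "devices": 100_000,       # managed devices per Administration Server
    "events": 45_000_000,     # events to store
    "ad_objects": 1_000_000,  # Active Directory objects
}


def db_space_kb(devices, events, ad_objects=0):
    """Space to reserve in the database, KB: 200 * C + 2.3 * E + 2.5 * A."""
    return 200 * devices + 2.3 * events + 2.5 * ad_objects


def adminkit_disk_kb(devices, events, ad_objects=0):
    """adminkit folder size, KB: 724 * C + 0.15 * E + 0.17 * A."""
    return 724 * devices + 0.15 * events + 0.17 * ad_objects


def estimate(devices, events, ad_objects=0, *, ad_scan_enabled=True,
             app_launch_notifications=False, acts_as_wsus=False):
    """Return estimated sizes in GB plus warnings for exceeded limits."""
    # A is considered zero when Active Directory scanning is disabled.
    a = ad_objects if ad_scan_enabled else 0
    inputs = {"devices": devices, "events": events, "ad_objects": a}
    for name, value in inputs.items():
        if value < 0:
            raise ValueError(f"{name} must not be negative")

    db_gb = db_space_kb(devices, events, a) / KB_PER_GB
    if app_launch_notifications:
        db_gb += 0.03 * devices  # additional (0.03 * C) GB
    if acts_as_wsus:
        db_gb += 2.5             # Administration Server distributes Windows updates

    warnings = [
        f"{name}={value:,} exceeds the documented limit of {LIMITS[name]:,}"
        for name, value in inputs.items()
        if value > LIMITS[name]
    ]
    return {
        "db_data_gb": db_gb,
        # The database file is often about twice the occupied space.
        "db_file_gb": 2 * db_gb,
        # Without the Vulnerability and patch management additions.
        "adminkit_disk_gb": adminkit_disk_kb(devices, events, a) / KB_PER_GB,
        "warnings": warnings,
    }


if __name__ == "__main__":
    # Constructed sample input, not a measurement from the guide.
    result = estimate(50_000, 20_000_000, 150_000, acts_as_wsus=True)
    for key in ("db_data_gb", "db_file_gb", "adminkit_disk_gb"):
        print(f"{key}: {result[key]:.1f} GB")
    for warning in result["warnings"]:
        print("WARNING:", warning)
```
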

Calculation of additional disk space with the use of the Vulnerability and patch management feature

  • Updates. The shared folder additionally requires at least 4 GB to store updates.
  • Installation packages. If some installation packages are stored on the Administration Server, the shared folder will require an additional amount of free disk space equal to the total size of all of the available installation packages to be installed.
  • Remote installation tasks. If remote installation tasks are present on the Administration Server, an additional amount of free disk space (in the %ALLUSERSPROFILE%\Application Data\KasperskyLab\adminkit folder) equal to the total size of all installation packages to be installed will be required.
  • Patches. If Administration Server is involved in installation of patches, an additional amount of disk space will be required:
    • The patches folder should have the amount of disk space equal to the total size of all patches that have been downloaded. By default, patches are stored in the %ALLUSERSPROFILE%\Application Data\KasperskyLab\adminkit\1093\.working\wusfiles folder (you can use the klsrvswch utility to specify a different folder for storing patches). If Administration Server is used as the WSUS server, you are advised to allocate at least 100 GB to this folder.
    • The %ALLUSERSPROFILE%\Application Data\KasperskyLab\adminkit folder must have an amount of disk space equal to the total size of those patches that are referenced by existing instances of update (patch) installation and vulnerability fix tasks.

[Topic 159969]

Calculation of the number and configuration of Administration Servers

To reduce the load on the primary Administration Server, you can assign a separate Administration Server to each administration group. The number of secondary Administration Servers cannot exceed 500 for a single primary Administration Server.

We recommend that you create the configuration of Administration Servers in correspondence to the configuration of your organization's network.

[Topic 154138]

Recommendations for connecting dynamic virtual machines to Kaspersky Security Center

Dynamic virtual machines (also referred to as dynamic VMs) consume more resources than static virtual machines.

For more information on dynamic virtual machines, see Support of dynamic virtual machines.

When a new dynamic VM is connected, Kaspersky Security Center creates an icon for this dynamic VM in Administration Console and moves the dynamic VM to the administration group. After that, the dynamic VM is added to the Administration Server database. The Administration Server is fully synchronized with Network Agent installed on this dynamic VM.

In an organization's network, Network Agent creates the following network lists for each dynamic VM:

  • Hardware
  • Installed software
  • Detected vulnerabilities
  • Events and lists of executable files of the Application control component

The Network Agent transfers these network lists to the Administration Server. The size of the network lists depends on components installed on the dynamic VM, and may affect the performance of Kaspersky Security Center and database management system (DBMS). Note that the load can grow non-linearly.

After the user finishes working with the dynamic VM and turns it off, this machine is then removed from the virtual infrastructure and entries about this machine are removed from the Administration Server database.

All these actions consume a lot of Kaspersky Security Center and Administration Server database resources, and can reduce the performance of Kaspersky Security Center and DBMS. We recommend that you connect up to 20,000 dynamic VMs to Kaspersky Security Center.

You can connect more than 20,000 dynamic VMs to Kaspersky Security Center if the connected dynamic VMs perform standard operations (for example, database updates) and consume no more than 80 percent of memory and 75–80 percent of available cores.

Changing policy settings, software or operating system on the dynamic VM can reduce or increase resource consumption. The consumption of 80–95 percent of resources is considered optimal.

[Topic 240907]

Calculations for distribution points and connection gateways

This section provides the hardware requirements for devices used as distribution points together with recommendations for calculating the number of distribution points and connection gateways depending on the configuration of the corporate network.

In this section

Requirements for a distribution point

Calculating the number and configuration of distribution points

Calculation of the number of connection gateways

See also:

Main installation scenario

[Topic 158510]

Requirements for a distribution point

To handle up to 10,000 client devices, a distribution point must meet, at a minimum, the following requirements (a configuration for a test stand is provided):

  • CPU: Intel Core i7-7700 CPU, 3.60 GHz, 4 cores.
  • RAM: 8 GB.
  • Disk: SSD 120 GB.

In addition, a distribution point must have internet access and must always be connected.

If any remote installation tasks are pending on the Administration Server, the device with the distribution point will also require an amount of free disk space that is equal to the total size of the installation packages to be installed.

If one or multiple instances of the task for update (patch) installation and vulnerability fix are pending on the Administration Server, the device with the distribution point will also require additional free disk space, equal to twice the total size of all patches to be installed.

See also:

Scenario: Kaspersky applications deployment through Kaspersky Security Center 13.1 Web Console

[Topic 92569]

Calculating the number and configuration of distribution points

The more client devices a network contains, the more distribution points it requires. We recommend that you not disable automatic assignment of distribution points. When automatic assignment of distribution points is enabled, Administration Server assigns distribution points if the number of client devices is quite large and defines their configuration.

Using exclusively assigned distribution points

If you plan to use certain specific devices as distribution points (that is, exclusively assigned servers), you can opt out of using automatic assignment of distribution points. In this case, make sure that the devices that you intend to make distribution points have sufficient volume of free disk space, are not shut down regularly, and have Sleep mode disabled.

Number of exclusively assigned distribution points on a network that contains a single network segment, based on the number of networked devices

| Number of client devices in the network segment | Number of distribution points |
|---|---|
| Less than 300 | 0 (Do not assign distribution points) |
| More than 300 | Acceptable: (N/10,000 + 1), recommended: (N/5000 + 2), where N is the number of networked devices |

Number of exclusively assigned distribution points on a network that contains multiple network segments, based on the number of networked devices

| Number of client devices per network segment | Number of distribution points |
|---|---|
| Less than 10 | 0 (Do not assign distribution points) |
| 10–100 | 1 |
| More than 100 | Acceptable: (N/10,000 + 1), recommended: (N/5000 + 2), where N is the number of networked devices |

Using standard client devices (workstations) as distribution points

If you plan to use standard client devices (that is, workstations) as distribution points, we recommend that you assign distribution points as shown in the tables below in order to avoid excessive load on the communication channels and on Administration Server:

Number of workstations functioning as distribution points on a network that contains a single network segment, based on the number of networked devices

| Number of client devices in the network segment | Number of distribution points |
|---|---|
| Less than 300 | 0 (Do not assign distribution points) |
| More than 300 | (N/300 + 1), where N is the number of networked devices; there must be at least 3 distribution points |

Number of workstations functioning as distribution points on a network that contains multiple network segments, based on the number of networked devices

| Number of client devices per network segment | Number of distribution points |
|---|---|
| Less than 10 | 0 (Do not assign distribution points) |
| 10–30 | 1 |
| 31–300 | 2 |
| More than 300 | (N/300 + 1), where N is the number of networked devices; there must be at least 3 distribution points |

If a distribution point is shut down (or not available for some other reason), the managed devices in its scope can access the Administration Server for updates.

See also:

Scenario: Regular updating Kaspersky databases and applications

Standard configuration: Multiple small remote offices

[Topic 154282_1]

Calculation of the number of connection gateways

If you plan to use a connection gateway, we recommend that you designate a special device for this function.

A connection gateway can cover a maximum of 10,000 managed devices, including mobile devices.

[Topic 158936]

Logging of information about events for tasks and policies

This section provides calculations associated with event storage in the database of the Administration Server and offers recommendations on how to minimize the number of events, thereby reducing the load on the Administration Server.

By default, the properties of each task and policy provide for storing all events related to task execution and policy enforcement.

However, if a task is run quite frequently (for example, more than once per week) and on a fairly large number of devices (for example, more than 10,000), the number of events may turn out to be too large and the events may flood the database. In this case, it is recommended to select one of two options in the task settings:

  • Save events related to task progress. In this case, the database receives only information about task launch, progress, and completion (successful, with a warning or error) from each device on which the task is run.
  • Save only task execution results. In this case, the database receives only information about task completion (successful, with a warning or error) from each device on which the task is run.

If a policy has been defined for a fairly large number of devices (for example, more than 10,000), the number of events may also turn out to be large and the events may flood the database. In this case, it is recommended to choose only the most critical events in the policy settings and enable their logging. You are advised to disable the logging of all other events.

In doing so, you will reduce the number of events in the database, increase the speed of execution of scenarios associated with analysis of the event table in the database, and lower the risk that critical events will be overwritten by a large number of events.

You can also reduce the storage term for events associated with a task or a policy. The default period is 7 days for task-related events and 30 days for policy-related events. When changing the event storage term, consider the work procedures in place at your organization and the amount of time that the system administrator can devote to analyzing each event.

It is advisable to modify the event storage settings in any of the following cases:

  • Events about changes in the intermediate states of group tasks and events about applying policies occupy a large share of all events in the Kaspersky Security Center database.
  • The Kaspersky Event Log begins showing entries about automatic removal of events when the established limit on the total number of events stored in the database is exceeded.

Choose event logging options based on the assumption that the optimal number of events coming from a single device per day must not exceed 20. You can increase this limit slightly, if necessary, but only if the number of devices on your network is relatively small (fewer than 10,000).

[Topic 159815]

Specific considerations and optimal settings of certain tasks

Certain tasks are subject to specific considerations related to the number of networked devices. This section offers recommendations on the optimal configuration of settings for such tasks.

Device discovery, the data backup task, database maintenance task, and group tasks for updating Kaspersky Endpoint Security are part of the basic functionality of Kaspersky Security Center.

The inventory task is part of the Vulnerability and Patch Management feature and is unavailable if this feature is not activated.

In this section

Device discovery frequency

Administration Server data backup task and database maintenance task

Group tasks for updating Kaspersky Endpoint Security

Software inventory task

[Topic 154142]

Device discovery frequency

It is not advisable to increase the default frequency of device discovery because this can create an excessive load on domain controllers. Instead, it is recommended to schedule polling at the minimum possible frequency permitted by the needs of your organization. Recommendations for calculating the optimal schedule are provided in the table below.

Device discovery schedule

| Number of networked devices | Recommended device discovery frequency |
|---|---|
| Less than 10,000 | Default frequency or less |
| 10,000 or greater | Once per day or less |

See also:

Scenario: Discovering networked devices

[Topic 159708]

Administration Server data backup task and database maintenance task

The Administration Server stops working when the following tasks are running:

  • Backup of Administration Server data
  • Database maintenance

When these tasks are running, the database cannot receive any data.

You may have to reschedule these tasks so that they are not executed at the same time as other Administration Server tasks.

[Topic 159041]

Group tasks for updating Kaspersky Endpoint Security

If the Administration Server acts as the update source, the recommended schedule option for group update tasks of Kaspersky Endpoint Security 10 and later versions is When new updates are downloaded to the repository with the Use automatically randomized delay for task starts check box selected.

If a local task for downloading updates from Kaspersky servers to the repository is created on each distribution point, periodic scheduling is recommended for the Kaspersky Endpoint Security group update task. The value of the randomization period must be one hour in this case.

[Topic 159206]

Software inventory task

You can reduce load on the database while obtaining information about the installed applications. To do this, we recommend that you run an inventory task on reference devices on which a standard set of software is installed.

The number of executable files received by the Administration Server from a single device cannot exceed 150,000. When Kaspersky Security Center reaches this limit, it cannot receive any new files.

Typically, the number of files on a common client device does not exceed 60,000. The number of executable files on a file server can be greater and can even exceed the 150,000 threshold.

Test measurements have shown that the inventory task has the following results on a device running the Windows 7 operating system with Kaspersky Endpoint Security 11 installed and no third-party applications installed:

  • With the DLL modules inventory and Script files inventory check boxes cleared: approximately 3000 files.
  • With the DLL modules inventory and Script files inventory check boxes selected: from 10,000 to 20,000 files depending on the number of operating system service packs installed.
  • With only the Script files inventory check box selected: approximately 10,000 files.

[Topic 154160]

Details of network load spread among Administration Server and protected devices

This section provides the results of test measurements of network traffic with a description of the conditions under which the measurements were performed. You can refer to this information when planning the network infrastructure and the throughput capacity of network channels within your organization (or between the Administration Server and another organization with devices to protect). Knowing the throughput capacity of the network, you can also estimate approximately how much time different data transmission operations will take.

In this section

Traffic consumption under various scenarios

Average traffic usage per 24 hours

[Topic 154280]

Traffic consumption under various scenarios

The table below shows the results of test measurements of traffic between the Administration Server and a managed device in different scenarios.

By default, devices are synchronized with the Administration Server every 15 minutes or at a longer interval. However, if you modify the settings of a policy or a task on the Administration Server, early synchronization occurs on devices to which the policy (or task) is applicable so the new settings are transmitted to the devices.

Traffic rate between the Administration Server and managed device

| Scenario | Traffic from the Administration Server to each managed device | Traffic from each managed device to the Administration Server |
|---|---|---|
| Installing Kaspersky Endpoint Security 11.7 for Windows with updated databases | 390 MB | 3.3 MB |
| Network Agent installation | 75 MB | 397 KB |
| Concurrent installation of Network Agent and Kaspersky Endpoint Security 11.7 for Windows | 459 MB | 3.6 MB |
| Initial update of anti-virus databases without updating the databases in the package (if participation in Kaspersky Security Network is disabled) | 113 MB | 1.8 MB |
| Daily update of anti-virus databases (if participation in Kaspersky Security Network is enabled) | 22 MB | 373 MB |
| Initial synchronization before update of databases on a device (transfer of policies and tasks) | 382 KB | 446 KB |
| Initial synchronization after updating databases on a device | 20 KB | 157 KB |
| Synchronization with no changes on the Administration Server (according to schedule) | 18 KB | 23 KB |
| Synchronization when a single setting in a group policy is changed (as soon as the setting is altered) | 19 KB | 20 KB |
| Synchronization when a single setting in a group task is changed (as soon as the setting is altered) | 14 KB | 11 KB |
| Forced synchronization | 110 KB | 109 KB |
| Virus detected event (1 virus) | 44 KB | 50 KB |
| Virus detected event (10 viruses) | 58 KB | 77 KB |
| One-time traffic after enabling the Application Registry list | up to 10 KB | up to 12 KB |
| Everyday traffic when the Application Registry list is enabled | up to 840 KB | up to 1 MB |

[Topic 159734]

Average traffic usage per 24 hours

The average 24-hour traffic usage between the Administration Server and a managed device is as follows:

  • Traffic from the Administration Server to the managed device is 840 KB.
  • Traffic from the managed device to the Administration Server is 1 MB.

The traffic was measured under the following conditions:

  • The managed device had Network Agent and Kaspersky Endpoint Security for Linux installed.
  • The device was not assigned a distribution point.
  • Vulnerability and patch management was not enabled.
  • The frequency of synchronization with the Administration Server was 15 minutes.

[Topic 159735]