Kaspersky Anti Targeted Attack (KATA) Platform

Calculations for the Sensor component

8 November 2023

ID 211923

These calculations also apply when the application is deployed on a virtual platform.

When calculating the hardware requirements for the Sensor component, you must take into account that the maximum volume of processed traffic for one Sensor component is 4 Gbps. The most resource-intensive technology is the Intrusion Detection System.

You can use a server hosting the Sensor component as a proxy server during data exchange between the Endpoint Agent components and the Central Node component to simplify configuration of network rules. For example, if Endpoint Agent components are located in a separate segment of the network, it will suffice to configure a connection between servers with the Central Node and Sensor components.

When configuring the redirection of traffic from Endpoint Agent components to the Central Node component, please take into account the following limitations:

  • A maximum of 15,000 computers with the Endpoint Agent component can connect to a single Central Node component.
  • The maximum allowed packet loss between servers hosting the Sensor and Central Node components should be 10% with a packet delay up to 100 ms.

The hardware requirements for a server with the Sensor component depend on the volume of processed traffic. The required bandwidth of the communication channel between servers with the Central Node and Sensor components is calculated as follows:

10% of the SPAN port traffic at typical load or 20% of the SPAN port traffic at peak load + email traffic + ICAP traffic + requirement for the communication channel between the Central Node and Endpoint Agent components

The requirements for the communication channel between the Central Node and Endpoint Agent components depend on the number of Endpoint Agent components whose traffic the Sensor component forwards to the Central Node component. For more details on the requirements for the communication channel between the components, see the Calculations for the Central Node component section → Communication channel requirements.

If the bandwidth of the communication channel is more than 2 Gbps, you must configure the use of one processor core for processing network interrupts.

Hardware requirements for the Sensor component depending on the processed traffic

The Sensor component can be integrated with the IT infrastructure of an organization as follows:

The hardware requirements for the Sensor component are listed in the table below. The calculations are provided for a case in which the Sensor component does not process email messages or traffic over the ICAP protocol. If the Sensor component redirects the traffic of Endpoint Agent components, communication channel requirements must also be taken into account.

Hardware requirements for the Sensor component depending on the volume of processed traffic from SPAN ports

| Number of Endpoint Agent components | Volume of processed traffic (Mbps) | Minimum RAM (GB) | Minimum number of logical cores |
|---|---|---|---|
| 10,000 | 100 | 16 | 4 |
| 15,000 | 500 | 16 | 8 |
| 15,000 | 1,000 | 24 | 16 |
| 15,000 | 2,000 | 32 | 32 |
| 15,000 | 4,000 | 32 | 48 |

The hardware requirements for a Sensor component that is integrated with a mail server are presented in the table below. The calculations are provided for a case in which the Sensor component does not process mirrored traffic or traffic over the ICAP protocol.

Hardware requirements for a Sensor component that is integrated with a mail server

| Number of email messages per second | Minimum RAM (GB) | Minimum number of logical cores |
|---|---|---|
| 1-4 | 16 | 4 |
| 5-20 | 16 | 8 |

Processing traffic over the ICAP protocol requires fewer resources than processing email messages.

If one Sensor component processes traffic over multiple protocols, it is recommended to use the sizing calculator to calculate the server configuration. You should take into account the following recommendations:

  • Simultaneous processing of traffic over the ICAP protocol and from SPAN ports is recommended for analysis of objects transmitted through a proxy server over the HTTPS protocol.

    To process traffic over the HTTPS protocol, the proxy server must support server certificate replacement.

  • When integration with mail sensors is configured, it is not practical to extract SMTP traffic from SPAN traffic.

Disk space requirements on a server with the Sensor component

It is recommended to use a RAID 1 disk array. The total disk space must be at least 500 GB. The minimum free disk space requirements for different data types are presented in the table below.

Minimum requirements for disk space on a server with the Sensor component

| Data type | Disk space (GB) |
|---|---|
| Redis database dump | 16 |
| Operating system | 25 |
| Temporary files | 32 |
| Trace files and update packages | 151 |
| Total | 224 |

If the volume of processed traffic is greater than 1 Gbps, it is recommended to allocate at least 600 GB of disk space.
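
The rules on this page for a Sensor that handles SPAN traffic only can be combined into one sizing check. The following is an added example, not Kaspersky's sizing calculator or code from the product. The function and field names are hypothetical. It assumes that each table row covers loads up to its traffic and Endpoint Agent figures, that the 10% or 20% share is chosen by whether you size for typical or peak load, and that the Endpoint Agent channel requirement is supplied by the caller from the Central Node calculations.

```python
from dataclasses import dataclass

# Rows of the SPAN-port table on this page:
# (traffic up to Mbps, Endpoint Agents up to, min RAM GB, min logical cores)
SPAN_TIERS = [
    (100, 10_000, 16, 4),
    (500, 15_000, 16, 8),
    (1_000, 15_000, 24, 16),
    (2_000, 15_000, 32, 32),
    (4_000, 15_000, 32, 48),
]
MAX_SENSOR_MBPS = 4_000   # one Sensor component processes at most 4 Gbps
MAX_AGENTS = 15_000       # Endpoint Agents per Central Node component


@dataclass
class SensorPlan:
    ram_gb: int
    logical_cores: int
    disk_gb: int
    channel_mbps: float
    dedicate_interrupt_core: bool


def channel_mbps(span_mbps, peak=False, email_mbps=0, icap_mbps=0, agent_channel_mbps=0):
    """Sensor to Central Node channel: 10% (typical) or 20% (peak) of SPAN traffic plus the other terms."""
    span_share_percent = 20 if peak else 10
    return span_mbps * span_share_percent / 100 + email_mbps + icap_mbps + agent_channel_mbps


def plan_span_sensor(span_mbps, agents=0, peak=False, agent_channel_mbps=0):
    """Size a Sensor that handles SPAN traffic only (no email, no ICAP)."""
    if span_mbps > MAX_SENSOR_MBPS:
        raise ValueError("exceeds the 4 Gbps maximum for one Sensor component")
    if agents > MAX_AGENTS:
        raise ValueError("exceeds 15,000 Endpoint Agents for one Central Node")
    # Assumption: each row covers loads up to its traffic and agent figures.
    _, _, ram, cores = next(t for t in SPAN_TIERS if span_mbps <= t[0] and agents <= t[1])
    channel = channel_mbps(span_mbps, peak, agent_channel_mbps=agent_channel_mbps)
    return SensorPlan(
        ram_gb=ram,
        logical_cores=cores,
        disk_gb=600 if span_mbps > 1_000 else 500,   # above 1 Gbps: at least 600 GB
        channel_mbps=channel,
        dedicate_interrupt_core=channel > 2_000,     # channel above 2 Gbps
    )


if __name__ == "__main__":
    print(plan_span_sensor(800, agents=12_000, peak=True, agent_channel_mbps=50))
```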
