Virtual Host Setup: Basic Deployment

Document created by RSA Information Design and Development on Apr 10, 2019
Last modified by RSA Information Design and Development on Jan 6, 2020
Version 10

This topic contains general guidelines and requirements for deploying RSA NetWitness Platform 11.3.0.2 in a virtual environment.

Abbreviations Used in the Virtual Deployment Guide

| Abbreviation        | Description                                                                                                                          |
|---------------------|--------------------------------------------------------------------------------------------------------------------------------------|
| CPU                 | Central Processing Unit                                                                                                              |
| EPS                 | Events Per Second                                                                                                                    |
| VMware ESX          | Enterprise-class, type-1 hypervisor. Supported versions: 6.5, 6.0 and 5.5                                                            |
| GB                  | Gigabyte. 1 GB = 1,000,000,000 bytes                                                                                                 |
| Gb                  | Gigabit. 1 Gb = 1,000,000,000 bits                                                                                                   |
| Gbps                | Gigabits per second or billions of bits per second. It measures bandwidth on a digital data transmission medium such as optical fiber. |
| GHz                 | Gigahertz. 1 GHz = 1,000,000,000 Hz                                                                                                  |
| IOPS                | Input/Output Operations Per Second                                                                                                   |
| Mbps                | Megabits per second or millions of bits per second. It measures bandwidth on a digital data transmission medium such as optical fiber. |
| NAS                 | Network Attached Storage                                                                                                             |
| OVF                 | Open Virtualization Format                                                                                                           |
| OVA                 | Open Virtual Appliance. For purposes of this guide, OVA stands for Open Virtual Host.                                                |
| RAM                 | Random Access Memory (also known as memory)                                                                                          |
| SAN                 | Storage Area Network                                                                                                                 |
| SSD/EFD HDD         | Solid-State Drive/Enterprise Flash Drive Hard Disk Drive                                                                             |
| SCSI                | Small Computer System Interface                                                                                                      |
| SCSI (SAS)          | Serial Attached SCSI: a point-to-point serial protocol that moves data to and from computer storage devices such as hard drives and tape drives. |
| vCPU                | Virtual Central Processing Unit (also known as a virtual processor)                                                                  |
| vRAM                | Virtual Random Access Memory (also known as virtual memory)                                                                          |
| RSA NetWitness UEBA | RSA NetWitness User and Entity Behavior Analysis                                                                                     |
| Hyper-V             | Microsoft Hypervisor. Supported version: Windows Server 2016                                                                         |
| VHDX                | Hyper-V virtual hard disk                                                                                                            |

Supported Virtual Hosts

You can install the following NetWitness Platform hosts in your virtual environment as a virtual host and inherit features that are provided by your virtual environment:

  • NetWitness Server
  • Event Stream Analysis - ESA Primary and ESA Secondary
  • Archiver
  • Broker
  • Concentrator
  • Log Decoder
  • Malware Analysis
  • Decoder
  • Remote Log Collector
  • Endpoint Log Hybrid
  • User and Entity Behavior Analysis (UEBA)

You must be familiar with the following VMware infrastructure concepts:

  • VMware vCenter Server
  • VMware ESXi
  • Virtual machine

For information on VMware concepts, refer to the VMware product documentation.

The virtual hosts are provided as an OVA. You need to deploy the OVA file as a virtual machine in your virtual infrastructure.

Installation Media

Installation media are in the form of OVA and VHDX packages, which are available for download and installation from Download Central (https://download.rsasecurity.com). As part of your order fulfillment, RSA gives you access to the OVA and VHDX.

Virtual Environment Recommendations

The virtual hosts installed with the OVA and VHDX packages have the same functionality as the NetWitness Platform hardware hosts. This means that when you implement virtual hosts, you must account for the back-end hardware. RSA recommends that you perform the following tasks when you set up your virtual environment.

  • Based on resource requirements of the different components, follow best practices to use the system and dedicated storage appropriately.
  • Make sure that back-end disk configurations provide a write speed of 10% greater than the required sustained capture and ingest rate for the deployment.
  • Build Concentrator directories for meta and index databases on the SSD/EFD HDD.
  • If the database components are separate from the installed operating system (OS) components (that is, on a separate physical system), provide direct connectivity with either:
    • Two 8-Gbps Fiber Channel SAN ports per virtual host,
      or
    • 6-Gbps Serial Attached SCSI (SAS) connectivity.

Note:
1.) Currently, NetWitness Platform does not support Network Attached Storage (NAS) for virtual deployments.
2.) The Decoder allows any storage configuration that can meet the sustained throughput requirement. The standard 8-Gbps Fiber Channel link to a SAN is insufficient to read and write packet data at 10 Gb. You must use multiple Fiber Channel links when you configure the connection from a 10G Decoder to the SAN.

Virtual Host Recommended System Requirements

The following tables list the vCPU, vRAM, and Read and Write IOPS recommended requirements for the virtual hosts based on the EPS or capture rate for each component.

  • Storage allocation is covered in Step 3 “Configure Databases to Accommodate NetWitness Platform”.
  • vRAM and vCPU recommendations may vary depending on capture rates, configuration, and content enabled.
  • The recommendations were tested at ingest rates of up to 25,000 EPS for logs and two Gbps for packets, for non-SSL traffic.
  • The vCPU specifications for all the components listed in the following tables are Intel Xeon CPU @ 2.59 GHz.
  • All ports were SSL tested at 15,000 EPS for logs and 1.5 Gbps for packets.

Note: The above recommended values might differ for 11.3.0.2 installation when you install and try the new features and enhancements.

NetWitness Server and Co-Located Components

The NetWitness Server, Jetty, Broker, Respond, and Reporting Engine are in the same location.

| CPU             | Memory | Read IOPS | Write IOPS |
|-----------------|--------|-----------|------------|
| 12 or 31.18 GHz | 64 GB  | 100       | 350        |


Scenario One

The requirements in these tables were calculated under the following conditions.

  • All the components were integrated.
  • The Log stream included a Log Decoder, Concentrator, and Archiver.
  • The Packet stream included a Network Decoder and Concentrator.
  • The background load included hourly and daily reports.
  • Charts were configured.

Log Decoder

| EPS   | CPU             | Memory | Read IOPS | Write IOPS |
|-------|-----------------|--------|-----------|------------|
| 2,500 | 6 or 15.60 GHz  | 32 GB  | 50        | 75         |
| 5,000 | 8 or 20.79 GHz  | 32 GB  | 100       | 100        |
| 7,500 | 10 or 25.99 GHz | 32 GB  | 150       | 150        |

Network Decoder

| Mbps | CPU            | Memory | Read IOPS | Write IOPS |
|------|----------------|--------|-----------|------------|
| 50   | 4 or 10.39 GHz | 32 GB  | 50        | 150        |
| 100  | 4 or 10.39 GHz | 32 GB  | 50        | 250        |
| 250  | 4 or 10.39 GHz | 32 GB  | 50        | 350        |

Concentrator - Log Stream

| EPS   | CPU            | Memory | Read IOPS | Write IOPS |
|-------|----------------|--------|-----------|------------|
| 2,500 | 4 or 10.39 GHz | 32 GB  | 300       | 1,800      |
| 5,000 | 4 or 10.39 GHz | 32 GB  | 400       | 2,350      |
| 7,500 | 6 or 15.59 GHz | 32 GB  | 500       | 4,500      |

Concentrator - Packet Stream

| Mbps | CPU            | Memory | Read IOPS | Write IOPS |
|------|----------------|--------|-----------|------------|
| 50   | 4 or 10.39 GHz | 32 GB  | 50        | 1,350      |
| 100  | 4 or 10.39 GHz | 32 GB  | 100       | 1,700      |
| 250  | 4 or 10.39 GHz | 32 GB  | 150       | 2,100      |


Archiver

| EPS   | CPU            | Memory | Read IOPS | Write IOPS |
|-------|----------------|--------|-----------|------------|
| 2,500 | 4 or 10.39 GHz | 32 GB  | 150       | 250        |
| 5,000 | 4 or 10.39 GHz | 32 GB  | 150       | 250        |
| 7,500 | 6 or 15.59 GHz | 32 GB  | 150       | 350        |

Scenario Two

The requirements in these tables were calculated under the following conditions.

  • All the components were integrated.
  • The Log stream included a Log Decoder, Concentrator, Warehouse Connector, and Archiver.
  • The Packet Stream included a Network Decoder, Concentrator, and Warehouse Connector.
  • Event Stream Analysis was aggregating at 90K EPS from three Hybrid Concentrators.
  • Respond was receiving alerts from the Reporting Engine and Event Stream Analysis.
  • The background load included reports, charts, alerts, investigation, and Respond.
  • Alerts were configured.


Log Decoder

| EPS    | CPU             | Memory | Read IOPS | Write IOPS |
|--------|-----------------|--------|-----------|------------|
| 10,000 | 16 or 41.58 GHz | 50 GB  | 300       | 50         |
| 15,000 | 20 or 51.98 GHz | 60 GB  | 550       | 100        |

Network Decoder

| Mbps  | CPU             | Memory | Read IOPS | Write IOPS |
|-------|-----------------|--------|-----------|------------|
| 500   | 8 or 20.79 GHz  | 40 GB  | 150       | 200        |
| 1,000 | 12 or 31.18 GHz | 50 GB  | 200       | 400        |
| 1,500 | 16 or 41.58 GHz | 75 GB  | 200       | 500        |


Concentrator - Log Stream

| EPS    | CPU             | Memory | Read IOPS   | Write IOPS |
|--------|-----------------|--------|-------------|------------|
| 10,000 | 10 or 25.99 GHz | 50 GB  | 1,550 + 50  | 6,500      |
| 15,000 | 12 or 31.18 GHz | 60 GB  | 1,200 + 400 | 7,600      |


Concentrator - Packet Stream

| Mbps  | CPU             | Memory | Read IOPS | Write IOPS |
|-------|-----------------|--------|-----------|------------|
| 500   | 12 or 31.18 GHz | 50 GB  | 250       | 4,600      |
| 1,000 | 16 or 41.58 GHz | 50 GB  | 550       | 5,500      |
| 1,500 | 24 or 62.38 GHz | 75 GB  | 1,050     | 6,500      |


Warehouse Connector - Log Stream

| EPS    | CPU             | Memory | Read IOPS | Write IOPS |
|--------|-----------------|--------|-----------|------------|
| 10,000 | 8 or 20.79 GHz  | 30 GB  | 50        | 50         |
| 15,000 | 10 or 25.99 GHz | 35 GB  | 50        | 50         |

Warehouse Connector - Packet Stream

| Mbps  | CPU            | Memory | Read IOPS | Write IOPS |
|-------|----------------|--------|-----------|------------|
| 500   | 6 or 15.59 GHz | 32 GB  | 50        | 50         |
| 1,000 | 6 or 15.59 GHz | 32 GB  | 50        | 50         |
| 1,500 | 8 or 20.79 GHz | 40 GB  | 50        | 50         |


Archiver - Log Stream

| EPS    | CPU             | Memory | Read IOPS | Write IOPS |
|--------|-----------------|--------|-----------|------------|
| 10,000 | 12 or 31.18 GHz | 40 GB  | 1,300     | 700        |
| 15,000 | 14 or 36.38 GHz | 45 GB  | 1,200     | 900        |


Event Stream Analysis with Context Hub

| EPS    | CPU             | Memory | Read IOPS | Write IOPS |
|--------|-----------------|--------|-----------|------------|
| 90,000 | 32 or 83.16 GHz | 164 GB | 50        | 50         |


Scenario Three

The requirements in these tables were calculated under the following conditions.

  • All the components were integrated.
  • The Log stream included a Log Decoder and Concentrator.
  • The Packet stream included a Network Decoder and the Concentrator.
  • Event Stream Analysis was aggregating at 90K EPS from three Hybrid Concentrators.
  • Respond was receiving alerts from the Reporting Engine and Event Stream Analysis.
  • The background load included hourly and daily reports.
  • Charts were configured.


Log Decoder

| EPS    | CPU             | Memory | Read IOPS | Write IOPS |
|--------|-----------------|--------|-----------|------------|
| 25,000 | 32 or 83.16 GHz | 75 GB  | 250       | 150        |


Network Decoder

| Mbps  | CPU             | Memory | Read IOPS | Write IOPS |
|-------|-----------------|--------|-----------|------------|
| 2,000 | 16 or 41.58 GHz | 75 GB  | 50        | 650        |


Concentrator - Log Stream

| EPS    | CPU             | Memory | Read IOPS | Write IOPS |
|--------|-----------------|--------|-----------|------------|
| 25,000 | 16 or 41.58 GHz | 75 GB  | 650       | 9,200      |


Concentrator - Packet Stream

| Mbps  | CPU             | Memory | Read IOPS | Write IOPS |
|-------|-----------------|--------|-----------|------------|
| 2,000 | 24 or 62.38 GHz | 75 GB  | 150       | 7,050      |

Log Collector (Local and Remote)

The Remote Log Collector is a Log Collector service running on a remote host, and the Remote Collector is deployed virtually.

| EPS    | CPU            | Memory | Read IOPS | Write IOPS |
|--------|----------------|--------|-----------|------------|
| 15,000 | 8 or 20.79 GHz | 8 GB   | 50        | 50         |
| 30,000 | 8 or 20.79 GHz | 15 GB  | 100       | 100        |

Scenario Four

The requirements in these tables were calculated under the following conditions for Endpoint Log Hybrid.

  • All the components were integrated.
  • Endpoint Server is installed.
  • The Log stream included a Log Decoder and Concentrator.

Endpoint Log Hybrid

The values provided below are qualified for NetWitness Platform 11.2 for a dedicated Endpoint Log Hybrid with no other log sources configured.

5,000 agents: 16 core or 42 GHz CPU, 32 GB memory

| Component    | Read IOPS | Write IOPS | Storage Requirements per Scan |
|--------------|-----------|------------|-------------------------------|
| Log Decoder  | 250       | 150        | 60 GB                         |
| Concentrator | 150       | 7,050      | 60 GB                         |
| MongoDb      | 250       | 150        | 10 GB                         |

20,000 agents: 16 core or 42 GHz CPU, 64 GB memory

| Component    | Read IOPS | Write IOPS | Storage Requirements per Scan |
|--------------|-----------|------------|-------------------------------|
| Log Decoder  | 250       | 150        | 240 GB                        |
| Concentrator | 150       | 7,050      | 240 GB                        |
| MongoDb      | 250       | 150        | 40 GB                         |

To retain more than one snapshot of all the agents, the Concentrator and MongoDb storage sizes need to be increased. For example, for 2 snapshots, multiply the Concentrator and MongoDB storage by 2, which gives 120 GB and 20 GB respectively. (The Log Decoder storage size is kept constant.)

The following table lists the storage requirement for one agent per day. You can scale the storage based on the number of agents. For example, if you want to deploy 100 agents, multiply the values for Concentrator and MongoDB by 100 and by the number of days.

                               
Storage per agent per day
 Tracking Schedule Scan
Log Decoder

7.8 MB

9.8 MB
Concentrator11.22 MB13.31 MB
MongoDb0.04 MB0.61 MB
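The two sizing rules above (scale Concentrator and MongoDB storage by the number of retained snapshots, then by agents and days for daily growth) are easy to get wrong by hand during capacity planning. The following is an added example, not RSA's own tooling: it encodes the published per-scan and per-agent-per-day figures from this page and applies both rules. The tier lookup by exact agent count and the component names are assumptions made here for illustration.

```python
"""Endpoint Log Hybrid storage sizing from the figures on this page (added example)."""

# Per-scan storage in GB for one snapshot, per published agent tier (from the tables above).
PER_SCAN_GB = {
    5000:  {"Log Decoder": 60,  "Concentrator": 60,  "MongoDB": 10},
    20000: {"Log Decoder": 240, "Concentrator": 240, "MongoDB": 40},
}

# Per-agent per-day growth in MB, tracking vs. scheduled scan (from the table above).
PER_AGENT_DAY_MB = {
    "Log Decoder":  {"tracking": 7.8,   "scan": 9.8},
    "Concentrator": {"tracking": 11.22, "scan": 13.31},
    "MongoDB":      {"tracking": 0.04,  "scan": 0.61},
}


def snapshot_storage_gb(agents: int, snapshots: int = 1) -> dict:
    """Storage (GB) to retain `snapshots` snapshots at a published agent tier.

    Concentrator and MongoDB scale with the snapshot count; the Log Decoder
    figure stays constant, as the guide states. Tier lookup is exact-match
    here (an assumption): intermediate sizes are not published on the page.
    """
    if agents not in PER_SCAN_GB:
        raise ValueError(f"no published tier for {agents} agents")
    if snapshots < 1:
        raise ValueError("at least one snapshot must be retained")
    base = PER_SCAN_GB[agents]
    return {
        "Log Decoder": base["Log Decoder"],
        "Concentrator": base["Concentrator"] * snapshots,
        "MongoDB": base["MongoDB"] * snapshots,
    }


def daily_growth_mb(agents: int, days: int, mode: str) -> dict:
    """Storage (MB) consumed over `days` by `agents` agents: per-agent value * agents * days.

    `mode` selects the "tracking" or "scan" column. The guide's worked example
    applies this to Concentrator and MongoDB; all three components are returned.
    """
    if mode not in ("tracking", "scan"):
        raise ValueError("mode must be 'tracking' or 'scan'")
    if agents < 1 or days < 1:
        raise ValueError("agents and days must be positive")
    return {name: round(cols[mode] * agents * days, 2)
            for name, cols in PER_AGENT_DAY_MB.items()}


if __name__ == "__main__":
    print(snapshot_storage_gb(5000, snapshots=2))      # Concentrator 120 GB, MongoDB 20 GB
    print(daily_growth_mb(100, 30, "tracking"))        # 100 agents over 30 days
```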

If you have more than 25K agents in your virtual deployment, RSA recommends that you do one of the following:

  • Scale resources such as CPU, RAM, and storage
  • Install a physical host (Endpoint Log Hybrid)

Endpoint Broker

| Agents | CPU | RAM  |
|--------|-----|------|
| 50,000 | 2%  | 4 GB |



Legacy Windows Collectors Sizing Guidelines

Refer to the RSA NetWitness Platform Legacy Windows Collection Update & Installation for sizing guidelines for the Legacy Windows Collector.

UEBA

| CPU           | Memory | Read IOPS | Write IOPS |
|---------------|--------|-----------|------------|
| 16 or 2.4 GHz | 64 GB  | 500 MB    | 500 MB     |


Note: RSA recommends that you only deploy UEBA on a virtual host if your log collection volume is low. If you have a moderate to high log collection volume, RSA recommends that you deploy UEBA on the physical host described under "RSA NetWitness UEBA Host Hardware Specifications" in the Physical Host Installation Guide. Contact Customer Support (https://community.rsa.com/docs/DOC-1294) for advice on choosing which host, virtual or physical, to use for UEBA.
