Virtual Host Setup: Basic Deployment

Document created by RSA Information Design and Development on Mar 21, 2017. Last modified by David O'Malley on Mar 21, 2017.

This topic contains general guidelines and requirements for deploying Security Analytics in a virtual environment.

Abbreviations Used in the Virtual Deployment Guide

Abbreviation    Description
CPU             Central Processing Unit
EPS             Events Per Second
VMware ESX      Enterprise-class, type-1 hypervisor
GB              Gigabyte. 1 GB = 1,000,000,000 bytes
Gb              Gigabit. 1 Gb = 1,000,000,000 bits
Gbps            Gigabits per second, or billions of bits per second. It measures bandwidth on a digital data transmission medium such as optical fiber.
GHz             Gigahertz. 1 GHz = 1,000,000,000 Hz
IOPS            Input/Output Operations Per Second
IPDB            Internet Protocol Database
Mbps            Megabits per second, or millions of bits per second. It measures bandwidth on a digital data transmission medium such as optical fiber.
NAS             Network Attached Storage
OVF             Open Virtualization Format
OVA             Open Virtual Appliance. For purposes of this guide, OVA stands for Open Virtual Host.
RAM             Random Access Memory (also known as memory)
SAN             Storage Area Network
SSD/EFD HDD     Solid-State Drive/Enterprise Flash Drive Hard Disk Drive
SCSI            Small Computer System Interface
SCSI (SAS)      Serial Attached SCSI: a point-to-point serial protocol that moves data to and from computer storage devices such as hard drives and tape drives.
vCPU            Virtual Central Processing Unit (also known as a virtual processor)
vRAM            Virtual Random Access Memory (also known as virtual memory)

Supported Virtual Hosts

You can install the following Security Analytics hosts in your virtual environment as a virtual host and inherit features that are provided by your virtual environment:

  • Security Analytics Server
  • Archiver
  • Broker
  • Concentrator
  • Event Stream Analysis
  • Log Decoder
  • Malware Analysis
  • Decoder
  • Remote Log Collector
  • Warehouse Connector

You must be familiar with the following VMware infrastructure concepts:

  • VMware vCenter Server
  • VMware ESX host
  • Virtual machine

For information on VMware concepts, refer to the VMware product documentation.

The virtual hosts are provided as an OVA. You need to deploy the OVA file as a virtual machine in your virtual infrastructure.

Installation Media

Installation media are in the form of OVA packages, which are available for download and installation from Download Central (https://download.rsasecurity.com). As part of your order fulfillment, RSA gives you access to the OVAs that pertain to each component ordered.

Virtual Environment Recommendations

The virtual hosts installed with the OVA packages have the same functionality as the Security Analytics hardware hosts. This means that when you implement virtual hosts, you must account for the back-end hardware. RSA recommends that you perform the following tasks when you set up your virtual environment.

  • Based on resource requirements of the different components, follow best practices to use the system and dedicated storage appropriately.
  • Make sure that back-end disk configurations provide a write speed at least 10% greater than the required sustained capture and ingest rate for the deployment.
  • Build Concentrator directories for meta and index databases on the SSD/EFD HDD.
  • If the database components are separate from the installed operating system (OS) components (that is, on a separate physical system), provide direct connectivity with either:
    • Two 8-Gbps Fiber Channel SAN ports per virtual host,
      or
    • 6-Gbps Serial Attached SCSI (SAS) connectivity.

Note:
  1. Currently, Security Analytics does not support Network Attached Storage (NAS) for virtual deployments.
  2. The Decoder allows any storage configuration that can meet the sustained throughput requirement. The standard 8-Gbps Fiber Channel link to a SAN is insufficient to read and write packet data at 10 Gb. You must use multiple Fiber Channel links when you configure the connection from a 10G Decoder to the SAN.
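The storage rules above (10% write headroom over the sustained capture rate, and more than one 8-Gbps Fiber Channel link for a 10G Decoder) can be turned into a pre-deployment check. The following is an added example and not code from the RSA guide; the datastore benchmark figures are constructed sample values, the IOPS requirements are supplied by the caller from the sizing row for the host, and applying the 10% headroom when counting Fiber Channel links is an assumption of the example.

```python
"""Storage sizing check for a virtual Security Analytics host.
Added example, not code from the RSA guide. Encodes two rules from the
virtual environment recommendations: write speed at least 10% above the
sustained capture rate, and enough 8-Gbps FC links for a 10G Decoder."""
from dataclasses import dataclass
import math

FC_LINK_GBPS = 8.0      # one Fiber Channel SAN port, as stated in the guide
WRITE_HEADROOM = 1.10   # write speed must be 10% above the ingest rate


@dataclass
class StorageBenchmark:
    """Measured figures for a candidate datastore (constructed sample input)."""
    write_gbps: float   # sustained sequential write throughput
    read_iops: int
    write_iops: int
    fc_links: int       # Fiber Channel ports wired to the virtual host


def required_write_gbps(capture_gbps: float) -> float:
    """Minimum back-end write throughput for a sustained capture rate."""
    return capture_gbps * WRITE_HEADROOM


def fc_links_needed(capture_gbps: float) -> int:
    """8-Gbps FC links needed to carry the headroomed capture rate (assumption)."""
    return math.ceil(required_write_gbps(capture_gbps) / FC_LINK_GBPS)


def check_datastore(bench, capture_gbps, read_iops_req, write_iops_req):
    """Return findings for a datastore; an empty list means it qualifies.
    read_iops_req/write_iops_req come from the sizing row for the host."""
    findings = []
    need = required_write_gbps(capture_gbps)
    if bench.write_gbps < need:
        findings.append(f"write {bench.write_gbps:.2f} Gbps < {need:.2f} Gbps needed")
    if bench.fc_links < fc_links_needed(capture_gbps):
        findings.append(f"{bench.fc_links} FC link(s) < {fc_links_needed(capture_gbps)} needed")
    if bench.read_iops < read_iops_req:
        findings.append(f"read IOPS {bench.read_iops} < {read_iops_req} required")
    if bench.write_iops < write_iops_req:
        findings.append(f"write IOPS {bench.write_iops} < {write_iops_req} required")
    return findings


if __name__ == "__main__":
    # Constructed case: a 10G Decoder on a datastore with a single FC port.
    bench = StorageBenchmark(write_gbps=12.0, read_iops=200, write_iops=800, fc_links=1)
    for finding in check_datastore(bench, 10.0, 50, 650):
        print("FAIL:", finding)
```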

Virtual Host Recommended System Requirements

The following tables list the vCPU, vRAM, and Read and Write IOPS recommended requirements for the virtual hosts based on the EPS or capture rate for each component.

  • Storage allocation is covered in Step 3 “Configure Databases to Accommodate Security Analytics Suite”.
  • vRAM and vCPU recommendations may vary depending on capture rates, configuration and content enabled.
  • The recommendations were tested at ingest rates of up to 25,000 EPS for logs and two Gbps for packets.
  • The vCPU specifications for all the components listed in the following tables are Intel Xeon CPU @ 2.59 GHz.
  • All ports are SSL.

Scenario One

The requirements in these tables were calculated under the following conditions.

  • All the components were integrated.
  • The Log Stream included a Log Decoder, Concentrator, and Archiver.
  • The Packet Stream included a Packet Decoder and Concentrator.
  • The background load included hourly and daily reports.
  • Charts were configured.

Log Decoder

EPS      CPU (vCPU or GHz)   Memory   Read IOPS   Write IOPS
2,500    6 or 15.60 GHz      25 GB    50          75
5,000    8 or 20.79 GHz      25 GB    100         100
7,500    10 or 25.99 GHz     25 GB    150         150

Packet Decoder

Mbps     CPU (vCPU or GHz)   Memory   Read IOPS   Write IOPS
50       4 or 10.39 GHz      25 GB    50          150
100      4 or 10.39 GHz      25 GB    50          250
250      4 or 10.39 GHz      25 GB    50          350

Concentrator - Log Stream

EPS      CPU (vCPU or GHz)   Memory   Read IOPS   Write IOPS
2,500    4 or 10.39 GHz      25 GB    300         1,800
5,000    4 or 10.39 GHz      25 GB    400         2,350
7,500    6 or 15.59 GHz      25 GB    500         4,500

Concentrator - Packet Stream

Mbps     CPU (vCPU or GHz)   Memory   Read IOPS   Write IOPS
50       4 or 10.39 GHz      25 GB    50          1,350
100      4 or 10.39 GHz      25 GB    100         1,700
250      4 or 10.39 GHz      25 GB    150         2,100

Archiver

EPS      CPU (vCPU or GHz)   Memory   Read IOPS   Write IOPS
2,500    4 or 10.39 GHz      25 GB    150         250
5,000    4 or 10.39 GHz      25 GB    150         250
7,500    6 or 15.59 GHz      25 GB    150         350

Scenario Two

The requirements in these tables were calculated under the following conditions.

  • All the components were integrated.
  • The Log Stream included a Log Decoder, Concentrator, Warehouse Connector, and Archiver.
  • The Packet Stream included a Packet Decoder, Concentrator, and Warehouse Connector.
  • Event Stream Analysis was aggregating at 90K EPS from three Hybrid Concentrators.
  • Incident Management was receiving alerts from the Reporting Engine and Event Stream Analysis.
  • The background load included reports, charts, alerts, investigation, and incident management.
  • Alerts were configured.

Log Decoder

EPS      CPU (vCPU or GHz)   Memory   Read IOPS   Write IOPS
10,000   16 or 41.58 GHz     50 GB    300         50
15,000   20 or 51.98 GHz     60 GB    550         100

Packet Decoder

Mbps     CPU (vCPU or GHz)   Memory   Read IOPS   Write IOPS
500      8 or 20.79 GHz      40 GB    150         200
1,000    12 or 31.18 GHz     50 GB    200         400
1,500    16 or 41.58 GHz     75 GB    200         500

Concentrator - Log Stream

EPS      CPU (vCPU or GHz)   Memory   Read IOPS     Write IOPS
10,000   10 or 25.99 GHz     50 GB    1,550 + 50    6,500
15,000   12 or 31.18 GHz     60 GB    1,200 + 400   7,600

Concentrator - Packet Stream

Mbps     CPU (vCPU or GHz)   Memory   Read IOPS   Write IOPS
500      12 or 31.18 GHz     50 GB    250         4,600
1,000    16 or 41.58 GHz     50 GB    550         5,500
1,500    24 or 62.38 GHz     75 GB    1,050       6,500

Warehouse Connector - Log Stream

EPS      CPU (vCPU or GHz)   Memory   Read IOPS   Write IOPS
10,000   8 or 20.79 GHz      30 GB    50          50
15,000   10 or 25.99 GHz     35 GB    50          50

Warehouse Connector - Packet Stream

Mbps     CPU (vCPU or GHz)   Memory   Read IOPS   Write IOPS
500      6 or 15.59 GHz      20 GB    50          50
1,000    6 or 15.59 GHz      30 GB    50          50
1,500    8 or 20.79 GHz      40 GB    50          50

Archiver - Log Stream

EPS      CPU (vCPU or GHz)   Memory   Read IOPS   Write IOPS
10,000   12 or 31.18 GHz     40 GB    1,300       700
15,000   14 or 36.38 GHz     45 GB    1,200       900

Event Stream Analysis with Context Hub

EPS      CPU (vCPU or GHz)   Memory   Read IOPS   Write IOPS
90,000   32 or 83.16 GHz     94 GB    50          50

Security Analytics (SA) Server and Co-Located Components

The SA Server, Jetty, Broker, Incident Management, and Reporting Engine are in the same location.

CPU (vCPU or GHz)   Memory   Read IOPS   Write IOPS
12 or 31.18 GHz     50 GB    100         350

Scenario Three

The requirements in these tables were calculated under the following conditions.

  • All the components were integrated.
  • The Log Stream included a Log Decoder and Concentrator.
  • The Packet Stream included a Packet Decoder and Concentrator.
  • Event Stream Analysis was aggregating at 90K EPS from three Hybrid Concentrators.
  • Incident Management was receiving alerts from the Reporting Engine and Event Stream Analysis.
  • The background load included hourly and daily reports.
  • Charts were configured.

Log Decoder

EPS      CPU (vCPU or GHz)   Memory   Read IOPS   Write IOPS
25,000   32 or 83.16 GHz     75 GB    250         150

Packet Decoder

Mbps     CPU (vCPU or GHz)   Memory   Read IOPS   Write IOPS
2,000    16 or 41.58 GHz     75 GB    50          650

Concentrator - Log Stream

EPS      CPU (vCPU or GHz)   Memory   Read IOPS   Write IOPS
25,000   16 or 41.58 GHz     75 GB    650         9,200

Concentrator - Packet Stream

Mbps     CPU (vCPU or GHz)   Memory   Read IOPS   Write IOPS
2,000    24 or 62.38 GHz     75 GB    150         7,050

Log Collector (Local and Remote)

The Remote Log Collector is a Log Collector service running on a remote host; in a virtual deployment, the Remote Log Collector is deployed as a virtual host.

EPS      CPU (vCPU or GHz)   Memory   Read IOPS   Write IOPS
15,000   8 or 20.79 GHz      8 GB     50          50
30,000   8 or 20.79 GHz      15 GB    100         100

Legacy Windows Collectors Sizing Guidelines

Refer to the RSA Security Analytics Legacy Windows Collection Update & Installation documentation for sizing guidelines for the Legacy Windows Collector.
