Version 2.0, Service Pack 5.2, March 29, 2005

Overview

Introduction

This document provides hardware and software recommendations for deploying SiteProtector 2.0, Service Pack 5.2, as follows:

- small deployment
- medium deployment
- large deployment
- multi-site deployment

Related documentation

For other SiteProtector documents, see the following:

- For minimum system requirements, see the SiteProtector System Requirements.
- For installation instructions, see the SiteProtector Installation Guide.
- For more information about managing network scans, go to the SiteProtector Strategy Guide.

In this document

This document contains the following topics:

- Recommendations
- Small Deployment
- Medium Deployment
- Large Deployment
- Multiple-Site Deployment

© 2005 Internet Security Systems, Inc. All rights reserved worldwide.

Recommendations

Introduction

This topic gives recommendations for hardware, software, and free disk space. The recommendations are based on typical customer environments and may not apply to your specific environment.

Hardware and software

Hardware and software recommendations are based on the following items:

| Item | Description |
|---|---|
| Average events per day for the site | This number represents the average number of events processed per day throughout the entire site. The recommendations in this guide assume that the total number of events per day in your entire site will not consistently exceed the number in this column. |
| Maximum heartbeats per day | This number represents the maximum number of heartbeats the database processes per day throughout your entire site. |
| Total devices scanned | This number represents the total number of devices that Internet Scanner will scan per day in your site. Additional factors can affect scanning performance, including the following: number of Internet Scanner applications in your configuration; frequency of scans; types of policies that you apply to scans; types of hosts that you are scanning. |

Table 1: Basis for hardware and software recommendations

Free hard disk space

Free hard disk space recommendations are based on the following:

- expected event volume
- space required to store event data for 30 days
- space required to perform periodic database maintenance

Database Layout

For information about the layout of your database files, go to the Microsoft SQL Web site: http://www.microsoft.com/sql/

Small Deployment

Introduction

A small deployment of SiteProtector can be installed on a single computer.

Environment

A small deployment is appropriate in the following environment:

| Sensor or Agent Type | Number of Agents Supported | Average Events Per Day for the Site | Maximum Heartbeats Per Day for the Site |
|---|---|---|---|
| Network Sensors | 5 | 50,000 (a) total per Site | NA |
| Server Sensors | 50 | 50,000 (a) total per Site | NA |
| Proventia Desktop Agents (b) | 500 | 50,000 total per Site | 1,000 |
| RealSecure Desktop Agents | 500 | 50,000 total per Site | 1,000 |

Table 2: Small deployment environment

a. This number is the average events per day for network and server sensors combined.
b. The numbers for Proventia Desktop Agents are subject to change, pending an upcoming release of Proventia Desktop.

Note: In a Small Deployment scenario, the total number of devices scanned by Internet Scanner is up to 500.

Performance note

A small deployment of SiteProtector should perform well under these conditions. However, if the average events per day and the maximum heartbeats per day are consistently higher than the numbers listed, a small deployment of SiteProtector may experience performance problems regardless of the number of sensors and agents you are using. Potential problems include the following:

- The console may become slow or unresponsive.
- The database may become temporarily unable to accept new events until the activity drops to within the recommendations listed above.
- The database may process events at a very slow rate until the activity drops to within the recommendations listed above.

If you think the activity in your environment will exceed the recommendations listed above, consider using a medium or large deployment of SiteProtector.

Factors that impact performance

Several factors can impact the overall performance and responsiveness of each SiteProtector instance:

- multiple console operations
- long-running analysis queries
- report generation
- fusion analysis attack patterns
- maintenance operations

Hardware and software

The following table gives hardware and software recommendations for a small deployment:

| Item | Recommendation |
|---|---|
| processor | (2) 2.4 GHz Xeon |
| | Windows 2000 Server; Windows 2003 Server |
| | SQL Server 2000 Standard |
| | 2 GB |
| | 36-73 GB |

Table 3: Hardware and software recommendations (small deployment)

Diagram

This figure illustrates the small deployment:

Figure 1: Small deployment diagram

Medium Deployment

Introduction

A medium deployment of SiteProtector can be installed on three or more computers as follows:

| Computer | Components |
|---|---|
| 1 | Application Server |
| 2 | Database |
| 3 | Event Collector; Agent Manager |

Table 4: Medium deployment description

Environment

A medium deployment is appropriate in the following environment:

| Sensor or Agent Type | Number of Agents Supported | Average Events Per Day for the Site | Maximum Heartbeats Per Day for the Site |
|---|---|---|---|
| Network Sensors | up to 200 | up to 2,500,000 (a) total per Site | NA |
| Server Sensors | up to 400 | up to 2,500,000 (a) total per Site | NA |
| Proventia Desktop Agents (b) | 15,000 (c) | up to 720,000 total per Site | 30,000 |
| RealSecure Desktop Agents | 10,000 | up to 480,000 total per Site | 20,000 |

Table 5: Medium deployment environment

a. This number is the average events per day for network and server sensors combined.
b. The numbers for Proventia Desktop Agents are subject to change, pending an upcoming release of Proventia Desktop.
c. Assumes a minimum of two remote Event Collectors and two remote Agent Managers in each Site to handle 15,000 Proventia Desktop agents. The Event Collector and Agent Manager can be installed on the same computer.

Note: In a Medium Deployment scenario, the total number of devices scanned by Internet Scanner is up to 10,000.

Performance note

A medium deployment of SiteProtector should perform well under these conditions. However, if the average events per day and the maximum heartbeats per day are consistently higher than the numbers listed, a medium deployment of SiteProtector may experience performance problems regardless of the number of sensors and agents you are using. Potential problems include the following:

- The console may become slow or unresponsive.
- The database may become temporarily unable to accept new events until the activity drops to within the recommendations listed above.
- The database may process events at a very slow rate until the activity drops to within the recommendations listed above.

If you think the activity in your environment will exceed the recommendations listed above, consider using a large deployment of SiteProtector.

Factors that impact performance

Several factors can impact the overall performance and responsiveness of each SiteProtector instance:

- multiple console operations
- long-running analysis queries
- report generation
- fusion analysis attack patterns
- maintenance operations

Hardware and software

The following table gives hardware and software recommendations for the medium deployment:

| Computer | Item | Recommendation |
|---|---|---|
| 1 (Application Server) | processor | (1) 2.4 GHz Xeon |
| | | Windows 2000 Server; Windows Server 2003 |
| | | 2 GB |
| | | 36 GB |
| 2 (Database) | processor | (2) 3.0 GHz Xeon |
| | | Windows 2000 Server; Windows Server 2003 |
| | SQL Server | SQL Server 2000, Standard Edition |
| | | 4 GB |
| | | 73 to 438 GB as follows: 15K RPM SCSI disk; RAID configuration; multiple controllers |

Table 6: Hardware and software recommendations (medium deployment)

| Computer | Item | Recommendation |
|---|---|---|
| 3 (Event Collector/Agent Manager) | processor | 2.4 GHz Xeon Intel Pentium 4 |
| | | Windows 2000 Server (with SP4) or later; Windows 2000 Advanced Server (with SP4) or later; Windows Server 2003; Windows Enterprise Server 2003 |
| | | 1 GB |
| | | 36 GB |

Table 6: Hardware and software recommendations (medium deployment)

Diagram

This figure illustrates the medium deployment:

Figure 2: Medium deployment diagram

Large Deployment

Introduction

A large deployment of SiteProtector can be installed on three or more computers as follows:

| Computer | Components |
|---|---|
| 1 | Application Server |
| 2 | Database |
| 3 | Event Collector; Agent Manager |

Table 7: Large deployment description

Environment

A large deployment is appropriate in the following environment:

| Sensor or Agent Type | Number of Agents Supported | Average Events Per Day for the Site | Maximum Heartbeats Per Day for the Site |
|---|---|---|---|
| Network Sensors | up to 300 | up to 5,000,000 (a) total per Site | NA |
| Server Sensors | up to 500 | up to 5,000,000 (a) total per Site | NA |
| Proventia Desktop Agents (b) | 50,000 (c) | up to 2,500,000 total per Site | 100,000 |
| RealSecure Desktop Agents | 25,000 | up to 2,500,000 total per Site | 50,000 |

Table 8: Large deployment environment

a. This number is the average events per day for network and server sensors combined.
b. The numbers for Proventia Desktop Agents are subject to change, pending an upcoming release of Proventia Desktop.
c. Assumes a minimum of five remote Event Collectors and five remote Agent Managers in each Site to handle 50,000 Proventia Desktop agents. The Event Collector and Agent Manager can be installed on the same computer.

Note: In a Large Deployment scenario, the total number of devices scanned by Internet Scanner is up to 50,000.

Performance note

A large deployment of SiteProtector should perform well under these conditions. However, if the average events per day and the maximum heartbeats per day are consistently higher than the numbers listed, a large deployment of SiteProtector may experience performance problems regardless of the number of sensors and agents you are using. Potential problems include the following:

- The console may become slow or unresponsive.
- The database may become temporarily unable to accept new events until the activity drops to within the recommendations listed above.
- The database may process events at a very slow rate until the activity drops to within the recommendations listed above.

If you think the activity in your environment will exceed the recommendations listed above, consider using a multiple-site deployment of SiteProtector.

Factors that impact performance

Several factors can impact the overall performance and responsiveness of each SiteProtector instance:

- multiple console operations
- long-running analysis queries
- report generation
- fusion analysis attack patterns
- maintenance operations

Hardware and software

The following table gives hardware and software recommendations for the large deployment:

| Computer | Component | Recommendation |
|---|---|---|
| 1 (Application Server) | processor | (2) 3.2 GHz Xeon with 2 MB cache |
| | | Windows 2000 Server (with SP4) or later; Windows Server 2003 |
| | | 2 GB |
| | | 36 GB |
| 2 (Database) | processor | (4) 3.2 GHz Xeon with 2 MB cache |
| | | Windows 2000 Advanced Server (with SP4) or later; Windows 2003 Server, Enterprise Edition |
| | | SQL Server version 2000 Enterprise Edition |
| | | 8 GB |
| | | 143-730 GB with the following specifications: 15K RPM SCSI disk; RAID configuration; multiple controllers |

Table 9: Hardware and software recommendations (large deployment)

| Computer | Component | Recommendation |
|---|---|---|
| 3 (Event Collector/Agent Manager) | processor | 2.4 GHz Xeon Intel Pentium 4 |
| | | Windows 2000 Server (with SP4) or later; Windows 2000 Advanced Server (SP4) or later; Windows Server 2003; Windows Enterprise Server 2003 |
| | | 1 GB |
| | | 36 GB |

Table 9: Hardware and software recommendations (large deployment) (Continued)

Diagram

This figure illustrates the large deployment:

Figure 3: Large deployment diagram

Multiple-Site Deployment

Introduction

If your current configuration is too large, consider dividing it into several smaller sites. Use the guidelines and requirements for the small, medium, and large deployments described in this topic to help you choose the best deployment for each site.

The multiple-site deployment consists of several large deployments that report to a Dashboard instance. Use the multiple-site deployment if the following applies:

- the sizing criteria for your configuration exceed the numbers specified in the large deployment
- your configuration is distributed over a large geographic area

Diagram

Figure 4 illustrates the multiple-site deployment:

Figure 4: Multiple-site deployment diagram

Copyright 1994-2005, Internet Security Systems, Inc. All rights reserved worldwide. Internet Security Systems, the Internet Security Systems logo, RealSecure and SiteProtector are trademarks of Internet Security Systems, Inc. Other marks and trade names mentioned are marks and names of their owners as indicated. All marks are the property of their respective owners and used in an editorial context without intent of infringement. Specifications and content are subject to change without notice.