Preparing and configuring a Sensor

April 17, 2024

ID 203033

In terms of hardware, the Sensor must have two network interfaces and must have hardware specifications compliant with one of the recommended configurations listed in the System requirements for the Sensor section. The hardware component of the Sensor can also be provided by a virtual machine, if the virtual machine has the performance of equivalent hardware solutions listed under System requirements for the Sensor.

In terms of network topology, the Sensor must be installed as close as possible to the network boundary. If possible, it should be installed downstream of the termination point of GRE tunnels but upstream of any hardware/software tools that could modify traffic (such as a firewall or IPS). After the Sensor is installed, the Customer must install an operating system (available upon request) on it.

The process of installing an operating system is described in detail in the Installing the Sensor OS on a server section. During the OS installation process, you must assign an IP address to the Sensor management interface, and specify a network mask for the specific IP address and the default gateway. The IP address for the management interface must be allocated from the provider's pool of PA addresses.

However, an IP address from a Protected subnet must not be assigned to the management interface. If an IP address from a Protected subnet pool is assigned to the Sensor, the monitoring system will be inaccessible for management when traffic is switched over to the protection route. Access to the management interface must be allocated (the list is provided with the Sensor image).

The IP address and ports used to reach the Sensor management interface may be translated: the management network interface itself can carry an internal IP address, and access over the SSH protocol can use a non-standard port. The main requirement is to ensure uninterrupted accessibility from the Internet to the management interface via the access pathways indicated in the table titled "List of required ports and protocols for the Sensor management interface".

The best solution for ensuring uninterrupted access is to use a separate channel (>= 10 Mbps) to connect the Sensor to the Internet. This way, if the channel is attacked, the monitoring system will still be accessible prior to switching over to the protection route.

After installing the operating system, the secondary network interface of the Sensor will be down. It will be activated when the Sensor is remotely configured by Kaspersky DDoS Protection Technical Support experts. Nonetheless, immediately after the operating system is installed, a symmetric copy of the traffic of all Protected resources must be sent to the secondary network interface of the Sensor.

Important note! The port used for receiving a copy of traffic on the Sensor operates in receive-only mode. This could cause a situation in which the cumulative bandwidth of inbound and outbound traffic of a Protected resource exceeds the speed of the physical channel used for sending data to the Sensor. For example, the inbound traffic could be 250 Mbps while the outbound traffic is 900 Mbps. The cumulative rate in this example would be 1150 Mbps, which exceeds the speed of a gigabit connection. To ensure correct operation of the Sensor, you will need an aggregated 2 Gbps channel for receiving a copy of traffic.

You can install an additional network card or a separate Sensor for receiving the entire volume of mirrored traffic.
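The two planning checks described above (the management address must not come from a Protected subnet, and the receive-only mirror port must carry inbound plus outbound traffic together) can be run before installation. This is an added example, not part of the Kaspersky DDoS Protection tooling; the function names are hypothetical and the addresses are constructed values from documentation ranges.

```python
import ipaddress
import math


def check_management_address(mgmt_cidr, protected_subnets):
    """Return the Protected subnets that contain the planned management IP.

    An empty list means the address is acceptable for the management interface.
    """
    iface = ipaddress.ip_interface(mgmt_cidr)
    conflicts = []
    for subnet in map(ipaddress.ip_network, protected_subnets):
        # Compare only like with like (IPv4 vs IPv4, IPv6 vs IPv6).
        if subnet.version == iface.version and iface.ip in subnet:
            conflicts.append(str(subnet))
    return conflicts


def mirror_links_needed(resources_mbps, link_mbps=1000):
    """Size the channel that delivers the traffic copy to the Sensor.

    resources_mbps: list of (inbound, outbound) peak rates per Protected resource.
    The mirror port is receive-only, so both directions of every resource
    arrive on it as inbound traffic and must be summed.
    """
    total = sum(inbound + outbound for inbound, outbound in resources_mbps)
    return total, max(1, math.ceil(total / link_mbps))


if __name__ == "__main__":
    # Constructed sample data (documentation address ranges).
    protected = ["198.51.100.0/24", "203.0.113.0/25"]
    for candidate in ("192.0.2.10/28", "203.0.113.5/29"):
        hits = check_management_address(candidate, protected)
        verdict = "OK" if not hits else "REJECT, inside " + ", ".join(hits)
        print(f"management {candidate}: {verdict}")

    # The 250 Mbps inbound / 900 Mbps outbound case from the note above.
    total, links = mirror_links_needed([(250, 900)])
    print(f"mirrored traffic {total} Mbps -> {links} x 1 Gbps link(s)")
```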
