Deploying the application on a virtual platform requires 10 percent more CPU resources than deploying the application on a physical server. In virtual disk settings, a Thick Provision disk type must be selected.
To avoid possible performance degradation when deploying the application on a virtual platform, we recommend to:
Hardware requirements for a server with the Central Node and Sensor components
The hardware requirements for a server on which the Central Node and Sensor components are installed depend on the following conditions:
To determine the volume of processed decrypted traffic for calculating the load on the server, use the following formula:
<volume of decrypted traffic transmitted by ArtX TLSProxy 1.9.1> = 5 * <volume of unencrypted traffic>
To determine the volume of traffic processed on the ICAP server for calculating the load on the server, use the following formula:
<volume of traffic processed on the ICAP server> = 5 * <volume of traffic that is not processed on the ICAP server>
The Endpoint Agent component can be installed on a workstation, terminal server, file server, or network attached storage (NAS).
Information about the compatibility of versions of applications that represent the Endpoint Agent component with versions of Kaspersky Anti Targeted Attack Platform is provided in the following Help sections: Kaspersky Endpoint Agent for Windows, Kaspersky Endpoint Security for Windows, Kaspersky Endpoint Security for Linux, Kaspersky Endpoint Security for Mac.
Kaspersky Endpoint Agent for Windows can also be installed on a SCADA server.
To determine the effective number of hosts with the Endpoint Agent component for calculating the server load, you can use the following formula:
K = A+3*B+20*C
where
If the volume of processed traffic is greater than 1 Gbps, you must install Central Node and Sensor components on standalone servers.
The hardware requirements for the Central Node server depending on the functionality being used are listed in the tables below.
Note that with the event chain scanning feature enabled, different hardware requirements apply to the Central Node server. Please refer to the Hardware requirements for the Central Node server with the event chain scanning feature enabled section.
Hardware requirements for the server with the Central Node component when using KEDR functionality
Maximum number of hosts with the Endpoint Agent component | Minimum RAM (GB) | Minimum number of logical cores at 3 GHz | First disk subsystem (RAID 1 or RAID 10): ROPS (read operations per second) | First disk subsystem (RAID 1 or RAID 10): WOPS (write operations per second) | First disk subsystem (RAID 1 or RAID 10): Disk array size (TB) | First disk subsystem (RAID 1 or RAID 10): The number of disks in the array | Second disk subsystem (RAID 10): ROPS (read operations per second) | Second disk subsystem (RAID 10): WOPS (write operations per second) | Second disk subsystem (RAID 10): Disk array size (TB)
---|---|---|---|---|---|---|---|---|---
1000 | 64 | 8 | 100 | 1000 | 1 | 4 | 300 | 200 | Up to 7.2 TB
3000 | 80 | 12 | 100 | 1000 | 1 | 4 | 700 | 500 |
5000 | 96 | 16 | 100 | 1000 | 1 | 4 | 1000 | 600 |
10,000 | 144 | 24 | 100 | 1000 | 1 | 4 | 2000 | 800 |
15,000 | 192 | 32 | 100 | 1000 | 1 | 4 | 2000 | 800 |
Hardware requirements for the server with the Central Node component when using KATA and KEDR functionality
Maximum number of hosts with the Endpoint Agent component | Maximum number of email messages per second | Maximum volume of traffic from SPAN ports on the server with the Central Node component | Maximum volume of traffic from SPAN ports on servers with the Sensor component (Mbps) | Minimum RAM (GB) | Minimum number of logical cores at 3 GHz | First disk subsystem (RAID 1 or RAID 10): ROPS (read operations per second) | First disk subsystem (RAID 1 or RAID 10): WOPS (write operations per second) | First disk subsystem (RAID 1 or RAID 10): Disk array size (TB) | First disk subsystem (RAID 1 or RAID 10): The number of disks in the array | Second disk subsystem (RAID 10): ROPS (read operations per second) | Second disk subsystem (RAID 10): WOPS (write operations per second)
---|---|---|---|---|---|---|---|---|---|---|---
1000 | 1 | 200 | Not processed | 96 | 16 | 100 | 1000 | 1.9 | 4 | 300 | 300
2000 | 2 | 500 | Not processed | 128 | 24 | 100 | 1000 | 2 | 4 | 500 | 500
5000 | 1 | 1000 | Not processed | 160 | 36 | 100 | 1000 | 2 | 4 | 1000 | 600
10,000 | 2 | 1000 | Not processed | 224 | 48 | 100 | 1000 | 2 | 4 | 2000 | 800
5000 | 5 | Not processed | 2000 | 144 | 32 | 100 | 1000 | 1.9 | 4 | 1000 | 600
10,000 | 20 | Not processed | 4000 | 224 | 56 | 100 | 1000 | 1.9 | 4 | 2000 | 800
15,000 | 20 | Not processed | 4000 | 256 | 64 | 100 | 1000 | 1.9 | 4 | 2000 | 800
15,000 | 20 | Not processed | 7000 | 320 | 104 | 100 | 1000 | 1.9 | 4 | 2000 | 800
15,000 | 20 | Not processed | 10,000 | 320 | 144 | 100 | 1000 | 1.9 | 4 | 2000 | 800
Hardware requirements for the server with the Central Node component when using KATA functionality
Maximum number of email messages per second | Maximum volume of traffic from SPAN ports on the server with the Central Node component | Maximum volume of traffic from SPAN ports on servers with the Sensor component (Mbps) | Minimum RAM (GB) | Minimum number of logical cores at 3 GHz | First disk subsystem (RAID 1 or RAID 10): ROPS (read operations per second) | First disk subsystem (RAID 1 or RAID 10): WOPS (write operations per second) | First disk subsystem (RAID 1 or RAID 10): Disk array size (TB) | First disk subsystem (RAID 1 or RAID 10): The number of disks in the array
---|---|---|---|---|---|---|---|---
2 | 500 | Not processed | 64 | 20 | 100 | 1000 | 2 | 4
2 | 1000 | Not processed | 80 | 28 | 100 | 1000 | 2 | 4
5 | Not processed | 2000 | 64 | 20 | 100 | 1000 | 2 | 4
20 | Not processed | 4000 | 80 | 40 | 100 | 1000 | 2 | 2
20 | Not processed | 7000 | 128 | 72 | 100 | 1000 | 2 | 2
20 | Not processed | 10,000 | 128 | 112 | 100 | 1000 | 2 | 2
Kaspersky Anti Targeted Attack Platform does not support operation with software RAID array.
The CPU must support the BMI2, AVX, and AVX2 instruction sets.
Example calculations of required server configuration for Kaspersky Anti Targeted Attack Platform components
If you want to:
you need two servers with the following hardware:
The above calculation is also valid for an infrastructure with 5000 hosts with Kaspersky Endpoint Security for Linux or a combination of components (for example, 9000 hosts with Kaspersky Endpoint Security for Windows and 2000 hosts with Kaspersky Endpoint Security for Linux).
Disk space requirements on the Central Node server
The server with the Central Node component must have at least 2000 GB of free space on the first disk subsystem and at least 2400 GB on the second disk subsystem. The amount of space required on the second disk subsystem depends on the preferred storage policy and can be calculated using the following formula:
150 GB + <number of Kaspersky Endpoint Agent or Kaspersky Endpoint Security for Windows hosts>/15,000 * (400 GB + 240 GB * <number of days to store data>)/0.65, but no more than 12 TB.
If you want to use the event chain scanning feature, use the following formula to calculate the space requirement on the second disk subsystem:
150 GB + <number of Kaspersky Endpoint Agent or Kaspersky Endpoint Security for Windows hosts>/15,000 * (600 GB + 240 GB * <number of days to store data>)/0.65, but no more than 12 TB.
These formulas can be used to roughly estimate the required disk space. The actual amount of stored data depends on the traffic profile of the organization and may differ from the calculated result.
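The two formulas above worked through in Python, as an added example that is not part of the original documentation: it evaluates the estimate with the 12 TB cap and inverts it to find how many whole days of data fit on a given array. The function and constant names, the 1 TB = 1000 GB conversion, and the use of the cap as the ceiling when inverting are assumptions of this example.

```python
import math

BASE_GB = 150             # fixed term of the formula
REFERENCE_HOSTS = 15_000  # host count the formula is normalised to
DAILY_GB = 240            # per-day term of the formula
DIVISOR = 0.65            # the 0.65 divisor in the formula
CAP_GB = 12_000           # "no more than 12 TB"; assumes 1 TB = 1000 GB


def _fixed_gb(event_chain_scanning):
    # 400 GB normally, 600 GB with the event chain scanning feature.
    return 600 if event_chain_scanning else 400


def second_subsystem_gb(hosts, retention_days, event_chain_scanning=False):
    """Estimated space (GB) on the second disk subsystem, capped at 12 TB."""
    if hosts < 0 or retention_days < 0:
        raise ValueError("hosts and retention_days must be non-negative")
    per_reference = _fixed_gb(event_chain_scanning) + DAILY_GB * retention_days
    estimate = BASE_GB + hosts / REFERENCE_HOSTS * per_reference / DIVISOR
    return min(estimate, CAP_GB)


def max_retention_days(hosts, available_gb, event_chain_scanning=False):
    """Largest whole number of days whose estimate fits in available_gb.

    Assumption of this example: space above the 12 TB cap is ignored.
    Returns None when even zero days of retention do not fit.
    """
    if hosts <= 0:
        raise ValueError("hosts must be positive")
    budget = min(available_gb, CAP_GB)
    scaled = (budget - BASE_GB) * DIVISOR * REFERENCE_HOSTS / hosts
    days = math.floor((scaled - _fixed_gb(event_chain_scanning)) / DAILY_GB)
    return days if days >= 0 else None


if __name__ == "__main__":
    # Constructed sample inputs: (hosts, days to store data).
    for hosts, days in [(5_000, 30), (15_000, 7), (15_000, 90)]:
        print(hosts, days, round(second_subsystem_gb(hosts, days)), "GB")
    print("days on a 12 TB array, 15,000 hosts:", max_retention_days(15_000, 12_000))
```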
If you did not install the Central Node and Sensor component as a high availability cluster, you must calculate the disk space for the Events database, GB and Storage, GB settings using the following formula:
A = F - R, GB.
where
If the number of hosts connected to the Central Node component is in between the listed values, use the larger number in your calculations.
Reserved amount of free space depending on the number of Endpoint Agent hosts
Number of Endpoint Agent hosts | Reserved amount of free space (GB)
---|---
1000 | 1000
3000 | 1200
5000 | 1400
10,000 | 1900
15,000 | 2400
If you have configured integration for scanning external system objects using the REST API, the hardware requirements of the Central Node server must be increased. Additional hardware requirements are presented in the table below.
Hardware requirements for the server with the Central Node component with integrated external systems
Maximum number of processed objects per second | Number of additional logical cores | The number of additional servers with the Sandbox component
---|---|---
8 | 2 | 1
16 | 4 | 2
24 | 7 | 3
If you configured integration to send events to an external system using the REST API, you must increase the hardware requirements of the Central Node server by 1 logical core and 6 GB of RAM.
If you are saving network traffic, the hardware requirements of the Central Node server must be increased. For more details on hardware requirements, see Calculations for the Sensor component → Hardware requirements of the Sensor when saving raw network traffic.
Requirements for the PCN server in distributed solution mode
If you are using distributed solution mode, take into account when calculating the hardware requirements that the PCN server needs 10% more RAM and 10% more logical cores than the server with the Central Node component. The hardware requirements of the server with the Central Node component are listed in the following tables: Hardware requirements for the server with the Central Node component when using KEDR functionality; Hardware requirements for the server with the Central Node component when using KATA+KEDR functionality; Hardware requirements for the server with the Central Node component when using KATA functionality (see above).
You can connect up to 30 SCN servers to one PCN server.
Communication channel requirements
You must make sure that sufficient communication channel bandwidth is available between the server with the Central Node component and each network segment, depending on the number of hosts with the Endpoint Agent component in the segment. The bandwidth requirements depending on the number of hosts with the Endpoint Agent component are listed in the table below.
Communication channel bandwidth depending on the number of Endpoint Agent hosts
Maximum number of hosts with the Endpoint Agent component | Required bandwidth of the communication channel reserved for Endpoint Agent components (Mbps)
---|---
10 | 1
50 | 2
100 | 3
1000 | 20
10,000 | 200
Minimum requirements for the communication channel between the PCN and SCN servers in distributed solution mode are listed in the table below.
Minimum requirements for the communication channel between the PCN and SCN servers
Maximum number of hosts with the Endpoint Agent component | Maximum number of email messages per second | Maximum volume of traffic from SPAN ports (Mbps) | Required communication channel bandwidth (Mbps)
---|---|---|---
5000 | 5 | 2000 | 20
10,000 | 20 | 4000 | 30
Hardware requirements for Central Node cluster servers
A cluster must include at least 4 servers: 2 storage servers and 2 processing servers. If you have up to 15,000 connected hosts with the Kaspersky Endpoint Agent component, you need at least 2 storage servers and 2 processing servers. If you have from 15,000 to 30,000 connected hosts with the Kaspersky Endpoint Agent component, you need at least 2 storage servers and 3 processing servers.
Each cluster server must have two network adapters to configure the cluster subnet and the external subnet. The cluster subnet must be capable of up to 10 Gbps.
The cluster subnet must also meet the following requirements:
The hardware requirements for cluster servers when using KEDR functionality are listed in the table below.
Hardware requirements for processing servers when using KEDR functionality
Minimum RAM (GB) | Minimum number of logical cores | RAID disk array type | The number of disks in a RAID disk array | Single HDD volume (GB)
---|---|---|---|---
256 | 48 | RAID 1 | 2 | 1200
Hardware requirements for storage servers when using KEDR functionality
Minimum RAM (GB) | Minimum number of logical cores | First disk subsystem: RAID disk array type | First disk subsystem: The number of disks in a RAID disk array | First disk subsystem: Single HDD volume (GB) | Second disk subsystem: Number of disks | Second disk subsystem: Single HDD volume (GB)
---|---|---|---|---|---|---
128 | 16 | RAID 1 | 2 | 1200 | at least 6 | at least 1200
We recommend using disks of the same size for the two disk subsystems. For the second disk subsystem, you must use disks that are not combined into a RAID array.
The performance requirements for disk subsystems are equivalent to those specified in the table Hardware requirements for a server with the Central Node component when using KEDR functionality (see above).