Calculations for the Central Node component

Deploying the application on a virtual platform requires 10 percent more CPU resources than deploying the application on a physical server. In virtual disk settings, a Thick Provision disk type must be selected.

To avoid possible performance degradation when deploying the application on a virtual platform, we recommend to:

Hardware requirements for a server with the Central Node and Sensor components

The hardware requirements for a server on which the Central Node and Sensor components are installed depend on the following conditions:

If the volume of processed traffic is greater than 1 Gbps, you must install Central Node and Sensor components on standalone servers.

The hardware requirements for the Central Node server depending on the functionality being used are listed in the tables below.

Note that with the event chain scanning feature enabled, different hardware requirements apply to the Central Node server. Please refer to the Hardware requirements for the Central Node server with the event chain scanning feature enabled section.

Hardware requirements for the server with the Central Node component when using KEDR functionality

Maximum number of hosts with the Endpoint Agent component

Minimum RAM (GB)

Minimum number of logical cores at 3 GHz

First disk subsystem (RAID 1 or RAID 10)

Second disk subsystem (RAID 10)

ROPS (read operations per second)

WOPS (write operations per second)

Disk array size (TB)

The number of disks in the array

ROPS (read operations per second)

WOPS (write operations per second)

Disk array size (TB)

1000

64

8

100

1000

1

4

300

200

Up to 7.2 TB

3000

80

12

100

1000

1

4

700

500

5000

96

16

100

1000

1

4

1000

600

10,000

144

24

100

1000

1

4

2000

800

15,000

192

32

100

1000

1

4

2000

800

Hardware requirements for the server with the Central Node component when using KATA and KEDR functionality

Maximum number of hosts with the Endpoint Agent component

Maximum number of email messages per second

Maximum volume of traffic from SPAN ports on the server with the Central Node component

Maximum volume of traffic from SPAN ports on servers with the Sensor component (Mbps)

Minimum RAM (GB)

Minimum number of logical cores at 3 GHz

First disk subsystem (RAID 1 or RAID 10)

Second disk subsystem (RAID 10)

ROPS (read operations per second)

WOPS (write operations per second)

Disk array size (TB)

The number of disks in the array

ROPS (read operations per second)

WOPS (write operations per second)

1000

1

200

Not processed

96

16

100

1000

1.9

4

300

300

2000

2

500

Not processed

128

24

100

1000

2

4

500

500

5000

1

1000

Not processed

160

36

100

1000

2

4

1000

600

10,000

2

1000

Not processed

224

48

100

1000

2

4

2000

800

5000

5

Not processed

2000

144

32

100

1000

1.9

4

1000

600

10,000

20

Not processed

4000

224

56

100

1000

1.9

4

2000

800

15,000

20

Not processed

4000

256

64

100

1000

1.9

4

2000

800

15,000

20

Not processed

7000

320

104

100

1000

1.9

4

2000

800

15,000

20

Not processed

10,000

320

144

100

1000

1.9

4

2000

800

Hardware requirements for the server with the Central Node component when using КАТА functionality

Maximum number of email messages per second

Maximum volume of traffic from SPAN ports on the server with the Central Node component

Maximum volume of traffic from SPAN ports on servers with the Sensor component (Mbps)

Minimum RAM (GB)

Minimum number of logical cores at 3 GHz

First disk subsystem (RAID 1 or RAID 10)

ROPS (read operations per second)

WOPS (write operations per second)

Disk array size (TB)

The number of disks in the array

2

500

Not processed

64

20

100

1000

2

4

2

1000

Not processed

80

28

100

1000

2

4

5

Not processed

2000

64

20

100

1000

2

4

20

Not processed

4000

80

40

100

1000

2

2

20

Not processed

7000

128

72

100

1000

2

2

20

Not processed

10,000

128

112

100

1000

2

2

Kaspersky Anti Targeted Attack Platform does not support operation with software RAID array.

The CPU must support the BMI2, AVX, and AVX2 instruction sets.

Example calculations of required server configuration for Kaspersky Anti Targeted Attack Platform components

If you want to:

  • process traffic from a network device with a throughput up to 4 Gbps;
  • process 20 email messages per second;
  • use 15,000 hosts with Kaspersky Endpoint Security for Windows or 5000 hosts with Kaspersky Endpoint Security for Linux or Kaspersky Endpoint Security for Mac,

you need two servers with the following hardware:

  • Server with the Central Node component: at least 256 GB RAM and at least 64 logical CPU cores
  • Server with the Sensor component: at least 92 GB RAM and at least 32 logical CPU cores

The above calculation is also valid for an infrastructure with 5000 hosts with Kaspersky Endpoint Security for Linux or a combination of components (for example, 9000 hosts with Kaspersky Endpoint Security for Windows and 2000 hosts with Kaspersky Endpoint Security for Linux).

Disk space requirements on the Central Node server

The server with the Central Node component must have at least 2000 GB of free space on the first disk subsystem and at least 2400 GB on the second disk subsystem. The amount of space required on the second disk subsystem depends on the preferred storage policy and can be calculated using the following formula:

150 GB + <number of Kaspersky Endpoint Agent or Kaspersky Endpoint Security for Windows hosts>/15,000 * (400 GB + 240 GB * <number of days to store data>)/0.65, but no more than 12 TB.

If you want to use the event chain scanning feature, use the following formula to calculate the space requirement on the second disk subsystem:

150 GB + <number of Kaspersky Endpoint Agent or Kaspersky Endpoint Security for Windows hosts>/15,000 * (600 GB + 240 GB * <number of days to store data>)/0.65, but no more than 12 TB.

These formulas can be used to roughly estimate the required disk space. The actual amount of stored data depends on the traffic profile of the organization and may differ from the calculated result.

If you did not install the Central Node and Sensor component as a high availability cluster, you must calculate the disk space for the Events database, GB and Storage, GB settings using the following formula:

A = F - R, GB.

where

If the number of hosts connected to the Central Node component is in between the listed values, use the larger number in your calculations.

Reserved amount of free space depending on the number of Endpoint Agent hosts

Number of Endpoint Agent hosts

Reserved amount of free space (GB)

1000

1000

3000

1200

5000

1400

10,000

1900

15,000

2400

If you have configured integration for scanning external system objects using the REST API, the hardware requirements of the Central Node server must be increased. Additional hardware requirements are presented in the table below.

Hardware requirements for the server with the Central Node component with integrated external systems

Maximum number of processed objects per second

Number of additional logical cores

The number of additional servers with the Sandbox component

8

2

1

16

4

2

24

7

3

If you configured integration to send events to an external system using the REST API, you must increase the hardware requirements of the Central Node server by 1 logical core and 6 GB of RAM.

If you are saving network traffic, the hardware requirements of the Central Node server must be increased. For more details on hardware requirements, see Calculations for the Sensor componentHardware requirements of the Sensor when saving raw network traffic.

Requirements for the PCN server in distributed solution mode

If you are using distributed solution mode, to calculate the hardware requirements, you must take into account that the hardware requirements of the PCN server are 10% higher in terms of RAM and the number of logical cores than the hardware requirements of the server with the Central Node component. The hardware requirements of the server with the Central Node component are listed in the following tables: Hardware requirements for the server with the Central Node component when using KEDR functionality; Hardware requirements for the server with the Central Node component when using KATA+KEDR functionality; Hardware requirements for the server with the Central Node component when using КАТА functionality (see above).

You can connect up to 30 SCN servers to one PCN server.

Communication channel requirements

You must make sure that sufficient communication channel bandwidth is available between the server with the Central Node component and each network segment, depending on the number of hosts with the Endpoint Agent component in the segment. The bandwidth requirements depending on the number of hosts with the Endpoint Agent component is listed in the table below.

Communication channel bandwidth depending on the number of Endpoint Agent hosts

Maximum number of hosts with the Endpoint Agent component

Required bandwidth of the communication channel reserved for Endpoint Agent components (Mbps)

10

1

50

2

100

3

1000

20

10,000

200

Minimum requirements for the communication channel between the PCN and SCN servers in distributed solution mode are listed in the table below.

Minimum requirements for the communication channel between the PCN and SCN servers

Maximum number of hosts with the Endpoint Agent component

Maximum number of email messages per second

Maximum volume of traffic from SPAN ports (Mbps)

Required communication channel bandwidth (Mbps)

5000

5

2000

20

10,000

20

4000

30

Hardware requirements for Central Node cluster servers

A cluster must include at least 4 servers: 2 storage servers and 2 processing servers. If you have up to 15,000 connected hosts with the Kaspersky Endpoint Agent component, you need at least 2 storage servers and 2 processing servers. If you have from 15,000 to 30,000 connected hosts with the Kaspersky Endpoint Agent component, you need at least 2 storage servers and 3 processing servers.

Each cluster server must have two network adapters to configure cluster and external subnet. The cluster subnet must be capable of up to 10 Gbps.

The cluster subnet must also meet the following requirements:

The hardware requirements for cluster servers when using KEDR functionality are listed in the table below.

Hardware requirements for processing servers when using KEDR functionality

Minimum RAM (GB)

Minimum number of logical cores

RAID disk array type

The number of disks in a RAID disk array

Single HDD volume (GB)

256

48

RAID 1

2

1200

Hardware requirements for storage servers when using KEDR functionality

Minimum RAM (GB)

Minimum number of logical cores

First disk subsystem

Second disk subsystem

RAID disk array type

The number of disks in a RAID disk array

Single HDD volume (GB)

Number of disks

Single HDD volume (GB)

128

16

RAID 1

2

1200

at least 6

at least 1200

We recommend using disks of the same size for the two disk subsystems. For the second disk subsystem, you must use disks that are not combined into a RAID array.

The performance requirements for disk subsystems are equivalent to those specified in the table Hardware requirements for a server with the Central Node component when using KEDR functionality (see above).

See also

Calculations for the Sensor component

Calculations for the Central Node component deployed on the KVM virtualization platform

Calculations for the Sandbox component

Page top