BluSapphire
Search…
Appendix A
supporting document for Pre Deployment checklists

Sensor

Sensor is a gateway appliance (physical in most cases) that receives a SPAN/Mirror copy of all the traffic moving in and out of the firewall. Most Static Analysis and DPI happen at the sensor. The Sensor is also responsible for describing the traffic model(s) and sending over the metadata to the master for further analysis.
Bandwidth
CPU/Cores
Threads
RAM (GB)
SSD (GB)
500 Mpbs
8
16
32
256
1Gbps
16
32
64
512
5Gbps
36
72
320
2000
10Gbps
72
144
512
4000

Log Collector

Is used to collect Logs and Flows from the client network. It needs to upload the compressed data to Collector in the cloud.
EPS
CPU
RAM (GB)
Diskspace (GB)
500-1000
4 cores / 8 threads
16
128
1000-2000
8 cores/ 16 threads
32
256
2000-5000
8 cores/16 threads
64
256/512
5000-10000
16 cores / 32 threads
128
1TB

Responder

Is responsible agentless Response & Remediation and needs to communicate with the Master in the cloud.
Size
Response & Remediation only
Threat Hunt (IOCs based live or log hunts)
Generic Hunts (artifact collection viz., memory, services, autostart etc.,)
100-200 endpoints
16GB RAM, 8 cores, 128GB Diskspace
16GB RAM, 8 cores, 128GB Diskspace
32GB RAM, 8 cores, 128GB Diskspace
200-1000 endpoints
16GB RAM, 8 cores, 128GB Diskspace
32GB RAM, 8 cores, 128GB Diskspace
32GB RAM, 8 cores, 256GB Diskspace
100-3000 endpoints
16GB RAM, 8 cores, 128GB Diskspace
64 GB RAM, 16 cores, 256GB Diskspace
64GB RAM, 16cores, 512GB Diskspace
3000-5000 endpoints
16GB RAM, 8 cores, 128GB Diskspace
64GB RAM, 16 cores, 256GB Diskspace
64GB RAM, 16 cores, 1TB Diskspace
Upto 10000 endpoints
16GB RAM, 8 cores, 128GB Diskspace
128GB RAM, 32 cores, 512GB Diskspace
16GB RAM, 8 cores, 2TB Diskspace
Above 10k+
Call for specs
Call for specs
Call for specs

Sample Deployment Architecture

Simple network architecture depicting Sensor, GW Collector and Responder in a typical deployment.
Last modified 11mo ago