Appendix A
supporting document for Pre Deployment checklists
Sensor
Sensor is a gateway appliance (physical in most cases) that receives a SPAN/Mirror copy of all the traffic moving in and out of the firewall. Most Static Analysis and DPI happen at the sensor. The Sensor is also responsible for describing the traffic model(s) and sending over the metadata to the master for further analysis.
Recommended Configuration
Bandwidth
CPU/Cores
Threads
RAM (GB)
SSD (GB)
500 Mpbs
8
16
32
256
1Gbps
16
32
64
512
5Gbps
36
72
320
2000
10Gbps
72
144
512
4000
Log Collector
Is used to collect Logs and Flows from the client network. It needs to upload the compressed data to Collector in the cloud.
Recommended Configuration
EPS
CPU
RAM (GB)
Diskspace (GB)
500-1000
4 cores / 8 threads
16
128
1000-2000
8 cores/ 16 threads
32
256
2000-5000
8 cores/16 threads
64
256/512
5000-10000
16 cores / 32 threads
128
1TB
Responder
Is responsible agentless Response & Remediation and needs to communicate with the Master in the cloud.
Recommended Configuration
Size
Response & Remediation only
Threat Hunt (IOCs based live or log hunts)
Generic Hunts (artifact collection viz., memory, services, autostart etc.,)
100-200 endpoints
16GB RAM, 8 cores, 128GB Diskspace
16GB RAM, 8 cores, 128GB Diskspace
32GB RAM, 8 cores, 128GB Diskspace
200-1000 endpoints
16GB RAM, 8 cores, 128GB Diskspace
32GB RAM, 8 cores, 128GB Diskspace
32GB RAM, 8 cores, 256GB Diskspace
100-3000 endpoints
16GB RAM, 8 cores, 128GB Diskspace
64 GB RAM, 16 cores, 256GB Diskspace
64GB RAM, 16cores, 512GB Diskspace
3000-5000 endpoints
16GB RAM, 8 cores, 128GB Diskspace
64GB RAM, 16 cores, 256GB Diskspace
64GB RAM, 16 cores, 1TB Diskspace
Upto 10000 endpoints
16GB RAM, 8 cores, 128GB Diskspace
128GB RAM, 32 cores, 512GB Diskspace
16GB RAM, 8 cores, 2TB Diskspace
Above 10k+
Call for specs
Call for specs
Call for specs
Sample Deployment Architecture
Simple network architecture depicting Sensor, Log Collector and Responder in a typical deployment.
Last updated