Virtual Appliance Sizing Specifications

This article describes the resources required for the successful installation and operation of Stellar Cyber virtual appliances.

Sensor Specifications

You can install Modular Sensors and Server Sensors using installation files downloaded from the DP. Modular Sensors install as dedicated VMs. Server Sensors install as applications in an existing host VM (Linux or Windows).

See the following sections for details:

Provision Sufficient Resources for Virtual Sensors!

In order to guarantee the performance of your virtual sensors, you must provision them according to the system requirements for CPUs and memory in the sections that follow. For hypervisors that allow it, this includes reserving resources.

In addition, pay attention to the clock speed for provisioned processors. Stellar Cyber validates sensor installations on processors @ 2.10 GHz.

The procedure below provides instructions on how to reserve resources in a VMware environment.

Other hypervisors may provide their own tools for reserving resources. Refer to your hypervisor's documentation for details. In general, Stellar Cyber recommends reserving resources wherever possible to guarantee sensor performance.

Modular Sensor Specifications

A modular sensor lets you easily add the features you like to your sensor. This helps simplify your deployment and lets you manage the VM requirements for the sensors based on the modular features they use.

The modular sensor VM must meet the minimum specifications in the table below:

Modular Features Virtual Cores RAM (GB) SSD (GB) Workers
Log forwarder (500 events/s) 1 3 64 1
Log forwarder and aggregator (500 events/s; 100 Mbps traffic) 1 3 64 1

The OVA/VHD files distributed for Modular Sensor installation in VMware/Hyper-V environments provision the VM with 4 virtual cores, 8 GB of RAM, and a 64 GB disk. You must provision sufficient resources to support the features you anticipate enabling for the Modular Sensor in its Modular Sensor Profile. Use the table below to determine the total resources required for different combinations of the features available in a Modular Sensor Profile.

As a rule of thumb, Stellar Cyber recommends that you provision at least 1.5 times as much memory as the number of CPU cores to ensure stable performance. So, for example, if you provision 8 CPUs, you should provision at least 8 x 1.5 = 12 GB of memory.

CPU RAM (GB) Disk (GB)

Log Collector
Log Forwarder

Network Traffic

IDS

Sandbox

Tenable

1 3 23 ü
2 3 28 ü ü
4 6 50 ü ü ü
4 6 50 ü ü ü
4 6 50 ü ü ü ü
2 4 33 ü ü
3 5 38 ü ü ü

4

8

60

ü ü ü ü

4

8

60

ü ü ü ü

4

8

60

ü ü ü ü ü

Keep in mind the following:

  • Log Collector and Log Forwarder are always enabled in Modular Sensor Profiles.

  • (missing or bad snippet)
  • The Sandbox and IDS features can only be enabled if Network Traffic is enabled.

  • The default Modular Sensor profile created for your organization has Network Traffic, Sandbox, and IDS enabled. If you create a new Modular Sensor profile, however, those options are not enabled by default and must be enabled manually.

  • Modular Sensor throughput is as follows:

    Component

     

     

      
    Virtual Cores (reserved)

    4

    8

    1224
    RAM (GB) (reserved)

    8

    16

    3264
    Maximum traffic inspection throughput (Mbps)*
    (1 or 2 span ports)

    200

    500

    1,00010,000

    * Stated specifications support the corresponding maximum network traffic inspection throughput. Performance may vary depending on your environment, configuration, and other variables.

  • The resources in the table were current at the time of writing. You can always see the most recent recommendations from Stellar Cyber by using the show module request command in the Sensor CLI. For example:

  • You can see which features are currently enabled on a sensor, as well as its current provisioning by using the show module command in the Sensor CLI. For example:

Automatic Resource Checking

When you apply a Modular Sensor Profile, Stellar Cyber automatically checks the resources provisioned for the target sensor and informs you whether they are sufficient to support the features enabled in the profile. You can also see the results in the show module command listed above – the output of the command reports both the name of the Modular Sensor Profile applied and whether the resource checks passed.

If the resource checks do not pass, Stellar Cyber informs you of the issue and displays the sensor in the list with a visible warning of the problem. It does not enable the sensor features until the minimum specifications are met.

Linux Server Sensor Specifications

The Linux Server Sensor uses 5% of the host server's resources, including each CPU core, so the VM must have at least:

Component Specification
Host CPU Xeon Core 2 virtual cores (2.0 GHz or more)
Host RAM (GB) 12
Host SSD (GB) 128

Windows Server Sensor Specifications

The Windows host into which the Windows Server Sensor is installed must have at least:

Component Specification
Host CPU Xeon Core 2 virtual cores (2.0 GHz or more)
Host RAM (GB) 8
Host SSD (GB) 128
OS Windows Server 2008 R2 (or later)

Enabling SSSE3

Sensors installed on Linux hosts with KVM hypervisors must have SSSE3 enabled for their vCPUs in order to collect network packets (including packets received from a mirror port) and generate Interflow data from them. This is true for both device sensors and server sensors.
SSSE3 is typically supported/enabled for most vCPUs, but may not be for certain legacy AMD vCPUs. See below for instructions on enabling SSSE3.

Similarly, sensors deployed in Hyper-V must have processor compatibility mode disabled to ensure that SSSE3 works correctly. Refer to Installing a Modular Security Sensor in Hyper-V for instructions.