Alert Logic Requirements for Virtual and Physical Appliances

Requirements for Alert Logic IDS virtual appliances

Traffic volume directly affects how much of the traffic the appliance can inspect: choose the size whose peak supported throughput is above the peak traffic you expect on the monitored segment. High-traffic environments may require a virtual machine with additional processor and memory resources.

The following table describes the basic system requirements to install a virtual IDS appliance:

Virtual CPU cores   RAM     Disk space      Supported virtual environment   Peak supported throughput
4 cores             16 GB   60 GB minimum   VMware and Hyper-V              500 Mbps
8 cores             32 GB   60 GB minimum   VMware and Hyper-V              1 Gbps
16 cores            64 GB   60 GB minimum   VMware and Hyper-V              2 Gbps (1 Gbps per fiber interface)

Encryption (all sizes): TLS (SSL) with a 2048-bit key and 256-bit AES bulk encryption.

Requirements for Alert Logic Log Manager virtual appliances

Syslog volume directly affects how much log traffic the appliance can ingest. High-volume environments may require a virtual machine with additional processor and memory resources.

The following table describes the basic system requirements to install a virtual Log Manager appliance:

Virtual CPU cores   RAM    Disk space      Supported virtual environment   Encryption
2 cores             2 GB   60 GB minimum   VMware                          TLS (SSL): 2048-bit key, 256-bit AES bulk encryption

Physical IDS appliance specifications

Traffic volume directly affects how much of the traffic the appliance can inspect. High-traffic environments require a physical appliance tier with additional power, processor, and memory resources.

Alert Logic provides three tiers of physical appliances to meet system requirements. The following table describes the components and specifications for each appliance:

Appliance         CPU        RAM     Disk space   Chassis           Power   Peak throughput
Tier 1 - R230XL   4 cores    16 GB   1 TB         1U rack mounted   250W    500 Mbps
Tier 2 - R640XL   8 cores    32 GB   1 TB         1U rack mounted   750W    1 Gbps
Tier 3 - R640XL   24 cores   64 GB   1 TB         1U rack mounted   750W    2 Gbps (1 Gbps per fiber interface)

Encryption (all tiers): TLS (SSL) with a 2048-bit key and 256-bit AES bulk encryption.

Physical Log Manager appliance specifications

The following table describes the basic specifications for the physical appliance:

Component    System specification
CPU          Intel Xeon
RAM          4 GB
Disk space   500 GB
Chassis      1U rack mounted
Power        250W
Encryption   TLS (SSL): 2048-bit key, 256-bit AES bulk encryption

Requirements for Alert Logic Managed Web Application Firewall (WAF) appliances

VMware WAF virtual appliance

If your CPU usage is above 80 percent for extended periods, Alert Logic recommends adding processor resources.

The following table describes the basic system requirements to install a VMware virtual appliance:

Component                         System requirement
Guest operating system            CentOS 64-bit
CPU                               2 CPUs, 64-bit
RAM                               4 GB
Disk space                        250 GB
Virtual network interfaces        One interface with an external IP address for management, and one interface with access to the web servers to be protected
NIC type                          e1000
SSL/TLS encryption/decryption     A CPU with the AES-NI instruction set, exposed to the VM by the host, is recommended for encrypting and decrypting SSL/TLS traffic
Clustering                        Promiscuous mode, forged transmits, and MAC address changes must be allowed on the VMware virtual switch (vSwitch) or the port group in the VMware ESX network configuration; otherwise cluster failover does not work

Physical WAF appliance capacity

Traffic volume directly affects how much traffic the appliance can process. High-traffic environments may require an appliance tier with additional power, processor, and memory resources.

The following table describes the basic bandwidth limits for the WAF physical appliances:

Appliance             Throughput      Virtual hosts   SSL certificates   Website security profiles
Tier 1 - R220, R230   0-250 Mbps      1000            100                100
Tier 2 - R630         250-1000 Mbps   1000            100                100

Physical WAF appliance specifications

The following table describes the basic specifications for the physical appliance:

Component    System specification
CPU          Intel Xeon
RAM          4 GB
Disk space   500 GB
Chassis      1U rack mounted
Power        250W
Encryption   TLS (SSL): 2048-bit key, 256-bit AES bulk encryption

WAF requirements for Amazon Web Services (AWS)

Before you deploy WAF for one of your production web applications, consider the availability zones and AWS instance types that work best in your environment.

Availability zones

WAF supports any number of availability zones within a single AWS region. For a list of regions that Alert Logic supports, see Supported AWS regions. The CloudFormation template distributes worker nodes evenly across the availability zones and keeps the minimum number of worker nodes equal to the number of availability zones, so a deployment across two availability zones always has at least two WAF workers.

If you need to modify the CloudFormation template to support more than the default two availability zones, create a ticket with Alert Logic Support.

AWS supported instance types for autoscaling

WAF workers and management WAF appliances are bound to specific AWS instance types. Management WAF appliances run on general purpose (m5, m5a) or burstable (t3, t3a) instance types; worker appliances run on compute optimized (c5, c5a) or burstable (t3, t3a) instance types, as listed in the tables below. The defaults are c5.large for workers and m5.large for the management WAF; the CloudFormation template lets you select other instance types when you run it.

Management instance processing capacity

The m5.large instance suffices for most installations. An Amazon Elastic Block Store (EBS) volume outside the management WAF persists the log and configuration data. You can use the CloudFormation template to specify a new management WAF instance type to upgrade the management WAF appliance. The Autoscaling CloudFormation template for WAF is available on request for AWS Auto Scaling deployments.

Management WAF instance processing capacity is approximately:

Instance Type vCPU Workers Capacity EBS Volume Size
t3a.medium 2 vCPU 1 Worker 100 GB, SSD
t3.medium 2 vCPU 1 Worker 100 GB, SSD
m5a.large 2 vCPU 25 Workers 200 GB, SSD
m5.large 2 vCPU 25 Workers 200 GB, SSD
m5a.xlarge 4 vCPU 50 Workers 300 GB, SSD
m5.xlarge 4 vCPU 50 Workers 300 GB, SSD

Management WAF instances do not process traffic inline. Their capacity is the rate at which the management WAF can process log and deny-log data from the workers in near real time as the workers deliver it. Average performance is measured using a representative sample of e-commerce web traffic. Actual performance may vary and depends on factors such as the ratio of inbound to outbound traffic, request complexity, variability in input, and concurrency.

The EBS volume size is the minimum recommended. The EBS volume is used to store log data in transit to the Alert Logic backend and Deny Log data used for tuning. If the EBS volume disk space runs out, the WAF instance stops logging and issues an alert to the Alert Logic monitoring system. This condition does not affect availability of the WAF autoscaling stack.

Worker instance processing capacity

WAF scales the number of worker instances up or down as the traffic load changes. You can therefore size the worker instances, and set their initial number, for expected daily traffic rather than for peak load, as you must where processing capacity is static.

Worker instance processing capacity:

Instance Type   vCPU   Traffic Capacity   EBS Volume Size
t3a.medium      2      40 Mbps            32 GB, SSD
t3.medium       2      40 Mbps            32 GB, SSD
c5.large        2      80 Mbps            32 GB, SSD
c5a.large       2      80 Mbps            32 GB, SSD
c5.xlarge       4      160 Mbps           32 GB, SSD
c5a.xlarge      4      160 Mbps           32 GB, SSD
c5.2xlarge      8      320 Mbps           32 GB, SSD
c5a.2xlarge     8      320 Mbps           32 GB, SSD
c5.4xlarge      16     640 Mbps           32 GB, SSD
c5a.4xlarge     16     640 Mbps           32 GB, SSD
c5.9xlarge      36     1.4 Gbps           32 GB, SSD
c5a.8xlarge     32     1.3 Gbps           32 GB, SSD
c5.12xlarge     48     1.9 Gbps           32 GB, SSD
c5a.12xlarge    48     1.9 Gbps           32 GB, SSD
c5.18xlarge     72     2.9 Gbps           32 GB, SSD
c5a.16xlarge    64     2.6 Gbps           32 GB, SSD
c5.24xlarge     96     3.8 Gbps           32 GB, SSD
c5a.24xlarge    96     3.8 Gbps           32 GB, SSD

Traffic capacity is peak capacity measured using inbound and outbound traffic combined, assuming a representative sample of e-commerce web traffic. Actual performance may vary and depends on factors such as ratio of inbound to outbound traffic, request complexity, variability in input, and concurrency.

The EBS volume size is the minimum recommended. The EBS volume is used for caching and as a temporary store for log data in transit to the management WAF instance. If traffic caching is not enabled, it is possible to run with smaller volume sizes. Cache directory sizing is configured dynamically relative to the available disk space; a smaller volume size means the cache will be smaller. If the EBS volume disk space runs out, the WAF instance stops logging and issues an alert to the Alert Logic monitoring system.
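The sizing rules in this section (one worker per availability zone as the floor, an even spread of workers across zones, a worker type chosen for daily rather than peak traffic, and a management tier that must cover the worker count) can be turned into a small planner. The following is an added example, not Alert Logic tooling or the CloudFormation template: the per-instance capacities are the peak figures from the two tables above (using the AWS size names c5.9xlarge and c5.18xlarge for the 36 and 72 vCPU instances), while the 70 percent headroom factor, the rounding of worker counts up to a multiple of the zone count, and the min/desired/max split are my assumptions.

```python
"""Worker and management sizing for an autoscaling WAF deployment.

Added example. Capacity figures come from the page's tables; the planning
rules (headroom factor, rounding to a multiple of the AZ count, checking the
management tier against the maximum worker count) are assumptions.
"""
import math

# Peak worker traffic capacity in Mbps (inbound + outbound), from the worker table.
WORKER_CAPACITY_MBPS = {
    "t3a.medium": 40, "t3.medium": 40,
    "c5.large": 80, "c5a.large": 80,
    "c5.xlarge": 160, "c5a.xlarge": 160,
    "c5.2xlarge": 320, "c5a.2xlarge": 320,
    "c5.4xlarge": 640, "c5a.4xlarge": 640,
    "c5.9xlarge": 1400, "c5a.8xlarge": 1300,
    "c5.12xlarge": 1900, "c5a.12xlarge": 1900,
    "c5.18xlarge": 2900, "c5a.16xlarge": 2600,
    "c5.24xlarge": 3800, "c5a.24xlarge": 3800,
}

# Maximum number of workers a management instance can serve, from the management table.
MANAGEMENT_WORKER_CAPACITY = {
    "t3a.medium": 1, "t3.medium": 1,
    "m5a.large": 25, "m5.large": 25,
    "m5a.xlarge": 50, "m5.xlarge": 50,
}


def workers_needed(traffic_mbps, instance_type, az_count, headroom=0.7):
    """Number of workers so that traffic_mbps uses at most `headroom` of the
    instance type's peak capacity. The result is never below one worker per
    availability zone and is rounded up to a multiple of az_count so the
    autoscaling group can spread workers evenly across zones (assumption)."""
    if az_count < 1:
        raise ValueError("need at least one availability zone")
    per_worker = WORKER_CAPACITY_MBPS[instance_type] * headroom
    raw = math.ceil(traffic_mbps / per_worker) if traffic_mbps > 0 else 0
    n = max(raw, az_count)
    return math.ceil(n / az_count) * az_count


def plan(daily_mbps, peak_mbps, worker_type, management_type, az_count, headroom=0.7):
    """Return (minimum, desired, maximum) worker counts for an autoscaling
    group: minimum = one per zone, desired = sized for daily traffic,
    maximum = sized for peak traffic. Raises if the chosen management
    instance cannot serve the maximum number of workers."""
    minimum = az_count
    desired = workers_needed(daily_mbps, worker_type, az_count, headroom)
    maximum = workers_needed(peak_mbps, worker_type, az_count, headroom)
    mgmt_cap = MANAGEMENT_WORKER_CAPACITY[management_type]
    if maximum > mgmt_cap:
        raise ValueError(
            f"{management_type} serves at most {mgmt_cap} workers; "
            f"peak traffic needs {maximum} x {worker_type}")
    return minimum, desired, maximum


if __name__ == "__main__":
    # Constructed scenario: 300 Mbps on a typical day, 900 Mbps at peak, two zones.
    print(plan(300, 900, "c5.large", "m5.large", az_count=2))    # (2, 6, 18)
    print(plan(300, 900, "c5.xlarge", "m5.large", az_count=3))   # (3, 3, 9)
```

Swapping the worker type in the call is the quickest way to see the trade-off the section describes: a larger instance lowers the worker count and the load on the management WAF, a smaller one gives finer-grained scaling between the daily and peak levels.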

AWS supported instance types for WAF pair high availability

Before you deploy WAF for one or more production web applications, consider the requirements for availability, performance, and traffic (SSL/TLS) encryption described below.

Traffic encryption

WAF supports end-to-end SSL/TLS encryption, which some compliance regimes (for example, HIPAA) require for workloads in AWS, in both standalone and autoscaling deployments. If encryption is required all the way to the backend server, configure WAF to re-encrypt traffic before forwarding it to the server: select SSL for both inbound and outbound traffic when you configure the website in WAF. In a high availability configuration, configure Elastic Load Balancing as a TCP (layer 4) load balancer so that the client's TLS session is not terminated at the load balancer but passes through intact to WAF; an HTTPS or TLS listener would decrypt the traffic at the load balancer and break end-to-end encryption.
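A deployment that was built as a TCP passthrough can silently drift (someone adds an HTTPS listener with a certificate on the load balancer, for instance), so it is worth checking the listener configuration rather than assuming it. The following is an added example, not Alert Logic code: it audits data shaped like the output of `aws elbv2 describe-listeners` (for a Network or Application Load Balancer) and `aws elb describe-load-balancers` (for a Classic Load Balancer), flagging any front-end listener that decrypts traffic before it reaches WAF. The sample documents, the load balancer names and the ARNs are constructed; the account number is the placeholder used in AWS documentation.

```python
"""Flag Elastic Load Balancing listeners that terminate TLS in front of WAF.

Added example, not Alert Logic code. Input documents follow the shapes of
`aws elbv2 describe-listeners` and `aws elb describe-load-balancers`; the
sample data below is constructed.
"""

# Listener protocols that decrypt client traffic at the load balancer.
# ALB uses HTTPS, NLB uses TLS; only TCP leaves the client handshake intact.
TERMINATING = {"HTTPS", "TLS"}

# Constructed `aws elbv2 describe-listeners` output: an NLB TCP/443 listener
# (passthrough, fine) and an ALB HTTPS/443 listener (terminates TLS, wrong).
SAMPLE_ELBV2 = {"Listeners": [
    {"ListenerArn": "arn:aws:elasticloadbalancing:us-east-1:123456789012:"
                    "listener/net/waf-nlb/0123456789abcdef/0123456789abcdef",
     "Protocol": "TCP", "Port": 443},
    {"ListenerArn": "arn:aws:elasticloadbalancing:us-east-1:123456789012:"
                    "listener/app/waf-alb/0123456789abcdef/fedcba9876543210",
     "Protocol": "HTTPS", "Port": 443,
     "SslPolicy": "ELBSecurityPolicy-TLS13-1-2-2021-06"},
]}

# Constructed `aws elb describe-load-balancers` output for a Classic ELB whose
# 443 listener is HTTPS (terminating) rather than TCP (passthrough).
SAMPLE_CLASSIC = {"LoadBalancerDescriptions": [
    {"LoadBalancerName": "waf-classic",
     "ListenerDescriptions": [
         {"Listener": {"Protocol": "HTTPS", "LoadBalancerPort": 443,
                       "InstanceProtocol": "HTTPS", "InstancePort": 443}},
         {"Listener": {"Protocol": "TCP", "LoadBalancerPort": 80,
                       "InstanceProtocol": "TCP", "InstancePort": 80}},
     ]},
]}


def elbv2_findings(describe_listeners):
    """Return one finding per ALB/NLB listener that terminates TLS."""
    return [
        f"{l['ListenerArn']}: {l['Protocol']} listener on port {l['Port']} "
        f"terminates TLS at the load balancer"
        for l in describe_listeners["Listeners"]
        if l["Protocol"] in TERMINATING
    ]


def classic_findings(describe_load_balancers):
    """Return one finding per Classic ELB listener that is not TCP on both the
    front end and the instance side; anything else either decrypts at the
    load balancer or talks to WAF in plaintext."""
    out = []
    for lb in describe_load_balancers["LoadBalancerDescriptions"]:
        for ld in lb["ListenerDescriptions"]:
            l = ld["Listener"]
            if l["Protocol"] != "TCP" or l["InstanceProtocol"] != "TCP":
                out.append(
                    f"{lb['LoadBalancerName']}: {l['Protocol']}:{l['LoadBalancerPort']} -> "
                    f"{l['InstanceProtocol']}:{l['InstancePort']} is not a TCP passthrough")
    return out


def passthrough_ok(describe_listeners=None, describe_load_balancers=None):
    """True when every listener in the supplied documents is a TCP passthrough."""
    findings = []
    if describe_listeners:
        findings += elbv2_findings(describe_listeners)
    if describe_load_balancers:
        findings += classic_findings(describe_load_balancers)
    return not findings


if __name__ == "__main__":
    for f in elbv2_findings(SAMPLE_ELBV2) + classic_findings(SAMPLE_CLASSIC):
        print("FINDING:", f)
    print("end-to-end TLS preserved:", passthrough_ok(SAMPLE_ELBV2, SAMPLE_CLASSIC))
```

The check only covers the load balancer leg; re-encryption from WAF to the backend (SSL selected for outbound traffic in the website configuration) still has to be verified in WAF itself, since that setting is not visible from the AWS API.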

Performance

WAF runs on select instance types in the AWS Marketplace, ranging from c5.large and c5a.large up to c5.12xlarge and c5a.12xlarge. The capacities below are rough estimates; actual performance for a specific application depends on factors such as request size, request complexity, and the ratio of inbound to outbound traffic. Traffic capacity is peak capacity measured using inbound and outbound traffic combined, assuming a representative sample of e-commerce web traffic.

Supported EC2 instances

WAF runs on the following EC2 instances:

Instance Type   vCPU   Traffic Capacity*   EBS Volume Size (Root)
c5.large        2      80 Mbps             100 GB, SSD
c5.xlarge       4      160 Mbps            200 GB, SSD
c5.2xlarge      8      320 Mbps            200 GB, SSD
c5.4xlarge      16     640 Mbps            300 GB, SSD
c5.9xlarge      36     1.4 Gbps            300 GB, SSD
c5.12xlarge     48     1.9 Gbps            300 GB, SSD
c5a.large       2      80 Mbps             100 GB, SSD
c5a.xlarge      4      160 Mbps            200 GB, SSD
c5a.2xlarge     8      320 Mbps            200 GB, SSD
c5a.4xlarge     16     640 Mbps            300 GB, SSD
c5a.8xlarge     32     1.3 Gbps            300 GB, SSD
c5a.12xlarge    48     1.9 Gbps            300 GB, SSD

* Estimated peak processing capacity, inbound and outbound network bandwidth combined. Actual performance depends on the application.

The EBS volume size is the minimum recommended. If traffic caching is not enabled, you can run WAF with smaller volume sizes. Cache directory sizing is configured dynamically relative to the available disk space; a smaller volume size means the cache will be smaller. Total cache directory size is roughly 20 percent of available disk space. If the EBS volume disk space runs out, the WAF instance stops logging and issues an alert to the Alert Logic monitoring system. Alert Logic recommends you create separate partitions for root (/) and log data (/wsm/log) to prevent log data partition disk space issues from causing further failures in processing traffic.
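Two things from the paragraph above are worth checking on a running instance: that /wsm/log really is its own partition (so a full log directory cannot fill the root filesystem and stop traffic processing) and that neither partition is approaching the point where the WAF stops logging. The following is an added example, not Alert Logic tooling: it parses `df -P` output (a constructed sample is embedded; on a live appliance you would feed it `subprocess.run(["df", "-P"], ...)` output) and reports both conditions. The 80 percent warning threshold is my choice.

```python
"""Check WAF disk layout: separate /wsm/log partition and free space headroom.

Added example, not Alert Logic tooling. Parses POSIX `df -P` output; the
sample below is constructed and the warning threshold is an assumption.
"""

# Constructed `df -P` output from an instance where /wsm/log is a separate
# volume that is nearly full.
SAMPLE_DF = """\
Filesystem     1024-blocks      Used Available Capacity Mounted on
/dev/xvda1       104857600  41943040  62914560      40% /
/dev/xvdf1       209715200 199229440  10485760      95% /wsm/log
tmpfs              4096000         0   4096000       0% /dev/shm
"""


def parse_df(text):
    """Map mount point -> {fs, size_kb, used_kb, avail_kb, pct} from `df -P`.
    The -P format guarantees one line per filesystem with six fields; mount
    points containing spaces are re-joined from the trailing fields."""
    mounts = {}
    for line in text.splitlines()[1:]:          # skip the header line
        parts = line.split()
        if len(parts) < 6:
            continue
        mounts[" ".join(parts[5:])] = {
            "fs": parts[0],
            "size_kb": int(parts[1]),
            "used_kb": int(parts[2]),
            "avail_kb": int(parts[3]),
            "pct": int(parts[4].rstrip("%")),
        }
    return mounts


def check_waf_disks(df_text, log_mount="/wsm/log", warn_pct=80):
    """Return a list of findings (empty means healthy):
    - log_mount is not a mount point of its own, so log growth lands on /
    - / or log_mount is at or above warn_pct percent used"""
    mounts = parse_df(df_text)
    findings = []
    if log_mount not in mounts:
        findings.append(f"{log_mount} is not a separate mount point; log growth can fill /")
    for mount in ("/", log_mount):
        info = mounts.get(mount)
        if info and info["pct"] >= warn_pct:
            findings.append(
                f"{mount} at {info['pct']}% (>= {warn_pct}%), "
                f"{info['avail_kb'] // 1024} MB free")
    return findings


if __name__ == "__main__":
    for finding in check_waf_disks(SAMPLE_DF) or ["disks OK"]:
        print(finding)
```

Running it from cron with the live `df -P` output gives you a warning before the appliance itself raises its out-of-space alert, at a point where growing the EBS volume or pruning the deny log is still a calm operation.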

High availability

You can deploy WAF in autoscaling configurations to provide high availability and performance adaptation for web applications with high and fluctuating traffic loads. An alternative is a fixed-capacity active/active deployment with two or more WAF nodes running in parallel behind Elastic Load Balancing. In such a deployment, place the WAF instances in different Availability Zones so that the loss of one zone does not take the whole WAF tier down.

You can extend a single node WAF deployment to a high availability configuration by deploying an additional WAF node and configuring Elastic Load Balancing for the nodes.

To learn how to install a virtual or physical appliance, see Install and Configure the Virtual Appliances or Install and Configure the Physical Appliance.