Alert Logic Requirements for Virtual and Physical Appliances
Requirements for Alert Logic IDS virtual appliances
Bandwidth volume directly impacts the ability of the appliance to inspect traffic. High-traffic environments may require a virtual machine with additional processor and memory resources.
The following table describes the basic system requirements to install a virtual IDS appliance:
| Virtual CPU cores | Components | System Requirements |
|---|---|---|
| 4 cores | RAM | 16 GB |
| Disk space | 60 GB minimum | |
| Supported virtual environment | VMware and Hyper-V | |
| Encryption | TLS Standard (SSL): 2048-bit key encryption, 256-bit AES bulk encryption | |
| Peak supported throughput | 500 Mbps | |
| 8 cores | RAM | 32 GB |
| Disk space | 60 GB minimum | |
| Supported virtual environment | VMware and Hyper-V | |
| Encryption | TLS Standard (SSL): 2048-bit key encryption, 256-bit AES bulk encryption | |
| Peak supported throughput | 1 Gbps | |
| 16 cores | RAM | 64 GB |
| Disk space | 60 GB minimum | |
| Supported virtual environment | VMware and Hyper-V | |
| Encryption | TLS Standard (SSL): 2048-bit key encryption, 256-bit AES bulk encryption | |
| Peak supported throughput | 2 Gbps (1 Gbps per fiber interface) |
Requirements for Alert Logic Log Manager virtual appliances
Bandwidth volume directly impacts the ability of the appliance to ingest syslog traffic. High-traffic environments may require a virtual machine with additional processor and memory resources.
The following table describes the basic system requirements to install a virtual Log Manager appliance:
| Virtual CPU cores | Components | System Requirements |
|---|---|---|
| 2 cores | RAM | 2 GB |
| Disk space | 60 GB minimum | |
| Supported virtual environment | VMware | |
| Encryption | TLS Standard (SSL): 2048-bit key encryption, 256-bit AES bulk encryption |
Physical IDS appliance specifications
Bandwidth volume directly impacts the ability of the appliance to inspect traffic. High-traffic environments require physical appliances with additional power, processor, and memory resources.
Alert Logic provides three tiers of physical appliances to meet system requirements. The following table describes the components and specifications for each appliance:
| Appliances | Components | System Specifications |
|---|---|---|
|
Tier 1 - R230XL |
CPU | 4 cores |
| RAM | 16 GB | |
| Disk Space | 1 TB | |
| Chassis | 1U rack mounted | |
| Power | 250W | |
| Encryption | TLS Standard (SSL): 2048-bit key encryption, 256-bit AES bulk encryption | |
| Peak throughput | 500 Mbps | |
| Tier 2 - R640XL | CPU | 8 cores |
| RAM | 32 GB | |
| Disk Space | 1 TB | |
| Chassis | 1U rack mounted | |
| Power | 750W | |
| Encryption | TLS Standard (SSL): 2048-bit key encryption, 256-bit AES bulk encryption | |
| Peak throughput | 1 Gbps | |
| Tier 3 - R640XL | CPU | 24 cores |
| RAM | 64 GB | |
| Disk Space | 1 TB | |
| Chassis | 1U rack mounted | |
| Power | 750W | |
| Encryption | TLS Standard (SSL): 2048-bit key encryption, 256-bit AES bulk encryption | |
| Peak throughput | 2 Gbps (1 Gbps per fiber interface) |
Physical Log Manager appliance specifications
The following table describes the basic specifications for the physical appliance:
| Components | System Specifications |
|---|---|
| CPU | Intel Xeon |
| RAM | 4 GB |
| Disk space | 500 GB |
| Chassis | 1U rack mounted |
| Power | 250W |
| Encryption | TLS Standard (SSL): 2048-bit key encryption, 256-bit AES bulk encryption |
Requirements for Alert Logic Managed Web Application Firewall (WAF) appliances
VMware WAF virtual appliance
If your CPU usage is above 80 percent for extended periods, Alert Logic recommends adding processor resources.
The following table describes the basic system requirements to install a VMware virtual appliance:
| Components | System Requirements |
|---|---|
| Guest operating system | CentOS 64-bit |
| CPU | 2 CPUs 64 bit |
| RAM | 4 GB |
| Disk space | 250 GB |
| Virtual network interface(s) | An interface with an external IP address for management An interface with access to the web servers to be protected |
| NIC type | em1000 |
| Encryption/decryption for SSL traffic | AES-NI CPU instruction set for encryption/decryption of SSL traffic on VMs and host OS is recommended |
| Clustering | For clustering to work, ensure promiscuous mode, forged transmits, and MAC address changes are allowed on the VMware virtual switch (vSwitch) or the port group in the VMware ESX network configuration |
Physical WAF appliance capacity
Bandwidth volume directly impacts the ability of the appliance to manage traffic. High-traffic environments may require appliances with additional power, processor, and memory resources.
The following table describes the basic bandwidth limits for the WAF physical appliances:
| Appliances | Throughput | Number of Virtual Hosts | Number of SSL Certificates | Number of Proxies |
|---|---|---|---|---|
| Tier 1 - R220, R230 | 0-250 Mbps | 1000 | 100 | 100 |
| Tier 2 - R630 | 250-1000 Mbps | 1000 | 100 | 100 |
Physical WAF appliance specifications
The following table describes the basic specifications for the physical appliance:
| Components | System Specifications |
|---|---|
| CPU | Intel Xeon |
| RAM | 4 GB |
| Disk space | 500 GB |
| Chassis | 1U rack mounted |
| Power | 250W |
| Encryption | TLS Standard (SSL): 2048-bit key encryption, 256-bit AES bulk encryption |
WAF requirements for Amazon Web Services (AWS)
Before you deploy WAF for one of your production web applications, consider the availability zones and AWS instance types that work best in your environment.
Availability zones
WAF supports any number of availability zones within a single AWS region. For a list of regions that Alert Logic supports, see Supported AWS regions. The CloudFormation template configures an even distribution of worker nodes across availability zones. The CloudFormation template maintains the number of worker nodes equal to the number of availability zones. For example, two availability zones always have at least two WAF workers.
If you need to modify the CloudFormation template to support more than the default two availability zones, create a ticket with Alert Logic Support.
AWS supported instance types for autoscaling
WAF workers and master appliances are bound to specific AWS instance types. Master appliances run on General Purpose Medium and Large instance types. Worker appliances run on General Purpose Small and Compute Optimized Medium and Xlarge instance types. The default instance types are t3.medium or c5.large for workers and t3.medium or m5.large for the master. The CloudFormation template allows for selecting instance types when run.
Master instance processing capacity
The m5.large instance suffices for most installations. An Amazon Elastic Block Store (EBS) volume outside the master persists the log and configuration data. You can use the CloudFormation template to specify a new master instance type to upgrade the master appliance. The Autoscaling CloudFormation template for WAF is available on request for AWS Auto Scaling deployments.
Master instance processing capacity is approximately:
| Instance Type | vCPU | Workers Capacity | Traffic Capacity | EBS Volume Size |
|---|---|---|---|---|
| t3a.medium | 2 vCPU | 1 Worker | 5 Gbps | 100 GB, SSD |
| t3.medium | 2 vCPU | 1 Worker | 5 Gbps | 100 GB, SSD |
| m5a.large | 2 vCPU | 25 Workers | 10 Gbps | 100 GB, SSD |
| m5.large | 2 vCPU | 25 Workers | 10 Gbps | 100 GB, SSD |
| m5a.xlarge | 4 vCPU | 50 Workers | 10 Gbps | 300 GB, SSD |
| m5.xlarge | 4 vCPU | 50 Workers | 10 Gbps | 300 GB, SSD |
Master instances are not processing traffic inline. Traffic capacity is the master's ability to process data from the Learner and deny logs at near real time as workers deliver the data. Average performance is measured using a representative sample of e-commerce web traffic. Actual performance may vary and depends on factors such as ratio of inbound to outbound traffic, request complexity, variability in input, and concurrency.
The EBS volume size is the minimum recommended. The EBS volume is used to store log data in transit to the Alert Logic backend and Deny Log data used for tuning. If the EBS volume disk space runs out, the WAF instance stops logging and issues an alert to the Alert Logic monitoring system. This condition does not affect availability of the WAF autoscaling stack.
Worker instance processing capacity
WAF scales up or down to accommodate changes in traffic load. You can optimize the size and initial number of worker instances to serve expected daily traffic rather than optimizing for peak traffic load as is required where processing capacity is static.
Worker instance processing capacity:
| Instance Type | vCPU | Traffic Capacity | EBS Volume Size |
|---|---|---|---|
| t3a.medium | 2 vCPU | 10 Gbps | 10 GB, SSD |
| t3.medium | 2 vCPU | 10 Gbps | 10 GB, SSD |
| c5a.large | 2 vCPU | 10 Gbps | 10 GB, SSD |
| c5.large | 2 vCPU | 10 Gbps | 10 GB, SSD |
| c5a.xlarge | 4 vCPU | 10 Gbps | 10 GB, SSD |
| c5.xlarge | 4 vCPU | 10 Gbps | 10 GB, SSD |
| c5.2xlarge | 8 vCPU | 10 Gbps | 10 GB, SSD |
| c5a.2xlarge | 8 vCPU | 10 Gbps | 10 GB, SSD |
| c5.4xlarge | 16 vCPU | 10 Gbps | 10 GB, SSD |
| c5a.4xlarge | 16 vCPU | 10 Gbps | 10 GB, SSD |
| c5.8xlarge | 32 vCPU | 10 Gbps | 10 GB, SSD |
| c5a.8xlarge | 32 vCPU | 10 Gbps | 10 GB, SSD |
| c5.12xlarge | 48 vCPU | 12 Gbps | 12 GB, SSD |
| c5a.12xlarge | 48 vCPU | 12 Gbps | 12 GB, SSD |
| c5.16xlarge | 64 vCPU | 20 Gbps | 25 GB, SSD |
| c5a.16xlarge | 64 vCPU | 20 Gbps | 20 GB, SSD |
| c5.24xlarge | 96 vCPU | 20 Gbps | 25 GB, SSD |
| c5a.24xlarge | 96 vCPU | 20 Gbps | 20 GB, SSD |
Traffic capacity is an average performance measured using a representative sample of e-commerce web traffic. Actual performance may vary and depends on factors such as ratio of inbound to outbound traffic, request complexity, variability in input, and concurrency.
The EBS volume size is the minimum recommended. The EBS volume is used for caching and as a temporary store for log data in transit to the master instance. If traffic caching is not enabled, it is possible to run with smaller volume sizes. Cache directory sizing is configured dynamically relative to the available disk space; a smaller volume size means the cache will be smaller. If the EBS volume disk space runs out, the WAF instance stops logging and issues an alert to the Alert Logic monitoring system.
AWS supported instance types for WAF pair high availability
Prior to deploying WAF for one or more production web applications, some items must be considered to meet requirements for availability, performance, and traffic (SSL) encryption.
Traffic encryption
WAF supports Secure Sockets Layer (SSL) end-to-end encryption, as required in AWS (by HIPAA, for example) both for standalone and for autoscaling deployments. If SSL encryption is required all the way to the backend server, WAF must be configured to re-encrypt traffic before forwarding it to the server. To re-encrypt traffic, select SSL for both inbound and outbound traffic when configuring the website in WAF. To comply with HIPAA requirements for high availability configurations, Elastic Load Balancing must be configured as a TCP load balancer so the initial SSL request from the client is not terminated until it reaches WAF.
Performance
WAF runs on select instance types in the AWS Marketplace ranging from a c5.large to c5a.4xlarge. The actual performance for a specific application depends on factors such as request size, complexity, and the ratio of inbound to outbound traffic as a rough estimate. The peak performance for a typical web application measured in Gbps total, inbound plus outbound traffic, is the number of Elastic Compute Units multiplied by 10.
Supported EC2 instances
WAF runs on the following EC2 instances:
| Instance Family | Instance Type | Processor Architecture | vCPU | Network Performance | Network Bandwidth | EBS Volume Size (Root) | EBS Volume Size (Log) |
|---|---|---|---|---|---|---|---|
| Compute optimized | c5.large | 64-bit | 2 | Moderate | 10 GB | 100 GB, SSD | 100 GB, SSD |
| Compute optimized | c5.xlarge | 64-bit | 4 | High | 10 GB | 100 GB, SSD | 100 GB, SSD |
| Compute optimized | c5.2xlarge | 64-bit | 8 | High | 10 GB | 100 GB, SSD | 100 GB, SSD |
| Compute optimized | c5.4xlarge | 64-bit | 16 | High | 10 GB | 100 GB, SSD | 100 GB, SSD |
| Compute optimized | c5a.large | 64-bit | 2 | Moderate | 10 GB | 100 GB, SSD | 100 GB, SSD |
| Compute optimized | c5a.xlarge | 64-bit | 4 | High | 10 GB | 100 GB, SSD | 100 GB, SSD |
| Compute optimized | c5a.2xlarge | 64-bit | 8 | High | 10 GB | 100 GB, SSD | 100 GB, SSD |
| Compute optimized | c5a.4xlarge | 64-bit | 16 | High | 10 GB | 100 GB, SSD | 100 GB, SSD |
| * Estimated total network bandwidth peak processing capacity. Actual performance depends on application. | |||||||
The EBS volume size is the minimum recommended. If traffic caching is not enabled, you can run WAF with smaller volume sizes. Cache directory sizing is configured dynamically relative to the available disk space; a smaller volume size means the cache will be smaller. Total cache directory size is roughly 20 percent of available disk space. If the EBS volume disk space runs out, the WAF instance stops logging and issues an alert to the Alert Logic monitoring system. Alert Logic recommends you create separate partitions for root (/) and log data (/wsm/log) to prevent log data partition disk space issues from causing further failures in processing traffic.
High availability
You can deploy WAF in autoscaling configurations to provide high availability and performance adaptation to web applications with high and fluctuating traffic loads. An alternative configuration is a fixed capacity active/active deployment with two or more WAF nodes running parallel behind Elastic Load Balancing. In such a deployment, deploy the WAF instances in different Availability Zones.
You can extend a single node WAF deployment to a high availability configuration by deploying an additional WAF node and configuring Elastic Load Balancing for the nodes.