Alert Logic Requirements for Virtual and Physical Appliances

Requirements for Alert Logic IDS virtual appliances

Bandwidth volume directly impacts the ability of the appliance to inspect traffic. High-traffic environments may require a virtual machine with additional processor and memory resources.

The following table describes the basic system requirements to install a virtual IDS appliance:

Virtual CPU cores Components System Requirements
4 cores RAM 16 GB
Disk space 40 GB minimum
Supported virtual environment VMware and Hyper-V
Encryption TLS Standard (SSL): 2048-bit key encryption, 256-bit AES bulk encryption
Peak supported throughput 500 Mbps
8 cores RAM 32 GB
Disk space 40 GB minimum
Supported virtual environment VMware and Hyper-V
Encryption TLS Standard (SSL): 2048-bit key encryption, 256-bit AES bulk encryption
Peak supported throughput 1 Gbps
16 cores RAM 64 GB
Disk space 40 GB minimum
Supported virtual environment VMware and Hyper-V
Encryption TLS Standard (SSL): 2048-bit key encryption, 256-bit AES bulk encryption
Peak supported throughput 2 Gbps (1 Gbps per fiber interface)

Physical IDS appliance specifications

Bandwidth volume directly impacts the ability of the appliance to inspect traffic. High-traffic environments require physical appliances with additional power, processor, and memory resources.

Alert Logic provides three tiers of physical appliances to meet system requirements. The following table describes the components and specifications for each appliance:

Appliances Components System Specifications

Tier 1 - R230XL

CPU 4 cores
RAM 16 GB
Disk Space 1 TB
Chassis 1U rack mounted
Power 250W
Encryption TLS Standard (SSL): 2048-bit key encryption, 256-bit AES bulk encryption
Peak throughput 500 Mbps
Tier 2 - R640XL CPU 8 cores
RAM 32 GB
Disk Space 1 TB
Chassis 1U rack mounted
Power 750W
Encryption TLS Standard (SSL): 2048-bit key encryption, 256-bit AES bulk encryption
Peak throughput 1 Gbps
Tier 3 - R640XL CPU 24 cores
RAM 64 GB
Disk Space 1 TB
Chassis 1U rack mounted
Power 750W
Encryption TLS Standard (SSL): 2048-bit key encryption, 256-bit AES bulk encryption
Peak throughput 2 Gbps (1 Gbps per fiber interface)

Physical Log Manager appliance specifications

The following table describes the basic specifications for the physical appliance:

Components System Specifications
CPU Intel Xeon
RAM 4 GB
Disk space 500 GB
Chassis 1U rack mounted
Power 250W
Encryption TLS Standard (SSL): 2048-bit key encryption, 256-bit AES bulk encryption

Requirements for Alert Logic Managed Web Application Firewall (WAF) appliances

VMware WAF virtual appliance

If your CPU usage is above 80 percent for extended periods, Alert Logic recommends adding processor resources.

The following table describes the basic system requirements to install a VMware virtual appliance:

Components System Requirements
Guest operating system CentOS 64-bit
CPU 2 CPUs 64 bit
RAM 4 GB
Disk space 250 GB
Virtual network interface(s) An interface with an external IP address for management
An interface with access to the web servers to be protected
NIC type em1000
Encryption/decryption for SSL traffic AES-NI CPU instruction set for encryption/decryption of SSL traffic on VMs and host OS is recommended
Clustering For clustering to work, ensure promiscuous mode, forged transmits, and MAC address changes are allowed on the VMware virtual switch (vSwitch) or the port group in the VMware ESX network configuration

Physical WAF appliance capacity

Bandwidth volume directly impacts the ability of the appliance to manage traffic. High-traffic environments may require appliances with additional power, processor, and memory resources.

The following table describes the basic bandwidth limits for the WAF physical appliances:

Appliances Throughput Number of Virtual Hosts Number of SSL Certificates Number of Proxies
Tier 1 - R220, R230 0-250 Mbps 1000 100 100
Tier 2 - R630 250-1000 Mbps 1000 100 100

Physical WAF appliance specifications

The following table describes the basic specifications for the physical appliance:

Components System Specifications
CPU Intel Xeon
RAM 4 GB
Disk space 500 GB
Chassis 1U rack mounted
Power 250W
Encryption TLS Standard (SSL): 2048-bit key encryption, 256-bit AES bulk encryption

WAF requirements for Amazon Web Services (AWS)

Before you deploy WAF for one of your production web applications, consider the availability zones and AWS instance types that work best in your environment.

Availability zones

WAF supports any number of availability zones within a single AWS region. For a list of regions that Alert Logic supports, see Supported AWS regions. The CloudFormation template configures an even distribution of worker nodes across availability zones. The CloudFormation template maintains the number of worker nodes equal to the number of availability zones. For example, two availability zones always have at least two WAF workers.

If you need to modify the CloudFormation template to support more than the default two availability zones, create a ticket with Alert Logic Support.

AWS supported instance types for autoscaling

WAF workers and master appliances are bound to specific AWS instance types. Master appliances run on General Purpose Medium and Large instance types. Worker appliances run on General Purpose Small and Compute Optimized Medium and Xlarge instance types. The default instance types are t3.medium or c5.large for workers and t3.medium or m5.large for the master. The CloudFormation template allows for selecting instance types when run.

Master instance processing capacity

The m5.large instance suffices for most installations. An Amazon Elastic Block Store (EBS) volume outside the master persists the log and configuration data. You can use the CloudFormation template to specify a new master instance type to upgrade the master appliance. The Autoscaling CloudFormation template for WAF is available on request for AWS Auto Scaling deployments.

Master instance processing capacity is approximately:

Instance Type vCPU Workers Capacity Traffic Capacity EBS Volume Size
t3a.medium 2 vCPU 1 Worker 5 Gbps 100 GB, SSD
t3.medium 2 vCPU 1 Worker 5 Gbps 100 GB, SSD
m5a.large 2 vCPU 25 Workers 10 Gbps 100 GB, SSD
m5.large 2 vCPU 25 Workers 10 Gbps 100 GB, SSD
m5a.xlarge 4 vCPU 50 Workers 10 Gbps 300 GB, SSD
m5.xlarge 4 vCPU 50 Workers 10 Gbps 300 GB, SSD

Master instances are not processing traffic inline. Traffic capacity is the master's ability to process data from the Learner and deny logs at near real time as workers deliver the data. Average performance is measured using a representative sample of e-commerce web traffic. Actual performance may vary and depends on factors such as ratio of inbound to outbound traffic, request complexity, variability in input, and concurrency.

The EBS volume size is the minimum recommended. The EBS volume is used to store log data in transit to the Alert Logic backend and Deny Log data used for tuning. If the EBS volume disk space runs out, the WAF instance stops logging and issues an alert to the Alert Logic monitoring system. This condition does not affect availability of the WAF autoscaling stack.

Worker instance processing capacity

WAF scales up or down to accommodate changes in traffic load. You can optimize the size and initial number of worker instances to serve expected daily traffic rather than optimizing for peak traffic load as is required where processing capacity is static.

Worker instance processing capacity:

Instance Type vCPU Traffic Capacity EBS Volume Size
t3a.medium 2 vCPU 10 Gbps 10 GB, SSD
t3.medium 2 vCPU 10 Gbps 10 GB, SSD
c5a.large 2 vCPU 10 Gbps 10 GB, SSD
c5.large 2 vCPU 10 Gbps 10 GB, SSD
c5a.xlarge 4 vCPU 10 Gbps 10 GB, SSD
c5.xlarge 4 vCPU 10 Gbps 10 GB, SSD
c5.2xlarge 8 vCPU 10 Gbps 10 GB, SSD
c5a.2xlarge 8 vCPU 10 Gbps 10 GB, SSD
c5.4xlarge 16 vCPU 10 Gbps 10 GB, SSD
c5a.4xlarge 16 vCPU 10 Gbps 10 GB, SSD
c5.8xlarge 32 vCPU 10 Gbps 10 GB, SSD
c5a.8xlarge 32 vCPU 10 Gbps 10 GB, SSD
c5.12xlarge 48 vCPU 12 Gbps 12 GB, SSD
c5a.12xlarge 48 vCPU 12 Gbps 12 GB, SSD
c5.16xlarge 64 vCPU 20 Gbps 25 GB, SSD
c5a.16xlarge 64 vCPU 20 Gbps 20 GB, SSD
c5.24xlarge 96 vCPU 20 Gbps 25 GB, SSD
c5a.24xlarge 96 vCPU 20 Gbps 20 GB, SSD

Traffic capacity is an average performance measured using a representative sample of e-commerce web traffic. Actual performance may vary and depends on factors such as ratio of inbound to outbound traffic, request complexity, variability in input, and concurrency.

The EBS volume size is the minimum recommended. The EBS volume is used for caching and as a temporary store for log data in transit to the master instance. If traffic caching is not enabled, it is possible to run with smaller volume sizes. Cache directory sizing is configured dynamically relative to the available disk space; a smaller volume size means the cache will be smaller. If the EBS volume disk space runs out, the WAF instance stops logging and issues an alert to the Alert Logic monitoring system.

AWS supported instance types for WAF pair high availability

Prior to deploying WAF for one or more production web applications, some items must be considered to meet requirements for availability, performance, and traffic (SSL) encryption.

Traffic encryption

WAF supports Secure Sockets Layer (SSL) end-to-end encryption, as required in AWS (by HIPAA, for example) both for standalone and for autoscaling deployments. If SSL encryption is required all the way to the backend server, WAF must be configured to re-encrypt traffic before forwarding it to the server. To re-encrypt traffic, select SSL for both inbound and outbound traffic when configuring the website in WAF. To comply with HIPAA requirements for high availability configurations, Elastic Load Balancing must be configured as a TCP load balancer so the initial SSL request from the client is not terminated until it reaches WAF.

Performance

WAF runs on select instance types in the AWS Marketplace ranging from a c5.large to c5a.4xlarge. The actual performance for a specific application depends on factors such as request size, complexity, and the ratio of inbound to outbound traffic as a rough estimate. The peak performance for a typical web application measured in Gbps total, inbound plus outbound traffic, is the number of Elastic Compute Units multiplied by 10.

Supported EC2 instances

WAF runs on the following EC2 instances:

Instance Family Instance Type Processor Architecture vCPU Network Performance Network Bandwidth EBS Volume Size (Root) EBS Volume Size (Log)
Compute optimized c5.large 64-bit 2 Moderate 10 GB 100 GB, SSD 100 GB, SSD
Compute optimized c5.xlarge 64-bit 4 High 10 GB 100 GB, SSD 100 GB, SSD
Compute optimized c5.2xlarge 64-bit 8 High 10 GB 100 GB, SSD 100 GB, SSD
Compute optimized c5.4xlarge 64-bit 16 High 10 GB 100 GB, SSD 100 GB, SSD
Compute optimized c5a.large 64-bit 8 Moderate 10 GB 100 GB, SSD 100 GB, SSD
Compute optimized c5a.xlarge 64-bit 16 High 10 GB 100 GB, SSD 100 GB, SSD
Compute optimized c5a.2xlarge 64-bit 31 High 10 GB 100 GB, SSD 100 GB, SSD
Compute optimized c5a.4xlarge 64-bit 62 High 10 GB 100 GB, SSD 100 GB, SSD
* Estimated total network bandwidth peak processing capacity. Actual performance depends on application.

The EBS volume size is the minimum recommended. If traffic caching is not enabled, you can run WAF with smaller volume sizes. Cache directory sizing is configured dynamically relative to the available disk space; a smaller volume size means the cache will be smaller. Total cache directory size is roughly 20 percent of available disk space. If the EBS volume disk space runs out, the WAF instance stops logging and issues an alert to the Alert Logic monitoring system. Alert Logic recommends you create separate partitions for root (/) and log data (/wsm/log) to prevent log data partition disk space issues from causing further failures in processing traffic.

High availability

You can deploy WAF in autoscaling configurations to provide high availability and performance adaptation to web applications with high and fluctuating traffic loads. An alternative configuration is a fixed capacity active/active deployment with two or more WAF nodes running parallel behind Elastic Load Balancing. In such a deployment, deploy the WAF instances in different Availability Zones.

You can extend a single node WAF deployment to a high availability configuration by deploying an additional WAF node and configuring Elastic Load Balancing for the nodes.

To learn how to install a virtual or physical appliance, see Install and Configure the Virtual Appliances or Install and Configure the Physical Appliance.