5. Software & Hardware Requirements¶
Installing Wanguard will not generate any negative side effects on the network’s performance. Full installation and configuration should take less than an hour; after that, the network will be monitored and protected immediately. No baseline data gathering is required.
Wanguard 8.1 can be installed on the following 64-bit Linux distributions:
● Debian Linux 7 to 11 (free, community-supported)● Ubuntu Server 14 to 20 (free, Debian-based)● Red Hat Enterprise Linux 7 or 8 (commercial)● CentOS 7 or 8 (free, Red Hat-based)
Wanguard was designed to be completely scalable, so its components can be installed on a single server with adequate hardware resources or distributed among multiple servers from across the network.
It is highly recommended to install the software on dedicated servers, not on Virtual Machines, mainly because:
➔ Having fast and uninterrupted access to the hard disk is a critical requirement of the Console➔ The resources have to be provisioned in a predictable and timely manner➔ Some virtualized environments do not have a stable and highly-accurate clock source
5.1. Hardware Sizing Guideline¶
Brief overview with the importance of each hardware resource for each software component:
CPU Speed |
CPU Cores |
RAM Size |
Disk Size |
Disk Speed |
Network Adapter |
|
Console |
High |
High |
High |
Very High |
Very High |
Very Low |
Packet Sensor |
Very High |
High |
Medium |
Low |
Low |
Very High |
Flow Sensor |
Low |
Low |
High |
Medium |
High |
Very Low |
SNMP Sensor |
Very Low |
Low |
Very Low |
Very Low |
Very Low |
Very Low |
Sensor Cluster |
Medium |
Medium |
Medium |
Very Low |
Very Low |
Very Low |
Packet Filter |
Very High |
Very High |
Medium |
Very Low |
Very Low |
Very High |
Flow Filter |
Low |
Low |
High |
Very Low |
Very Low |
Very Low |
Filter Cluster |
Medium |
Medium |
High |
Very Low |
Very Low |
Very High |
5.2. System Requirements for Console¶
Capacity |
<10 components (Sensors, Filters, BGP Connectors) |
Architecture |
64-bit x86 |
CPU |
1x 2.4 GHz quad-core Xeon |
RAM |
2 x 8 GB |
NICs |
1 x Fast Ethernet for management |
HDDs |
2 x 7200 RPM HDD (SSD highly recommended), RAID 1, 350 GB |
The Console server stores the database and centralizes all operational logs, graphs, and IP accounting data. Its performance is determined by its configuration, the performance of the I/O, and the applications it relies on: MySQL/MariaDB, Apache HTTPD, PHP, and InfluxDB. Any server should have redundant hardware components such as fans, power supplies, or disks in RAID.
To access the web interface, use one of the following web browsers: Google Chrome 64+, Firefox 52+, Microsoft Edge 12+, Opera 43+. JavaScript and cookies must be enabled. Java and Adobe Flash are not required.
For the best experience, we recommend using Google Chrome and a 1280x1024 or higher resolution display. SVG graphs can be rendered correctly on macOS only after installing the Consolas font.
5.3. System Requirements for Packet Sensor¶
Capacity |
10 Gbit/s, 14 Mpkts/s (wire-rate) |
40 Gbit/s, ±30 Mpkts/s |
Architecture |
Intel Xeon 64-bit, dedicated server |
Intel Xeon 64-bit, dedicated server |
CPU |
1x 2.4 GHz Xeon E5-2640v4 |
1 x 2.4 GHz Xeon E5-2680v4 |
RAM |
4 x 2 GB DDR4 (quad channel) |
4 x 8 GB DDR4 (quad channel) |
NICs |
1 x 10 GbE adapter (Intel 82599+ or PF_RING/DPDK-supported chipset) 1 x Fast Ethernet for management |
1 x 40 GbE adapter (Intel XL710+ or most DPDK-supported chipsets) 1 x Fast Ethernet for management |
HDDs |
2 x 5400 HDD, RAID 1, 10 GB (including OS) |
2 x 5400 HDD, RAID 1, 10 GB (including OS) |
Packet Sensor can be load-balanced over multiple CPU cores with the following hardware/Capture Engines:
➔ Intel 82599 chipset network adapters, such as Intel X520, Intel X540, HP X560, or Silicom PE310G4DBi9-T➔ PF_RING (with or without ZC) high-speed packet I/O framework➔ Netmap high-speed packet I/O framework and its supported NICs➔ Data Plane Development Kit (DPDK) and most of its supported NICs
You can easily scale the Packet Sensor’s capacity above 100 Gbit/s by enabling packet sampling on the switch or TAP, or by defining a Sensor Cluster that aggregates multiple Packet Sensor instances running on different servers equipped with 10, 40 or 100 Gbit/s network adapters. The number of connections between IPs is not a limiting factor.
5.4. System Requirements for Flow Sensor¶
Capacity |
15000+ flows/s |
Architecture |
64-bit x86 |
CPU |
1 x 2.0 GHz dual-core Xeon |
RAM |
1 x 8 GB |
NICs |
1 x Fast Ethernet for management |
HDDs |
2 x 7200 RPM HDD, RAID 1, 60 GB |
Flow Sensor can monitor an almost unlimited number of interfaces. On modern hardware, processing tens of thousands of flows/s is also not a problem. Each Flow Sensor receives flows from only one flow exporter. Any server with enough RAM can run tens of Flow Sensor instances. For this type of Sensor, the amount of RAM is much more important than the speed of the CPU.
Flow Sensor can store flow data on the local disk in a highly compressed binary format. Querying non-indexed flow data can take a very long time; therefore, using a fast SSD disk is advisable if this is a frequent task.
5.5. System Requirements for SNMP Sensor¶
Capacity |
20+ devices |
Architecture |
64-bit x86 |
CPU |
1 x 1.6 GHz dual-core Xeon |
RAM |
1 x 1 GB |
NICs |
1 x Fast Ethernet for management |
HDDs |
2 x 5200 RPM HDD, RAID 1, 20 GB |
SNMP Sensor can monitor an unlimited number of interfaces of a single networking device. Any server can run an almost unlimited number of SNMP Sensor instances.
5.6. System Requirements for Sensor Cluster¶
The hardware requirements for Sensor Cluster are very low because the traffic information is pre-aggregated by the associated Flow Sensor, Packet Sensor, or SNMP Sensor instances. It is best to run it on the Console server.
5.7. System Requirements for Packet Filter¶
Capacity |
10 Gbit/s, 14 Mpkts/s |
40 Gbit/s, >30 Mpkts/s |
Architecture |
Intel Xeon 64-bit, dedicated server |
Intel Xeon 64-bit, dedicated server |
CPU |
1 x 2.4 GHz Intel Xeon E5-2640v4 |
1 x 2.4 GHz Intel Xeon E5-2690v4 |
RAM |
4 x 2 GB DDR4 (quad channel) |
4 x 8 GB DDR4 (quad channel) |
NICs |
2 x 10 GbE interfaces (Chelsio T5+, Intel X520+, or other DPDK-supported chipset) 1 x Fast Ethernet for management |
2 x 40 Gbe interfaces (Chelsio T5+, Intel XL710+, Mellanox ConnectX-5+ or most DPDK-supported chipsets) 1 x Fast Ethernet for management |
HDDs |
2 x 5200 RPM HDD, RAID 1, 35 GB |
2 x 5200 RPM HDD, RAID 1, 35 GB |
The main task of Packet Filter is to inspect the traffic flooding the attacked IP destination(s) and to generate dynamic filtering rules that isolate the malicious packets. When it generates a filtering rule, it announces it to the Console and applies it on the local Netfilter firewall, embedded Dataplane firewall, in-NIC hardware filter, BGP Flowspec-capable router, or third-party filtering appliance.
The firewall backends used by Packet Filter do not need the connection tracking mechanism specific to stateful firewalls and IPSes. This ensures much better filtering and routing performance during spoofed attacks and SYN floods. However, the filtering and packet-forwarding capacity may still not be line-rate, especially during powerful attacks with small packets.
Packet Filter supports hardware-based line-rate packet filtering on:
➔ Chelsio T5+ network adapters. On the Chelsio T5 or T6, Packet Filter can program 486 LE-TCAM filter rules to block traffic for source/destination IPv4/IPv6 addresses, source/destination TCP/UDP ports, and IP protocols. Packet counters are available➔ Intel 82599 chipset network adapters, such as Intel X520, Intel X540, and HP X560. Packet Filter is able to program 4096 filter rules to block IPv4 addresses, but either sources or destinations, not both. Packet counters are not available➔ Servers fulfilling the minimum system requirements configured to use the DPDK Capture Engine and the embedded Dataplane Firewall. Packet counters are available➔ Mellanox ConnectX-5 network adapters with OFED drivers. Packet Filter is able to program up to 924 hardware filtering rules to block traffic for source/destination IPv4/IPv6 addresses, source/destination TCP/UDP ports, and IP protocols. Packet counters are not available➔ Most adapters supporting the DPDK Flow API. Packet counters are available
To scale the packet filtering capacity above 100 Gbits/s, either use BGP Flowspec or split the traffic with a hardware load balancer or use equal-cost multi-path routing. You can then configure a Filter Cluster to aggregate multiple Packet Filter instances running on different servers equipped with 10/40/100 Gbit/s network adapters.
5.8. System Requirements for Flow Filter¶
The hardware requirements for Flow Filter are very low because it analyzes traffic information pre-aggregated by Flow Sensor. If Flow Filter is used only for reporting and not for packet filtering, it is best to run it on the same server with the Console.
Flow Filter can apply filtering rules just the same as Packet Filter. The requirements for software-based and/or hardware-based traffic filtering are listed in the previous section.
5.9. System Requirements for Filter Cluster¶
Filter Cluster groups, aggregates and controls multiple Packet Filter and/or Flow Filter instances.
The hardware requirements for Filter Cluster are very low because the traffic information is pre-aggregated by the associated Filter instances. If Filter Cluster is used only for reporting and not for packet filtering, it is best to run it on the same server with the Console.