cheapest forward node for small network #6386
-
|
Hi, I would like to know what is the smallest forward node hardware that can be installed on a very small network. I plan on installing the manager in a Data center on a Dell server. Thank you |
Beta Was this translation helpful? Give feedback.
Replies: 1 comment 5 replies
-
|
Take a look at the hardware requirements page https://docs.securityonion.net/en/2.3/hardware.html There's a lot of useful planning information in there. There isn't a specific set of requirements for a forward node as it is very dependent on things like the amount of PCAP data you want to store, the speed (and utilisation) of the links you want to monitor, the types of monitoring you want to configure (Snort, Strelka etc) and other factors. |
Beta Was this translation helpful? Give feedback.
-
|
thank you for your reply. I did have a look at the hardware requirement page but it doesn't really give much details about recommended hardware for forward nodes. Let's say i only want to forward the data to the remote manager, i do no want to store anything local, do I still need a buisiness "server" ? |
Beta Was this translation helpful? Give feedback.
-
|
So the design of the forward node is to ingest network traffic and analyse it. Storing the pcap locally and forwarding the Zeek/Suricata/Strelka logs to the manager keeps the bandwidth use down between the two systems. If you don't want to keep the PCAP data for any period of time you can have a small storage capacity on the forward node. The alerts will still be forwarded but you won't be able to extract the pcap data as it will probably have been overwritten. The CPU and RAM requirements are still relative to the amount of traffic you are monitoring, and how many active snort rules you have. I've run forward nodes on a Dell R210 before with a single CPU and 8GB of RAM, with a 1TB HDD. It worked okay, but performance wasn't great. |
Beta Was this translation helpful? Give feedback.
-
|
thank you for the details. then we can say that a server with 4 to 8 cores with 16 to 32GB of RAM with 2 x 1TB HDD in RAID would be okay for small network of around 50 users? I know it's always depending on a lot of factors and i will make my own test. It's just to know in advance what to start with for testing. Thank you very much |
Beta Was this translation helpful? Give feedback.
-
|
It's very difficult to say with any accuracy - if those 50 users aren't doing much then it would probably be okay. If those 50 users are moving a lot of data around across a 10Gbit link then no. If you already have that server available then give it a try. You may find that the disk is a limiting factor depending on the traffic - a maxed out 1Gbps link generates 250MBps of data. Your two HDDs are almost certainly not going to be able to keep up with that. As you have identified there are too many factors to say clearly if it will or won't work for you. |
Beta Was this translation helpful? Give feedback.
-
|
understood. Thank you |
Beta Was this translation helpful? Give feedback.
Take a look at the hardware requirements page https://docs.securityonion.net/en/2.3/hardware.html
There's a lot of useful planning information in there. There isn't a specific set of requirements for a forward node as it is very dependent on things like the amount of PCAP data you want to store, the speed (and utilisation) of the links you want to monitor, the types of monitoring you want to configure (Snort, Strelka etc) and other factors.