Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-04 23:58:20 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 2
zeek/doc/user-manual/Bro-hardware.texi

94 lines
4.4 KiB
Text
Raw Blame History

@menu
* Number and Type of Machines Needed::
* Hard Drive and Controller Considerations::
* NICs::
* Taps::
* ACL Mechanisms::
@end menu
@comment ********************************************
@node Number and Type of Machines Needed
@section Number and Type of Machines Needed
@cindex Host issues
Bro won't run well unless you use suitable hardware. This section of the Bro User Manual
describes the many hardware-related issues with which you'll need to deal if Bro is to run
optimally.
The better the equipment, the better Bro will run, so getting the best equipment you can afford is
a good idea. In particular the speed of the CPU and motherboard will affect Bro's performance in
filtering, analyzing, reacting and storing the network data that it encounters. Ideally the CPU
should have a processing speed of around 1GHz or higher and the motherboard should be at least
500MHz. The CPU and motherboard should be reliable and durable, and if possible obtain
machines that support dual CPUs. RAM is also extremely important in dealing with the large
amounts of network throughput without packet drops; a minimum of 1 GB of RAM is thus
recommended, other than for small networks, with 2 GB approaching the optimal. The amount of motherboard BIOS memory
can also make a big difference for Bro performance, and having more than one network port is
also a very good idea, as explained shortly.
The number of machines you will need depends on the scope of your Bro deployment (e.g., how
many protocols you want to analyze, how much traffic Bro will need to process, whether you
want to store packet capture data, and so on). No matter how small a deployment you have, you
will probably at a minimum want two machines, one for bulk recording/data capture and one for
analyzing live Bro data. With large deployments Bro is likely to work best with a number of
machines (perhaps up to five), each dedicated to a specific task. In this latter case it may be best
to have one machine can perform data capture, another to process and store connection
summaries, still another to run policy scripts, and a few redundant machines for the sake of
operational continuity.
@comment ********************************************
@node Hard Drive and Controller Considerations
@section Hard Drive and Controller Considerations
@cindex Disk Issues
@cindex Controller Issues
Every Bro machine needs to have at least one large capacity hard drive, a minimum of 60 to 80
GB of storage (and more in the case of the bulb trace host), and possible a second hard drive, too.
Bro output files can fill a small capacity hard drive quickly, and the packet capture output can be
voluminous if Bro is engaging in a considerable amount of analysis because the network
throughput rate is high or a large amount of anomalous packets are traversing the network where
Bro is placed.
What type of hard drive is best? Although SCSI (Small Computer System Interface), SATA
(Serial ATA) or IDE (Integrated Drive Electronics) disks may all potentially prove satisfactory
from a performance standpoint, many people who run Bro choose IDE if they run Bro on
FreeBSD. Why -- IDE has been tested in connection with FreeBSD more extensively than the
other types of disk hardware. Obtaining a high-end disk controller card is also advantageous to
performance.
@comment ********************************************
@node NICs
@section NICs
@cindex NICs
Bro deployments require at least two NICs, one for capturing network data and the other for
interfacing with the network so that Bro can be remotely administered. Three NICs can also be
used, with two of them for acquiring network data (to minimize data loss resulting from packet or
frame errors) and one for remote administration. High-end NICs are recommended in that they
generally result in far fewer packet drops or losses than do inexpensive ones. A NIC speed of
about 1 Gb per second is usually more than sufficient. No more than two NICs for capturing
network data is necessary.
If two network data acquisition NICs are used, each needs to be suited for the type of network to
which it will be attached.
SysKonnect SK-9844 Gigabit Ethernet cards are recommended because they have been tested extensively with Bro.
Having identical NICs is desirable from a management standpoint.
@comment ********************************************
@node Taps
@section Taps
@cindex Taps
@comment ********************************************
@node ACL Mechanisms
@section ACL Mechanisms
@cindex ACL Mechanisms
Reference in a new issue View git blame Copy permalink