NDR: Virtual Sensor Requirements
Description
Sensor Sizing Specifications/Requirements
- The OVA/VHD files distributed for Modular Sensor installation in VMware/Hyper-V environments provision the VM with 1 virtual core, 3 GB of RAM, and a 64 GB disk.
- This default assumes that your firewall/device will have a maximum of 500 Events Per Second (EPS).
- You must provision sufficient resources to support the EPS that you anticipate for the Modular Sensor. If your firewall/device will be sending more than that, see the chart below for the required VM specifications as you will need to increase the resources of the sensor VM.
- Don’t forget to account for all devices sending logs if you’re sending logs from multiple devices to a single sensor.
- As a rule of thumb, Stellar Cyber recommends that you provision at least 1.5 times as much memory as the number of CPU cores to ensure stable performance. So, for example, if you provision 8 CPUs, you should provision at least 8 x 1.5 = 12 GB of memory.
| Number of Events Per Second (EPS) | Virtual Cores | RAM (GB) | SSD (GB) |
| 500 (Default/Recommended for most cases) | 1 | 3 | 128 |
| 1000 | 4 | 8 | 128 |
| 1500 | 8 | 16 | 256 |
| 7000 | 12 | 32 | 256 |
| 10,000 | 24 | 64 | 512 |
Firewall Configuration
The modular sensor requires specific ports & URLs to be open on your firewall for outbound communication:
General Purpose Ports
| Source | Port | Protocol | Purpose |
| 53 | UDP | Name service for:
|
| 123 | UDP | Performing time synchronization |
| 443 | TCP | Displaying user interface |
| 4789, 8472 | UDP | VXLAN packet forwarding |
| 5123 | TCP | Local file assembly over HTTPS |
| 6640-6648 | TCP with TLS 1.2 | Communicating with the CM. |
| 8443 | TCP (HTTPS with TLS 1.2) | Downloading software and files from the DP, including custom log parsers. | |
| 8888, 8889 | TCP (HTTPS with TLS 1.2) | Receiver ports for communicating with the DA | |
| 6640-6648, 8443, 8888, 8889 | TCP Proxy | Must be open for communications between sensor and aggregator. |
Domains
All of the following domains are required.
| Source | Destination | Port | Protocol | Purpose |
| http://archive.ubuntu.com http://security.ubuntu.com esm.ubuntu.com http://ppa.launchpad.net | 443 80 (Sensors running 4.3.6 and earlier) | TCP | Software updates. Sensors running 4.3.7 and later no longer require Port 80 for Ubuntu updates; only 443 is required. |
| For centos/redhat servers:
| Environment specific | TCP | Customer configured port for accessing the OS provider's server (repository) for application updates |
| For SUSE servers:
| Environment specific | TCP | Customer configured port for accessing the OS provider's server (repository) for application updates |
| For Ubuntu servers:
| Environment specific | TCP | Customer configured port for accessing the OS provider's server (repository) for application updates |
| launchpadlibrarian.net | 80 | TCP | Software updates |
| http://download.webmin.com | 80 | TCP | Software updates |
| dl.stellarcyber.ai | 443, 80 | TCP | Downloading files during upgrade |
| live.sysinternals.com/sysmon.exe | 443 | TCP | Optional. Domain is required if the customer wants to install feature |
| http://pypi.python.org http://pypi.org | 443 | TCP | For installation and update of required packages |
| http://pythonhosted.org | 443 | TCP | For installation and update of required packages |
