Your hardware requirements for FlowTraq mostly depend on the number of flow updates per second that your network exporters produce. We refer to this as the flow rate. This number can be highly variable depending on the size of your network and the number and configuration of your exporters. A single powerful server can often handle 300,000 updates per second comfortably depending on configuration.
Since FlowTraq can be “clustered” it is possible to use multiple smaller servers instead of a single powerful one. FlowTraq automatically load-balances the flows over your cluster. To estimate your flowrate, the following rule of thumb can be used: 10Gbit/sec of typical, sustained network traffic will yield about 50,000 flow updates per second (50 KFPS).
To quickly measure your flow rate take a look at the administrative panel in FlowTraq. Estimate your sustained rate by averaging the peaks with the valleys.
To size a FlowTraq deployment expect to use 8 modern CPU cores and at least 64GB of RAM per 50 KFPS. For example, to handle 150,000 updates/second consider deploying a single server with 24 cores and 192 GB of RAM — or use 3 smaller servers (or VMs) with 8 cores and 64GB each.
Disk space configuration should be driven by your required retention. At a sustained 50 KFPS (day and night), FlowTraq will use about 1TB of disk space per week of data. Therefore keeping 3 months of flow data at a saturated 10Gbit network will take about 12TB.
|Flow Rate at 10Gbps||50,000 updates per second at 10Gbps saturation (unsampled)|
|CPU||8 modern CPU cores|
|RAM||64GB, or 8GB per core|
|Disk||12TB for 90 days, 1TB per week of history|
FlowTraq can balance workload over multiple servers in a cluster configuration. All processing and storage is spread equally over the available hardware, effectively multiplying your flow handling capacity by the number of workers in the cluster. The cluster presents itself to the user as as a single FlowTraq instance; the actual workload balancing is transparent to the end user.
For example, 1,000,000 flow updates per second is comfortably handled by cluster of 8 FlowTraq servers each handling 125 KFPS. Since all servers are working together your analysis will be just as quick as interacting with a single FlowTraq server handling only 125,000 updates per second.
Although individual FlowTraq servers have been configured to handle over 700,000 flow updates per second, we typically only recommend this in rare cases. Splitting over multiple clustered servers allows you to take advantage of multiple physically separate disk IO busses, and more drives. The result is much improved disk query performance.
FlowTraq clusters can be grown dynamically over time. If your flow processing requirements grow you can simply add additional FlowTraq servers to the cluster to speed up processing and increase storage.
Some exporting devices are capable of downsampling to reduce their processing load. When flows are sampled, many communications will not be reported on, and forensic accuracy of your traffic is lost. FlowTraq recommends using 1-on-1 unsampled flow exporting whenever possible.
When sampling is used, the recommended hardware remains unchanged, however, you will be able to monitor a larger aggregate bandwidth since only a portion of the traffic is reported.
FlowTraq can be deployed in a virtualized environment using the same recommended hardware specifications as used for bare metal deployments. For convenience, FlowTraq is delivered as a virtual appliance (or “vApp”) which includes a full working copy of FlowTraq server and all necessary operating system components. To quickly deploy a FlowTraq node simply load the vApp in a compatible virtualizer such as ESXi.
Keep in mind that virtualized environments are shared with other virtual machines, and that the physical hardware is frequently “over-provisioned”. If the workload of all the virtual machines on the hardware exceeds the capabilities of that hardware it is likely that performance will suffer. In rare cases of over-provisioning, virtual machines are terminated to free up resources.
When virtualizing a cluster, make sure to deploy each node of the FlowTraq cluster on different physical hardware for maximum performance benefit.
Remote and centrally administered filesystems are a powerful option in terms of performance and convenience. Most SAN and NAS solutions are sufficiently fast to support the IO requirements of a FlowTraq cluster. Due to the parallel nature of FlowTraq servers, disk-based queries may saturate the available IO bandwidth temporarily as records are read from disk simultaneously.
To gain additional flow retention history, it is possible to use compressed filesystems such as ZFS. Compression ratios of up to 3x have been observed, resulting in an effective increase in flow history of up to 3x. Filesystem compression is transparent, but does require some additional CPU and RAM.
In a multi-tenant environment where you are servicing multiple customers with a single FlowTraq server or FlowTraq cluster, your hardware requirements must be computed by combining the flow rates of all your customers. The total combined flow rate can be used to decide how much CPU, RAM, and disk is required to service the combined flow updates of your customers.
To efficiently offer full forensic recall of all flow records, the FlowTraq server software keeps a memory cache of recently received records. The larger this cache, the more records can be accessed quickly. Using 256GB of RAM on a sustained 100,000 per second flow rate will yield approximately 5 hours of cached history in RAM.
Adding RAM to a FlowTraq server will increase the period for which queries can quickly be serviced from RAM. If you are looking for records that are not in the RAM cache, then the FlowTraq server will have to access these records on disk, which may take substantially longer than accessing RAM-cached records.
FlowTraq server nodes are supported on Linux (Debian, Ubuntu, RHEL, Fedora, SuSe), Solaris 10 SPARC, Solaris 10 Intel, FreeBSD, MicroSoft Windows (2008, 2012, 2016, Win7, 2008R2, Win8), and Mac OS X 10.5 and up.
The FlowTraq user interface requires Apache version 2 and PHP version 7.2.
Although the FlowTraq server software will work in a 32-bit environment, we strongly recommend the server software be installed on a 64-bit (x86-64) platform. Keep in mind that both the CPU as well as the operating system must both have 64-bit support. For instance, 32-bit Linux will run on a 64-bit processor; however, the FlowTraq server application will not be able to access more than about 2GB of RAM (which may be sufficient for your environment, but most likely isn’t). Using a 64-bit operating system will allow the FlowTraq server software to use much more RAM which allows you to have a longer instant recall history and a higher input flow rate.