5. Software & Hardware Requirements
Installing Wanguard will not negatively impact your network’s performance. The full installation and configuration process can take less than one hour, after which your network will be monitored and protected immediately. No baseline data gathering is required.
Wanguard 8.4 can be installed on the following Linux distributions running on 64-bit Intel/AMD processors:
● Debian Linux 10 to 12 (free, community-supported)
● Ubuntu Server 18 to 24 (free, Debian-based)
● Red Hat Enterprise Linux 8 or 9 (commercial)
● Rocky Linux 8 or 9 (free, Red Hat-based)
● AlmaLinux 8 or 9 (free, Red Hat-based)
5.1. Hardware Sizing Guideline
The software was designed to be completely scalable, so its components can be installed on a single server with adequate hardware resources or distributed among multiple servers across the network.
We highly recommend installing the software on dedicated servers rather than Virtual Machines because:
Below is a brief overview of how important each hardware resource is for each software component.
| Component | CPU Speed | CPU Cores | RAM Size | Disk Size | Disk Speed | Network Adapter |
|---|---|---|---|---|---|---|
| Console | High | High | High | Very High | Very High | Very Low |
| Packet Sensor | Very High | High | Medium | Low | Low | Very High |
| Flow Sensor | Low | Low | High | Very High | Medium | Very Low |
| SNMP Sensor | Very Low | Low | Very Low | Very Low | Very Low | Very Low |
| Sensor Cluster | Medium | Medium | Medium | Very Low | Very Low | Very Low |
| Packet Filter | Very High | Very High | Medium | Very Low | Very Low | Very High |
| Flow Filter | Low | Low | High | Very Low | Very Low | Very Low |
| Filter Cluster | Medium | Medium | High | Very Low | Very Low | Very High |
5.2. System Requirements for Console
| Architecture | 64-bit x86 |
| CPU | 1 x 2.4 GHz quad-core Xeon |
| RAM | 2 x 8 GB |
| NICs | 1 x Fast Ethernet for management |
| HDDs | 2 x 7200 RPM HDD (SSD highly recommended), RAID 1, 350 GB |
The Console server is responsible for storing the database and centralizing all operational logs, graphs, and IP accounting data. Its performance depends on its configuration, I/O performance, and the applications it utilizes, such as MySQL/MariaDB, Apache HTTPD, PHP, and InfluxDB. For reliability, the server should include redundant hardware components, such as fans, power supplies, and disks configured in RAID.
To access the web interface, use one of the following supported web browsers: Google Chrome 64+, Firefox 52+, Microsoft Edge 12+, Opera 43+. Ensure JavaScript and cookies are enabled. Java and Adobe Flash are not required.
For the best experience, use Google Chrome and a display resolution of 1280x1024 or higher. On macOS, install the Consolas font to ensure SVG graphs render correctly.
5.3. System Requirements for Packet Sensor
| Capacity | 10 Gbit/s, 14 Mpkts/s (wire-rate) | 40 Gbit/s, ±30 Mpkts/s |
| Architecture | Intel Xeon 64-bit, dedicated server | Intel Xeon 64-bit, dedicated server |
| CPU | 1 x 2.4 GHz Xeon E5-2640v4 | 1 x 2.4 GHz Xeon E5-2680v4 |
| RAM | 4 x 2 GB DDR4 (quad channel) | 4 x 8 GB DDR4 (quad channel) |
| NICs | 1 x 10 GbE adapter (Intel 82599+ or PF_RING/DPDK-supported chipset); 1 x Fast Ethernet for management | 1 x 40 GbE adapter (Intel XL710+ or most DPDK-supported chipsets); 1 x Fast Ethernet for management |
| HDDs | 2 x 5400 HDD, RAID 1, 10 GB (including OS) | 2 x 5400 HDD, RAID 1, 10 GB (including OS) |
Packet Sensor can be load-balanced over multiple CPU cores with the following hardware/Capture Engines:
➔ Intel 82599 chipset network adapters, such as Intel X520, Intel X540, HP X560, or Silicom PE310G4DBi9-T
➔ PF_RING (with or without ZC) high-speed packet I/O framework
➔ Netmap high-speed packet I/O framework and its supported NICs
➔ Data Plane Development Kit (DPDK) and most of its supported NICs
Packet Sensor can scale its capacity beyond 100 Gbit/s by enabling packet sampling on the switch or TAP or by defining a Sensor Cluster to aggregate multiple Packet Sensor instances across servers equipped with 10, 40, or 100 GbE adapters. The number of connections between IPs is not a limiting factor.
5.4. System Requirements for Flow Sensor
| Capacity | 15000+ flows/s |
| Architecture | 64-bit x86 |
| CPU | 1 x 2.0 GHz dual-core Xeon |
| RAM | 1 x 8 GB |
| NICs | 1 x Fast Ethernet for management |
| HDDs | 2 x 7200 RPM HDD, RAID 1, 60 GB |
Flow Sensor can monitor an almost unlimited number of interfaces. On modern hardware, it can process tens of thousands of flows per second without issues. Each Flow Sensor instance receives flows from a single flow exporter. A bare-metal server with sufficient RAM can run multiple Flow Sensor instances, as RAM is more critical than CPU speed for this Sensor. Using a bare-metal server instead of a virtual machine is strongly recommended for optimal performance.
Flow Sensor stores flow data locally in a highly compressed binary format. However, querying non-indexed flow data can be time-consuming. If frequent querying is required, it is advisable to use a fast SSD for improved performance.
5.5. System Requirements for SNMP Sensor
| Capacity | 20+ devices |
| Architecture | 64-bit x86 |
| CPU | 1 x 1.6 GHz dual-core Xeon |
| RAM | 1 x 1 GB |
| NICs | 1 x Fast Ethernet for management |
| HDDs | 2 x 5200 RPM HDD, RAID 1, 20 GB |
SNMP Sensor can monitor an unlimited number of interfaces of a single networking device. Additionally, any server can run virtually unlimited SNMP Sensor instances, depending on available hardware resources.
5.6. System Requirements for Sensor Cluster
Sensor Cluster has minimal hardware requirements because it processes pre-aggregated traffic information from associated Flow Sensor, Packet Sensor, or SNMP Sensor instances. For optimal performance, it is recommended to run the Sensor Cluster on the Console server.
5.7. System Requirements for Packet Filter
| Capacity | 10 Gbit/s, 14 Mpkts/s | 40 Gbit/s, >30 Mpkts/s |
| Architecture | Intel Xeon 64-bit, dedicated server | Intel Xeon 64-bit, dedicated server |
| CPU | 1 x 2.4 GHz Intel Xeon E5-2640v4 | 1 x 2.4 GHz Intel Xeon E5-2690v4 |
| RAM | 4 x 2 GB DDR4 (quad channel) | 4 x 8 GB DDR4 (quad channel) |
| NICs | 2 x 10 GbE interfaces (Chelsio T5+, Intel X520+, or other DPDK-supported chipset); 1 x Fast Ethernet for management | 2 x 40 GbE interfaces (Chelsio T5+, Intel XL710+, Mellanox ConnectX-5+ or most DPDK-supported chipsets); 1 x Fast Ethernet for management |
| HDDs | 2 x 5200 RPM HDD, RAID 1, 35 GB | 2 x 5200 RPM HDD, RAID 1, 35 GB |
Packet Filter inspects traffic targeting attacked IP destinations and generates dynamic filtering rules to isolate malicious packets. Once a filtering rule is created, it is announced to the Console and applied to one of the following:
➔ Local Netfilter firewall
➔ Embedded Dataplane firewall
➔ In-NIC hardware filter
➔ BGP Flowspec-capable router
➔ Third-party filtering appliance
The firewall backends used by Packet Filter do not rely on connection tracking mechanisms, which are specific to stateful firewalls and IPSes. This approach significantly improves filtering and routing performance during spoofed attacks and SYN floods. However, the filtering and packet-forwarding capacity may still fall short of line-rate during high-volume attacks with small packets.
Packet Filter supports line-rate filtering on the following hardware:
➔ Chelsio T5+ network adapters. On the Chelsio T5 or T6, Packet Filter can program 486 LE-TCAM filter rules to block traffic for source/destination IPv4/IPv6 addresses, source/destination TCP/UDP ports, and IP protocols. Packet counters are available
➔ Intel 82599 chipset network adapters, such as Intel X520, Intel X540, and HP X560. Packet Filter is able to program 4096 filter rules to block IPv4 addresses, but either sources or destinations, not both. Packet counters are not available
➔ Servers fulfilling the minimum system requirements configured to use the DPDK Capture Engine and the embedded Dataplane Firewall. Packet counters are available
➔ Mellanox ConnectX-5 network adapters with OFED drivers. Packet Filter is able to program up to 924 hardware filtering rules to block traffic for source/destination IPv4/IPv6 addresses, source/destination TCP/UDP ports, and IP protocols. Packet counters are not available
➔ Most adapters supporting the DPDK Flow API. Packet counters are available
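A planning aid for the in-NIC limits listed above, added here as an example and not part of Wanguard: it checks whether a set of filtering rules fits each adapter's stated rule capacity and match fields. The `Rule` and `Backend` types, the reason codes, and the reading of the 82599 restriction as "all rules in the set match on one direction" are assumptions; the sample rules are constructed.

```python
from dataclasses import dataclass
from ipaddress import ip_address
from typing import Optional

@dataclass(frozen=True)
class Rule:  # hypothetical rule shape, not Wanguard's own format
    src_ip: Optional[str] = None
    dst_ip: Optional[str] = None
    proto: Optional[str] = None
    src_port: Optional[int] = None
    dst_port: Optional[int] = None

@dataclass(frozen=True)
class Backend:
    name: str
    max_rules: int
    ipv6: bool
    l4_fields: bool        # can match TCP/UDP ports and IP protocol
    both_directions: bool  # source and destination rules may coexist (assumed reading)
    counters: bool

# Limits as stated in the list above.
BACKENDS = [
    Backend("Chelsio T5/T6", 486, True, True, True, True),
    Backend("Intel 82599", 4096, False, False, False, False),
    Backend("Mellanox ConnectX-5", 924, True, True, True, False),
]

def offload_blockers(b, rules, need_counters=False):
    """Return sorted reason codes; an empty list means the set fits in hardware."""
    why, directions = set(), set()
    if len(rules) > b.max_rules:
        why.add("too_many_rules")
    if need_counters and not b.counters:
        why.add("no_counters")
    for r in rules:
        addrs = [a for a in (r.src_ip, r.dst_ip) if a]
        if not b.ipv6 and any(ip_address(a).version == 6 for a in addrs):
            why.add("ipv6")
        if not b.l4_fields and any(v is not None for v in (r.proto, r.src_port, r.dst_port)):
            why.add("l4_fields")
        directions.update(d for d, a in (("src", r.src_ip), ("dst", r.dst_ip)) if a)
    if not b.both_directions and len(directions) > 1:
        why.add("mixed_directions")
    return sorted(why)

def plan(rules, need_counters=False):
    return {b.name: offload_blockers(b, rules, need_counters) for b in BACKENDS}

# Constructed sample: 600 source-address blocks plus one UDP destination rule.
SAMPLE = [Rule(src_ip=str(ip_address("198.18.0.1") + i)) for i in range(600)]
SAMPLE.append(Rule(dst_ip="203.0.113.10", proto="udp", dst_port=123))
```

A non-empty result for every adapter means the rule set has to go to one of the other backends named in this section, such as the Netfilter or Dataplane firewall.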
To scale packet filtering capacity beyond 100 Gbit/s:
➔ Use BGP Flowspec
➔ Split traffic using a hardware load balancer or equal-cost multi-path routing (ECMP)
➔ Filter Cluster can also be configured to aggregate multiple Packet Filter instances running on different servers equipped with 10, 40, or 100 Gbit/s network adapters
5.8. System Requirements for Flow Filter
Flow Filter has minimal hardware requirements because it processes pre-aggregated traffic information from the Flow Sensor. When used solely for reporting, and not for packet filtering, it is recommended to run Flow Filter on the same server as the Console.
Flow Filter can apply filtering rules in the same way as Packet Filter. The requirements for both software-based and hardware-based traffic filtering are detailed in the previous section.
5.9. System Requirements for Filter Cluster
Filter Cluster groups, aggregates, and manages multiple Packet Filter and/or Flow Filter instances.
The hardware requirements for Filter Cluster are minimal because the traffic data is pre-aggregated by the associated Filter instances. When used exclusively for reporting and not for packet filtering, it is recommended to run Filter Cluster on the same server as the Console.