2.1. System Requirements

2.1.1. Server Hardware Requirements

FlowTraq's hardware requirements depend heavily on the number of devices sending NetFlow information to it, and the amount and nature of traffic handled by those devices.

In order to provide full forensic recall capability, FlowTraq stores every flow record it receives to disk indefinitely, as long as there is room in the database. In addition to storing flow records on disk, FlowTraq Server keeps a memory cache of recently received records. The larger this cache, the larger the number of records which can be accessed quickly.

This full-fidelity feature allows for more powerful analysis and forensic capabilities than traditional flow collectors. However, it also means that FlowTraq can be more demanding of the hardware it's running on than traditional flow collectors.

Many customers opt to purchase hardware specifically for their FlowTraq installation. The table below gives some rules of thumb for configuring a hardware platform for FlowTraq Server:

Table 2.1. FlowTraq Server Hardware Configuration Guidelines

Flow Rate	CPU Examples	RAM	Disk
up to 4 million/hr	Core-2, i5, Athlon II-X4, 2Ghz	4GB-8GB (DDR3-1066)	Single disk at 5,400 rpm
up to 20 million/hr	i7-950, Phenom II-X6, 2.5Ghz	8GB-24GB (DDR3-1066)	Single or 3-disk RAID, 7,200 rpm
up to 100 million/hr	Xeon Nehalem W5590, Opteron 6174, 3Ghz	24GB-128GB (DDR-1333)	3-disk RAID, 10Krpm
more than 100 million/hr	Contact us...	Contact us...	Contact us...

The preceding configurations should be interpreted as guidelines. To determine your requirements, test the software's performance in your network environment.

Every network environment is different, and every organization's reporting needs and alerting needs are unique to the organization. You may be able to get the job done with less powerful hardware. A older processor such as a Core 2 Duo may still be able to handle the same input flow rate as a Xeon Nehalem W5590; however, queries may take longer to service than they would on the faster CPU.

	Tip
	In extremely demanding environments (such as those with a high flow load, many FlowTraq users, or heavy Alert usage), you may wish to run more than one FlowTraq instance and divide the workload among them. For instance, you might set up two instances of FlowTraq Server, and have half of your flow sources report to the first and the other half report to the second.

	Caution: 32-bit environments
Although FlowTraq will work in a 32-bit environment, we strongly recommend that FlowTraq Server be installed on a 64-bit (x86-64) platform. On 32-bit platforms, FlowTraq Server will only be able to allocate approximately 2GB of RAM for its memory cache. This is unlikely to be sufficient in most environments. Using a 64-bit operating system will allow FlowTraq Server software to allocate more RAM, which allows for a longer instant recall history and a higher input flow rate. Note that in order to be able to take advantage of a 64-bit platform, both the CPU and the operating system must be 64-bit.

Caution: 32-bit environments

Although FlowTraq will work in a 32-bit environment, we strongly recommend that FlowTraq Server be installed on a 64-bit (x86-64) platform.

On 32-bit platforms, FlowTraq Server will only be able to allocate approximately 2GB of RAM for its memory cache. This is unlikely to be sufficient in most environments.

Using a 64-bit operating system will allow FlowTraq Server software to allocate more RAM, which allows for a longer instant recall history and a higher input flow rate.

Note that in order to be able to take advantage of a 64-bit platform, both the CPU and the operating system must be 64-bit.

Frequently Asked Questions
1.	How many cores do I need?
	If your choice is between more cores at a lower clock frequency, or fewer cores at a higher clock frequency, we recommend you go with the latter. A higher clock frequency helps individual threads run faster, while having additional cores allows more threads to run concurrently. FlowTraq Server does benefit from having additional cores because it is heavily multi-threaded; however, we have found that a higher clock speed gives a quicker response to client requests. A general rule of thumb is that 4 cores are more than enough for most installations. In certain cases we would recommend more than 4 cores. For example, if you plan to run many input ports, or if you plan to serve a large number of concurrently-connected clients, then might suggest 6, or more, cores.
2.	All else being equal, should I choose a server with more RAM, or a server with faster RAM?
	The more RAM, the better. More RAM means a longer history in the cache, which means fewer disk accesses. Disk is very slow compared to RAM, so the more data FlowTraq Server can keep in RAM, the quicker the queries return, and the faster your interactive traffic analysis will be.
3.	How much disk space do I need for my flow database?
	The answer to this question depends on your flow rate and on how many months or years of historical forensic data you need to keep. Flow data is very compact compared to packet captures. A rule of thumb we have observed is that a typical end user generates 100MB of stored flow records per year. So if there are 1000 end users in your network environment, and you need to be able to retain forensic records for 10 years, make sure you have at least 100MB/user/year1000 users10 years = 1,000,000M or 1TB of disk space. You can dedicate up to 16TB of disk space to the database.
4.	How fast a disk do I need?
	The higher the RPMs, the better. Speed limitations in modern hard disks are caused by the time it takes for the disk to rotate and the desired data to appear under the heads. The faster the disk spins, the quicker data can be written and read back. If you can get 15K RPM or better, get it!
5.	RAID or non-RAID?
	A Redundant Array of Independent Disks is a beautiful thing when constructed correctly. But in many cases, RAID is slower than a single-disk setup. For instance, RAID levels 4, 5, and 6 offer great redundancy for a relatively small capacity overhead; however, each write will translate into as many as 4 physical disk accesses. Unless the disks are very fast, this may hurt more than it helps. RAID levels 0 (striping) and 1 (mirroring) generally offer faster read times at either a high capacity overhead (mirroring), or lack of redundancy (striping). We consider RAID 1+0 (striping and mirroring) ideal for speed, but it is expensive due to the capacity overhead.

2.1.2. Client Hardware Requirements

FlowTraq Client and the CLI (command-line interface) tools are lightweight and don't require a substantial hardware investment. FlowTraq Client is a Java application and will run on any system that supports the Sun Java 5 runtime (version 1.5) or newer. Most client systems will need no more than 1GB of RAM and a 1Ghz processor. Depending on your usage patterns, however, you may want to give the client system more RAM. 4GB RAM should be sufficient for even the heaviest FlowTraq Client users.

The FlowTraq Command Line Interface (CLI) tools are even more lightweight than FlowTraq Client, and will run on any system that supports TCP/IP networking.

2.1.3. Platform Requirements

FlowTraq Client

FlowTraq Client supports Windows XP, 2003, Vista, 2008, and 7 (x86 and x86-64 architectures); Mac OS X (10.5+, x86 and x86-64 architectures); Linux (Kernel 2.6+, x86 and x86-64 architectures); Solaris 10 (SPARC and x86-64 architectures); and FreeBSD.

A Java Runtime Environment (JRE) version 1.5+, provided by Sun Microsystems/Oracle is required.

	Caution
	Please note that other JREs, including OpenJDK, are not supported.

FlowTraq Server

FlowTraq Server supports Windows XP, 2003, Vista, 2008, and 7 (x86 and x86-64 architectures); Mac OS X (10.5+, x86 and x86-64 architectures); Linux (Kernel 2.6+, x86 and x86-64 architectures); Solaris 10 (SPARC and x86-64 architectures); and FreeBSD.

Prev	Up	Next
	Home