31 October 2023
Introduction
threatER's Enforce software stack can be installed on any hardware that meets the minimum system requirements below. As part of this capability, it can now also be installed and run on systems with or without network bypass hardware. This means that customers may deploy Enforce on independently procured hardware that meets those minimum requirements.
System requirements
The physical or virtual machine you are installing must meet the following minimum set of system requirements:
CPU
In general, the target system must use a 64-bit Intel processor with at least 2 physical cores running at 2.2GHz or faster to support bidirectional 1Gbps operation. More cores can be used; the more cores available, the faster system bootup and software updates will be.
For bidirectional 10Gbps operation, at least 12 logical cores (typically 6 physical cores with hyperthreading, yielding 12 logical cores) running at 2.9GHz or faster are required.
For our own production turnkey hardware shipping from our box build partners as of Oct 2023, we leverage the following processors:
- Intel(R) Xeon(R) E-2336 CPU @ 2.9GHz (6 core/12 thread for up to bidirectional 10Gbps performance)
- Intel(R) Atom(TM) CPU C3758 @ 2.2GHz (8 core/8 thread for up to bidirectional 1Gbps performance)
- Intel(R) Atom(TM) CPU C3558 @ 2.2GHz (4 core/4 thread for up to bidirectional 1Gbps performance)
Although the processors shown above are the ones that we use in most of our currently shipping turnkey systems, other processors meeting the minimum requirements or better can be used.
RAM
For up to 1Gbps sustained bidirectional operation, the system must have at least 4GB of RAM installed. More RAM can be used; the more RAM available, the larger the internal log buffers will be.
For up to 10Gbps sustained bidirectional operation, the system must have at least 16GB of RAM installed, with 64GB strongly recommended. Again, the more RAM available, the larger the internal log buffers will be.
Important Note: The threatER Enforce software reserves its own pool of 2MB hugepages at startup. Do not pre-reserve hugepages via the kernel boot command line (the hugepages=, hugepagesz= and default_hugepagesz= parameters), and no other process resident on the server should use hugepages. Before installing, check that HugePages_Total in /proc/meminfo reads 0 and that /proc/cmdline carries none of those parameters.
Storage
For physical server deployments, a Solid-State Drive (SSD) is required for the installation target. It must be at least 32GB in size. Installations leveraging other media types are not supported and may cause the system to drop packets or otherwise perform poorly.
NIC
At least three NIC ports are required to be installed for the software to function properly:
NIC port 1 - administration: the first port is for administration access and should be attached to a protected-side network switch with DHCP and Internet access. Do not attach it to the outside (unprotected) network. This port must be connected before starting an ISO installation, or the installation will not complete correctly.
NIC port 2 - inside: this is the inside port of the layer 2 bridge (bump-in-the-wire). Once in production it is connected to your inside, protected-side traffic. Leave this port unconnected during the install; you do not need to connect it until you are ready to put the device inline in your production network after installation and configuration.
NIC port 3 - outside: this is the outside port of the layer 2 bridge (bump-in-the-wire). Once in production it is connected to your outside network. Leave this port unconnected during the install; as with the inside port, connect it only when you are ready to put the device inline after installation and configuration.
Both bridge ports must be supported by DPDK in order to be included in the bridging pair. For our stock hardware offerings this is always the case, but if you are bringing your own hardware, confirm that your NICs are supported by DPDK before attempting to use them. Start at https://core.dpdk.org/supported/#nics and click through the sections to match your specific NIC model. To identify the exact controller on a Linux system, use ‘lspci -nn | grep -i ethernet’ (which prints the PCI [vendor:device] ID) or ‘ethtool -i <interface>’ (which prints the kernel driver in use) and compare the result against the DPDK list.
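As an added example (this is not threatER's own tooling and is not part of the ISO installer), the following POSIX shell script checks a bring-your-own-hardware target against the CPU, RAM, hugepage, storage and NIC requirements above. Each check takes its input as text so it can be exercised against constructed samples; ‘--live’ makes it read the real /proc and /sys files on the target. The tier names 1g/10g, the default device name sda and the function names are assumptions of this example. It cannot verify DPDK support for the bridge NICs; that still needs the lookup against the DPDK NIC list.

```shell
#!/bin/sh
# Pre-install requirements check for a bring-your-own-hardware Enforce target.
# Added example, not threatER's tooling. Usage on the target, as root:
#   sh preflight.sh --live 10g nvme0n1     (tier 1g|10g, install disk)
# With no arguments it only defines the check functions.

MIN_DISK_GB=32   # installation target must be an SSD of at least 32GB
MIN_NICS=3       # admin + inside + outside

# Thresholds from the requirements: tier is "1g" (default) or "10g".
min_cores()  { case "$1" in 10g) echo 12 ;; *) echo 2 ;; esac; }
min_ram_kb() { case "$1" in 10g) echo $((16*1024*1024)) ;; *) echo $((4*1024*1024)) ;; esac; }

# $1 = /proc/cpuinfo text, $2 = tier.
# Requires the 64-bit "lm" flag and at least min_cores logical processors.
# (Clock speed is not checked: /proc/cpuinfo reports the current, not rated, MHz.)
cpu_ok() {
  cpu_cores=$(printf '%s\n' "$1" | grep -c '^processor' || true)
  printf '%s\n' "$1" | grep -Eq '^flags.*[[:space:]]lm([[:space:]]|$)' || return 1
  [ "$cpu_cores" -ge "$(min_cores "$2")" ]
}

# $1 = /proc/meminfo text, $2 = tier. MemTotal is reported in kB.
ram_ok() {
  mem_kb=$(printf '%s\n' "$1" | awk '/^MemTotal:/ {print $2}')
  [ "${mem_kb:-0}" -ge "$(min_ram_kb "$2")" ]
}

# $1 = /proc/meminfo text, $2 = /proc/cmdline text.
# Enforce reserves its own 2MB hugepage pool at startup, so nothing may be
# pre-reserved: HugePages_Total must be 0 and the kernel command line must not
# carry hugepages=, hugepagesz= or default_hugepagesz=.
hugepages_clear() {
  hp_total=$(printf '%s\n' "$1" | awk '/^HugePages_Total:/ {print $2}')
  [ "${hp_total:-0}" -eq 0 ] || return 1
  ! printf '%s\n' "$2" | grep -Eq '(^| )(default_)?hugepages(z)?='
}

# $1 = /sys/block/<dev>/queue/rotational (0 = SSD/NVMe, 1 = spinning disk),
# $2 = /sys/block/<dev>/size (512-byte sectors).
disk_ok() {
  [ "$1" -eq 0 ] || return 1
  [ $(( $2 / 2 / 1024 / 1024 )) -ge "$MIN_DISK_GB" ]
}

# $1 = whitespace-separated interface names (e.g. from /sys/class/net).
# Loopback is ignored; virtual interfaces (bridges, VLANs) would inflate the
# count on a previously used host, so run this on a clean target.
nics_ok() {
  nic_count=0
  for ifname in $1; do
    [ "$ifname" = lo ] || nic_count=$((nic_count + 1))
  done
  [ "$nic_count" -ge "$MIN_NICS" ]
}

if [ "${1:-}" = "--live" ]; then
  tier=${2:-1g}; dev=${3:-sda}; rc=0
  cpu_ok "$(cat /proc/cpuinfo)" "$tier" \
    || { echo "FAIL: CPU (need 64-bit and $(min_cores "$tier") logical cores)"; rc=1; }
  ram_ok "$(cat /proc/meminfo)" "$tier" \
    || { echo "FAIL: RAM (need $(( $(min_ram_kb "$tier") / 1024 / 1024 ))GB)"; rc=1; }
  hugepages_clear "$(cat /proc/meminfo)" "$(cat /proc/cmdline)" \
    || { echo "FAIL: hugepages already reserved; remove hugepages= from the boot line"; rc=1; }
  disk_ok "$(cat /sys/block/$dev/queue/rotational)" "$(cat /sys/block/$dev/size)" \
    || { echo "FAIL: /dev/$dev must be an SSD of at least ${MIN_DISK_GB}GB"; rc=1; }
  nics_ok "$(ls /sys/class/net)" \
    || { echo "FAIL: need at least $MIN_NICS NIC ports"; rc=1; }
  [ "$rc" -eq 0 ] && echo "PASS: meets the $tier requirements"
  exit "$rc"
fi
```

Run it as root on the target before booting the installer. A non-zero HugePages_Total on a freshly booted host almost always means a hugepages= boot parameter left over from a previous role for that server; clear it from the bootloader configuration rather than working around it, since Enforce sizes its own pool at startup.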
Internet
You MUST have DHCP-enabled Internet access for the installation to succeed. Before powering on the system to be installed, connect an ethernet cable from the admin port on your target server to a network that has a DHCP server (so the installer can obtain the IP address it uses for package pulls and security updates) and access to the Internet.
Serial Port or VGA+Keyboard Access
For necessary interactions during the installation, you will need to have either 38400 baud serial port access or VGA+keyboard access to your target installation system.
VGA+keyboard access is straightforward. If your target system has a VGA connector, plug in a compatible VGA monitor and a USB keyboard, and you are ready to go.
If using serial port access, especially when the target system has no video output (for example, several Lanner variants do not supply video output connectors), we recommend connecting from a Linux laptop with the popular screen utility. Run ‘sudo apt update && sudo apt install screen’ if it is not already installed on the laptop. Then connect a suitable USB serial adapter between a USB port on the laptop and the target system's serial port. Check the target system's hardware manual for its serial connector and signalling requirements (for example an RJ45 console port versus a DB9 connector) before buying a matching USB serial adapter from a third-party retailer, if that is the route you are taking.
For reference, our own go-to screen invocation from a Linux laptop is:
$ sudo screen -L -Logfile /tmp/screen.log -c ~/.screen-config /dev/ttyUSB0 38400
where ~/.screen-config is a file with the following contents (sudo is needed because /dev/ttyUSB0 is normally owned by root with group dialout; adding your user to the dialout group avoids it):
defscrollback 1024              # keep 1024 lines of scrollback for new windows
ignorecase on                   # case-insensitive searches in scrollback/copy mode
bindkey -d -k kb stuff "\010"   # send ^H when the Backspace key is pressed
You can use any popular linux text editor of your choice (vim, nano, etc) to create that configuration file in your home directory.
Note that you are not required to use a Linux laptop and/or screen to access the serial port. You can use other tools, as long as you know how to configure and use them. For example, Windows users often rely on the popular tool PuTTY; set its connection type to Serial and the speed to 38400.
Note that if you are using serial port access, you must configure the serial port (console redirection) baud rate in your BIOS settings to 38400. The installer requires that all serial port access be at 38400 baud.
Turnkey shipments
When customers are procuring their own hardware, it may be useful to know which hardware we ship for our turnkey customers. This information can be found in the Turnkey Shipments section in our threatER Enforce Software ISO Installation Guide.
Software deployment
Documentation on deploying Enforce on self-procured hardware is available in our threatER Enforce Software ISO Installation Guide.