AWS Marketplace (Classic) sizing

Sizing guidelines for Deep Security in AWS Marketplace (Classic) vary by type of environment and other factors such as network, hardware, software, and applications.

These recommendations are classified by number of agents into Small (1-10 000), Medium (10 000-20 000) and Large (20 000+) deployments.

Deep Security Manager

| Number of agents | Instance type | Number of Deep Security Manager nodes |
|---|---|---|
| 1 - 10 000 | m4.large - c3.large | 1 - 2 |
| 10 000 - 20 000 | m4.xlarge | 2 |
| 20 000 + | r3.xlarge | 3 |

M3 instance types can be used instead of M4 in regions where M4 is not yet supported.

Database

| Number of agents | Hard drive size |
|---|---|
| 1 - 10 000 | 10 - 20 GB |
| 10 000 - 20 000 | 20 - 30 GB |
| 20 000 + | 30 - 40 GB |

Use the table above to determine the initial size to set for the Deep Security database. These estimates are based on the following assumptions:

  • Log inspection and web reputation service (WRS) are not enabled.
  • Intrusion prevention (IPS) is enabled efficiently with very few false positive events.
  • Anti-malware (AM) events are insignificant in terms of size and are not part of the calculation. Anti-malware only logs events occasionally, unless there is an outbreak.
  • Log retention period is 30 days.
  • Firewall events are around 50 per day.

Notes

  1. Other factors, such as the modules in use, the number of security updates held, and the number of policies, will affect database size. In general, centrally collected firewall and intrusion prevention event logs form the bulk of the database volume. Event retention (Administration > System Settings > Storage) is relevant to maintaining a reasonably sized database. Make sure to review these settings, as this will help determine how much space is needed.
  2. For environments in which a significant number of firewall events are anticipated, consider disabling "Out of allowed policy" events. This can be configured for each agent or applied at the Base policy level. (Open the Computer or Policy details page and go to Firewall > Advanced.)
  3. Environments with large retention requirements should consider a SIEM or Syslog server for log storage. When logs are stored in a SIEM or Syslog server, less storage is required in the Deep Security database.
  4. Imported Deep Security software in the Deep Security Manager can affect database size. Always review the number of software versions you plan to keep in the database and remove unnecessary versions.