5. System Requirements and Software Installation

Installing Wanguard will not generate any negative side effects on the network’s performance. Full installation and configuration may take less than an hour; after that, the network will be monitored and protected immediately. No baseline data gathering is required.

The software runs exclusively on Linux platforms. To install and configure the software you need basic Linux operation skills and at least medium computer networking skills. If you encounter software installation issues or if you have questions about the system requirements listed below, please contact support@andrisoft.com.

5.1. System Requirements

Wanguard 8.0 can be installed on the following 64-bit Linux distributions: CentOS 7 or 8 (free, Red Hat-based), Red Hat Enterprise Linux 7 or 8 (commercial), Debian Linux 7 to 10 (free, community-supported), Ubuntu Server 14 to 20 (free, Debian-based).

Wanguard was designed to be completely scalable, so it can be installed either on a single server with adequate hardware resources or on multiple servers distributed across the network.

It is highly recommended to install the software on dedicated servers and not on Virtual Machines, mainly because:

➢ Having fast and uninterrupted access to the hard disk is a critical requirement of the Console
➢ The resources must be provisioned in a predictable and timely manner
➢ Some virtualized environments do not have a stable-enough clock source
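
The requirements above can be checked on a candidate server before installation. The following script is an added example, not part of the Wanguard distribution: its function names and FAIL/WARN output format are assumptions made for illustration, and the support matrix is copied from the list of distributions in this section.

```sh
#!/bin/sh
# Preflight for a prospective Wanguard 8.0 host (added example, not vendor code).
# The support matrix below is copied from section 5.1 of this guide.

# supported_distro ID VERSION_ID -> 0 if the pair is in the 5.1 list.
# ID and VERSION_ID are the fields of /etc/os-release.
supported_distro() {
    major=${2%%.*}
    case "$major" in ''|*[!0-9]*) return 1 ;; esac
    case "$1" in
        centos|rhel) [ "$major" -ge 7 ] && [ "$major" -le 8 ] ;;
        debian)      [ "$major" -ge 7 ] && [ "$major" -le 10 ] ;;
        ubuntu)      [ "$major" -ge 14 ] && [ "$major" -le 20 ] ;;
        *)           return 1 ;;
    esac
}

# host_findings ID VERSION_ID ARCH VIRT -> prints one line per finding and
# returns the number of findings. VIRT is the output of systemd-detect-virt
# ("none" on bare metal).
host_findings() {
    n=0
    if ! supported_distro "$1" "$2"; then
        echo "FAIL: $1 $2 is not a supported distribution"; n=$((n + 1))
    fi
    if [ "$3" != "x86_64" ]; then
        echo "FAIL: architecture $3 is not 64-bit x86"; n=$((n + 1))
    fi
    if [ "$4" != "none" ]; then
        echo "WARN: virtualization detected ($4); a dedicated server is recommended"
        n=$((n + 1))
    fi
    return "$n"
}

# Collect the facts from the local host, report findings and the clock source.
preflight() {
    . /etc/os-release
    virt=$(systemd-detect-virt 2>/dev/null) || true
    rc=0
    host_findings "$ID" "$VERSION_ID" "$(uname -m)" "${virt:-unknown}" || rc=$?
    echo "clock source: $(cat /sys/devices/system/clocksource/clocksource0/current_clocksource 2>/dev/null)"
    return "$rc"
}

if [ "${1:-}" = "--run" ]; then preflight; fi
```

Run it with the `--run` argument on the target server; an exit status of 0 means no findings.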

5.1.1. Importance of Hardware Resources

| Component | CPU Speed | CPU Cores | RAM Size | Disk Size | Disk Speed | Network Adapter |
|---|---|---|---|---|---|---|
| Console | High | High | High | Very High | Very High | Very Low |
| Packet Sensor | Very High | High | Medium | Low | Low | Very High |
| Flow Sensor | Low | Low | High | Medium | High | Very Low |
| SNMP Sensor | Very Low | Low | Very Low | Very Low | Very Low | Very Low |
| Sensor Cluster | Medium | Medium | Medium | Very Low | Very Low | Very Low |
| Packet Filter | Very High | Very High | Medium | Very Low | Very Low | Very High |
| Flow Filter | Low | Low | High | Very Low | Very Low | Very Low |
| Filter Cluster | Medium | Medium | High | Very Low | Very Low | Very High |

5.1.2. Minimum System Requirements for Console

| Capacity | 10+ components (Sensors, Filters, BGP Connectors) |
|---|---|
| Architecture | 64-bit x86 |
| CPU | 1 x 2.4 GHz quad-core Xeon |
| RAM | 1 x 8 GB |
| NICs | 1 x Fast Ethernet for management |
| HDDs | 2 x 7200 RPM HDD (SSD highly recommended), RAID 1, 350 GB |

The Console server stores the database and centralizes all operational logs, graphs and IP accounting data. Its performance is determined by its configuration, the performance of the I/O and the performance of the applications it relies on: MySQL/MariaDB, Apache HTTPD and PHP.

To access the web interface, use one of the following web browsers: Google Chrome 64+, Firefox 52+, Microsoft Edge 12+, Opera 43+. JavaScript and cookies must be enabled. Java and Adobe Flash are not required. For the contextual help you may need to install Adobe PDF Reader.

For the best experience, we recommend using Google Chrome and a 1280x1024 or higher resolution display.

5.1.3. Minimum System Requirements for Packet Sensor

| Capacity | 10 Gbit/s, 14 Mpkts/s (wire rate) | 40 Gbit/s, ±30 Mpkts/s |
|---|---|---|
| Architecture | Intel Xeon 64-bit, dedicated server | Intel Xeon 64-bit, dedicated server |
| CPU | 1 x 2.4 GHz Xeon E5-2640v4 | 1 x 2.4 GHz Xeon E5-2680v4 |
| RAM | 4 x 2 GB DDR4 (quad channel) | 4 x 8 GB DDR4 (quad channel) |
| NICs | 1 x 10 GbE adapter (Intel 82599+ or PF_RING/DPDK-supported chipset); 1 x Fast Ethernet for management | 1 x 40 GbE adapter (Intel XL710+ or most DPDK-supported chipsets); 1 x Fast Ethernet for management |
| HDDs | 2 x 5400 HDD, RAID 1, 10 GB (including OS) | 2 x 5400 HDD, RAID 1, 10 GB (including OS) |

Packet Sensor can run load-balanced over multiple CPU cores with the following hardware/Capture Engines:

➢ Intel 82599 chipset network adapters, such as Intel X520, Intel X540, HP X560 or Silicom PE310G4DBi9-T
➢ PF_RING (with or without ZC) high-speed packet I/O framework
➢ Netmap high-speed packet I/O framework and its supported NICs
➢ Data Plane Development Kit (DPDK) and most of its supported NICs

You can easily scale the Packet Sensor’s capacity above 100 Gbit/s by enabling packet sampling on the switch or TAP, or by defining a Sensor Cluster that aggregates multiple Packet Sensor instances running on different servers equipped with 10, 40 or 100 Gbit/s network adapters.

5.1.4. Minimum System Requirements for Flow Sensor

| Capacity | 15000+ flows/s |
|---|---|
| Architecture | 64-bit x86 |
| CPU | 1 x 2.0 GHz dual-core Xeon |
| RAM | 1 x 8 GB |
| NICs | 1 x Fast Ethernet for management |
| HDDs | 2 x 7200 RPM HDD, RAID 1, 60 GB |

Flow Sensor can monitor an almost unlimited number of interfaces. On modern hardware, the processing of tens of thousands of flows/s is also not a problem. Each Flow Sensor can handle the flows of a single flow exporter. Any server with enough RAM can run tens of Flow Sensor instances. For this type of Sensor, the amount of RAM is much more important than the speed of the CPU.

Flow Sensor can store flow data on the local disk in a highly compressed binary format.

5.1.5. Minimum System Requirements for SNMP Sensor

| Capacity | 20+ devices |
|---|---|
| Architecture | 64-bit x86 |
| CPU | 1 x 1.6 GHz dual-core Xeon |
| RAM | 1 x 1 GB |
| NICs | 1 x Fast Ethernet for management |
| HDDs | 2 x 5200 RPM HDD, RAID 1, 20 GB |

Each SNMP Sensor can monitor a single device with an unlimited number of interfaces. Any server can run an almost unlimited number of SNMP Sensor instances.

5.1.6. Minimum System Requirements for Sensor Cluster

The hardware requirements for Sensor Cluster are very low because the traffic information is pre-aggregated by the associated Flow Sensor, Packet Sensor or SNMP Sensor instances. It is best to run it on the Console server.

5.1.7. Minimum System Requirements for Packet Filter

| Capacity | 10 Gbit/s, 14 Mpkts/s | 40 Gbit/s, >30 Mpkts/s |
|---|---|---|
| Architecture | Intel Xeon 64-bit, dedicated server | Intel Xeon 64-bit, dedicated server |
| CPU | 1 x 2.4 GHz Intel Xeon E5-2640v4 | 1 x 2.4 GHz Intel Xeon E5-2690v4 |
| RAM | 4 x 2 GB DDR4 (quad channel) | 4 x 8 GB DDR4 (quad channel) |
| NICs | 2 x 10 GbE interfaces (Chelsio T5+, Intel X520+, or other DPDK-supported chipset); 1 x Fast Ethernet for management | 2 x 40 GbE interfaces (Chelsio T5+, Intel XL710+, or most DPDK-supported chipsets); 1 x Fast Ethernet for management |
| HDDs | 2 x 5200 RPM HDD, RAID 1, 35 GB | 2 x 5200 RPM HDD, RAID 1, 35 GB |

The main task of Packet Filter is to inspect the traffic flooding the attacked IP destination(s) and to generate dynamic filtering rules that isolate the malicious packets. When it generates a filtering rule, it announces it to the Console and applies it on the local Netfilter firewall, embedded Dataplane firewall, in-NIC hardware filter, BGP Flowspec-capable router or third-party filtering appliance.

The firewall backends used by Packet Filter have no need for the connection tracking mechanism specific to stateful firewalls and IPSes. This ensures a much better filtering and routing performance during spoofed attacks and SYN floods. However, the filtering and packet-forwarding capacity may still not be line-rate, especially during powerful attacks with small packets.

Packet Filter achieves line-rate packet filtering on:

➢ Chelsio T5+ network adapters. On the Chelsio T5 or T6, Packet Filter is able to program 486 LE-TCAM filter rules to block traffic for source/destination IPv4/IPv6 addresses, source/destination TCP/UDP ports and IP protocols
➢ Intel 82599 chipset network adapters, such as Intel X520, Intel X540, HP X560. Packet Filter is able to program 4096 filter rules to block IPv4 addresses, but either sources or destinations, not both
➢ Servers meeting the minimum system requirements configured to use the DPDK Capture Engine and the embedded Dataplane Firewall
➢ Most adapters supporting the DPDK Flow API

To scale the packet filtering capacity above 100 Gbit/s, either use BGP Flowspec or split the traffic with a hardware load balancer or by using equal-cost multi-path routing. You can then configure a Filter Cluster to aggregate multiple Packet Filter instances running on different servers equipped with 10/40/100 Gbit/s network adapters.

5.1.8. Minimum System Requirements for Flow Filter

The hardware requirements for Flow Filter are very low because it analyzes traffic information pre-aggregated by Flow Sensor. If Flow Filter is used only for reporting and not for packet filtering, it is best to run it on the same server as the Console.

Flow Filter can apply filtering rules in the same way as Packet Filter. The requirements for software-based and/or hardware-based traffic filtering are listed in the previous section.

5.1.9. Minimum System Requirements for Filter Cluster

Filter Cluster groups, aggregates and controls multiple Packet Filter and/or Flow Filter instances.

The hardware requirements for Filter Cluster are very low because the traffic information is pre-aggregated by the associated Filter instances. If Filter Cluster is used only for reporting and not for packet filtering, it is best to run it on the same server as the Console.

Filter Cluster can apply filtering rules in the same way as Packet Filter and Flow Filter. The requirements for software-based and/or hardware-based traffic filtering are listed in section 5.1.7, Minimum System Requirements for Packet Filter.

5.2. Software Installation

The download link is listed in the email with the trial license key. The latest software installation instructions are listed on www.andrisoft.com.

Each trial license key activates all features for 30 days. You can install the trial license key on any number of servers. To switch to a full, registered version, apply a license key purchased from the online store.

5.3. Opening the Console

Wanguard Console provides a web interface and centralized system through which you can control and monitor all the other components. If you have correctly followed the installation instructions, from now on you will only need to log in to Console to manage and monitor servers and software components. SSH access will be needed for updating the software.

Open the Console at http://<console_hostname>/wanguard. If the page cannot be displayed, make sure that the Apache web server is running and the firewall does not block incoming traffic on port 80 or 443. You can also access it securely via HTTPS if the Apache web server was configured to serve pages over SSL/TLS.

If you have not licensed the software, you will be asked to do so. Upload the trial.key file emailed to you by clicking the key icon. The license key contains encrypted information about the licensed capabilities of the software. You can replace the license key in Configuration » General Settings » License Manager.

Log in to the Console using the default username/password combination: admin/changeme.

If the Console is installed on a public server, you should immediately change the default password of the “admin” account. To do so, click the Admin menu at the top-right corner of the browser window and select [Change Password]. From the same menu you can change the Console layout and theme.

To understand how to navigate within the Console, read the Basic Concepts of Wanguard Console chapter.

5.4. Licensing Procedure

When the trial period is over, you will have to purchase as many Sensor and Filter licenses, in the form of annual subscriptions, as the number of Sensors and Filters configured and enabled in Configuration » Components.

➢ You will have to purchase as many Sensor licenses as the number of flow exporters (usually border or edge routers) monitored by Flow Sensors. There is no limit on the number of interfaces a Flow Sensor can monitor.
➢ You will have to purchase as many Sensor licenses as the number of interfaces (ports) listened to by Packet Sensors. Multiple Packet Sensors listening to the same interface (e.g. when using a multi-queue NIC) use a single Sensor license. Packet Sensor can monitor an unlimited number of IPs/domains.
➢ You can mix Wanguard Sensor licenses together with Wansight Sensor licenses
➢ You will need as many Wanguard Filter licenses as the number of Filters enabled in Configuration » Components. A single Packet Filter can clean the traffic received from multiple parts of the network, but it can listen to a single interface (port). Multiple Flow Sensors can use a single Flow Filter. Wanguard Filter works only in conjunction with Wanguard Sensor
➢ Sensor Cluster and Filter Cluster do not require licensing
➢ Console does not require licensing

You can distribute the licensed Sensors and Filters on any number of servers without additional licensing costs. The license key must contain the hardware keys listed under Configuration » General Settings » License Manager » Requirements. The minimum licensing period is 12 months. The maximum licensing period is 48 months.