This article provides you with best practices for configuring the software with the recommended number of scanners.
Definitions
- Requestor: Any storage appliance node, physical or virtual, that transmits scan requests directly to ENSSP.
- Scanner: An ENSSP scanner.
Physical scanner count
The minimum scanner count = 1 x Requestors + 1
Examples:
| Number of Requestors | Absolute Minimum Number of ENSSP Scanners |
|---|---|
| 2 | 3 |
| 4 | 5 |
| 8 | 9 |
| 12 | 13 |
NOTE: You can follow this formula in a lab environment, but you must supplement the formula as needed in production.
Best practices scanner count
The best practices scanner count = 2 x Requestors
Examples:
| Number of Requestors | Minimum Number of ENSSP Scanners |
|---|---|
| 2 | 4 |
| 4 | 8 |
| 8 | 16 |
| 12 | 24 |
NOTES:
- The actual load experienced ultimately determines the scanner count.
- An infrastructure that handles only average load is insufficient.
- An infrastructure that handles peak load must exist, or periodic denial-of-service issues occur under peak load.
- If any physical scanners are replaced with Virtual Machine (VM) scanners, see the VM scanners section below.
VM scanners
WARNING: Neither storage appliance vendors nor antivirus vendors recommend VM scanners. VMs are subject to many more limiting factors than standalone nodes because they share the hypervisor with many other nodes, and all nodes compete for resources. VM scanners can be constructed so that there’s little or no difference between their performance and that of physical scanners for any given scenario, but this construction requires planning and diligent monitoring. Storage appliances are some of the most expensive assets in an IT organization. Because they’re charged with protecting an enterprise's most sensitive and important data, they are a poor area for cost cutting. If VM scanners are to be used, the guidance below must be observed.
Best practices for VM systems:
- When a VM scanner with a dedicated hardware Network Interface Card (NIC) in the hypervisor displaces a physical scanner, you must account for the possible need for 1.5x the number of physical scanners.
- If a VM scanner with a virtualized NIC displaces a physical scanner, you must account for the possible need for 2x the number of physical scanners.
Virtualization factors to consider
The following list describes the performance-sensitive functions that you must consider when using VM scanners:
- ICAP and RPC virtualization factors
  - A denial-of-service can occur when both of the following conditions are met:
    - Mandatory scanning is enabled on storage appliances.
    - VM scanners can't service the load.
  - It’s less expensive to acquire fewer physical scanners (each requiring operating system, ENSSP, and ENSSP licenses). It costs more for VM scanners (each requiring hypervisor, operating system, ENSSP, and ENSSP licenses).
  - Performance can degrade asymptomatically under heavy load with VM scanners, even with dedicated physical NICs per scanner in the hypervisor. Though load, network hardware, hypervisor hardware, virtualized hardware, and other environmental factors can provide acceptable performance, we discourage the use of VM scanners if your expectation is turn-key equivalence to physical scanners.
    - The number of scan requests and their complexity can lead to a heavy load.
    - CPU, disk access, and network bandwidth resource contention between VM scanners can also cause heavy load.
- ICAP-specific virtualization factors
  - Upon receipt of a scan request from an ICAP storage appliance, the ICAP storage appliance must send the entire file to the scanner before scanning begins. So, ICAP storage appliances require more effective use of network bandwidth.
  - Performance is negatively impacted with VM scanners that have ICAP storage appliances, more than with RPC storage appliances.
- RPC-specific virtualization factors
  - Upon receipt of a scan request from an RPC storage appliance, ENSSP requests only parts of the actual file that the scanner engine needs to examine. This action can help mitigate performance latency issues associated with VM scanners.
  - Physical scanners can expect 1–5 ms average scan request fulfillment times. This time is within expected parameters.
  - VM scanners with dedicated physical NICs in an unburdened hypervisor might experience up to 5 ms or more average scan request fulfillment times. If this fulfillment time occurs, it might indicate that more resources are needed.
  - VM scanners with virtualized NICs on an unburdened hypervisor might experience up to 7 ms or more average scan request fulfillment times. If this fulfillment time occurs, it might indicate that more resources are needed.
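
A sizing sketch that combines the two scanner-count formulas, the VM displacement multipliers, and the fulfillment-time figures from this article. It is an added example, not vendor code. The function names, rounding fractional scanners up, and treating the latency figures as review thresholds are assumptions.

```python
import math

# Multipliers from the article: VM scanners needed per displaced physical scanner.
VM_FACTOR = {"dedicated_nic": 1.5, "virtual_nic": 2.0}

# Average fulfillment times (ms) from the article. Assumption: physical scanners
# are flagged above the 1-5 ms expected range; VM scanners are flagged at or
# above the figure the article associates with needing more resources.
LATENCY_LIMIT_MS = {"physical": 5.0, "dedicated_nic": 5.0, "virtual_nic": 7.0}


def plan_scanners(requestors, displaced_dedicated=0, displaced_virtual=0,
                  best_practice=True):
    """Return scanner counts for a given number of requestors.

    displaced_* = physical scanners from the baseline that are replaced by VM
    scanners with a dedicated hardware NIC or a virtualized NIC.
    """
    if requestors < 1:
        raise ValueError("at least one requestor is required")
    # Best practice: 2 x Requestors. Absolute minimum (lab): Requestors + 1.
    baseline = 2 * requestors if best_practice else requestors + 1
    displaced = displaced_dedicated + displaced_virtual
    if min(displaced_dedicated, displaced_virtual) < 0 or displaced > baseline:
        raise ValueError("displaced scanners must be between 0 and the baseline")
    # Round up: a fractional scanner cannot be deployed (assumption).
    vm_dedicated = math.ceil(displaced_dedicated * VM_FACTOR["dedicated_nic"])
    vm_virtual = math.ceil(displaced_virtual * VM_FACTOR["virtual_nic"])
    physical = baseline - displaced
    return {
        "baseline": baseline,
        "physical": physical,
        "vm_dedicated_nic": vm_dedicated,
        "vm_virtual_nic": vm_virtual,
        "total": physical + vm_dedicated + vm_virtual,
    }


def needs_review(kind, avg_ms):
    """True when an observed average fulfillment time suggests more resources."""
    limit = LATENCY_LIMIT_MS[kind]
    return avg_ms > limit if kind == "physical" else avg_ms >= limit


if __name__ == "__main__":
    # Constructed scenario: 4 requestors, 3 + 2 physical scanners moved to VMs.
    print(plan_scanners(4, displaced_dedicated=3, displaced_virtual=2))
    print(needs_review("virtual_nic", 7.4))
```

The counts are a floor derived from the formulas; observed peak load still determines the final number.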