Configuring maximum performance in an enterprise environment
This section provides system configuration tips and best practices to help ensure optimal performance of the Security Console in an enterprise-scale deployment. However, smaller environments may still benefit from some of these recommendations, particularly the sections on tuning the database and disaster recovery.
About the Security Console host
The Security Console is the base of operations in a deployment. It manages Scan Engines and creates a repository of information about each scan, each discovered asset, and each discovered vulnerability in its database. With each ensuing scan, the Security Console updates the repository while maintaining all historical data about scans, assets, and vulnerabilities. The Security Console hosts the web-based interface for configuring and operating the application, managing sites and scans, generating reports, and administering users.
The Security Console is designed to meet the scaling demands of an enterprise-level deployment. One Security Console can handle hundreds of Scan Engines, thousands of assets, and any number of reports as long as it is running on sufficient hardware resources and is configured correctly.
In an enterprise environment, the Security Console’s most resource-intensive activities are processing, storing, and displaying scan data.
For information on resources needed at different scales, see Planning for capacity requirements.
Selecting an Operating System to host the Security Console
The Security Console is available in Linux and Windows versions that can be installed on your organization’s hardware running a supported operating system. Rapid7 recommends installing the Security Console on a supported Linux operating system for large enterprise deployments due to enhanced performance and scalability.
For officially supported system requirements, see the InsightVM System Requirements page.
Configuring an optimal RAID array
Rapid7 recommends deploying the Security Console on a high performance RAID array.
Rapid7 recommends arranging multiple disks in a configuration of striped mirrors, also known as a RAID 1+0 or RAID 10 array. This provides better random disk I/O performance without sacrifice to redundancy. The Security Console and PostgreSQL should be installed on this RAID 10 array. The operating system, which should generate very little disk I/O, may also share this array.
For reference, Rapid7 appliances use a single RAID 10 configuration spanning 8 or 16 disks. This configuration provides the storage performance necessary for the Security Console and the OS. While the Security Console will benefit from SSDs, they are not required.
Rapid7 recommends the Security Console be installed on a separate partition from the operating system.
Tuning the PostgreSQL database
To ensure the PostgreSQL database is tuned correctly, create a Rapid7 support case to schedule a review of your console tuning settings.
When you contact Rapid7 support, have the following information ready:
- Total Memory
- Drive type: HDD, SSD, or SAN
During tuning, the console must be temporarily taken offline. After turning, the console restart will apply changes.
Maintaining the database
Given the volume of data the application generates, it is highly recommended to perform regularly scheduled backups. During a database backup, the Security Console enters maintenance mode and cannot run scans. Planning a deployment involves coordinating backup periods with scan windows. The time needed for backing up the database depends on the amount of data and may take several hours to complete.
For information on performing database backups and maintenance, see Database backup/restore and data retention.
PostgreSQL also has an autovacuum feature that works in the background performing several necessary database maintenance chores. It is enabled by default and should remain enabled.
Disaster recovery considerations
As previously mentioned, one Security Console is sufficient for handling all activities at the enterprise level. However, an additional, standby Security Console may be warranted for your organization’s disaster recovery plan for critical systems. If a disaster recovery plan goes into effect, this “cold standby” Security Console would require one database-restore routine in order to contain the most current data.
Disaster recovery may not warrant doubling the fleet of Scan Engines in the data center. Instead, a recovery plan could indicate having a number of spares on hand to perform a minimal requirement of scans—for example, on a weekly basis instead of daily—until production conditions return to normal. For example, if your organization has 10 Scan Engines in the data center, an additional 5 may suffice as temporary backup. Having a number of additional Scan Engines is also helpful for handling occasional scan spikes required by events such as monthly Microsoft patch verification.
Using anti-virus software on the server
Anti-virus programs may sometimes impact critical operations that are dependent on network communication, such as downloading updates and scanning. Blocking the latter may cause degraded scan accuracy. If you are running anti-virus software on your intended host, configure the software to allow the application to receive the files and data that it needs for optimal performance in support your security goals:
- Add the application update server, updates.rapid7.com, to a whitelist, so that the application can receive updates.
- Add the application installation directory to a whitelist to prevent the anti-virus program from deleting vulnerability- and exploit-related files in this directory that it would otherwise regard as “malicious.”
Consult your anti-virus vendor for more information on configuring the software to work with the application.
The Nexpose installer auto-tunes the console upon its first start up after installation.
Minimum Memory Size
Your console must have a minimum of 16GB of memory.
If you already have the security console installed, you can run the command below from the administration > run security console commands to tune the security console.
|Tune Assistant Calculate
|Gives a breakdown of the tuning that will be applied.
|Tune Assistant Apply
|Applies the specified tuning.