Deploying Trust Protection Platform for SSH

Summary:

The deployment scheme of Trust Protection Platform for SSH depends on the number of keys, devices and agents in your infrastructure. While a small number of keys and devices may require just 1 TPP server, large setups need an appropriate number of platforms, configured properly, to perform efficiently.

The general advice is as follows:

  • Consuming agent input is expensive. For that reason, the overall number of TPPs with VEDClient installed depends on the number of agents and their check-in interval. The recommendation is at least 1 VEDClient pool per 1000 agents checking in for remediation every 15 minutes and for discovery every 1 hour. If the intervals can be made longer, the number of agents handled by a single VEDClient can be increased linearly; for example, if the remediation schedule is 1/hour and the check-in and discovery schedule is 1/day, a VEDClient can handle 4000 agents.
  • Under high agent load, it is recommended not to run any other applications or services on the same platform.
  • Agentless needs can be extrapolated from the baseline of 1000 devices per processor core for 1/day discovery. So 2 SSH Managers with 4 cores each will scan 8000 devices per day. Hourly discovery for the same number of devices will require 24x the number of cores, e.g. 12 SSH Managers with 16 cores each.
  • For best performance, it is recommended to separate user-facing applications (WebSDK, Aperture, VEDAdmin) from background applications and services (such as VPlatform and SSHManager) in the setup.
  • Managing certificates as well increases the number of platforms needed for background services.

More Info:

Example:

5000 agents will be checking in to the system with both TLS certificates and SSH keys. Business needs allow a 1 hour remediation interval and a daily discovery/check-in interval.

The minimal setup is 5 TPP engines:

  • 2 for VEDClient (they will handle roughly 5500 connections per hour)
  • 2 for VPlatform, Certificate Manager, SSH Manager and other background services (they will operate on key and certificate data)
  • 1 for WebSDK and Aperture UI (not many users are expected to use the system concurrently).
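As an added illustration, not part of the original article, the sizing rules from the bullets above and the worked example are encoded as a small Python calculator. It assumes that VEDClient capacity scales with agent check-ins per hour, taking the article's baseline pool (1000 agents, 15-minute remediation, hourly discovery) as 5000 check-ins per hour, and that each remediation or discovery check-in is one connection. The background and UI engine counts are plain inputs, since the article gives no formula for them. Exact rational arithmetic is used so the rounding rules are deterministic.

```python
import math
from fractions import Fraction

# Baseline stated in the article: one VEDClient pool per 1000 agents that
# check in for remediation every 15 minutes and for discovery every hour.
BASE_AGENTS = 1000
BASE_REMEDIATION_MIN = 15
BASE_DISCOVERY_MIN = 60
# Assumption: capacity is expressed as agent connections per hour, so the
# baseline pool absorbs 1000 * (4 + 1) = 5000 connections per hour.
POOL_CONNECTIONS_PER_HOUR = BASE_AGENTS * (
    Fraction(60, BASE_REMEDIATION_MIN) + Fraction(60, BASE_DISCOVERY_MIN)
)

# Agentless baseline from the article: 1000 devices per core for daily discovery.
DEVICES_PER_CORE_PER_DAY = 1000


def connections_per_hour(agents, remediation_min, discovery_min):
    """Agent check-ins per hour for the given schedules (minutes between runs).
    Each remediation or discovery check-in counts as one connection (assumption)."""
    per_agent = Fraction(60, remediation_min) + Fraction(60, discovery_min)
    return agents * per_agent


def vedclient_engines(agents, remediation_min, discovery_min):
    """Number of VEDClient engines (pools) needed, never fewer than one."""
    load = connections_per_hour(agents, remediation_min, discovery_min)
    return max(1, math.ceil(load / POOL_CONNECTIONS_PER_HOUR))


def max_agents_per_pool(remediation_min, discovery_min):
    """Largest agent population one pool can serve at these intervals
    under the linear scaling the article describes."""
    per_agent = Fraction(60, remediation_min) + Fraction(60, discovery_min)
    return int(POOL_CONNECTIONS_PER_HOUR // per_agent)


def agentless_cores(devices, discoveries_per_day):
    """Processor cores needed for agentless discovery of `devices` hosts."""
    return math.ceil(Fraction(devices * discoveries_per_day, DEVICES_PER_CORE_PER_DAY))


def ssh_managers(devices, discoveries_per_day, cores_per_manager):
    """SSH Manager engines needed when each engine has `cores_per_manager` cores."""
    return math.ceil(Fraction(agentless_cores(devices, discoveries_per_day), cores_per_manager))


def plan(agents, remediation_min, discovery_min, background_engines=2, ui_engines=1):
    """Engine counts for a deployment. Background and UI counts follow the
    article's separation advice and are inputs here, not computed."""
    ved = vedclient_engines(agents, remediation_min, discovery_min)
    return {
        "vedclient": ved,
        "background": background_engines,
        "ui": ui_engines,
        "total": ved + background_engines + ui_engines,
        "agent_connections_per_hour": round(
            connections_per_hour(agents, remediation_min, discovery_min)
        ),
    }


if __name__ == "__main__":
    # The article's worked example: 5000 agents, hourly remediation, daily discovery.
    print(plan(5000, 60, 24 * 60))
    print("agentless daily, 8000 devices:", ssh_managers(8000, 1, 4), "SSH Managers x 4 cores")
    print("agentless hourly, 8000 devices:", ssh_managers(8000, 24, 16), "SSH Managers x 16 cores")
```

For the 1/hour remediation and 1/day discovery case in the bullets, the linear model yields 4800 agents per pool; the article quotes 4000, so treat the page's figure as the conservative planning number. The example's 5000 agents come out at about 5200 connections per hour, which the article rounds to roughly 5500, and both figures need 2 VEDClient engines.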
