Installation Requirements
Sandfly uses a server to manage the user interface and database. Scanning nodes make the actual connections to remote systems to hunt for intruders on your network.
In order to get the best performance, we recommend the following.
Server Requirements
The server runs Docker containers for the user interface and PostgreSQL database. The containers have been tested on many Linux distributions and work as long as the distribution can run the latest version of Docker or Podman on an amd64 architecture.
We recommend using a system with at least 4GB of RAM and two or more CPU cores dedicated to it. An SSD is recommended for the best performance.
If you are running a very large number of systems, you will need to scale these figures up appropriately.
A server that is under-powered will have database timeout issues. If the User Interface is taking a long time to load data, then you have too few resources and need to upgrade the RAM and CPU cores.
IMPORTANT: Latest Version of Docker Required
Regardless of which version of Linux you use to run the Server and Node, they must be running the latest version of Docker. Some Linux distributions have very old versions of Docker in their package repositories. Please use the Sandfly Docker install scripts to be sure you are running the latest version of Docker and not an out-of-date version.
Node Requirements
The scanning nodes are Docker containers that are multi-threaded. You can run multiple node containers on a single system instance.
The node containers have been tested on many Linux distributions and work as long as the distribution can run the latest version of Docker or Podman on an amd64 architecture.
For best performance we recommend your system instances have at least 4GB of RAM.
Under the above configuration you can run 4 scanning node containers. Each scanning node container has 500 threads running. Therefore, running 4 node containers will give you 2000 scanning threads available to monitor hosts in your enterprise.
Of course, you can increase RAM even more to add more scanning node containers, or you can start a second virtual machine instance and run nodes there for even more redundancy in case one of them goes offline for whatever reason.
The nodes communicate with the server to automatically handle connections and load management. As long as the node containers can see the server then they will organize themselves correctly regardless of where they are running.
For further details on scaling, especially for larger deployments, please refer to the Sandfly Scaling Guide.
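A preflight check for the host requirements above, written as an added example; it is not a Sandfly script and does not replace the Sandfly Docker install scripts. The function names and the 3.5 GiB tolerance for a nominal 4GB machine are assumptions.

```shell
#!/bin/sh
# Added example, not a Sandfly script: preflight check for a server or node host.
MIN_CORES=2          # server recommendation: two or more CPU cores
# A nominal 4GB machine reports less in MemTotal (kernel/firmware reservations),
# so 3.5 GiB is accepted as "4GB". This tolerance is an assumption; adjust it.
MIN_MEM_KB=3670016

# arch_ok ARCH: `uname -m` reports amd64 as x86_64
arch_ok() {
    case "$1" in x86_64|amd64) return 0 ;; *) return 1 ;; esac
}

# mem_kb FILE: print MemTotal (kB) from a /proc/meminfo-format file; fail if absent
mem_kb() {
    awk '$1 == "MemTotal:" { print $2; found = 1 } END { exit !found }' "$1"
}

mem_ok() {
    kb=$(mem_kb "$1") || return 1
    [ "$kb" -ge "$MIN_MEM_KB" ]
}

cores_ok() { [ "$1" -ge "$MIN_CORES" ]; }

# runtime_found: print the first container runtime found on PATH
runtime_found() {
    for rt in docker podman; do
        if command -v "$rt" >/dev/null 2>&1; then echo "$rt"; return 0; fi
    done
    return 1
}

preflight() {
    rc=0
    arch_ok "$(uname -m)" || { echo "FAIL: architecture $(uname -m), need amd64"; rc=1; }
    mem_ok /proc/meminfo || { echo "FAIL: less than 4GB RAM"; rc=1; }
    cores_ok "$(nproc)" || { echo "FAIL: fewer than $MIN_CORES CPU cores"; rc=1; }
    if rt=$(runtime_found); then
        # Only reports the version; whether it is the latest must be checked separately.
        echo "INFO: $rt found: $("$rt" --version 2>/dev/null)"
    else
        echo "FAIL: neither docker nor podman found on PATH"; rc=1
    fi
    return "$rc"
}

# Run the checks only when asked, so the file can also be sourced.
case "${1:-}" in --run) preflight ;; esac
```

Saved under a name of your choice and run with `--run` on the host, it exits non-zero when at least one requirement is not met.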