Expanding Deployments to Add More Capacity
Your business might create or expand a deployment beyond a JSA All-in-One appliance because of a lack of processing or data storage capacity, or because you have specific data collection requirements.
The topology and composition of your JSA deployment are influenced by the capability and capacity of that deployment to collect, process, and store all the data that you want to analyze in your network.
To get rough estimates of the events per second (EPS) or flows per minute (FPM) that your deployment needs to process, use the size of the logs that you collect from firewalls, proxy servers, and Windows hosts.
Reasons to Add Event or Flow Processors to an All-in-One Deployment
You might need to add flow or event collectors to your deployment under these conditions:
Your data collection requirements exceed the collection capability of the All-in-One appliance.
You must collect events and flows in a different location than where your All-in-One appliance is installed.
You are monitoring larger or higher-rate packet-based flow sources that are faster than the 50 Mbps connection on the All-in-One.
An All-in-One appliance can collect up to 15,000 events per second (EPS) and 300,000 flows per minute (FPM). If your collection requirements are greater, you might want to add event collectors and flow processors to your deployment.
An All-in-One appliance processes the events and flows that it collects. By adding event collectors and flow processors, you offload collection and leave the processing capacity of the All-in-One appliance free for searches and other security tasks.
Packet-based flow sources require a flow processor that is connected either to a Flow Processor appliance or, in deployments that have no Flow Processor appliance, to an All-in-One appliance. External flow sources, such as NetFlow or IPFIX, can be collected directly on a Flow Processor or All-in-One appliance.
Adding Remote Collectors to a Deployment
Add JSA event collectors or JSA flow processors to expand a deployment when you need to collect more events locally and to collect events and flows from a remote location.
For example, you are a manufacturing company that has a JSA All-in-One deployment, and you add an e-commerce platform and a remote sales office. You must now monitor for security threats and are also now subject to PCI audits.
You hire more employees, and Internet usage changes from mostly downloading to two-way traffic between your employees and the Internet. Here are the details of your company's situation:
The current events per second (EPS) license is 1000 EPS.
You want to collect events and flows at the sales office and events from the e-commerce platform.
Event collection from the e-commerce platform requires up to 2000 events per second (EPS).
Event collection from the remote sales office requires up to 2000 events per second (EPS).
The flows per minute (FPM) license is sufficient to collect flows at the remote office.
You take the following actions:
You add the e-commerce platform at your head office, and then you open a remote sales office.
You install an Event Collector and a flow processor at the remote sales office; they send data over the Internet to the All-in-One appliance at your head office.
You upgrade your EPS license from 1000 EPS to 5000 EPS to meet the requirements for the extra events that are collected at the remote office.
The following diagram shows an example deployment in which an Event Collector and a flow processor are added at a remote office.
In this deployment, the following processes occur:
At your remote office, the Event Collector collects data from log sources and the flow processor collects data from routers and switches. The collectors coalesce and normalize the data.
The collectors compress and send data to the All-in-One appliance over the wide area network.
The All-in-One appliance processes and stores the data.
Your company monitors network activity by using the JSA web application for searches, analysis, reporting, and for managing alerts and offenses.
The All-in-One appliance also collects and processes events from the local network.
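The sizing decisions in the scenario above (estimating EPS from log volume, comparing the total against the EPS license and the 15,000 EPS / 300,000 FPM All-in-One limits, and spotting sources that sit at a remote site) can be checked with a small planning script. The following is an added example, not Juniper code; the average event size, peak factor and the FPM figures are assumptions, and the scenario inputs are constructed to mirror the manufacturing-company example.

```python
"""Rough EPS/FPM capacity check for a JSA deployment (added example, not Juniper code)."""
import math
from dataclasses import dataclass
from typing import Optional

# Per-appliance limits quoted on this page for an All-in-One appliance.
ALL_IN_ONE_MAX_EPS = 15_000
ALL_IN_ONE_MAX_FPM = 300_000
SECONDS_PER_DAY = 86_400


@dataclass
class Source:
    name: str
    site: str                          # "local" (head office) or a remote-office name
    peak_eps: Optional[float] = None   # use when the rate is known (e.g. "up to 2000 EPS")
    daily_log_bytes: int = 0           # otherwise estimate from the collected log volume
    avg_event_bytes: int = 300         # assumed average event size; measure it on your own logs
    peak_factor: float = 1.0           # assumed peak-to-average ratio; licences are enforced at peak

    def estimated_eps(self) -> float:
        if self.peak_eps is not None:
            return self.peak_eps
        # bytes per day -> events per day -> events per second, scaled to the expected peak
        return self.daily_log_bytes / self.avg_event_bytes / SECONDS_PER_DAY * self.peak_factor


def plan(sources, licensed_eps, licensed_fpm, required_fpm=0):
    """Compare the estimated load with the licence and with the All-in-One limits."""
    total_eps = sum(s.estimated_eps() for s in sources)
    remote_sites = sorted({s.site for s in sources if s.site != "local"})
    return {
        "estimated_eps": round(total_eps),
        "eps_license_ok": total_eps <= licensed_eps,
        "required_license_eps": math.ceil(total_eps),
        "fpm_license_ok": required_fpm <= licensed_fpm,
        # Beyond these limits a bigger licence does not help: the All-in-One itself is the
        # bottleneck, so collection must be spread over Event Collectors / flow processors.
        "exceeds_all_in_one": total_eps > ALL_IN_ONE_MAX_EPS or required_fpm > ALL_IN_ONE_MAX_FPM,
        # Sources at another site need a collector there that forwards over the WAN.
        "remote_sites_needing_collector": remote_sites,
    }


# Constructed inputs mirroring the manufacturing-company scenario on this page.
SCENARIO = [
    Source("existing head-office log sources", "local", peak_eps=1000),
    Source("e-commerce platform", "local", peak_eps=2000),
    Source("sales-office log sources", "sales-office", peak_eps=2000),
]

if __name__ == "__main__":
    # Current 1000 EPS licence: the report shows a 5000 EPS requirement and a remote site.
    print(plan(SCENARIO, licensed_eps=1000, licensed_fpm=300_000, required_fpm=200_000))
```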