Tiered Deployments

Related Reading: Tiered Remote Repositories in the Tenable Security Center User Guide and Hardware Requirements in the General Requirements Guide

A tiered remote repository configuration uses remote repositories to share data between multiple Tenable Security Center instances.

  • For environments that support more than 100,000 hosts or multiple Tenable Security Center consoles, Tenable recommends Tenable Security Center Director to provide additional operational insight to your Tenable environment.

  • If you plan to support 100,000-249,999 hosts, Tenable recommends a tiered remote repository configuration.
  • If you plan to support 250,000 or more hosts, Tenable requires a tiered remote repository configuration.

Tiered Tenable Security Center instances perform informal roles in your overall Tenable Security Center deployment. Tenable recommends at least one designated reporting Tenable Security Center and an additional Tenable Security Center instance for every 100,000 to 150,000 hosts on your network.

  • A scanning tier Tenable Security Center optimizes scanning by managing scan jobs across your attached scanners. Scanning tier Tenable Security Center instances prioritize efficient collection of scan data.
  • A reporting tier Tenable Security Center optimizes dashboards and reporting by centralizing the data collected by scanning tier Tenable Security Center instances. Tenable Security Center Director can serve as a reporting tier, bringing in data from scanning tiers as remote repositories and providing insight to operational activities such as active scan jobs, plugin updates, and scanner configurations.

Note: Your scanning tier and reporting tier Tenable Security Center instances must be running the same Tenable Security Center version.

Without a tiered remote repository configuration, enterprise-scale scanning and analysis may cause performance issues on a single Tenable Security Center. Tiered remote repositories optimize your analysis and report generation without negatively impacting scanning performance.

Tip: While you could connect two Tenable Security Center instances as offline repositories, offline repositories do not establish a true connection between the instances. All data must be transferred manually between offline repositories.

Connect Tiers Using Repositories

Connect your scanning tiers to your reporting tiers as read-only repositories in your reporting tier Tenable Security Center deployments.

To configure a tiered remote repository deployment:

  1. On the scanning tier Tenable Security Center instance, create one or more repositories for storing scan result data.

    Note: To view trend data for scanning tier Tenable Security Center instances on your reporting tier Tenable Security Center instance, enable the Generate Trend Data option for each repository on your scanning tier Tenable Security Center instances. For more information, see Agent Repositories and IPv4/IPv6 Repositories.

  2. On the scanning tier Tenable Security Center instance, run scans to populate the repositories with data.
  3. On the reporting tier Tenable Security Center instance, create a remote repository for each repository on your scanning tier Tenable Security Center instance.

    The reporting tier Tenable Security Center syncs scan result data from the scanning tier Tenable Security Center repositories.

By default, remote repositories synchronize daily. You can use the Tenable Security Center API to initiate more frequent data refreshes.

Version and Upgrade Considerations

Your scanning tier and reporting tier Tenable Security Center instances must be running the same Tenable Security Center version. When upgrading to a new version of Tenable Security Center, update your reporting tier instance before your scanning tier instances.

Hardware Considerations

For optimal performance, customize the hardware on your scanning tier and reporting tier instances.

Scanning Tier Instance Reporting Tier Instance

Scanning tier instances benefit from:

  • High CPU speeds

  • High disk I/O speeds

Consider adding additional CPU and disk I/O resources to support your active scanning and sensor management.

Reporting tier instances benefit from:

  • High capacity, high-speed RAM

  • High capacity disk space

Consider adding additional RAM and disk space to support your reporting, user management, and data queries.

Tenable recommends 128 GB of RAM for every 100,000 active IP addresses (for example, for 150,000 IP addresses, allocate 192 GB of RAM).

For more information, see Performance.

Plan User Access Control

Consider the following account structure when granting users access to match the purpose of your scanning tier and reporting tier instances.

Scanning Tier Instance

Reporting Tier Instance

Create accounts for:

  • Technical users who need to configure administrative settings on the instance.

  • Technical users who need to configure and run scans.

Create accounts for:

  • Technical users who need to manage your repositories and tiered configuration.

  • Business users who need a centralized view of cumulative and trend data for reporting.

  • Technical users who need a centralized view of cumulative and trend data for vulnerability analysis.