System and License Requirements
To install and run Tenable Core + Tenable OT Security or Tenable OT Security Sensor, your application and system must meet the following requirements.
Tip: Tenable OT Security offers turnkey appliances that ship directly that come pre-imaged. This option is much easier to use and deploy, with a faster time to value. However, you can also source your own hardware and apply our ISO image to it. If you supply your own or choose to use ours, please refer to our Tenable OT hardware specs as a guideline or best practice. All components of Tenable OT Security, the ICP EM and Sensor can be ran on any hardware that meets the specs.
Note: Tenable does not recommend deploying multiple applications on a single instance of Tenable Core. If you want to deploy several applications on Tenable Core, deploy a unique instance for each application.
Note: Tenable Support does not assist with issues related to your host operating system, even if you encounter them during installation or deployment.
| Environment | Tenable Core File Format | More Information | |
|---|---|---|---|
| Virtual Machine | VMware | .ova file | |
| Microsoft Hyper-V | .zip file | ||
|
|
.iso image | ||
Note: While you could use the packages to run Tenable Core in other environments, Tenable does not provide documentation for those procedures.
OT Security Hardware Requirements
For more information about hardware requirements specifically for OT Security or Tenable OT Security Sensor, see Tenable OT Security Hardware Specifications in the General Requirements Guide.
OT Security Virtual Hardware Requirements
Enterprise networks can vary in performance, capacity, protocols, and overall activity. Resource requirements to consider for deployments include raw network speed, the size of the network to monitor, and the configuration of the application.
The following chart outlines basic guidelines for operating Tenable Core + Tenable OT Security in a virtual environment.
Tenable Core + Tenable OT Security requires CPUs with AVX and AVX2 (for example, Intel Haswell or newer).
| Installation Scenario | CPU Cores | Memory | Disk Space |
|---|---|---|---|
| Virtual Machine | 8 cores | 16 GB RAM | 200 GB |
Tenable recommends installing OT Security on direct-attached storage (DAS) devices, preferably solid-state drives (SSD), for best performance. Tenable strongly encourages the use of solid-state storage (SSS) that have a high drive-writes-per-day (DWPD) rating to ensure longevity.
Tenable does not support installing OT Security on network-attached storage (NAS) devices. Storage area networks (SAN) with a storage latency of 10 milliseconds or less, or Tenable hardware appliances, are a good alternative in such cases.
Enterprise networks can vary in performance, capacity, protocols, and overall activity. Resource requirements to consider for deployments include raw network speed, the size of the network to monitor, and the configuration of the application. Processors, memory, and network card selection are heavily based on these deployment configurations. Disk space requirements vary depending on usage based on the amount of data, and length of time, you store data on the system.
Note: OT Security needs to be able to perform full packet captures of monitored traffic1, and the size of the policy event data stored by OT Security depends on the number of devices and the type of environment.
ICP System Requirement Guidelines (Virtual or Tenable Core)
| Maximum SPAN/TAP Throughput (Mbps) | CPU Cores2 | Memory (DDR4) | Storage Requirements | Network Interfaces |
|---|---|---|---|---|
| 50 Mbps or less | 4 | 16 GB RAM | 128 GB | Minimum 4 x 1 Gbps |
| 50-150 Mbps | 16 | 32 GB RAM | 512 GB | Minimum 4 x 1 Gbps |
| 150-300 Mbps | 32 | 64 GB RAM | 1 TB | Minimum 4 x 1 Gbps |
| 300 Mbps to 1 GB | 32-64 | 128 GB RAM or more | 2 TB or more | Minimum 4 x 1 Gbps |
OT Security uses the following mounted partitions:
| Partition | Content |
|---|---|
| / | operating system |
| /opt | application and database files |
| /var/pcap | packet captures (full packet capture, event, query) |
The standard install process places these partitions on the same disk. Tenable recommends moving these to partitions on separate disks to increase throughput. OT Security is a disk-intensive application and using disks with high read/write speeds, such as SSDs, results in the best performance. Tenable recommends using an SSD with high DWPD ratings on customer-supplied hardware installations when using the packet capture feature in OT Security.
Tip: Deploying OT Security on a hardware platform configured with a redundant array of independent disks (RAID 0) can dramatically boost performance.
Tip: Tenable does not require RAID disks for even our largest customers. However, in one instance, response times for queries with a faster RAID disk for a customer with more than one million managed vulnerabilities moved from a few seconds to less than a second.
Network Interface Requirements
You must have two (or more) network interfaces present on your device before installing OT Security. Tenable recommends the use of gigabit interfaces. The VMWare OVA creates these interfaces automatically. Create these interfaces manually when you are installing the ISO (such as Hyper-V).
Note: Tenable does not provide SR-IOV support for the use of 10 G network cards and does not guarantee 10 G speeds with the use of 10 G network cards.
-
Tenable OT Security requires only one NIC for EM.
-
Tenable OT Security requires a minimum of two NICs for the ICP and Sensors.
-
Tenable OT Security requires static IP addresses to be used for ICP/EM/Sensors.
-
Both the sensor and ICP can be configured to monitor multiple SPAN interfaces.
nic0 (192.168.1.5) and nic3 (192.168.3.3) have static IP addresses when you install Tenable Core + Tenable OT Security in a hardware, or virtual, environment. Other network interface controllers (NICs) use DHCP.
nic3 (192.168.3.3) has a static IP address when you deploy Tenable Core + Tenable OT Security on VMware. Other NICs use DHCP. Confirm that the Tenable Core nic1 MAC address matches the NIC MAC address in your VMware passive scanning configuration. Modify your VMware configuration to match your Tenable Core MAC address if necessary.
For more information, see Manually Configure a Static IP Address, Manage System Networking, and the VMware Documentation.