GUIDE

McAfee DLP Prevent v10.0.202

Sizing Guide—DLP 6600

1 McAfee DLP Prevent v10.0.202 Sizing Guide—DLP 6600

 Table of Contents

3 Introduction
3 Test Methodology
4 SMTP
4 ICAP
4 Hardware Tested
4 Test Results
6 Cluster
7 Sizing Calculator
7 Protocol Options
8 Notes
9 About McAfee

2 McAfee DLP Prevent v10.0.202 Sizing Guide—DLP 6600 CONFIDENTIAL For Internal and Partner use only.
 GUIDE

McAfee DLP Prevent v10.0.202

Sizing Guide—DLP 6600

Introduction incidents and events to the ePO server. The evidence

The aim of this document is to help customers files were copied to the local CIFS server during the
determine the correct size and quantity of McAfee® execution of the test. The test load was generated using
Data Loss Prevention Prevent (McAfee DLP Prevent) a load generator capable of generating high volume of
appliances to meet their requirements. This document is transactions with various file types as attachments. The
intended to be used as a companion to the DLP Prevent distribution of common file types used in the tests is
Sizing Calculator. shown in Chart 1. The test corpus was created such that
the rule match % was 5 for all of the tests.
McAfee DLP identifies and protects data within your
network. McAfee DLP helps you understand the types Test Corpus File Type Distribution
of data on your network, how the data is accessed
and transmitted, and if the data contains sensitive or 1%
3%
10% PPT
confidential information. McAfee DLP Prevent integrates 20%
DOCX
with an MTA server or web proxy to monitor email and XLS
14%
web traffic and prevent potential data loss incidents. DOC
PDF
19%
Test Methodology JPG
15% ZIP
The process of determining capacity figures for a
XLSX
particular appliance involves treating an appliance as 18%

a SUT (System Under Test), effectively turning it into a

“black box” model. Figure 1. Test corpus distribution

The test environment consists of a load generator,

a McAfee ePO server and the SUT. The SUT was The performance tests simulate real world messaging
configured with either SMTP or ICAP rules using and web environments. Results of the tests should allow
dictionaries containing 15k terms (terms include most customers to accurately predict the performance Connect With Us

keywords and regexes). It was configured to send all that they would see in their environment.

3 McAfee DLP Prevent v10.0.202 Sizing Guide—DLP 6600 CONFIDENTIAL For Internal and Partner use only.
 GUIDE

The method used to determine the capacity of an customer. The number of appliances necessary to
appliance (SUT) was as follows: sustain the level of service required will be based on the
information obtained from the customer.
SMTP
The load generator starts sending emails with the files The appliances are run for many days, with a load just
in the test corpus as a MIME attachment to the SUT. below the tipping point to ensure that the throughput
If an SUT is responsive to new emails, with no backlog is maintainable with no degradation in performance
built up and without errors, then the number of inbound overtime.
connections to the appliance is increased along with the
Hardware Tested
number of emails. Once emails start building up on the
appliance or sending email server, pending delivery, the CPU Memory Disk
DLP 6600 Intel® Xeon® CPU E5-2620 v4 @ 32 GB 2 x 600 GB
load is reduced, until the load can be maintained with no 2.00GHz
backlog, delay to emails or other undesired symptoms. ESX 5.1 4v CPU running on Intel® Xeon® 12 GB 300 GB
This tipping point is then used to derive the throughput CPU E5-2620 0 @ 2.00GHz
each appliance model can handle. Table 1. Hardware tested

ICAP
Test Results
The load generator starts sending ICAP REQMOD
requests encapsulating the files in the test corpus as The following tests were conducted to obtain the
a MIME attachment inside a HTTP POST message to performance figures:
the SUT. If a SUT is responsive and without errors, then 1. Average attachment size of 50k, 100k, 500k, 1M with
the number of inbound connections along with the 15k terms, where the performance figure for “average
number of requests to the appliance is increased. Once attachment size of 100k and 15k terms” was used as a
the appliance becomes less responsive to the inbound baseline to calculate the performance impact.
requests, the load is reduced until the load can be
2. TLS with average attachment size of 100k and 15k terms
maintained with reasonable responsiveness and no other
undesired symptoms. This tipping point is then used to 3. RegDoc with average attachment size of 100k and 15k
derive the throughput each appliance model can handle. terms where RegDoc database was populated with
1k signatures, 10k signatures, 100k signatures and 1
When a solution needs to be sized, McAfee will obtain million signatures
(or estimate, if agreed) these metrics and any associated
4. Virtual machine with average attachment size of 100k
growth prediction, redundancy models etc. from a
and 15k terms

4 McAfee DLP Prevent v10.0.202 Sizing Guide—DLP 6600 CONFIDENTIAL For Internal and Partner use only.
 GUIDE

Performance figures quoted in this document were Avg. Sample Size Performance Impact

measured with the SUT running at 60% capacity. McAfee 400

350
recommends the customers choose their estate so that

Transactions/sec
300
the appliances run around 60% of their total capacity for 250
200
smooth performance.
150
100
Baseline performance figures were obtained using 15k 50
terms and the average attachment size of 100KB. The 0
0 100 200 300 400 500 600 700 800 900 1,000
table below shows the performance figures for various
Average Sample Size in KB
supported hardware at 60% of maximum load.
SMTP ICAP

SMTP emails/sec ICAP requests/sec Figure 2. Graph showing the impact of Sample Size on performance.

DLP Version 9.3 10.0.202 9.3 10.0.202

DLP 6600 12 205 93 296 We have found that average latency is proportional to
VM 4vCPU N/A 30 N/A 50 the size of the request/email. For example, there will
Table 2. Baseline performance figures on different hardware. 100KB be a significant increase in latency to process a 1 MB
sample size and 15k terms. payload in comparison to processing a 50K payload.

Our test results show that the performance of the Chart 3 shows the impact of configuring different
appliance is influenced significantly by the average size numbers of terms on a DLP Prevent appliance. There is a
of the payload sent to the appliance and the number gradual performance impact on SMTP, where increasing
of terms (dictionary keywords and regexes) configured the number of terms in use will have a proportional
on the appliance. Both protocols, ICAP and SMTP, impact on performance. ICAP is significantly faster with
display similar performance impacts over the range of smaller numbers of terms as the appliance does not
tests we conducted. The effect of average size of the have to send the whole payload back to the client.
samples used during the test is shown in Chart 2. The
performance impact starts tailing off after reaching 500k
sample size.

5 McAfee DLP Prevent v10.0.202 Sizing Guide—DLP 6600 CONFIDENTIAL For Internal and Partner use only.
 GUIDE

# of Terms Performance Impact appliance isn’t included when the ICAP response is sent
500
back from the appliance. Whereas, sending an email
400
through the appliance; the email content is analysed,
Transactions/sec

300 X-RCIS-Action header is added and the email is sent

200 onwards to the configured Smart Host.
100
It is important to note that, when enabling TLS in FIPS
0
1000 6000 11000 16000 21000 26000 31000 36000 41000 mode, the performance impact on SMTP is significant.
# of Terms
Feature SMTP ICAP
SMTP ICAP
TLS 59% 2%
Figure 3. Graph showing the impact of # of Terms on performance. TLS FIPS mode 81% 2%
Registered Douments 10% 15%
Selection of the appropriate payload size and the required Virtual Machine 14% 14%
number of terms is critical to obtain an accurate sizing.
Table 3. Table showing the impact of different features on performance
Therefore, it is vital to ensure that these parameters are
carefully considered prior to starting the sizing process.
Cluster
Performance impact due to different features is shown DLP Prevent appliance supports clustering to load
in Table 3. Running the appliance as a virtual machine balance incoming traffic and ensure high availability.
has a 14% impact on both protocols. Please note that cluster performance per node scales at
90% per additional node.
Enabling RegDocs on the appliance has a 10% impact on
Cluster Performance
performance for SMTP and 15% impact on ICAP regardless 2000
of the number of signatures contained in the RegDocs 1800
1600
Transactions/sec

database. We observed that the performance impact 1400

1200
was constant across various numbers of signatures. 1000
800
Our tests included databases with 1k signatures, 10k 600

signatures, 100k signatures and 1 million signatures. This 400

200
observation can be attributed to the appliance doing a 0
1 2 3 4 5 6 7 8
quick hash lookup for each signature in an indexed table. # of nodes

SMTP ICAP
The impact TLS has on performance is 59% for SMTP
and 2% for ICAP. ICAP impact is significantly lower Figure 4. Graph showing the performance result of a 8 node cluster.

because the original HTTP POST content sent to the

6 McAfee DLP Prevent v10.0.202 Sizing Guide—DLP 6600 CONFIDENTIAL For Internal and Partner use only.
 GUIDE

Sizing Calculator Hardware Options

The sizing calculator produces sizing recommendations Currently the sizing calculator provides sizing based on
that aims to help customers determine the correct size units of the DLP 6600 appliance for physical hardware
and quantity of McAfee DLP Prevent appliances to meet sizing and units of 4vCPU virtual machines with 12GB
their requirements. RAM and 300GB disk for virtual appliance sizing. This
will be revised each time there is a significant hardware
Protocol Options update or functionality change.
Protocol
Features
Sizing recommendations are provided for SMTP and
ICAP. The calculator currently supports sizing SMTP and Using TLS to encrypt data transmission to and from the
ICAP independently, it doesn’t support mixed protocol appliance is highly recommended. Hence, TLS is enabled
sizing. We do not recommend sending ICAP and SMTP by default for both protocols.
traffic to the same appliance due to the possible impact Enable RegDoc if you want to include registered
of mail traffic (which is less sensitive to latency) on web documents in your sizing calculation. The number of
traffic (which is highly sensitive to latency). documents or number signatures doesn’t affect the
Peak rate sizing recommendations the calculator produces.

Sizing is based on the Customer’s Peak Email/Request Required Terms

rate. This must be provided by the customer, and You can either select the common built-in dictionaries
is typically obtained by analysis of log files from the to work out the number of terms or directly enter the
customer’s existing web or email gateway product. number of terms as required. Terms includes keywords
File Size and regexes.

Average payload size of the email (if sizing for SMTP) Note: Number of terms is limited to 43000 Terms at
or web (if sizing for ICAP) traffic can be selected in the present for physical appliances on SMTP and ICAP.
respective size dropdown under protocol options, Please contact Engineering if you want to size with
you can select from 50KB, 100KB, 500KB, 1MB. It is greater number of terms.
important to consider the average size of the data in the
customer environment to get an accurate sizing. Use the
nearest average file size to calculate the sizing.

7 McAfee DLP Prevent v10.0.202 Sizing Guide—DLP 6600 CONFIDENTIAL For Internal and Partner use only.
 GUIDE

Recommendation Notes
The sizing calculator produces the sizing in terms of the Unable to Generate Sizing
required number of DLP 6600 appliances for physical If the calculator does not generate a sizing for your
sizing, or the required number of 4vCPU VMs for virtual desired configuration, please contact Engineering.
sizing. It also produces an equivalent recommendation
for a cluster deployment. We recommend the use of Network Speed
external load balancers to distribute the workload DLP Prevent can achieve a maximum throughput of
evenly across all nodes if clustering isn’t used. 850 mbps.

You can print/save the sizing sheet - it has been scaled This figure is a guideline for maximum possible
to fit one A4 page in portrait orientation without you performance running at full capacity, and will vary based
having to resize. on customer policy and traffic.

Memory Usage
During normal operation, DLP Prevent appliance may
consume all available memory, this behaviour is as
expected. As long as the appliance is not swapping to
disk excessively it is safe to let it continue as normal.

8 McAfee DLP Prevent v10.0.202 Sizing Guide—DLP 6600 CONFIDENTIAL For Internal and Partner use only.
 About McAfee
McAfee is one of the world’s leading independent
cybersecurity companies. Inspired by the power of
working together, McAfee creates business and
consumer solutions that make the world a safer place.
By building solutions that work with other companies’
products, McAfee helps businesses orchestrate
cyber environments that are truly integrated, where
protection, detection and correction of threats happen
simultaneously and collaboratively. By protecting
consumers across all their devices, McAfee secures
their digital lifestyle at home and away. By working
with other security players, McAfee is leading the effort
to unite against cybercriminals for the benefit of all.

Visita us at www.mcafee.com.

2821 Mission College Blvd. McAfee and the McAfee logo, ePolicy Orchestrator, and McAfee ePO are trademarks or registered trademarks of McAfee, LLC or its
Santa Clara, CA 95054 subsidiaries in the US and other countries. Other marks and brands may be claimed as the property of others. Copyright © 2018 McAfee, LLC.
888.847.8766 gd-dlp-prevent-10-sizing-guide-for-6600
FEBRUARY 2017
www.mcafee.com

9 McAfee DLP Prevent v10.0.202 Sizing Guide—DLP 6600 CONFIDENTIAL For Internal and Partner use only.