Data Sheet
IBM Software

IBM QRadar Security Intelligence Platform appliances
Comprehensive, state-of-the-art solutions providing next-generation security intelligence
IBM QRadar Security Intelligence Platform appliances combine typically disparate network and security management capabilities into a single, comprehensive solution. Appliance versions are offered for IBM Security QRadar Log Manager, IBM Security QRadar SIEM, IBM Security QRadar Risk Manager and IBM Security QRadar Network Anomaly Detection. For additional network visibility, IBM Security QRadar QFlow Collector solutions and IBM Security QRadar VFlow Collector solutions can be added to the platform's network analysis and content capture capabilities.
IBM QRadar Security Intelligence Platform appliances are preconfigured, optimized systems that do not require expensive external storage, third-party databases or ongoing database administration. Deployment options include dedicated, high-performance appliances; Linux-based software packages; and virtualized appliances for VMware-based environments.

Organizations use these appliances to protect and grow with their businesses and to achieve the maximum benefit from their security intelligence deployments. Six categories of appliances are offered:
- Log management: Collection, archiving and analysis of events from various network and security devices, systems and applications
- SIEM: Integrated log management and network flow collection with advanced correlation, anomaly detection, workflow and reporting capabilities
- Flow processing: Layer 4 NetFlow and Layer 7 QFlow collection and correlation
Highlights
- Collect and aggregate diverse sets of logs and event data
- Provide integrated log management, security information and event management (SIEM), and configuration and vulnerability management
- Monitor network flow data and Layer 7 application payloads, providing increased visibility into network activity
- Deploy quickly and easily as a centralized all-in-one system or with a distributed architecture using preconfigured systems
- Utilize specialized configurations for virtualized environments
- Provide high availability and disaster recovery
- Deliver rapid time-to-value using thousands of predefined rules and out-of-the-box report templates
- Configuration and vulnerability management: Proactive configuration audit, risk and compliance policy assessment, and advanced threat simulation
- Network anomaly detection: Specialized capabilities that complement IBM Security SiteProtector System and IBM Security Network Intrusion Prevention System installations
- High availability and disaster recovery: Backup capabilities that can pair secondary systems with any member of the appliance family to help ensure continuous operations
IBM Security QRadar Log Manager appliances
QRadar Log Manager appliances are ideal for organizations that need simplified capabilities for log management today, with the ability to expand capacity for event processing and upgrade to a full SIEM solution in the future. These appliances are designed to meet the needs of small and midsize organizations, as well as large businesses that are geographically dispersed and require an enterprise-class, scalable solution.
The IBM Security QRadar Log Manager all-in-one appliance is an entry-level system that utilizes on-board event collection and correlation capabilities, and can process up to 5,000 events per second. It can easily expand as the organization grows, with the ability to support hundreds of thousands of events per second through conversion into a console (distributed) deployment with the addition of separate event processor appliances.
Larger organizations can utilize the capabilities of the IBM Security QRadar Log Manager console appliance with its external event collection and correlation approach, which allows for dedicated search processing, distributed correlation, reporting and central administration of a distributed log management deployment. Console appliances require at least one add-on event processor.
The scalable architecture of these appliances includes distributed event processor and event collector appliances. Add-on event processor appliances perform real-time collection, storage, indexing, correlation and analysis of up to 20,000 events (log entries) per second per appliance. Large, multi-appliance deployments can support more than one million events per second, with all data correlated in real time. For situations where network connectivity is either unreliable or temporarily unavailable, or in locations with low event volumes, event collector appliances can be deployed to collect events and forward them to an event processor or all-in-one appliance.
IBM Security QRadar 1605 and 1624 Event Processor appliances
IBM Security QRadar event processor appliances provide scalable event collection and correlation for organizations of all sizes. The IBM Security QRadar 1605 and 1624 Event Processor appliances are expansion solutions that can be deployed in conjunction with QRadar Log Manager and QRadar SIEM console appliances. They offer turnkey collection, storage, indexing and real-time correlation of log data and can be deployed in a distributed manner that can support some of the largest deployments in the world.
QRadar Log Manager solutions can begin as a single turnkey appliance and grow into highly distributed solutions, supporting multiple event processor and event collector appliances when network availability conditions warrant.
[Figure: Sample IBM Security QRadar Log Manager 3105 distributed deployment. A 3105 console hosts the QRadar web console; 1605 event processors and a 1501 event collector feed it. Routers, switches and other network devices export flow data; security devices (routers, switches, IDS, firewall) export logs.]
IBM Security QRadar 1501 Event Collector appliances
IBM Security QRadar event collector appliances provide continuous capabilities for event logging when network connectivity is unavailable. Event collector appliances simply collect events and forward them to an event processor or all-in-one appliance for correlation, analysis and long-term storage. Also designed to collect events and logs in distributed locations with relatively low event volumes (such as retail stores and satellite offices), they provide a more economical approach than deploying event processors in such scenarios.
IBM Security QRadar SIEM appliances
QRadar SIEM appliances deliver integrated log management and security intelligence technology for organizations of all sizes. Available in either all-in-one or distributed deployment configurations, they are ideal for growing organizations that seek maximum security and compliance capabilities. These appliances offer the ability to correlate logs, network flows, vulnerabilities, user identities, threat intelligence and other security telemetry. They also offer application-level packet inspection and content capture for superior network visibility and forensics. QRadar SIEM appliances often serve as the base platform for large, geographically dispersed businesses that require an enterprise-class, scalable solution.
The QRadar SIEM appliance architecture offers an easy-to-deploy, scalable model through the use of distributed event and flow processor appliances. An event processor appliance (see the 1605 or 1624 descriptions within the QRadar Log Manager table) can perform real-time collection, storage, indexing, correlation and analysis of up to 20,000 events (logs) per second. A flow processor appliance can perform real-time collection, storage, indexing, correlation and analysis of up to 1,200,000 bidirectional flows per minute. Large, multi-appliance deployments can support more than one million events per second, and millions of flows per minute, with all data correlated in real time.
The IBM Security QRadar SIEM 2100 All-in-One appliance delivers a single appliance for small and midsize organizations. It provides an integrated security solution, and its intuitive user interface makes it easy to deploy in minutes. The QRadar 2100 All-in-One appliance also includes an embedded version of IBM Security QRadar QFlow Collector, which provides Layer 7 collection of network traffic flows and deep application visibility for advanced threat detection and forensic capabilities. No additional event processors or flow processors can be used to expand this system.
IBM Security QRadar Log Manager appliance features

Model | Single turnkey solution | Part of distributed solution | Event collection, correlation, analysis and storage | Long-term data storage | Typical event storage capacity
All-in-One 2100 | X | | Max. 1,000 EPS (sustained) | 1.3 TB | 1 year
All-in-One 3105 | X | | Max. 5,000 EPS (sustained) | 6.5 TB | 3 years
All-in-One 3124 | X | | Max. 5,000 EPS (sustained) | 16 TB | 3 years
Console 3105 | | X | Not applicable | 6.5 TB | Not applicable
Console 3124 | | X | Not applicable | 16 TB | Not applicable
1501 | | X | Max. 2,500 EPS (sustained), collection and forwarding only | 1.3 TB | Not applicable
1605 | | X | Max. 20,000 EPS (sustained) | 6.5 TB | 1 year
1624 | | X | Max. 20,000 EPS (sustained) | 16 TB | 3 years

Support for high availability and disaster recovery: X X X X X X X (seven of the eight models; the source table does not show which model is excluded)
The IBM Security QRadar SIEM 3105 and 3124 All-in-One appliances utilize on-board event and flow collection and correlation capabilities, providing a single-appliance solution. They are expandable into console configurations in which separate event and flow processor appliances are used to collect and store data. These appliances can directly collect events from all supported log sources, as well as NetFlow, J-Flow, sFlow and IPFIX data from network devices. They can also utilize external QRadar QFlow Collector and QRadar VFlow Collector appliances for Layer 7 network analysis and content capture.
The IBM Security QRadar SIEM 3105 and 3124 Console appliances utilize external event and flow processor appliances, allowing the console to perform dedicated search processing, offense management, reporting and central administration of the distributed SIEM deployment. At least one add-on event processor, flow processor, or combined event and flow processor appliance is required. Teamed with one or more QRadar QFlow Collector appliances, the console can also receive Layer 7 network analysis and content capture while aggregating other network activity data, such as NetFlow, J-Flow, sFlow and IPFIX. QRadar VFlow Collector appliances provide the same visibility and network flow collection within VMware virtual environments.
[Figure: Sample IBM Security QRadar SIEM 2100 all-in-one deployment. A 2100 appliance hosts the QRadar web console; a 1202 QFlow Collector performs QFlow collection on a passive tap; routers, switches, firewall and IDS serve as log and flow sources.]

[Figure: Sample IBM Security QRadar SIEM 3124 distributed deployment. A 3124 console hosts the QRadar web console, fed by 1724 flow processors and 1624 event processors. Log events are collected from network and security infrastructure (servers, routers, switches, IDS, firewall, laptop); Layer 7 data analysis is performed through SPAN or tap; Layer 4 NetFlow from routers, switches and other network devices exporting flow data is received for external flow services.]
QRadar SIEM solutions can start small with an all-in-one solution and grow to support enterprise environments, using a centralized console and any number of distributed event and network flow collection appliances.
IBM Security QRadar 1705 and 1724 Flow Processor appliances
IBM Security QRadar flow processor appliances provide scalable flow collection, correlation and storage for organizations of all sizes. These appliances are expansion appliances deployed in conjunction with QRadar SIEM All-in-One or QRadar SIEM Console appliances. They offer turnkey collection, storage, indexing and real-time correlation of flow data and are designed to be deployed in a distributed manner. QRadar flow processor appliances collect and analyze network flow data in a variety of formats including NetFlow, J-Flow, sFlow, and IPFIX. They can even process Layer 7 application-level data gathered by QRadar QFlow Collector appliances.
IBM Security QRadar 1805 Combined Event and Flow Processor appliances
IBM Security QRadar 1805 Combined Event and Flow Processor appliances provide event and network activity monitoring and correlation for remote or branch offices and for large, distributed organizations seeking scalable solutions. They are expansion appliances for use with QRadar SIEM Console systems.
IBM Security QRadar SIEM appliance features

Model | Single turnkey solution | Part of distributed solution | Event collection, correlation, analysis and storage | Support for expandable log source (devices) data | Flow collection, correlation, analysis and storage | Optional use of QFlow and VFlow Collectors | Long-term data storage | Typical event storage capacity | Typical flow storage capacity | Support for high availability and disaster recovery
All-in-One 2100 | X | | Max. 1,000 EPS (sustained) | Not applicable | Max. 50,000 bidirectional flows/minute | On-board QFlow Collector included | 1.3 TB | 1 year | 1 year | X
All-in-One 3105 | X | | Max. 5,000 EPS (sustained) | Requires Console conversion | Max. 200,000 bidirectional flows/minute | X | 6.5 TB | 3 years | 1 year | X
All-in-One 3124 | X | | Max. 5,000 EPS (sustained) | Requires Console conversion | Max. 200,000 bidirectional flows/minute | X | 16 TB | 3 years | 3 years | X
Console 3105 | | X | Not applicable | Requires 1605/1624 Event Processor appliances | Not applicable | Requires 1705/1724 Flow Processor appliances | 6.5 TB | Not applicable | Not applicable | X
Console 3124 | | X | Not applicable | Requires 1605/1624 Event Processor appliances | Not applicable | Requires 1705/1724 Flow Processor appliances | 16 TB | Not applicable | Not applicable | X
1705 | | X | Not applicable | Not applicable | Max. 600,000 bidirectional flows/minute | X | 6.5 TB | Not applicable | 1 year | X
1724 | | X | Not applicable | Not applicable | Max. 1.2 million bidirectional flows/minute | X | 16 TB | Not applicable | 3 years | X
1805 | | X | Max. 5,000 EPS (sustained) | Not applicable | Max. 200,000 bidirectional flows/minute | X | 6.5 TB | 1 year | 1 year | X
IBM Security QFlow and VFlow Collector appliances for Layer 7 visibility
IBM Security QRadar QFlow Collector and VFlow Collector appliances offer a powerful solution for gathering rich network activity data in both physical and virtual infrastructures. They surpass traditional flow data (such as NetFlow) by using deep packet inspection to collect more detailed and revealing Layer 7 data. This enables application-level network activity analysis and anomaly detection, as well as content capture for forensic activities. This information, when correlated with event data, enables a more advanced analysis of the overall security posture of the network.
QRadar QFlow Collector appliances gather network traffic passively through network taps and SPAN ports. They can detect more than 1,000 applications such as Voice over Internet Protocol (VoIP), social media such as Twitter and LinkedIn, multimedia including Skype, enterprise resource planning (ERP), and peer to peer (P2P), among many others. QFlow Collector appliances must be paired with either a 17XX flow processor, an 1805 Combined Event and Flow Processor, or an all-in-one SIEM appliance.
There are four QRadar QFlow Collector models:
- IBM Security QRadar 1201 QFlow Collector: Offers midrange, multi-port collection capabilities for underutilized gigabit Ethernet connections up to 200 Mbps
- IBM Security QRadar 1202 QFlow Collector: Provides line-rate gigabit Ethernet network performance and multi-port flexibility for copper-based networks; is well suited for collecting and monitoring high rates of network traffic at the data center and core of an enterprise
- IBM Security QRadar 1301 QFlow Collector: Provides line-rate gigabit Ethernet network performance with multi-port flexibility for fiber-based networks; is well suited for collecting and monitoring high rates of network traffic at the data center and core of an enterprise
- IBM Security QRadar 1310 QFlow Collector: Delivers advanced network and application visibility and collection on 10-Gbps Ethernet networks
QRadar VFlow Collector appliances are virtual activity monitors that provide the same collection and visibility for virtual network and server resources as QRadar QFlow Collector appliances provide for physical resources. QRadar VFlow Collector appliances are virtual appliances that connect to the virtual switch within a VMware virtual host. They can support up to four virtual interfaces and up to 10,000 bidirectional flows per minute. The product can also analyze port-mirrored traffic for a physical network switch, helping bridge the gap between the physical and virtual realms.
IBM Security QRadar Risk Manager appliances
IBM Security QRadar Risk Manager appliances deliver proactive risk management capabilities for organizations of all sizes by extending QRadar SIEM capabilities to provide multi-vendor configuration audit, risk/compliance policy assessment, continuous monitoring and advanced threat simulation. These systems are deployed as an add-on to an existing IBM Security QRadar SIEM appliance.
QRadar Risk Manager appliances feature:
- A turnkey hardware-based appliance system
- Support for 50 configuration sources (any supported device); expandable to thousands of configuration sources through license upgrade
- 6.5 TB of usable on-board storage for long-term data retention
IBM Security QRadar Network Anomaly Detection Appliance
The IBM Security QRadar Network Anomaly Detection Appliance is optimized to complement and integrate with IBM Security SiteProtector System and IBM Security Network Intrusion Prevention System to provide greater insight into network behavior and abnormal activities. It offers the anomaly detection and real-time correlation capabilities of QRadar SIEM to enhance the SiteProtector solution's numerous threat protection techniques. Network and application vulnerability data is also collected from vulnerability scanners and used to prioritize threats and risks seen by the intrusion prevention system product.
QRadar Network Anomaly Detection is typically deployed as an add-on to an existing SiteProtector and Network Intrusion Prevention System installation. This appliance uses the same hardware as IBM Security QRadar SIEM 3105. It includes entitlement for collecting 500 events per second (upgradable to 1,000 events per second) and 25,000 network flows per minute (upgradable to 200,000 flows per minute).
IBM Security QRadar high-availability appliances
Easy-to-deploy IBM Security QRadar high-availability appliances provide fully automated disk synchronization and failover for high availability of data collection, correlation, analysis and reporting capabilities. These systems help organizations store, correlate and analyze large volumes of events, flows and other networking and asset data without interruption when the primary appliances are not functional for any reason.
QRadar high-availability appliances offer the flexibility to use disk synchronization or leverage shared SAN/IP SAN storage, according to the available infrastructure. Disk synchronization is a built-in feature used to replicate data between a primary appliance and a secondary high-availability appliance. This simple-to-deploy solution delivers excellent performance without the configuration challenges, high costs and ongoing administration requirements of third-party fault tolerance products. QRadar high-availability appliances can be deployed on a per-appliance basis, enabling distributed QRadar deployments to add these capabilities where and when they are needed.
IBM Security QRadar disaster-recovery appliances
IBM Security QRadar disaster-recovery appliances provide a means of safeguarding collected event and flow data by mirroring it to a secondary, identical backup appliance deployment. Disaster recovery differs from high availability in that disaster-recovery appliances do not perform continuous synchronization between primary and backup appliances.
All data mirroring is unidirectional and only event and flow data are covered. The QRadar disaster-recovery approach requires that the production and disaster-recovery deployments be identical in terms of topology, appliance model and event/flow processing capacity. Each console, event or flow processor appliance in the primary deployment must have an identical counterpart in the disaster-recovery deployment. QRadar disaster-recovery appliances can also be used in conjunction with QRadar high-availability solutions to achieve optimal system protection.
Copyright IBM Corporation 2013
IBM Corporation, Software Group, Route 100, Somers, NY 10589
Produced in the United States of America, January 2013

IBM, the IBM logo, ibm.com, QRadar, and X-Force are trademarks of International Business Machines Corp., registered in many jurisdictions worldwide. Other product and service names might be trademarks of IBM or other companies. A current list of IBM trademarks is available on the web at "Copyright and trademark information" at ibm.com/legal/copytrade.shtml

Linux is a registered trademark of Linus Torvalds in the United States, other countries, or both.
This document is current as of the initial date of publication
and may be changed by IBM at any time. Not all offerings are
available in every country in which IBM operates.
THE INFORMATION IN THIS DOCUMENT IS PROVIDED AS IS WITHOUT ANY
WARRANTY, EXPRESS OR IMPLIED, INCLUDING WITHOUT ANY WARRANTIES OF
MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND ANY WARRANTY
OR CONDITION OF NON-INFRINGEMENT. IBM products are warranted
according to the terms and conditions of the agreements under which
they are provided.
IT system security involves protecting systems and information
through prevention, detection and response to improper access from
within and outside your enterprise. Improper access can result in
information being altered, destroyed or misappropriated or can
result in damage to or misuse of your systems, including to attack
others. No IT system or product should be considered completely
secure and no single product or security measure can be completely
effective in preventing improper access. IBM systems and products
are designed to be part of a comprehensive security approach, which
will necessarily involve additional operational procedures, and may
require other systems, products or services to be most effective.
IBM does not warrant that systems and products are immune from the
malicious or illegal conduct of any party.
Why IBM?
IBM operates a worldwide security research, development and delivery organization comprising 10 security operations centers, nine IBM Research centers, 11 software security development labs and an Institute for Advanced Security with chapters in the United States, Europe and Asia Pacific. IBM solutions empower organizations to reduce their security vulnerabilities and focus more on the success of their strategic initiatives. These products build on the threat intelligence expertise of the IBM X-Force research and development team to provide a preemptive approach to security. As a trusted partner in security, IBM delivers the solutions to keep the entire enterprise infrastructure, including the cloud, protected from the latest security risks.
For more information
To learn more about IBM QRadar Security Intelligence Platform appliances, contact your IBM representative or IBM Business Partner, or visit: ibm.com/security

For more information about IBM Security QRadar SIEM software, please see the IBM Security QRadar SIEM data sheet.
Additionally, IBM Global Financing can help you acquire the software capabilities that your business needs in the most cost-effective and strategic way possible. We'll partner with credit-qualified clients to customize a financing solution to suit your business and development goals, enable effective cash management, and improve your total cost of ownership. Fund your critical IT investment and propel your business forward with IBM Global Financing. For more information, visit: ibm.com/financing
WGD03019-USEN-00