(169383025) qradar appliance datasheet


Upload: katie-fletcher

Post on 22-Oct-2015


DATASHEET

QRadar® Security Intelligence Platform Appliances

Total Security Intelligence | An IBM Company

QRadar® Security Intelligence Platform appliances combine typically disparate network and security management capabilities into a single, comprehensive solution. Appliance versions are offered for QRadar Log Manager, QRadar SIEM, QRadar Risk Manager, QRadar QFlow and QRadar VFlow (a virtual appliance). The QRadar Security Intelligence Platform appliances are pre-configured, optimized systems that enable high performance and rapid deployment using state-of-the-art hardware. They do not require expensive external storage, third-party databases or ongoing database administration. Organizations use QRadar appliances to achieve maximum benefit from their security intelligence deployments.

QRadar Log Manager Appliances

QRadar Log Manager Appliances deliver QRadar Log Manager for organizations of all sizes. They are ideal for organizations that need simplified log management capabilities, with the ability to expand event processing capacity in the future. They meet the needs of small and midsize organizations, as well as large businesses that are geographically dispersed and require an enterprise-class scalable solution.

The QRadar appliance architecture offers an easy-to-deploy, scalable model through the use of distributed event processor appliances. Add-on event processor appliances perform real-time collection, storage, indexing, correlation and analysis of up to 20,000 events (logs) per second each.

The QRadar Log Manager All-in-One Appliance utilizes on-board event collection and correlation capabilities, and is expandable with event processor appliances.

The QRadar Log Manager Console Appliance utilizes external event collection and correlation, allowing for dedicated search processing, distributed correlation, reporting and central administration of a distributed log management deployment. Organizations using a console appliance require at least one add-on event processor.

Common Features:

• Includes 3 TB or 6.2 TB of usable on-board storage for long-term data retention
• Supports 750 log sources (devices); expandable to tens of thousands of log sources
• Dual redundant power supplies (auto-sensing)
• Embedded hardware RAID 10 or 5 for high availability and redundancy of OS and storage
• Option to deploy turnkey, integrated HA appliance

All-in-One Appliance Features:

• Includes all capabilities (collection, storage, indexing, correlation, analysis and reporting) for comprehensive log management in a single turnkey appliance
• Supports up to 5,000 events per second (fully correlated); expandable to tens of thousands of events per second with add-on 1601/1605 Event Processors
• Provides one year of event storage for typical deployments *

Console Appliance Features:

• Provides global view of all event activity, with federated global searching and correlation, and centralized management, analysis and reporting
• Does not include event processing on-board; requires deployment of 1601/1605 Event Processor Appliance(s), which can support tens of thousands of events per second (fully correlated)

For more information about QRadar Log Manager software, please see the QRadar Log Manager data sheet.

QRadar SIEM Appliances

QRadar 2100 All-In-One Appliance

The QRadar 2100 All-In-One Appliance delivers QRadar SIEM in a single appliance for small and medium-sized organizations. It provides an integrated security solution that is fast and easy to deploy. With its intuitive user interface, configuration is so simple that you can deploy a QRadar 2100 All-in-One Appliance and begin protecting your network in minutes.

The QRadar 2100 All-in-One Appliance includes an embedded version of QRadar QFlow Collector, which provides layer 7 collection of network traffic flows and deep application visibility for advanced threat detection and forensic capabilities. Additional distributed QFlow Collectors can also be used in conjunction with the QRadar 2100 All-in-One Appliance for even broader network visibility.

Features:

• Includes all capabilities (collection, storage, indexing, correlation, offense management, analysis and reporting) for comprehensive SIEM in a single turnkey appliance
• Supports 1,000 events per second
• Supports up to 50,000 bi-directional flows per minute
• Includes on-board 50 Mbps QRadar QFlow Collector, with collection via passive tap or SPAN ports
• Supports 750 log sources (devices); expandable to tens of thousands of log sources
• Includes 1.5 TB of usable on-board storage for long-term data retention
• Provides one year of event and flow storage for typical deployments *
• Supports Fibre Channel for integration with storage area networks
• 10/100/1000 BASE-T connectivity for monitoring
• 10/100/1000 BASE-T management
• Dual redundant power supplies (auto-sensing)
• Embedded hardware RAID 10 for high availability and redundancy of OS and storage
• Option to deploy turnkey, integrated HA appliance

[Figure: Sample QRadar 2100 Deployment. Labels: QRadar Web Console; 2100; Firewall; IDS; Routers; Switches; Routers, Switches and Other Network Devices Exporting Flow Data; QFlow Collection on Passive Tap]

QRadar 3100/3105 All-In-One and Console Appliances

QRadar 3100/3105 Appliances deliver QRadar SIEM for organizations of all sizes. They are ideal for growing organizations that will need additional network activity and event monitoring capacity in the future. They are also the base platform for large businesses that are geographically dispersed and require an enterprise-class scalable solution.

The QRadar 3100/3105 All-in-One Appliance utilizes on-board event and flow collection and correlation capabilities, and is expandable with event processor, flow processor, and combined event and flow processor appliances. It can directly collect NetFlow, J-Flow, sFlow and IPFIX data, and utilize external QRadar QFlow Collectors for layer 7 network analysis and content capture. It can also use QRadar VFlow Collectors for layer 7 analysis and content capture within VMware virtual environments.

The QRadar 3100/3105 Console Appliance utilizes external event and flow collection and correlation, allowing for dedicated search processing, distributed correlation, offense management, reporting and central administration of a distributed SIEM deployment. The console appliance can utilize QRadar QFlow Collectors for layer 7 network analysis and content capture, and use flow processors to aggregate other network activity data, such as NetFlow, J-Flow, sFlow and IPFIX. It can also use QRadar VFlow Collectors for layer 7 analysis and content capture within VMware virtual environments. Organizations using a console appliance require at least one add-on event processor, flow processor, or combined event and flow processor appliance.

The QRadar appliance architecture offers an easy-to-deploy, scalable model through the use of distributed event and flow processor appliances. Add-on processor appliances perform real-time collection, storage, indexing, correlation and analysis of up to 20,000 events (logs) per second or 600,000 bi-directional flows per minute each.

Common Features:

• Includes 3 TB (3100 Appliance) or 6.2 TB (3105 Appliance) of usable on-board storage for long-term data retention
• Supports Fibre Channel for integration with storage area networks (3100 Appliance only)
• Option to deploy QRadar QFlow and QRadar VFlow Collectors in conjunction, for Layer 7 network activity monitoring
• Supports 750 log sources (devices); expandable to tens of thousands of log sources
• Dual redundant power supplies (auto-sensing)
• Embedded hardware RAID 10 (3100 Appliance) or RAID 5 (3105 Appliance) for high availability and redundancy of OS and storage
• Option to deploy turnkey, integrated HA appliance

[Figure: Sample QRadar 3105 Deployment. Labels: QRadar Web Console; 3105; 1201; 1201; Firewall; IDS; Routers; Switches; Routers, Switches and Other Network Devices Exporting Flow Data; QFlow Collection on Passive Tap]

All-in-One Appliance Features:

• Includes all capabilities (collection, storage, indexing, correlation, offense management, analysis and reporting) for comprehensive SIEM in a single turnkey appliance
• Supports up to 5,000 events per second (fully correlated); expandable to tens of thousands of events per second with add-on 1601/1605 Event Processors
• Supports up to 200,000 bi-directional flows per minute (fully correlated); expandable to millions of flows per minute with add-on 1701 Flow Processors
• Provides one year of event and flow storage for typical deployments *
• Option to deploy 1601/1605 Event Processor, 1701 Flow Processor, and/or 1801/1802 Combined Event and Flow Processor Appliances in conjunction

Console Appliance Features:

• Provides global view of all event and network flow activity, with federated global searching and correlation, and centralized offense management, analysis and reporting

• Expandable to tens of thousands of events per second (fully correlated) with add-on 1601/1605 Event Processors, and to millions of flows per minute (fully correlated) with add-on 1701 Flow Processors; does not include event or flow processing on-board
• Requires deployment of 1601/1605 Event Processor, 1701 Flow Processor, and/or 1801/1802 Combined Event and Flow Processor Appliances in conjunction

QRadar 3124 All-In-One and Console Appliances

QRadar 3124 Appliances deliver QRadar SIEM for large, distributed enterprises – such as those running security and network operations centers (SOCs and NOCs). These appliances are ideal for customers requiring high capacity and global correlation.

The QRadar 3124 All-in-One Appliance utilizes on-board event and flow collection and correlation capabilities, and is expandable with event and flow processor appliances. It can directly collect NetFlow, J-Flow, sFlow and IPFIX data, and utilize external QRadar QFlow Collectors for layer 7 network analysis and content capture. It can also use QRadar VFlow Collectors for layer 7 analysis and content capture within VMware virtual environments.

The QRadar 3124 Console Appliance utilizes external event and flow collection and correlation, allowing for dedicated search processing, distributed correlation, offense management, reporting and central administration of a distributed SIEM deployment. The console appliance can utilize QRadar QFlow Collectors for layer 7 network analysis and content capture, and use flow processors to aggregate other network activity data, such as NetFlow, J-Flow, sFlow and IPFIX. It can also use QRadar VFlow Collectors for layer 7 analysis and content capture within VMware virtual environments. Organizations using a console appliance require at least one add-on event or flow processor appliance.

The QRadar appliance architecture offers an easy-to-deploy, scalable model through the use of distributed event and flow processor appliances. Add-on processor appliances perform real-time collection, storage, indexing, correlation and analysis of up to 20,000 events (logs) per second or 1.2 million bi-directional flows per minute each.

[Figure: Sample QRadar 3124 Distributed Deployment. Labels: QRadar Web Console; 3124; 1724; 1624; 1201; Routers; Switches; IDS; Firewall; Routers, Switches and Other Network Devices Exporting Flow Data; Security Devices Exporting Logs]

Common Features:

• Includes all capabilities (collection, storage, indexing, correlation, offense management, analysis and reporting) for comprehensive SIEM in a single turnkey appliance
• Includes 16 TB of usable on-board storage for very-long-term data retention
• Option to deploy QRadar QFlow and QRadar VFlow Collectors in conjunction, for layer 7 network activity monitoring
• Supports 750 log sources (devices); expandable to tens of thousands of log sources
• Dual redundant power supplies (auto-sensing)
• Embedded hardware RAID 5 for high availability and redundancy of OS and storage
• Option to deploy turnkey, integrated HA appliance

All-in-One Appliance Features:

• Includes all capabilities (collection, storage, indexing, correlation, offense management, analysis and reporting) for comprehensive SIEM in a single turnkey appliance
• Supports up to 5,000 events per second (fully correlated); expandable to tens of thousands of events per second with add-on 1624 Event Processors
• Supports up to 200,000 bi-directional flows per minute (fully correlated); expandable to millions of flows per minute with add-on 1724 Flow Processors
• Provides three years of event and flow storage for typical deployments *
• Option to deploy 1624 Event Processor and/or 1724 Flow Processor Appliances in conjunction

Console Appliance Features:

• Provides global view of all event and network flow activity, with federated global searching and correlation, and centralized offense management, analysis and reporting
• Expandable to tens of thousands of events per second (fully correlated) with add-on 1624 Event Processors, and to millions of flows per minute (fully correlated) with add-on 1724 Flow Processors; does not include event or flow processing on-board
• Requires deployment of 1624 Event Processor and/or 1724 Flow Processor Appliances in conjunction

QRadar Risk Manager Appliance Packages

QRadar Risk Manager Add-On and Stand-Alone Appliance Packages

QRadar Risk Manager Appliance Packages deliver QRadar Risk Manager for organizations of all sizes. QRadar Risk Manager extends QRadar SIEM, providing multi-vendor configuration audit, risk/compliance policy assessment, continuous monitoring, and advanced threat simulation.

QRadar Risk Manager can be deployed as an add-on to an existing QRadar SIEM appliance (2100, 3100, 3105 or 3124) or as a stand-alone package.

Common Package Features:

• Includes QRadar Risk Manager Appliance:
  - Includes all capabilities for network risk management (automated configuration monitoring, network modeling and simulation, and intelligent vulnerability prioritization), in a turnkey appliance
  - Supports up to 50 configuration sources (any supported network or security device); expandable to thousands of configuration sources
  - Includes 5.5 TB of usable on-board storage for long-term data retention
  - Dual redundant power supplies (auto-sensing)
  - Embedded hardware RAID 5 for high availability and redundancy of OS and storage

Add-On Appliance Package Features:

• Complements and easily integrates with an existing QRadar SIEM deployment
• Includes one server, a QRadar Risk Manager Appliance (described above)

Stand-Alone Appliance Package Features:

• Includes two servers, a QRadar Risk Manager Appliance (described above) and a QRadar SIEM Appliance
• QRadar SIEM Appliance includes:
  - 3 TB of usable on-board storage for long-term data retention
  - Provides two years of event and flow storage for typical deployments *
  - Support for up to 1,000 events per second (fully correlated); expandable to tens of thousands of events per second with QRadar Risk Manager upgrade and add-on 1601/1605 Event Processors
  - Support for up to 25,000 bi-directional flows per minute (fully correlated); expandable to millions of flows per minute with QRadar Risk Manager upgrade and add-on 1701 Flow Processors
  - Support for up to 375 log sources (devices); expandable to tens of thousands of log sources with QRadar Risk Manager upgrade and add-on 1601/1605 Event Processors

Complementary Modules

Event Processor Appliances

Event processors provide scalable event collection and correlation for organizations of all sizes. They support QRadar SIEM, QRadar Log Manager and QRadar Risk Manager deployments.

QRadar 1601, 1605 and 1624 Event Processor Appliances

The QRadar 1601, 1605 and 1624 Event Processors are expansion appliances that can be deployed in conjunction with QRadar Log Manager and QRadar 3100/3105/3124 Appliances. They offer turnkey collection, storage, indexing and real-time correlation of log data and can be deployed in a distributed manner that supports the largest deployments in the world.

Common Features:

• Event Processors can be deployed in a distributed fashion, to support massive scaling
• Dual redundant power supplies (auto-sensing)
• Option to deploy turnkey, integrated HA appliance

1601 Features:

• Supports up to 10,000 events per second (fully correlated) per appliance; can serve as component of distributed solution expandable to tens of thousands of events per second
• Includes 3 TB of usable on-board storage for long-term data retention
• Provides one year of event storage for typical deployments *
• Supports Fibre Channel for integration with storage area networks
• Embedded hardware RAID 10 for high availability and redundancy of OS and storage

1605 Features:

• Supports up to 20,000 events per second (fully correlated) per appliance; can serve as component of distributed solution expandable to tens of thousands of events per second
• Includes 6.2 TB of usable on-board storage for long-term data retention
• Provides one year of event storage for typical deployments *
• Embedded hardware RAID 5 for high availability and redundancy of OS and storage

1624 Features:

• Supports up to 20,000 events per second (fully correlated) per appliance; can serve as component of distributed solution expandable to tens of thousands of events per second
• Includes 16 TB of usable on-board storage for very-long-term data retention
• Provides three years of event storage for typical deployments *
• Embedded hardware RAID 5 for high availability and redundancy of OS and storage

Flow Processor Appliances

Flow processors provide scalable flow collection and correlation for organizations of all sizes. They support QRadar SIEM and QRadar Risk Manager deployments.

QRadar 1701 and 1724 Flow Processor Appliances

QRadar Flow Processors enable the collection, storage and analysis of network flow data in a variety of formats including NetFlow, J-Flow, sFlow, QFlow and VFlow. They can extract native flow information from the network infrastructure, or process layer 7 network data provided by QRadar QFlow Collectors. The QRadar 1701 and 1724 Flow Processors are expansion appliances deployed in conjunction with QRadar 3100/3105/3124 Appliances. They offer turnkey collection, storage, indexing and real-time correlation of flow data and can be deployed in a distributed manner that supports the largest deployments in the world.

Common Features:

• Flow Processors can be deployed in a distributed fashion, to support massive scaling
• Dual redundant power supplies (auto-sensing)
• Option to deploy turnkey, integrated HA appliance

1701 Features:

• Supports up to 600,000 bi-directional flows per minute (fully correlated) per appliance; can serve as component of distributed solution expandable to millions of flows per minute
• Includes 3 TB of usable on-board storage for long-term data retention
• Provides one year of flow storage for typical deployments *
• Supports Fibre Channel for integration with storage area networks
• Embedded hardware RAID 10 for high availability and redundancy of OS and storage

1724 Features:

• Supports up to 1.2 million bi-directional flows per minute (fully correlated) per appliance; can serve as component of distributed solution expandable to millions of flows per minute
• Includes 16 TB of usable on-board storage for very-long-term data retention
• Provides three years of flow storage for typical deployments *
• Embedded hardware RAID 5 for high availability and redundancy of OS and storage

Combined Event and Flow Processor Appliances

Combined event and flow processor appliances provide scalable event log and flow collection and correlation in one consolidated system. They support QRadar SIEM and QRadar Risk Manager deployments.

QRadar 1801 and 1802 Combined Event and Flow Processor Appliances

The QRadar 1801 and 1802 Combined Event and Flow Processors provide event and network activity monitoring and processing for remote/branch offices and for large, distributed organizations seeking scalable solutions. They are expansion appliances that can be deployed in conjunction with QRadar 3100/3105/3124 and QRadar Risk Manager Appliances. These appliances offer collection and real-time correlation of event and flow data, and can be deployed in a distributed manner that supports the largest deployments in the world.

Common Features:

• Event and flow processing in a single appliance
• Provides one year of event and flow storage for typical deployments *
• Supports Fibre Channel for integration with storage area networks
• Dual redundant power supplies (auto-sensing)
• Embedded hardware RAID 10 for high availability and redundancy of OS and storage
• Option to deploy turnkey, integrated HA appliance

1801 Features:

• Supports 1,000 events per second (fully correlated); can serve as component of distributed solution expandable to tens of thousands of events per second
• Supports up to 50,000 bi-directional flows per minute (fully correlated); can serve as component of distributed solution expandable to millions of flows per minute
• Includes 1.5 TB of usable on-board storage for long-term data retention

1802 Features:

• Supports up to 5,000 events per second (fully correlated); can serve as component of distributed solution expandable to tens of thousands of events per second
• Supports up to 200,000 bi-directional flows per minute (fully correlated); can serve as component of distributed solution expandable to millions of flows per minute
• Includes 3 TB of usable on-board storage for long-term data retention

Flow Collectors for Layer 7 Visibility

QRadar QFlow and QRadar VFlow Collectors offer a powerful solution for gathering rich network activity data over physical and virtual infrastructures. They surpass traditional flow-based data capture by collecting layer 7 data via deep packet inspection. This enables application-level network activity analysis and anomaly detection, as well as content capture for forensic activities. This information, when correlated with network and security events, enables a more advanced analysis of the overall security posture of the network.

QRadar QFlow Collectors

QRadar QFlow Collectors gather network traffic passively through network taps and SPAN ports. They can detect more than 1,000 applications such as VoIP, social media, multimedia, ERP, and peer to peer (P2P), among many others.

QRadar 1101 QFlow Collector:

The 1101 QFlow Collector is a cost-effective collector for lower bandwidth monitoring (less than 100 Mbps) in remote locations or for Internet connections.

QRadar 1201 QFlow Collector:

The 1201 QFlow Collector provides a mid range multi-port collection appliance for underutilized Gigabit Ethernet connections (under 500 Mbps).

QRadar 1202 QFlow Collector:

The 1202 QFlow collector appliance provides line-rate gigabit network performance and multi-port flexibility. The 1202 is well suited for collecting and monitoring high rates of network traffic at the data center and core of an enterprise.

QRadar 1301 QFlow Collector:

The 1301 QFlow collector appliance provides line-rate gigabit network performance, multi-port flexibility and fiber connectivity. The 1301 is well suited for collecting and monitoring high rates of network traffic at the data center and core of an enterprise.

QRadar 1302 QFlow Collector:

The 1302 QFlow collector appliance provides line-rate gigabit network performance, multi-port flexibility and fiber connectivity. The 1302 is well suited for collecting and monitoring high rates of network traffic at the data center and core of an enterprise.

QRadar 1310 QFlow Collector:

The 1310 QFlow Collector delivers advanced network and application visibility and collection on 10 Gbps networks.

QRadar VFlow Collectors

QRadar VFlow Collectors are virtual activity monitors that provide the same collection and visibility for virtual network and server resources as QRadar QFlow Collectors provide for physical resources. QRadar VFlow Collectors are virtual appliances that connect to the virtual switch within a VMware virtual host. As with QFlow Collectors, the layer 7 data collected by VFlow Collectors is used for network activity monitoring as well as correlation against log activity, for superior detection of security threats. The product can also analyze port-mirrored traffic for a physical network switch, which helps bridge the gap between the physical and virtual realms.

Features:

• Supports up to 10,000 bi-directional flows per minute (fully correlated)
• Supports up to 4 virtual interfaces

QRadar Virtual Appliances

QRadar virtual appliances offer an alternative deployment form factor for organizations seeking to leverage VMware virtual infrastructures. They are well suited for large virtual and cloud environments, small organizations targeting compact and cost-efficient solutions, and branch and remote offices with lower data volumes. QRadar virtual appliances provide the exact same software as the respective hardware appliances described above, but they are delivered in software-only form and are supported on VMware ESX Server 4.1.

Organizations can freely use any combination of virtual and hardware appliances together, allowing for flexible expansion according to the needs of each business. SIEM and Log Manager virtual appliances are offered for both centralized and distributed deployments. As with hardware appliances, distributed deployments of virtual appliances enable total processing capacity well in excess of the individual virtual appliance capacities.

The following QRadar virtual appliances are offered (in addition to QRadar VFlow Collectors):

• QRadar 3190 SIEM All-in-One
• QRadar 3190 SIEM Console
• QRadar 3190 Log Manager All-in-One
• QRadar 3190 Log Manager Console
• QRadar 1690 SIEM Event Processor
• QRadar 1690 Log Manager Event Processor
• QRadar 1790 Flow Processor

QRadar 3190 SIEM All-in-One, QRadar 3190 Log Manager All-in-One, QRadar 1690 SIEM Event Processor and QRadar 1690 Log Manager Event Processor virtual appliances support event rates of 100, 200, 500 or 1,000 EPS. QRadar 3190 SIEM All-in-One and QRadar 1790 Flow Processor virtual appliances support flow rates of 15K, 25K or 50K flows per minute.

QRadar High Availability

QRadar’s easy-to-deploy high availability (HA) appliances provide fully automated disk synchronization and failover, for high availability of data collection, correlation, analysis and reporting capabilities. QRadar High Availability addresses the demand for scalable solutions that enable organizations to store, correlate and analyze large volumes of events, flows and other networking and asset data without interruption.

QRadar High Availability appliances offer the flexibility to use disk synchronization or leverage shared storage (SAN / IP SAN) – whichever option best meets your available infrastructure. Disk synchronization is a built-in QRadar HA feature that is used to replicate data between a primary appliance and an HA appliance. This simple-to-deploy solution delivers excellent performance, without the configuration challenges, high costs and ongoing administration requirements of third-party fault tolerance products. QRadar HA appliances can be deployed on a per appliance basis, enabling distributed QRadar deployments to add HA appliances as needed.

* Actual storage duration will vary based on event and flow size, events per second, flows per minute, compression policy, compression ratio and coalescing ratio.

Q1 Labs, an IBM Company

890 Winter Street, Suite 230

Waltham, MA 02451 USA

1.781.250.5800, [email protected]

Copyright 2012 Q1 Labs, an IBM Company. All rights reserved. Q1 Labs, an IBM Company, the Q1 Labs, an IBM Company logo, Total Security Intelligence, and QRadar are trademarks or registered trademarks of Q1 Labs, Inc. All other company or product names mentioned may be trademarks, registered trademarks, or service marks of their respective holders. The specifications and information contained herein are subject to change without notice.

Q1Labs.com

DSAPPL0312
