    Data Sheet
    IBM Software

    IBM QRadar Security Intelligence Platform appliances
    Comprehensive, state-of-the-art solutions providing next-generation security intelligence

    IBM QRadar Security Intelligence Platform appliances combine typically disparate network and security management capabilities into a single, comprehensive solution. Appliance versions are offered for IBM Security QRadar Log Manager, IBM Security QRadar SIEM, IBM Security QRadar Risk Manager and IBM Security QRadar Network Anomaly Detection. For additional network visibility, IBM Security QRadar QFlow Collector solutions and IBM Security QRadar VFlow Collector solutions can be added to the platform's network analysis and content capture capabilities.

    IBM QRadar Security Intelligence Platform appliances are preconfigured, optimized systems that do not require expensive external storage, third-party databases or ongoing database administration. Deployment options include dedicated, high-performance appliances; Linux-based software packages; and virtualized appliances for VMware-based environments.

    Organizations use these appliances to protect and grow with their businesses and to achieve the maximum benefit from their security intelligence deployments. Six categories of appliances are offered:

    ● Log management: Collection, archiving and analysis of events from various network and security devices, systems and applications

    ● SIEM: Integrated log management and network flow collection with advanced correlation, anomaly detection, workflow and reporting capabilities

    ● Flow processing: Layer 4 NetFlow and Layer 7 QFlow collection and correlation

    ● Configuration and vulnerability management: Proactive configuration audit, risk and compliance policy assessment, and advanced threat simulation

    ● Network anomaly detection: Specialized capabilities that complement IBM Security SiteProtector System and IBM Security Network Intrusion Prevention System installations

    ● High availability and disaster recovery: Backup capabilities that can pair secondary systems with any member of the appliance family to help ensure continuous operations

    Highlights

    ● Collect and aggregate diverse sets of logs and event data

    ● Provide integrated log management, security information and event management (SIEM), and configuration and vulnerability management

    ● Monitor network flow data and Layer 7 application payloads, providing increased visibility into network activity

    ● Deploy quickly and easily as a centralized all-in-one system or with a distributed architecture using preconfigured systems

    ● Utilize specialized configurations for virtualized environments

    ● Provide high availability and disaster recovery

    ● Deliver rapid time-to-value using thousands of predefined rules and out-of-the-box report templates

    IBM Security QRadar Log Manager appliances

    QRadar Log Manager appliances are ideal for organizations that need simplified capabilities for log management today, with the ability to expand capacity for event processing and upgrade to a full SIEM solution in the future. These appliances are designed to meet the needs of small and midsize organizations, as well as large businesses that are geographically dispersed and require an enterprise-class, scalable solution.

    The IBM Security QRadar Log Manager all-in-one appliance is an entry-level system that utilizes on-board event collection and correlation capabilities, and can process up to 5,000 events per second. It can easily expand as the organization grows, with the ability to support hundreds of thousands of events per second through conversion into a console (distributed) deployment with the addition of separate event processor appliances.

    Larger organizations can utilize the capabilities of the IBM Security QRadar Log Manager console appliance with its external event collection and correlation approach, which allows for dedicated search processing, distributed correlation, reporting and central administration of a distributed log management deployment. Console appliances require at least one add-on event processor.

    The scalable architecture of these appliances includes distributed event processor and event collector appliances. Add-on event processor appliances perform real-time collection, storage, indexing, correlation and analysis of up to 20,000 events (log entries) per second per appliance. Large, multi-appliance deployments can support more than one million events per second, with all data correlated in real time. For situations where network connectivity is either unreliable or temporarily unavailable, or in locations with low event volumes, event collector appliances can be deployed to collect events and forward them to an event processor or all-in-one appliance.

    IBM Security QRadar 1605 and 1624 Event Processor appliances

    IBM Security QRadar event processor appliances provide scalable event collection and correlation for organizations of all sizes. The IBM Security QRadar 1605 and 1624 Event Processor appliances are expansion solutions that can be deployed in conjunction with QRadar Log Manager and QRadar SIEM console appliances. They offer turnkey collection, storage, indexing and real-time correlation of log data and can be deployed in a distributed manner that can support some of the largest deployments in the world.

    QRadar Log Manager solutions can begin as a single turnkey appliance and grow into highly distributed solutions, supporting multiple event processor and event collector appliances when network availability conditions warrant.

    [Figure: Sample IBM Security QRadar Log Manager 3105 distributed deployment. Components shown: QRadar web console; 3105 console; two 1605 event processors; 1501 event collector; routers, switches and other network devices exporting flow data; security devices (routers, switches, IDS, firewall) exporting logs.]


    IBM Security QRadar 1501 Event Collector appliances

    IBM Security QRadar event collector appliances provide continuous capabilities for event logging when network connectivity is unavailable. Event collector appliances simply collect events and forward them to an event processor or all-in-one appliance for correlation, analysis and long-term storage. Also designed to collect events and logs in distributed locations with relatively low event volumes (such as retail stores and satellite offices), they provide a more economical approach than deploying event processors in such scenarios.

    IBM Security QRadar SIEM appliances

    QRadar SIEM appliances deliver integrated log management and security intelligence technology for organizations of all sizes. Available in either all-in-one or distributed deployment configurations, they are ideal for growing organizations that seek maximum security and compliance capabilities. These appliances offer the ability to correlate logs, network flows, vulnerabilities, user identities, threat intelligence and other security telemetry. They also offer application-level packet inspection and content capture for superior network visibility and forensics. QRadar SIEM appliances often serve as the base platform for large, geographically dispersed businesses that require an enterprise-class, scalable solution.

    The QRadar SIEM appliance architecture offers an easy-to-deploy, scalable model through the use of distributed event and flow processor appliances. An event processor appliance (see the 1605 or 1624 descriptions within the QRadar Log Manager table) can perform real-time collection, storage, indexing, correlation and analysis of up to 20,000 events (logs) per second. A flow processor appliance can perform real-time collection, storage, indexing, correlation and analysis of up to 1,200,000 bidirectional flows per minute. Large, multi-appliance deployments can support more than one million events per second, and millions of flows per minute, with all data correlated in real time.

    The IBM Security QRadar SIEM 2100 All-In-One appliance delivers a single appliance for small and midsize organizations. It provides an integrated security solution, and its intuitive user interface makes it easy to deploy in minutes. The QRadar 2100 All-in-One Appliance also includes an embedded version of IBM Security QRadar QFlow Collector, which provides Layer 7 collection of network traffic flows and deep application visibility for advanced threat detection and forensic capabilities. No additional event processors or flow processors can be used to expand this system.

    IBM Security QRadar Log Manager appliance features

    Feature | All-in-One 2100 | All-in-One 3105 | All-in-One 3124 | Console 3105 | Console 3124 | 1501 | 1605 | 1624
    Single turnkey solution | X | X | X | | | | |
    Part of distributed solution | | | | X | X | X | X | X
    Event collection, correlation, analysis and storage | Max. 1,000 EPS (sustained) | Max. 5,000 EPS (sustained) | Max. 5,000 EPS (sustained) | Not applicable | Not applicable | Max. 2,500 EPS (sustained), collection and forwarding only | Max. 20,000 EPS (sustained) | Max. 20,000 EPS (sustained)
    Long-term data storage | 1.3 TB | 6.5 TB | 16 TB | 6.5 TB | 16 TB | 1.3 TB | 6.5 TB | 16 TB
    Typical event storage capacity | 1 year | 3 years | 3 years | Not applicable | Not applicable | Not applicable | 1 year | 3 years
    Support for high availability and disaster recovery | Supported on seven of the eight models (the source table marks seven columns; the column assignment was lost in the table layout)


    The IBM Security QRadar SIEM 3105 and 3124 All-in-One appliances utilize on-board event and flow collection and correlation capabilities, providing a single-appliance solution. They are expandable into console configurations in which separate event and flow processor appliances are used to collect and store data. These appliances can directly collect events from all supported log sources, as well as NetFlow, J-Flow, sFlow and IPFIX data from network devices. They can also utilize external QRadar QFlow Collector and QRadar VFlow Collector appliances for Layer 7 network analysis and content capture.

    The IBM Security QRadar SIEM 3105 and 3124 Console appliances utilize external event and flow processor appliances, allowing the console to perform dedicated search processing, offense management, reporting and central administration of the distributed SIEM deployment. At least one add-on event processor, flow processor, or combined event and flow processor appliance is required. Teamed with one or more QRadar QFlow Collector appliances, the console can also receive Layer 7 network analysis and content capture while aggregating other network activity data, such as NetFlow, J-Flow, sFlow and IPFIX. QRadar VFlow Collector appliances provide the same visibility and network flow collection within VMware virtual environments.

    [Figure: Sample IBM Security QRadar SIEM 2100 all-in-one deployment. Components shown: QRadar web console; 2100 all-in-one appliance; routers, switches, firewall and IDS; QFlow collection on passive tap.]

    [Figure: Sample IBM Security QRadar SIEM 3124 distributed deployment. Components shown: QRadar web console; 3124 console; 1724 flow processor; 1202 QFlow Collector; 1624 event processor; routers, switches and other network devices exporting flow data; servers, routers, switches, IDS, firewall and laptop. Diagram labels: collection of log events from network and security infrastructure; Layer 7 data analysis through SPAN or tap; Layer 4 NetFlow for external flow services.]

    QRadar SIEM solutions can start small with an all-in-one solution and grow to support enterprise environments, using a centralized console and any number of distributed event and network flow collection appliances.


    IBM Security QRadar 1705 and 1724 Flow Processor appliances

    IBM Security QRadar flow processor appliances provide scalable flow collection, correlation and storage for organizations of all sizes. These appliances are expansion appliances deployed in conjunction with QRadar SIEM All-in-One or QRadar SIEM Console appliances. They offer turnkey collection, storage, indexing and real-time correlation of flow data and are designed to be deployed in a distributed manner. QRadar flow processor appliances collect and analyze network flow data in a variety of formats including NetFlow, J-Flow, sFlow, and IPFIX. They can even process Layer 7 application-level data gathered by QRadar QFlow Collector appliances.

    IBM Security QRadar 1805 Combined Event and Flow Processor appliances

    IBM Security QRadar 1805 Combined Event and Flow Processor appliances provide event and network activity monitoring and correlation for remote or branch offices and for large, distributed organizations seeking scalable solutions. They are expansion appliances for use with QRadar SIEM Console systems.

    IBM Security QRadar SIEM appliance features

    Feature | All-in-One 2100 | All-in-One 3105 | All-in-One 3124 | Console 3105 | Console 3124 | 1705 | 1724 | 1805
    Single turnkey solution | X | X | X | | | | |
    Part of distributed solution | | | | X | X | X | X | X
    Event collection, correlation, analysis and storage | Max. 1,000 EPS (sustained) | Max. 5,000 EPS (sustained) | Max. 5,000 EPS (sustained) | Not applicable | Not applicable | Not applicable | Not applicable | Max. 5,000 EPS (sustained)
    Support for expandable log source (devices) data | Not applicable | Requires Console conversion | Requires Console conversion | Requires 1605/1624 Event Processor appliances | Requires 1605/1624 Event Processor appliances | Not applicable | Not applicable | Not applicable
    Flow collection, correlation, analysis and storage | Max. 50,000 bidirectional flows/minute | Max. 200,000 bidirectional flows/minute | Max. 200,000 bidirectional flows/minute | Not applicable | Not applicable | Max. 600,000 bidirectional flows/minute | Max. 1.2 million bidirectional flows/minute | Max. 200,000 bidirectional flows/minute
    Optional use of QFlow and VFlow Collectors | On-board QFlow Collector included | X | X | Requires 1705/1724 Flow Processor appliances | Requires 1705/1724 Flow Processor appliances | X | X | X
    Long-term data storage | 1.3 TB | 6.5 TB | 16 TB | 6.5 TB | 16 TB | 6.5 TB | 16 TB | 6.5 TB
    Typical event storage capacity | 1 year | 3 years | 3 years | Not applicable | Not applicable | Not applicable | Not applicable | 1 year
    Typical flow storage capacity | 1 year | 1 year | 3 years | Not applicable | Not applicable | 1 year | 3 years | 1 year
    Support for high availability and disaster recovery | X | X | X | X | X | X | X | X


    IBM Security QFlow and VFlow Collector appliances for Layer 7 visibility

    IBM Security QRadar QFlow Collector and VFlow Collector appliances offer a powerful solution for gathering rich network activity data in both physical and virtual infrastructures. They surpass traditional flow data (such as NetFlow) by using deep packet inspection to collect more detailed and revealing Layer 7 data. This enables application-level network activity analysis and anomaly detection, as well as content capture for forensic activities. This information, when correlated with event data, enables a more advanced analysis of the overall security posture of the network.

    QRadar QFlow Collector appliances gather network traffic passively through network taps and SPAN ports. They can detect more than 1,000 applications such as Voice over Internet Protocol (VoIP), social media such as Twitter and LinkedIn, multimedia including Skype, enterprise resource planning (ERP), and peer to peer (P2P), among many others. QFlow Collector appliances must be paired with either a 17XX flow processor, an 1805 Combined Event and Flow Processor, or an all-in-one SIEM appliance.

    There are four QRadar QFlow Collector models:

    ● IBM Security QRadar 1201 QFlow Collector: Offers midrange, multi-port collection capabilities for underutilized gigabit Ethernet connections up to 200 Mbps

    ● IBM Security QRadar 1202 QFlow Collector: Provides line-rate gigabit Ethernet network performance and multi-port flexibility for copper-based networks; is well suited for collecting and monitoring high rates of network traffic at the data center and core of an enterprise

    ● IBM Security QRadar 1301 QFlow Collector: Provides line-rate gigabit Ethernet network performance with multi-port flexibility for fiber-based networks; is well suited for collecting and monitoring high rates of network traffic at the data center and core of an enterprise

    ● IBM Security QRadar 1310 QFlow Collector: Delivers advanced network and application visibility and collection on 10-Gbps Ethernet networks

    QRadar VFlow Collector appliances are virtual activity monitors that provide the same collection and visibility for virtual network and server resources as QRadar QFlow Collector appliances provide for physical resources. QRadar VFlow Collector appliances are virtual appliances that connect to the virtual switch within a VMware virtual host. They can support up to four virtual interfaces and up to 10,000 bidirectional flows per minute. The product can also analyze port-mirrored traffic for a physical network switch, helping bridge the gap between the physical and virtual realms.

    IBM Security QRadar Risk Manager appliances

    IBM Security QRadar Risk Manager appliances deliver proactive risk management capabilities for organizations of all sizes by extending QRadar SIEM capabilities to provide multi-vendor configuration audit, risk/compliance policy assessment, continuous monitoring and advanced threat simulation. These systems are deployed as an add-on to an existing IBM Security QRadar SIEM appliance.

    QRadar Risk Manager appliances feature:

    ● A turnkey hardware-based appliance system

    ● Support for 50 configuration sources (any supported device); expandable to thousands of configuration sources through license upgrade

    ● 6.5 TB of usable on-board storage for long-term data retention


    IBM Security QRadar Network Anomaly Detection Appliance

    The IBM Security QRadar Network Anomaly Detection Appliance is optimized to complement and integrate with IBM Security SiteProtector System and IBM Security Network Intrusion Prevention System to provide greater insight into network behavior and abnormal activities. It offers the anomaly detection and real-time correlation capabilities of QRadar SIEM to enhance the SiteProtector solution's numerous threat protection techniques. Network and application vulnerability data is also collected from vulnerability scanners and used to prioritize threats and risks seen by the intrusion prevention system product.

    QRadar Network Anomaly Detection is typically deployed as an add-on to an existing SiteProtector and Network Intrusion Prevention System installation. This appliance uses the same hardware as IBM Security QRadar SIEM 3105. It includes entitlement for collecting 500 events per second (upgradable to 1,000 events per second) and 25,000 network flows per minute (upgradable to 200,000 flows per minute).

    IBM Security QRadar high-availability appliances

    Easy-to-deploy IBM Security QRadar high-availability appliances provide fully automated disk synchronization and failover for high availability of data collection, correlation, analysis and reporting capabilities. These systems help organizations store, correlate and analyze large volumes of events, flows and other networking and asset data without interruption when the primary appliances are not functional for any reason.

    QRadar high-availability appliances offer the flexibility to use disk synchronization or leverage shared SAN/IP SAN storage, according to the available infrastructure. Disk synchronization is a built-in feature used to replicate data between a primary appliance and a secondary high-availability appliance. This simple-to-deploy solution delivers excellent performance without the configuration challenges, high costs and ongoing administration requirements of third-party fault tolerance products. QRadar high-availability appliances can be deployed on a per-appliance basis, enabling distributed QRadar deployments to add these capabilities where and when they are needed.

    IBM Security QRadar disaster-recovery appliances

    IBM Security QRadar disaster-recovery appliances provide a means of safeguarding collected event and flow data by mirroring it to a secondary, identical backup appliance deployment. Disaster recovery differs from high availability in that disaster-recovery appliances do not perform continuous synchronization between primary and backup appliances.

    All data mirroring is unidirectional and only event and flow data are covered. The QRadar disaster-recovery approach requires that the production and disaster-recovery deployments be identical in terms of topology, appliance model and event/flow processing capacity. Each console, event or flow processor appliance in the primary deployment must have an identical counterpart in the disaster-recovery deployment. QRadar disaster-recovery appliances can also be used in conjunction with QRadar high-availability solutions to achieve optimal system protection.

    Why IBM?

    IBM operates a worldwide security research, development and delivery organization comprising 10 security operations centers, nine IBM Research centers, 11 software security development labs and an Institute for Advanced Security with chapters in the United States, Europe and Asia Pacific. IBM solutions empower organizations to reduce their security vulnerabilities and focus more on the success of their strategic initiatives. These products build on the threat intelligence expertise of the IBM X-Force research and development team to provide a preemptive approach to security. As a trusted partner in security, IBM delivers the solutions to keep the entire enterprise infrastructure, including the cloud, protected from the latest security risks.

    For more information

    To learn more about IBM QRadar Security Intelligence Platform appliances, contact your IBM representative or IBM Business Partner, or visit: ibm.com/security

    For more information about IBM Security QRadar SIEM software, please see the IBM Security QRadar SIEM data sheet.

    Additionally, IBM Global Financing can help you acquire the software capabilities that your business needs in the most cost-effective and strategic way possible. We'll partner with credit-qualified clients to customize a financing solution to suit your business and development goals, enable effective cash management, and improve your total cost of ownership. Fund your critical IT investment and propel your business forward with IBM Global Financing. For more information, visit: ibm.com/financing

    © Copyright IBM Corporation 2013

    IBM Corporation, Software Group, Route 100, Somers, NY 10589

    Produced in the United States of America, January 2013

    IBM, the IBM logo, ibm.com, QRadar, and X-Force are trademarks of International Business Machines Corp., registered in many jurisdictions worldwide. Other product and service names might be trademarks of IBM or other companies. A current list of IBM trademarks is available on the web at "Copyright and trademark information" at ibm.com/legal/copytrade.shtml

    Linux is a registered trademark of Linus Torvalds in the United States, other countries, or both.

    This document is current as of the initial date of publication and may be changed by IBM at any time. Not all offerings are available in every country in which IBM operates.

    THE INFORMATION IN THIS DOCUMENT IS PROVIDED "AS IS" WITHOUT ANY WARRANTY, EXPRESS OR IMPLIED, INCLUDING WITHOUT ANY WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND ANY WARRANTY OR CONDITION OF NON-INFRINGEMENT. IBM products are warranted according to the terms and conditions of the agreements under which they are provided.

    IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed or misappropriated or can result in damage to or misuse of your systems, including to attack others. No IT system or product should be considered completely secure and no single product or security measure can be completely effective in preventing improper access. IBM systems and products are designed to be part of a comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products or services to be most effective. IBM does not warrant that systems and products are immune from the malicious or illegal conduct of any party.

    Please Recycle

    WGD03019-USEN-00