
DATASHEET

Total Security Intelligence | An IBM Company

QRadar Security Intelligence Platform Appliances

QRadar Security Intelligence Platform appliances combine typically disparate network and security management capabilities into a single, comprehensive solution. Appliance versions are offered for QRadar Log Manager, QRadar SIEM, QRadar Risk Manager, QRadar QFlow and QRadar VFlow (a virtual appliance).
The QRadar Security Intelligence Platform appliances are pre-configured, optimized systems that enable high performance and rapid deployment using state-of-the-art hardware. They do not require expensive external storage, third-party databases or ongoing database administration. Organizations use QRadar appliances to achieve maximum benefit from their security intelligence deployments.

QRadar Log Manager Appliances


QRadar Log Manager Appliances deliver QRadar Log Manager for organizations of all sizes. They are ideal for organizations that need simplified log management capabilities, with the ability to expand event processing capacity in the future. They meet the needs of small and midsize organizations, as well as large businesses that are geographically dispersed and require an enterprise-class scalable solution.

The QRadar appliance architecture offers an easy-to-deploy, scalable model through the use of distributed event processor appliances. Add-on event processor appliances perform real-time collection, storage, indexing, correlation and analysis of up to 20,000 events (logs) per second each. The QRadar Log Manager All-in-One Appliance utilizes on-board event collection and correlation capabilities, and is expandable with event processor appliances.

The QRadar Log Manager Console Appliance utilizes external event collection and correlation, allowing for dedicated search processing, distributed correlation, reporting and central administration of a distributed log management deployment. Organizations using a console appliance require at least one add-on event processor.

Common Features:
- Includes 3 TB or 6.2 TB of usable on-board storage for long-term data retention
- Supports 750 log sources (devices); expandable to tens of thousands of log sources
- Dual redundant power supplies (auto-sensing)
- Embedded hardware RAID 10 or 5 for high availability and redundancy of OS and storage
- Option to deploy turnkey, integrated HA appliance

All-in-One Appliance Features:
- Includes all capabilities (collection, storage, indexing, correlation, analysis and reporting) for comprehensive log management in a single turnkey appliance
- Supports up to 5,000 events per second (fully correlated); expandable to tens of thousands of events per second with add-on 1601/1605 Event Processors
- Provides one year of event storage for typical deployments *

Console Appliance Features:
- Provides global view of all event activity, with federated global searching and correlation, and centralized management, analysis and reporting
- Does not include event processing on-board; requires deployment of 1601/1605 Event Processor Appliance(s), which can support tens of thousands of events per second (fully correlated)

For more information about QRadar Log Manager software, please see the QRadar Log Manager data sheet.

Q1Labs.com

QRadar SIEM Appliances


QRadar 2100 All-In-One Appliance

The QRadar 2100 All-In-One Appliance delivers QRadar SIEM in a single appliance for small and medium-sized organizations. It provides an integrated security solution that is fast and easy to deploy. With its intuitive user interface, configuration is so simple that you can deploy a QRadar 2100 All-in-One Appliance and begin protecting your network in minutes. The QRadar 2100 All-in-One Appliance includes an embedded version of QRadar QFlow Collector, which provides layer 7 collection of network traffic flows and deep application visibility for advanced threat detection and forensic capabilities. Additional distributed QFlow Collectors can also be used in conjunction with the QRadar 2100 All-in-One Appliance for even broader network visibility.

Features:
- Includes all capabilities (collection, storage, indexing, correlation, offense management, analysis and reporting) for comprehensive SIEM in a single turnkey appliance
- Supports 1,000 events per second
- Supports up to 50,000 bi-directional flows per minute
- Includes on-board 50 Mbps QRadar QFlow Collector, with collection via passive tap or SPAN ports
- Supports 750 log sources (devices); expandable to tens of thousands of log sources
- Includes 1.5 TB of usable on-board storage for long-term data retention
- Provides one year of event and flow storage for typical deployments *
- Supports Fibre Channel for integration with storage area networks
- 10/100/1000 BASE-T connectivity for monitoring
- 10/100/1000 BASE-T management
- Dual redundant power supplies (auto-sensing)
- Embedded hardware RAID 10 for high availability and redundancy of OS and storage
- Option to deploy turnkey, integrated HA appliance

[Figure: Sample QRadar 2100 Deployment. Labels: QRadar Web Console; 2100; Firewall; IDS; Routers; Switches; QFlow Collection on Passive Tap; Routers, Switches and Other Network Devices Exporting Flow Data]

QRadar 3100/3105 All-In-One and Console Appliances

QRadar 3100/3105 Appliances deliver QRadar SIEM for organizations of all sizes. They are ideal for growing organizations that will need additional network activity and event monitoring capacity in the future. They are also the base platform for large businesses that are geographically dispersed and require an enterprise-class scalable solution.


The QRadar 3100/3105 All-in-One Appliance utilizes on-board event and flow collection and correlation capabilities, and is expandable with event processor, flow processor, and combined event and flow processor appliances. It can directly collect NetFlow, J-Flow, sFlow and IPFIX data, and utilize external QRadar QFlow Collectors for layer 7 network analysis and content capture. It can also use QRadar VFlow Collectors for layer 7 analysis and content capture within VMware virtual environments.

The QRadar 3100/3105 Console Appliance utilizes external event and flow collection and correlation, allowing for dedicated search processing, distributed correlation, offense management, reporting and central administration of a distributed SIEM deployment. The console appliance can utilize QRadar QFlow Collectors for layer 7 network analysis and content capture, and use flow processors to aggregate other network activity data, such as NetFlow, J-Flow, sFlow and IPFIX. It can also use QRadar VFlow Collectors for layer 7 analysis and content capture within VMware virtual environments. Organizations using a console appliance require at least one add-on event processor, flow processor, or combined event and flow processor appliance.

The QRadar appliance architecture offers an easy-to-deploy, scalable model through the use of distributed event and flow processor appliances. Add-on processor appliances perform real-time collection, storage, indexing, correlation and analysis of up to 20,000 events (logs) per second or 600,000 bi-directional flows per minute each.

Common Features:
- Includes 3 TB (3100 Appliance) or 6.2 TB (3105 Appliance) of usable on-board storage for long-term data retention
- Supports Fibre Channel for integration with storage area networks (3100 Appliance only)
- Option to deploy QRadar QFlow and QRadar VFlow Collectors in conjunction, for layer 7 network activity monitoring
- Supports 750 log sources (devices); expandable to tens of thousands of log sources
- Dual redundant power supplies (auto-sensing)
- Embedded hardware RAID 10 (3100 Appliance) or RAID 5 (3105 Appliance) for high availability and redundancy of OS and storage
- Option to deploy turnkey, integrated HA appliance

[Figure: Sample QRadar 3105 Deployment. Labels: QRadar Web Console; 3105; Firewall; IDS; 1201; Routers; Switches; QFlow Collection on Passive Tap; Routers, Switches and Other Network Devices Exporting Flow Data]

All-in-One Appliance Features:
- Includes all capabilities (collection, storage, indexing, correlation, offense management, analysis and reporting) for comprehensive SIEM in a single turnkey appliance
- Supports up to 5,000 events per second (fully correlated); expandable to tens of thousands of events per second with add-on 1601/1605 Event Processors
- Supports up to 200,000 bi-directional flows per minute (fully correlated); expandable to millions of flows per minute with add-on 1701 Flow Processors
- Provides one year of event and flow storage for typical deployments *
- Option to deploy 1601/1605 Event Processor, 1701 Flow Processor, and/or 1801/1802 Combined Event and Flow Processor Appliances in conjunction

Console Appliance Features:
- Provides global view of all event and network flow activity, with federated global searching and correlation, and centralized offense management, analysis and reporting
- Expandable to tens of thousands of events per second (fully correlated) with add-on 1601/1605 Event Processors, and to millions of flows per minute (fully correlated) with add-on 1701 Flow Processors; does not include event or flow processing on-board
- Requires deployment of 1601/1605 Event Processor, 1701 Flow Processor, and/or 1801/1802 Combined Event and Flow Processor Appliances in conjunction

QRadar 3124 All-In-One and Console Appliances


QRadar 3124 Appliances deliver QRadar SIEM for large, distributed enterprises such as those running security and network operations centers (SOCs and NOCs). These appliances are ideal for customers requiring high capacity and global correlation.

The QRadar 3124 All-in-One Appliance utilizes on-board event and flow collection and correlation capabilities, and is expandable with event and flow processor appliances. It can directly collect NetFlow, J-Flow, sFlow and IPFIX data, and utilize external QRadar QFlow Collectors for layer 7 network analysis and content capture. It can also use QRadar VFlow Collectors for layer 7 analysis and content capture within VMware virtual environments.

The QRadar 3124 Console Appliance utilizes external event and flow collection and correlation, allowing for dedicated search processing, distributed correlation, offense management, reporting and central administration of a distributed SIEM deployment. The console appliance can utilize QRadar QFlow Collectors for layer 7 network analysis and content capture, and use flow processors to aggregate other network activity data, such as NetFlow, J-Flow, sFlow and IPFIX. It can also use QRadar VFlow Collectors for layer 7 analysis and content capture within VMware virtual environments. Organizations using a console appliance require at least one add-on event or flow processor appliance.

The QRadar appliance architecture offers an easy-to-deploy, scalable model through the use of distributed event and flow processor appliances. Add-on processor appliances perform real-time collection, storage, indexing, correlation and analysis of up to 20,000 events (logs) per second or 1.2 million bi-directional flows per minute each.

Common Features:
- Includes all capabilities (collection, storage, indexing, correlation, offense management, analysis and reporting) for comprehensive SIEM in a single turnkey appliance
- Includes 16 TB of usable on-board storage for very-long-term data retention
- Option to deploy QRadar QFlow and QRadar VFlow Collectors in conjunction, for layer 7 network activity monitoring
- Supports 750 log sources (devices); expandable to tens of thousands of log sources
- Dual redundant power supplies (auto-sensing)
- Embedded hardware RAID 5 for high availability and redundancy of OS and storage
- Option to deploy turnkey, integrated HA appliance

[Figure: Sample QRadar 3124 Distributed Deployment. Labels: QRadar Web Console; 3124; 1724; 1624; 1201; Security Devices Exporting Logs (Routers, Switches, IDS, Firewall); Routers, Switches and Other Network Devices Exporting Flow Data]

All-in-One Appliance Features:
- Includes all capabilities (collection, storage, indexing, correlation, offense management, analysis and reporting) for comprehensive SIEM in a single turnkey appliance
- Supports up to 5,000 events per second (fully correlated); expandable to tens of thousands of events per second with add-on 1624 Event Processors
- Supports up to 200,000 bi-directional flows per minute (fully correlated); expandable to millions of flows per minute with add-on 1724 Flow Processors
- Provides three years of event and flow storage for typical deployments *
- Option to deploy 1624 Event Processor and/or 1724 Flow Processor Appliances in conjunction

Console Appliance Features:
- Provides global view of all event and network flow activity, with federated global searching and correlation, and centralized offense management, analysis and reporting
- Expandable to tens of thousands of events per second (fully correlated) with add-on 1624 Event Processors, and to millions of flows per minute (fully correlated) with add-on 1724 Flow Processors; does not include event or flow processing on-board
- Requires deployment of 1624 Event Processor and/or 1724 Flow Processor Appliances in conjunction

QRadar Risk Manager Appliance Packages


QRadar Risk Manager Add-On and Stand-Alone Appliance Packages

QRadar Risk Manager Appliance Packages deliver QRadar Risk Manager for organizations of all sizes. QRadar Risk Manager extends QRadar SIEM, providing multivendor configuration audit, risk/compliance policy assessment, continuous monitoring, and advanced threat simulation. QRadar Risk Manager can be deployed as an add-on to an existing QRadar SIEM appliance (2100, 3100, 3105 or 3124) or as a stand-alone package.

Common Package Features:
- Includes QRadar Risk Manager Appliance: includes all capabilities for network risk management (automated configuration monitoring, network modeling and simulation, and intelligent vulnerability prioritization), in a turnkey appliance
- Supports up to 50 configuration sources (any supported network or security device); expandable to thousands of configuration sources
- Includes 5.5 TB of usable on-board storage for long-term data retention
- Dual redundant power supplies (auto-sensing)
- Embedded hardware RAID 5 for high availability and redundancy of OS and storage

Add-On Appliance Package Features:
- Complements and easily integrates with an existing QRadar SIEM deployment
- Includes one server, a QRadar Risk Manager Appliance (described above)

Stand-Alone Appliance Package Features:
- Includes two servers, a QRadar Risk Manager Appliance (described above) and a QRadar SIEM Appliance
- QRadar SIEM Appliance includes:
  - 3 TB of usable on-board storage for long-term data retention
  - Provides two years of event and flow storage for typical deployments *
  - Support for up to 1,000 events per second (fully correlated); expandable to tens of thousands of events per second with QRadar Risk Manager upgrade and add-on 1601/1605 Event Processors
  - Support for up to 25,000 bi-directional flows per minute (fully correlated); expandable to millions of flows per minute with QRadar Risk Manager upgrade and add-on 1701 Flow Processors
  - Support for up to 375 log sources (devices); expandable to tens of thousands of log sources with QRadar Risk Manager upgrade and add-on 1601/1605 Event Processors


Complementary Modules
Event Processor Appliances
Event processors provide scalable event collection and correlation for organizations of all sizes. They support QRadar SIEM, QRadar Log Manager and QRadar Risk Manager deployments.

QRadar 1601, 1605 and 1624 Event Processor Appliances

The QRadar 1601, 1605 and 1624 Event Processors are expansion appliances that can be deployed in conjunction with QRadar Log Manager and QRadar 3100/3105/3124 Appliances. They offer turnkey collection, storage, indexing and real-time correlation of log data and can be deployed in a distributed manner that supports the largest deployments in the world.

Common Features:
- Event Processors can be deployed in a distributed fashion, to support massive scaling
- Dual redundant power supplies (auto-sensing)
- Option to deploy turnkey, integrated HA appliance

1601 Features:
- Supports up to 10,000 events per second (fully correlated) per appliance; can serve as component of distributed solution expandable to tens of thousands of events per second
- Includes 3 TB of usable on-board storage for long-term data retention
- Provides one year of event storage for typical deployments *
- Supports Fibre Channel for integration with storage area networks
- Embedded hardware RAID 10 for high availability and redundancy of OS and storage

1605 Features:
- Supports up to 20,000 events per second (fully correlated) per appliance; can serve as component of distributed solution expandable to tens of thousands of events per second
- Includes 6.2 TB of usable on-board storage for long-term data retention
- Provides one year of event storage for typical deployments *
- Embedded hardware RAID 5 for high availability and redundancy of OS and storage

1624 Features:
- Supports up to 20,000 events per second (fully correlated) per appliance; can serve as component of distributed solution expandable to tens of thousands of events per second
- Includes 16 TB of usable on-board storage for very-long-term data retention
- Provides three years of event storage for typical deployments *
- Embedded hardware RAID 5 for high availability and redundancy of OS and storage

Flow Processor Appliances


Flow processors provide scalable flow collection and correlation for organizations of all sizes. They support QRadar SIEM and QRadar Risk Manager deployments.


QRadar 1701 and 1724 Flow Processor Appliances

QRadar Flow Processors enable the collection, storage and analysis of network flow data in a variety of formats including NetFlow, J-Flow, sFlow, QFlow and VFlow. They can extract native flow information from the network infrastructure, or process layer 7 network data provided by QRadar QFlow Collectors. The QRadar 1701 and 1724 Flow Processors are expansion appliances deployed in conjunction with QRadar 3100/3105/3124 Appliances. They offer turnkey collection, storage, indexing and real-time correlation of flow data and can be deployed in a distributed manner that supports the largest deployments in the world.

Common Features:
- Flow Processors can be deployed in a distributed fashion, to support massive scaling
- Dual redundant power supplies (auto-sensing)
- Option to deploy turnkey, integrated HA appliance

1701 Features:
- Supports up to 600,000 bi-directional flows per minute (fully correlated) per appliance; can serve as component of distributed solution expandable to millions of flows per minute
- Includes 3 TB of usable on-board storage for long-term data retention
- Provides one year of flow storage for typical deployments *
- Supports Fibre Channel for integration with storage area networks
- Embedded hardware RAID 10 for high availability and redundancy of OS and storage

1724 Features:
- Supports up to 1.2 million bi-directional flows per minute (fully correlated) per appliance; can serve as component of distributed solution expandable to millions of flows per minute
- Includes 16 TB of usable on-board storage for very-long-term data retention
- Provides three years of flow storage for typical deployments *
- Embedded hardware RAID 5 for high availability and redundancy of OS and storage

Combined Event and Flow Processor Appliances


Combined event and flow processor appliances provide scalable event log and flow collection and correlation in one consolidated system. They support QRadar SIEM and QRadar Risk Manager deployments.

QRadar 1801 and 1802 Combined Event and Flow Processor Appliances

The QRadar 1801 and 1802 Combined Event and Flow Processors provide event and network activity monitoring and processing for remote/branch offices and for large, distributed organizations seeking scalable solutions. They are expansion appliances that can be deployed in conjunction with QRadar 3100/3105/3124 and QRadar Risk Manager Appliances. These appliances offer collection and real-time correlation of event and flow data, and can be deployed in a distributed manner that supports the largest deployments in the world.

Common Features:
- Event and flow processing in a single appliance
- Provides one year of event and flow storage for typical deployments *
- Supports Fibre Channel for integration with storage area networks
- Dual redundant power supplies (auto-sensing)
- Embedded hardware RAID 10 for high availability and redundancy of OS and storage
- Option to deploy turnkey, integrated HA appliance


1801 Features:
- Supports 1,000 events per second (fully correlated); can serve as component of distributed solution expandable to tens of thousands of events per second
- Supports up to 50,000 bi-directional flows per minute (fully correlated); can serve as component of distributed solution expandable to millions of flows per minute
- Includes 1.5 TB of usable on-board storage for long-term data retention

1802 Features:
- Supports up to 5,000 events per second (fully correlated); can serve as component of distributed solution expandable to tens of thousands of events per second
- Supports up to 200,000 bi-directional flows per minute (fully correlated); can serve as component of distributed solution expandable to millions of flows per minute
- Includes 3 TB of usable on-board storage for long-term data retention

Flow Collectors for Layer 7 Visibility


QRadar QFlow and QRadar VFlow Collectors offer a powerful solution for gathering rich network activity data over physical and virtual infrastructures. They surpass traditional flow-based data capture by collecting layer 7 data via deep packet inspection. This enables application-level network activity analysis and anomaly detection, as well as content capture for forensic activities. This information, when correlated with network and security events, enables a more advanced analysis of the overall security posture of the network.

QRadar QFlow Collectors

QRadar QFlow Collectors gather network traffic passively through network taps and SPAN ports. They can detect more than 1,000 applications such as VoIP, social media, multimedia, ERP, and peer to peer (P2P), among many others.

QRadar 1101 QFlow Collector: The 1101 QFlow Collector is a cost-effective collector for lower bandwidth monitoring (less than 100 Mbps) in remote locations or for Internet connections.

QRadar 1201 QFlow Collector: The 1201 QFlow Collector provides a mid-range multi-port collection appliance for underutilized Gigabit Ethernet connections (under 500 Mbps).

QRadar 1202 QFlow Collector: The 1202 QFlow Collector appliance provides line-rate gigabit network performance and multi-port flexibility. The 1202 is well suited for collecting and monitoring high rates of network traffic at the data center and core of an enterprise.

QRadar 1301 QFlow Collector: The 1301 QFlow Collector appliance provides line-rate gigabit network performance, multi-port flexibility and fiber connectivity. The 1301 is well suited for collecting and monitoring high rates of network traffic at the data center and core of an enterprise.

QRadar 1302 QFlow Collector: The 1302 QFlow Collector appliance provides line-rate gigabit network performance, multi-port flexibility and fiber connectivity. The 1302 is well suited for collecting and monitoring high rates of network traffic at the data center and core of an enterprise.

QRadar 1310 QFlow Collector: The 1310 QFlow Collector delivers advanced network and application visibility and collection on 10 Gbps networks.


QRadar VFlow Collectors

QRadar VFlow Collectors are virtual activity monitors that provide the same collection and visibility for virtual network and server resources as QRadar QFlow Collectors provide for physical resources. QRadar VFlow Collectors are virtual appliances that connect to the virtual switch within a VMware virtual host. As with QFlow Collectors, the layer 7 data collected by VFlow Collectors is used for network activity monitoring as well as correlation against log activity, for superior detection of security threats. The product can also analyze port-mirrored traffic for a physical network switch, which helps bridge the gap between the physical and virtual realms.

Features:
- Supports up to 10,000 bi-directional flows per minute (fully correlated)
- Supports up to 4 virtual interfaces

QRadar Virtual Appliances


QRadar virtual appliances offer an alternative deployment form factor for organizations seeking to leverage VMware virtual infrastructures. They are well suited for large virtual and cloud environments, small organizations targeting compact and cost-efficient solutions, and branch and remote offices with lower data volumes. QRadar virtual appliances provide the exact same software as the respective hardware appliances described above, but they are delivered in software-only form and are supported on VMware ESX Server 4.1.

Organizations can freely use any combination of virtual and hardware appliances together, allowing for flexible expansion according to the needs of each business. SIEM and Log Manager virtual appliances are offered for both centralized and distributed deployments. As with hardware appliances, distributed deployments of virtual appliances enable total processing capacity well in excess of the individual virtual appliance capacities. The following QRadar virtual appliances are offered (in addition to QRadar VFlow Collectors):
- QRadar 3190 SIEM All-in-One
- QRadar 3190 SIEM Console
- QRadar 3190 Log Manager All-in-One
- QRadar 3190 Log Manager Console
- QRadar 1690 SIEM Event Processor
- QRadar 1690 Log Manager Event Processor
- QRadar 1790 Flow Processor

QRadar 3190 SIEM All-in-One, QRadar 3190 Log Manager All-in-One, QRadar 1690 SIEM Event Processor and QRadar 1690 Log Manager Event Processor virtual appliances support event rates of 100, 200, 500 or 1,000 EPS. QRadar 3190 SIEM All-in-One and QRadar 1790 Flow Processor virtual appliances support flow rates of 15K, 25K or 50K flows per minute.


QRadar High Availability


QRadar's easy-to-deploy high availability (HA) appliances provide fully automated disk synchronization and failover, for high availability of data collection, correlation, analysis and reporting capabilities. QRadar High Availability addresses the demand for scalable solutions that enable organizations to store, correlate and analyze large volumes of events, flows and other networking and asset data without interruption. QRadar High Availability appliances offer the flexibility to use disk synchronization or leverage shared storage (SAN/IP SAN), whichever option best meets your available infrastructure. Disk synchronization is a built-in QRadar HA feature that is used to replicate data between a primary appliance and an HA appliance. This simple-to-deploy solution delivers excellent performance, without the configuration challenges, high costs and ongoing administration requirements of third-party fault tolerance products. QRadar HA appliances can be deployed on a per-appliance basis, enabling distributed QRadar deployments to add HA appliances as needed.

* Actual storage duration will vary based on event and flow size, events per second, flows per minute, compression policy, compression ratio and coalescing ratio.
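The footnote above is the part of the datasheet a practitioner actually has to act on: the "one year" and "three years" retention figures hold only for a "typical" deployment, and the per-appliance EPS and flows-per-minute figures are caps that a distributed deployment sums. The following capacity-planning helper is an added example, not Q1 Labs or IBM code. The per-model capacities are the numbers printed in this datasheet; the storage model (coalescing divides the number of stored records, compression divides the bytes per record, 1 TB read as 10^12 bytes) is a simplifying assumption of this example and not a published QRadar formula, so the results are planning estimates to be validated against a real deployment.

```python
import math

# Per-appliance capacities as stated in this datasheet ("fully correlated").
# eps = events per second, fpm = bi-directional flows per minute.
PROCESSOR_CAPACITY = {
    "1601": {"eps": 10_000, "fpm": 0},
    "1605": {"eps": 20_000, "fpm": 0},
    "1624": {"eps": 20_000, "fpm": 0},
    "1701": {"eps": 0, "fpm": 600_000},
    "1724": {"eps": 0, "fpm": 1_200_000},
    "1801": {"eps": 1_000, "fpm": 50_000},
    "1802": {"eps": 5_000, "fpm": 200_000},
}

TB = 10**12  # assumption: "TB" in the datasheet is read as decimal terabytes


def processors_needed(target_eps, model):
    """Minimum number of one event-processor model to reach target_eps."""
    cap = PROCESSOR_CAPACITY[model]["eps"]
    if cap == 0:
        raise ValueError(f"model {model} does not process events")
    return math.ceil(target_eps / cap)


def deployment_capacity(plan):
    """Sum the datasheet capacities of a distributed deployment.

    plan maps model number -> appliance count, e.g. {"1605": 2, "1701": 1}.
    """
    eps = sum(PROCESSOR_CAPACITY[m]["eps"] * n for m, n in plan.items())
    fpm = sum(PROCESSOR_CAPACITY[m]["fpm"] * n for m, n in plan.items())
    return {"eps": eps, "fpm": fpm}


def plan_covers(plan, target_eps, target_fpm):
    """True when the summed capacity meets both the event and flow targets."""
    cap = deployment_capacity(plan)
    return cap["eps"] >= target_eps and cap["fpm"] >= target_fpm


def retention_days(usable_tb, eps, avg_event_bytes,
                   compression_ratio=1.0, coalescing_ratio=1.0):
    """Estimate how many days of events fit into usable_tb of storage.

    Simplified model (an assumption of this example, not a QRadar formula):
    the coalescing ratio (N:1) divides the number of records written per day,
    the compression ratio (N:1) divides the bytes per record. These are the
    factors the datasheet footnote names as driving actual retention.
    """
    if eps <= 0 or avg_event_bytes <= 0:
        raise ValueError("eps and avg_event_bytes must be positive")
    if compression_ratio < 1 or coalescing_ratio < 1:
        raise ValueError("ratios are N:1 and must be >= 1")
    records_per_day = eps * 86_400 / coalescing_ratio
    bytes_per_day = records_per_day * avg_event_bytes / compression_ratio
    return usable_tb * TB / bytes_per_day


if __name__ == "__main__":
    # Constructed scenario: 25,000 EPS and 600,000 flows/min of sustained load.
    target_eps, target_fpm = 25_000, 600_000
    plan = {"1605": processors_needed(target_eps, "1605"), "1701": 1}
    print("plan:", plan, "capacity:", deployment_capacity(plan),
          "covers target:", plan_covers(plan, target_eps, target_fpm))

    # Constructed sizing inputs: 300-byte average event, 10:1 compression,
    # no coalescing, on a 1605 (6.2 TB usable) running at its 20,000 EPS cap.
    days = retention_days(6.2, 20_000, 300, compression_ratio=10)
    print(f"estimated retention on a 1605 at full rate: {days:.0f} days")
```

The second scenario is the reason to keep such a calculator next to the datasheet: the same appliance that the vendor rates at "one year for typical deployments" retains far less at its maximum event rate, so the event size, EPS and compression assumptions behind a retention requirement should be written down and re-checked when log sources are added.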

Q1 Labs, an IBM Company 890 Winter Street, Suite 230 Waltham, MA 02451 USA 1.781.250.5800, info@Q1Labs.com

Copyright 2012 Q1 Labs, an IBM Company. All rights reserved. Q1 Labs, an IBM Company, the Q1 Labs, an IBM Company logo, Total Security Intelligence, and QRadar are trademarks or registered trademarks of Q1 Labs, Inc. All other company or product names mentioned may be trademarks, registered trademarks, or service marks of their respective holders. The specifications and information contained herein are subject to change without notice.

DSAPPL0312
