(169383025) QRadar Appliance Datasheet

June 25, 2016 | Author: Katie Fletcher | Category: Types, Brochures

DATASHEET

Total Security Intelligence | An IBM Company

QRadar® Security Intelligence Platform Appliances

QRadar® Security Intelligence Platform appliances combine typically disparate network and security management capabilities into a single, comprehensive solution. Appliance versions are offered for QRadar Log Manager, QRadar SIEM, QRadar Risk Manager, QRadar QFlow and QRadar VFlow (a virtual appliance). The QRadar Security Intelligence Platform appliances are pre-configured, optimized systems that enable high performance and rapid deployment using state-of-the-art hardware. They do not require expensive external storage, third-party databases or ongoing database administration. Organizations use QRadar appliances to achieve maximum benefit from their security intelligence deployments.

QRadar Log Manager Appliances

QRadar Log Manager Appliances deliver QRadar Log Manager for organizations of all sizes. They are ideal for organizations that need simplified log management capabilities, with the ability to expand event processing capacity in the future. They meet the needs of small and midsize organizations, as well as large businesses that are geographically dispersed and require an enterprise-class scalable solution.

The QRadar appliance architecture offers an easy-to-deploy, scalable model through the use of distributed event processor appliances. Add-on event processor appliances perform real-time collection, storage, indexing, correlation and analysis of up to 20,000 events (logs) per second each. The QRadar Log Manager All-in-One Appliance utilizes on-board event collection and correlation capabilities, and is expandable with event processor appliances.

The QRadar Log Manager Console Appliance utilizes external event collection and correlation, allowing for dedicated search processing, distributed correlation, reporting and central administration of a distributed log management deployment. Organizations using a console appliance require at least one add-on event processor.

Common Features:
• Includes 3 TB or 6.2 TB of usable on-board storage for long-term data retention
• Supports 750 log sources (devices); expandable to tens of thousands of log sources
• Dual redundant power supplies (auto-sensing)
• Embedded hardware RAID 10 or 5 for high availability and redundancy of OS and storage
• Option to deploy turnkey, integrated HA appliance

All-in-One Appliance Features:
• Includes all capabilities (collection, storage, indexing, correlation, analysis and reporting) for comprehensive log management in a single turnkey appliance
• Supports up to 5,000 events per second (fully correlated); expandable to tens of thousands of events per second with add-on 1601/1605 Event Processors
• Provides one year of event storage for typical deployments *

Console Appliance Features:
• Provides global view of all event activity, with federated global searching and correlation, and centralized management, analysis and reporting
• Does not include event processing on-board; requires deployment of 1601/1605 Event Processor Appliance(s), which can support tens of thousands of events per second (fully correlated)

For more information about QRadar Log Manager software, please see the QRadar Log Manager data sheet.

QRadar SIEM Appliances

QRadar 2100 All-In-One Appliance

The QRadar 2100 All-In-One Appliance delivers QRadar SIEM in a single appliance for small and medium-sized organizations. It provides an integrated security solution that is fast and easy to deploy. With its intuitive user interface, configuration is so simple that you can deploy a QRadar 2100 All-in-One Appliance and begin protecting your network in minutes. The QRadar 2100 All-in-One Appliance includes an embedded version of QRadar QFlow Collector, which provides layer 7 collection of network traffic flows and deep application visibility for advanced threat detection and forensic capabilities. Additional distributed QFlow Collectors can also be used in conjunction with the QRadar 2100 All-in-One Appliance for even broader network visibility.

Sample QRadar 2100 Deployment (diagram showing the QRadar Web Console, the 2100 appliance, a Firewall, Routers, Switches and IDS, Routers, Switches and Other Network Devices Exporting Flow Data, and QFlow Collection on Passive Tap)

Features:
• Includes all capabilities (collection, storage, indexing, correlation, offense management, analysis and reporting) for comprehensive SIEM in a single turnkey appliance
• Supports 1,000 events per second
• Supports up to 50,000 bi-directional flows per minute
• Includes on-board 50 Mbps QRadar QFlow Collector, with collection via passive tap or SPAN ports
• Supports 750 log sources (devices); expandable to tens of thousands of log sources
• Includes 1.5 TB of usable on-board storage for long-term data retention
• Provides one year of event and flow storage for typical deployments *
• Supports Fibre Channel for integration with storage area networks
• 10/100/1000 BASE-T connectivity for monitoring
• 10/100/1000 BASE-T management
• Dual redundant power supplies (auto-sensing)
• Embedded hardware RAID 10 for high availability and redundancy of OS and storage
• Option to deploy turnkey, integrated HA appliance

QRadar 3100/3105 All-In-One and Console Appliances

QRadar 3100/3105 Appliances deliver QRadar SIEM for organizations of all sizes. They are ideal for growing organizations that will need additional network activity and event monitoring capacity in the future. They are also the base platform for large businesses that are geographically dispersed and require an enterprise-class scalable solution.


The QRadar 3100/3105 All-in-One Appliance utilizes on-board event and flow collection and correlation capabilities, and is expandable with event processor, flow processor, and combined event and flow processor appliances. It can directly collect NetFlow, J-Flow, sFlow and IPFIX data, and utilize external QRadar QFlow Collectors for layer 7 network analysis and content capture. It can also use QRadar VFlow Collectors for layer 7 analysis and content capture within VMware virtual environments.

The QRadar 3100/3105 Console Appliance utilizes external event and flow collection and correlation, allowing for dedicated search processing, distributed correlation, offense management, reporting and central administration of a distributed SIEM deployment. The console appliance can utilize QRadar QFlow Collectors for layer 7 network analysis and content capture, and use flow processors to aggregate other network activity data, such as NetFlow, J-Flow, sFlow and IPFIX. It can also use QRadar VFlow Collectors for layer 7 analysis and content capture within VMware virtual environments. Organizations using a console appliance require at least one add-on event processor, flow processor, or combined event and flow processor appliance.

The QRadar appliance architecture offers an easy-to-deploy, scalable model through the use of distributed event and flow processor appliances. Add-on processor appliances perform real-time collection, storage, indexing, correlation and analysis of up to 20,000 events (logs) per second or 600,000 bi-directional flows per minute each.

Sample QRadar 3105 Deployment (diagram showing the QRadar Web Console, the 3105 appliance, 1201 QFlow Collectors, a Firewall, IDS, Routers, Switches, Routers, Switches and Other Network Devices Exporting Flow Data, and QFlow Collection on Passive Tap)

Common Features:
• Includes 3 TB (3100 Appliance) or 6.2 TB (3105 Appliance) of usable on-board storage for long-term data retention
• Supports Fibre Channel for integration with storage area networks (3100 Appliance only)
• Option to deploy QRadar QFlow and QRadar VFlow Collectors in conjunction, for Layer 7 network activity monitoring
• Supports 750 log sources (devices); expandable to tens of thousands of log sources
• Dual redundant power supplies (auto-sensing)
• Embedded hardware RAID 10 (3100 Appliance) or RAID 5 (3105 Appliance) for high availability and redundancy of OS and storage
• Option to deploy turnkey, integrated HA appliance

All-in-One Appliance Features:
• Includes all capabilities (collection, storage, indexing, correlation, offense management, analysis and reporting) for comprehensive SIEM in a single turnkey appliance
• Supports up to 5,000 events per second (fully correlated); expandable to tens of thousands of events per second with add-on 1601/1605 Event Processors
• Supports up to 200,000 bi-directional flows per minute (fully correlated); expandable to millions of flows per minute with add-on 1701 Flow Processors
• Provides one year of event and flow storage for typical deployments *
• Option to deploy 1601/1605 Event Processor, 1701 Flow Processor, and/or 1801/1802 Combined Event and Flow Processor Appliances in conjunction

Console Appliance Features:
• Provides global view of all event and network flow activity, with federated global searching and correlation, and centralized offense management, analysis and reporting
• Expandable to tens of thousands of events per second (fully correlated) with add-on 1601/1605 Event Processors, and to millions of flows per minute (fully correlated) with add-on 1701 Flow Processors; does not include event or flow processing on-board
• Requires deployment of 1601/1605 Event Processor, 1701 Flow Processor, and/or 1801/1802 Combined Event and Flow Processor Appliances in conjunction

QRadar 3124 All-In-One and Console Appliances

QRadar 3124 Appliances deliver QRadar SIEM for large, distributed enterprises – such as those running security and network operations centers (SOCs and NOCs). These appliances are ideal for customers requiring high capacity and global correlation.

The QRadar 3124 All-in-One Appliance utilizes on-board event and flow collection and correlation capabilities, and is expandable with event and flow processor appliances. It can directly collect NetFlow, J-Flow, sFlow and IPFIX data, and utilize external QRadar QFlow Collectors for layer 7 network analysis and content capture. It can also use QRadar VFlow Collectors for layer 7 analysis and content capture within VMware virtual environments.

The QRadar 3124 Console Appliance utilizes external event and flow collection and correlation, allowing for dedicated search processing, distributed correlation, offense management, reporting and central administration of a distributed SIEM deployment. The console appliance can utilize QRadar QFlow Collectors for layer 7 network analysis and content capture, and use flow processors to aggregate other network activity data, such as NetFlow, J-Flow, sFlow and IPFIX. It can also use QRadar VFlow Collectors for layer 7 analysis and content capture within VMware virtual environments. Organizations using a console appliance require at least one add-on event or flow processor appliance.

The QRadar appliance architecture offers an easy-to-deploy, scalable model through the use of distributed event and flow processor appliances. Add-on processor appliances perform real-time collection, storage, indexing, correlation and analysis of up to 20,000 events (logs) per second or 1.2 million bi-directional flows per minute each.

Sample QRadar 3124 Distributed Deployment (diagram showing the QRadar Web Console, the 3124 console, 1724 and 1624 processors, 1201 QFlow Collectors, a Firewall, Routers, Switches and IDS, Security Devices Exporting Logs, and Routers, Switches and Other Network Devices Exporting Flow Data)

Common Features:
• Includes all capabilities (collection, storage, indexing, correlation, offense management, analysis and reporting) for comprehensive SIEM in a single turnkey appliance
• Includes 16 TB of usable on-board storage for very-long-term data retention
• Option to deploy QRadar QFlow and QRadar VFlow Collectors in conjunction, for layer 7 network activity monitoring
• Supports 750 log sources (devices); expandable to tens of thousands of log sources
• Dual redundant power supplies (auto-sensing)
• Embedded hardware RAID 5 for high availability and redundancy of OS and storage
• Option to deploy turnkey, integrated HA appliance

All-in-One Appliance Features:
• Includes all capabilities (collection, storage, indexing, correlation, offense management, analysis and reporting) for comprehensive SIEM in a single turnkey appliance
• Supports up to 5,000 events per second (fully correlated); expandable to tens of thousands of events per second with add-on 1624 Event Processors
• Supports up to 200,000 bi-directional flows per minute (fully correlated); expandable to millions of flows per minute with add-on 1724 Flow Processors
• Provides three years of event and flow storage for typical deployments *
• Option to deploy 1624 Event Processor and/or 1724 Flow Processor Appliances in conjunction

Console Appliance Features:
• Provides global view of all event and network flow activity, with federated global searching and correlation, and centralized offense management, analysis and reporting
• Expandable to tens of thousands of events per second (fully correlated) with add-on 1624 Event Processors, and to millions of flows per minute (fully correlated) with add-on 1724 Flow Processors; does not include event or flow processing on-board
• Requires deployment of 1624 Event Processor and/or 1724 Flow Processor Appliances in conjunction

QRadar Risk Manager Appliance Packages

QRadar Risk Manager Add-On and Stand-Alone Appliance Packages

QRadar Risk Manager Appliance Packages deliver QRadar Risk Manager for organizations of all sizes. QRadar Risk Manager extends QRadar SIEM, providing multivendor configuration audit, risk/compliance policy assessment, continuous monitoring, and advanced threat simulation. QRadar Risk Manager can be deployed as an add-on to an existing QRadar SIEM appliance (2100, 3100, 3105 or 3124) or as a stand-alone package.

Common Package Features:
• Includes QRadar Risk Manager Appliance:
  • Includes all capabilities for network risk management (automated configuration monitoring, network modeling and simulation, and intelligent vulnerability prioritization), in a turnkey appliance
  • Supports up to 50 configuration sources (any supported network or security device); expandable to thousands of configuration sources
  • Includes 5.5 TB of usable on-board storage for long-term data retention
  • Dual redundant power supplies (auto-sensing)
  • Embedded hardware RAID 5 for high availability and redundancy of OS and storage

Add-On Appliance Package Features:
• Complements and easily integrates with an existing QRadar SIEM deployment
• Includes one server, a QRadar Risk Manager Appliance (described above)

Stand-Alone Appliance Package Features:
• Includes two servers, a QRadar Risk Manager Appliance (described above) and a QRadar SIEM Appliance
• QRadar SIEM Appliance includes:
  • 3 TB of usable on-board storage for long-term data retention
  • Provides two years of event and flow storage for typical deployments *
  • Support for up to 1,000 events per second (fully correlated); expandable to tens of thousands of events per second with QRadar Risk Manager upgrade and add-on 1601/1605 Event Processors
  • Support for up to 25,000 bi-directional flows per minute (fully correlated); expandable to millions of flows per minute with QRadar Risk Manager upgrade and add-on 1701 Flow Processors
  • Support for up to 375 log sources (devices); expandable to tens of thousands of log sources with QRadar Risk Manager upgrade and add-on 1601/1605 Event Processors


Complementary Modules

Event Processor Appliances

Event processors provide scalable event collection and correlation for organizations of all sizes. They support QRadar SIEM, QRadar Log Manager and QRadar Risk Manager deployments.

QRadar 1601, 1605 and 1624 Event Processor Appliances

The QRadar 1601, 1605 and 1624 Event Processors are expansion appliances that can be deployed in conjunction with QRadar Log Manager and QRadar 3100/3105/3124 Appliances. They offer turnkey collection, storage, indexing and real-time correlation of log data and can be deployed in a distributed manner that supports the largest deployments in the world.

Common Features:
• Event Processors can be deployed in a distributed fashion, to support massive scaling
• Dual redundant power supplies (auto-sensing)
• Option to deploy turnkey, integrated HA appliance

1601 Features:
• Supports up to 10,000 events per second (fully correlated) per appliance; can serve as component of distributed solution expandable to tens of thousands of events per second
• Includes 3 TB of usable on-board storage for long-term data retention
• Provides one year of event storage for typical deployments *
• Supports Fibre Channel for integration with storage area networks
• Embedded hardware RAID 10 for high availability and redundancy of OS and storage

1605 Features:
• Supports up to 20,000 events per second (fully correlated) per appliance; can serve as component of distributed solution expandable to tens of thousands of events per second
• Includes 6.2 TB of usable on-board storage for long-term data retention
• Provides one year of event storage for typical deployments *
• Embedded hardware RAID 5 for high availability and redundancy of OS and storage

1624 Features:
• Supports up to 20,000 events per second (fully correlated) per appliance; can serve as component of distributed solution expandable to tens of thousands of events per second
• Includes 16 TB of usable on-board storage for very-long-term data retention
• Provides three years of event storage for typical deployments *
• Embedded hardware RAID 5 for high availability and redundancy of OS and storage

Flow Processor Appliances

Flow processors provide scalable flow collection and correlation for organizations of all sizes. They support QRadar SIEM and QRadar Risk Manager deployments.


QRadar 1701 and 1724 Flow Processor Appliances

QRadar Flow Processors enable the collection, storage and analysis of network flow data in a variety of formats including NetFlow, J-Flow, sFlow, QFlow and VFlow. They can extract native flow information from the network infrastructure, or process layer 7 network data provided by QRadar QFlow Collectors. The QRadar 1701 and 1724 Flow Processors are expansion appliances deployed in conjunction with QRadar 3100/3105/3124 Appliances. They offer turnkey collection, storage, indexing and real-time correlation of flow data and can be deployed in a distributed manner that supports the largest deployments in the world.

Common Features:
• Flow Processors can be deployed in a distributed fashion, to support massive scaling
• Dual redundant power supplies (auto-sensing)
• Option to deploy turnkey, integrated HA appliance

1701 Features:
• Supports up to 600,000 bi-directional flows per minute (fully correlated) per appliance; can serve as component of distributed solution expandable to millions of flows per minute
• Includes 3 TB of usable on-board storage for long-term data retention
• Provides one year of flow storage for typical deployments *
• Supports Fibre Channel for integration with storage area networks
• Embedded hardware RAID 10 for high availability and redundancy of OS and storage

1724 Features:
• Supports up to 1.2 million bi-directional flows per minute (fully correlated) per appliance; can serve as component of distributed solution expandable to millions of flows per minute
• Includes 16 TB of usable on-board storage for very-long-term data retention
• Provides three years of flow storage for typical deployments *
• Embedded hardware RAID 5 for high availability and redundancy of OS and storage

Combined Event and Flow Processor Appliances

Combined event and flow processor appliances provide scalable event log and flow collection and correlation in one consolidated system. They support QRadar SIEM and QRadar Risk Manager deployments.

QRadar 1801 and 1802 Combined Event and Flow Processor Appliances

The QRadar 1801 and 1802 Combined Event and Flow Processors provide event and network activity monitoring and processing for remote/branch offices and for large, distributed organizations seeking scalable solutions. They are expansion appliances that can be deployed in conjunction with QRadar 3100/3105/3124 and QRadar Risk Manager Appliances. These appliances offer collection and real-time correlation of event and flow data, and can be deployed in a distributed manner that supports the largest deployments in the world.

Common Features:
• Event and flow processing in a single appliance
• Provides one year of event and flow storage for typical deployments *
• Supports Fibre Channel for integration with storage area networks
• Dual redundant power supplies (auto-sensing)
• Embedded hardware RAID 10 for high availability and redundancy of OS and storage
• Option to deploy turnkey, integrated HA appliance


1801 Features:
• Supports 1,000 events per second (fully correlated); can serve as component of distributed solution expandable to tens of thousands of events per second
• Supports up to 50,000 bi-directional flows per minute (fully correlated); can serve as component of distributed solution expandable to millions of flows per minute
• Includes 1.5 TB of usable on-board storage for long-term data retention

1802 Features:
• Supports up to 5,000 events per second (fully correlated); can serve as component of distributed solution expandable to tens of thousands of events per second
• Supports up to 200,000 bi-directional flows per minute (fully correlated); can serve as component of distributed solution expandable to millions of flows per minute
• Includes 3 TB of usable on-board storage for long-term data retention

Flow Collectors for Layer 7 Visibility

QRadar QFlow and QRadar VFlow Collectors offer a powerful solution for gathering rich network activity data over physical and virtual infrastructures. They surpass traditional flow-based data capture by collecting layer 7 data via deep packet inspection. This enables application-level network activity analysis and anomaly detection, as well as content capture for forensic activities. This information, when correlated with network and security events, enables a more advanced analysis of the overall security posture of the network.

QRadar QFlow Collectors

QRadar QFlow Collectors gather network traffic passively through network taps and SPAN ports. They can detect more than 1,000 applications such as VoIP, social media, multimedia, ERP, and peer to peer (P2P), among many others.

QRadar 1101 QFlow Collector: The 1101 QFlow Collector is a cost-effective collector for lower bandwidth monitoring (less than 100 Mbps) in remote locations or for Internet connections.

QRadar 1201 QFlow Collector: The 1201 QFlow Collector provides a mid-range multi-port collection appliance for underutilized Gigabit Ethernet connections (under 500 Mbps).

QRadar 1202 QFlow Collector: The 1202 QFlow collector appliance provides line-rate gigabit network performance and multi-port flexibility. The 1202 is well suited for collecting and monitoring high rates of network traffic at the data center and core of an enterprise.

QRadar 1301 QFlow Collector: The 1301 QFlow collector appliance provides line-rate gigabit network performance, multi-port flexibility and fiber connectivity. The 1301 is well suited for collecting and monitoring high rates of network traffic at the data center and core of an enterprise.

QRadar 1302 QFlow Collector: The 1302 QFlow collector appliance provides line-rate gigabit network performance, multi-port flexibility and fiber connectivity. The 1302 is well suited for collecting and monitoring high rates of network traffic at the data center and core of an enterprise.

QRadar 1310 QFlow Collector: The 1310 QFlow Collector delivers advanced network and application visibility and collection on 10 Gbps networks.


QRadar VFlow Collectors

QRadar VFlow Collectors are virtual activity monitors that provide the same collection and visibility for virtual network and server resources as QRadar QFlow Collectors provide for physical resources. QRadar VFlow Collectors are virtual appliances that connect to the virtual switch within a VMware virtual host. As with QFlow Collectors, the layer 7 data collected by VFlow Collectors is used for network activity monitoring as well as correlation against log activity, for superior detection of security threats. The product can also analyze port-mirrored traffic for a physical network switch, which helps bridge the gap between the physical and virtual realms.

Features:
• Supports up to 10,000 bi-directional flows per minute (fully correlated)
• Supports up to 4 virtual interfaces

QRadar Virtual Appliances

QRadar virtual appliances offer an alternative deployment form factor for organizations seeking to leverage VMware virtual infrastructures. They are well suited for large virtual and cloud environments, small organizations targeting compact and cost-efficient solutions, and branch and remote offices with lower data volumes. QRadar virtual appliances provide the exact same software as the respective hardware appliances described above, but they are delivered in software-only form and are supported on VMware ESX Server 4.1.

Organizations can freely use any combination of virtual and hardware appliances together, allowing for flexible expansion according to the needs of each business. SIEM and Log Manager virtual appliances are offered for both centralized and distributed deployments. As with hardware appliances, distributed deployments of virtual appliances enable total processing capacity well in excess of the individual virtual appliance capacities. The following QRadar virtual appliances are offered (in addition to QRadar VFlow Collectors):
• QRadar 3190 SIEM All-in-One
• QRadar 3190 SIEM Console
• QRadar 3190 Log Manager All-in-One
• QRadar 3190 Log Manager Console
• QRadar 1690 SIEM Event Processor
• QRadar 1690 Log Manager Event Processor
• QRadar 1790 Flow Processor

QRadar 3190 SIEM All-in-One, QRadar 3190 Log Manager All-in-One, QRadar 1690 SIEM Event Processor and QRadar 1690 Log Manager Event Processor virtual appliances support event rates of 100, 200, 500 or 1,000 EPS. QRadar 3190 SIEM All-in-One and QRadar 1790 Flow Processor virtual appliances support flow rates of 15K, 25K or 50K flows per minute.


QRadar High Availability

QRadar’s easy-to-deploy high availability (HA) appliances provide fully automated disk synchronization and failover, for high availability of data collection, correlation, analysis and reporting capabilities. QRadar High Availability addresses the demand for scalable solutions that enable organizations to store, correlate and analyze large volumes of events, flows and other networking and asset data without interruption. QRadar High Availability appliances offer the flexibility to use disk synchronization or leverage shared storage (SAN / IP SAN) – whichever option best meets your available infrastructure. Disk synchronization is a built-in QRadar HA feature that is used to replicate data between a primary appliance and an HA appliance. This simple-to-deploy solution delivers excellent performance, without the configuration challenges, high costs and ongoing administration requirements of third-party fault tolerance products. QRadar HA appliances can be deployed on a per-appliance basis, enabling distributed QRadar deployments to add HA appliances as needed.

* Actual storage duration will vary based on event and flow size, events per second, flows per minute, compression policy, compression ratio and coalescing ratio.
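A capacity-planning sketch for the distributed architecture this datasheet describes (an all-in-one appliance extended with add-on 1605 event processors and 1701 flow processors) and for the storage-duration factors in the footnote above. It is an added example, not Q1 Labs code: the per-appliance ceilings are the datasheet's figures, while the additive-capacity model, the decimal-terabyte convention and the sample event size, compression ratio and coalescing ratio are assumptions.

```python
"""Capacity-planning helper for a distributed QRadar SIEM deployment.

Added example; not code from the Q1 Labs datasheet or the QRadar product.
The per-appliance ceilings below are the datasheet's figures. The additive
capacity model (all-in-one on-board capacity plus add-on processors), the
decimal-terabyte convention, and the average event size, compression ratio
and coalescing ratio in the sample run are constructed assumptions.
"""
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class Appliance:
    name: str
    max_eps: int          # fully correlated events per second (0 = no event processing)
    max_fpm: int          # bi-directional flows per minute (0 = no flow processing)
    max_log_sources: int  # log sources (devices) supported on-board
    usable_tb: float      # usable on-board storage, TB


# Datasheet ceilings for the 3105 All-in-One and its add-on processors.
AIO_3105 = Appliance("QRadar 3105 All-in-One", 5_000, 200_000, 750, 6.2)
EP_1605 = Appliance("QRadar 1605 Event Processor", 20_000, 0, 0, 6.2)
FP_1701 = Appliance("QRadar 1701 Flow Processor", 0, 600_000, 0, 3.0)

SECONDS_PER_DAY = 86_400
MINUTES_PER_DAY = 1_440
TB = 10**12  # assumption: decimal terabytes


def exceeded_limits(app: Appliance, eps: int, fpm: int, log_sources: int) -> list:
    """Return the names of on-board ceilings the planned load exceeds ([] = fits)."""
    over = []
    if eps > app.max_eps:
        over.append("eps")
    if fpm > app.max_fpm:
        over.append("fpm")
    if log_sources > app.max_log_sources:
        over.append("log_sources")
    return over


def processors_needed(required: int, per_appliance: int) -> int:
    """Smallest number of add-on processors covering `required` units of load."""
    if required <= 0:
        return 0
    return math.ceil(required / per_appliance)


def plan_add_ons(eps: int, fpm: int, aio: Appliance = AIO_3105) -> dict:
    """Add-on 1605/1701 counts for load beyond the all-in-one's on-board ceilings.

    Assumes the all-in-one keeps its on-board capacity and add-ons are additive.
    """
    return {
        "event_processors": processors_needed(eps - aio.max_eps, EP_1605.max_eps),
        "flow_processors": processors_needed(fpm - aio.max_fpm, FP_1701.max_fpm),
    }


def retention_days(usable_tb: float, eps: int, avg_event_bytes: int,
                   compression_ratio: float, coalescing_ratio: float,
                   fpm: int = 0, avg_flow_bytes: int = 0) -> float:
    """Estimated days of storage, using the factors the datasheet footnote names.

    compression_ratio: stored bytes = raw bytes / ratio (10.0 means 10:1).
    coalescing_ratio: fraction of raw events still written after coalescing
    (1.0 = nothing coalesced). Both semantics are this example's assumptions.
    """
    daily_events = eps * SECONDS_PER_DAY * avg_event_bytes * coalescing_ratio
    daily_flows = fpm * MINUTES_PER_DAY * avg_flow_bytes
    daily_stored = (daily_events + daily_flows) / compression_ratio
    if daily_stored <= 0:
        return float("inf")
    return usable_tb * TB / daily_stored


if __name__ == "__main__":
    # Constructed sample load: a site growing past a single 3105.
    eps, fpm, sources = 45_000, 1_500_000, 800
    print("on-board ceilings exceeded:", exceeded_limits(AIO_3105, eps, fpm, sources))
    print("add-ons required:", plan_add_ons(eps, fpm))
    # Constructed assumptions: 500-byte events, 10:1 compression, no coalescing.
    days = retention_days(AIO_3105.usable_tb, AIO_3105.max_eps, 500, 10.0, 1.0)
    print(f"3105 at 5,000 EPS retains roughly {days:.0f} days of events")
```

Replace the sample event size, compression and coalescing figures with values measured on your own deployment before using the retention estimate for planning.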

Q1 Labs, an IBM Company 890 Winter Street, Suite 230 Waltham, MA 02451 USA 1.781.250.5800, [email protected]

Copyright 2012 Q1 Labs, an IBM Company. All rights reserved. Q1 Labs, an IBM Company, the Q1 Labs, an IBM Company logo, Total Security Intelligence, and QRadar are trademarks or registered trademarks of Q1 Labs, Inc. All other company or product names mentioned may be trademarks, registered trademarks, or service marks of their respective holders. The specifications and information contained herein are subject to change without notice.

DSAPPL0312

Q1Labs.com
