QRadar Security Intelligence Platform Appliances
DATASHEET

QRadar Security Intelligence Platform appliances combine typically disparate network and security management capabilities into a single, comprehensive solution. Appliance versions are offered for QRadar Log Manager, QRadar SIEM, QRadar Risk Manager, QRadar QFlow and QRadar VFlow (a virtual appliance).

The QRadar Security Intelligence Platform appliances are pre-configured, optimized systems that enable high performance and rapid deployment using state-of-the-art hardware. They do not require expensive external storage, third-party databases or ongoing database administration. Organizations use QRadar appliances to achieve maximum benefit from their security intelligence deployments.

QRadar Log Manager Appliances

QRadar Log Manager Appliances deliver QRadar Log Manager for organizations of all sizes. They are ideal for organizations that need simplified log management capabilities, with the ability to expand event processing capacity in the future. They meet the needs of small and midsize organizations, as well as large businesses that are geographically dispersed and require an enterprise-class scalable solution.

The QRadar appliance architecture offers an easy-to-deploy, scalable model through the use of distributed event processor appliances. Add-on event processor appliances perform real-time collection, storage, indexing, correlation and analysis of up to 20,000 events (logs) per second each.

The QRadar Log Manager All-in-One Appliance utilizes on-board event collection and correlation capabilities, and is expandable with event processor appliances.

The QRadar Log Manager Console Appliance utilizes external event collection and correlation, allowing for dedicated search processing, distributed correlation, reporting and central administration of a distributed log management deployment. Organizations using a console appliance require at least one add-on event processor.

- Includes 3 TB or 6.2 TB of usable on-board storage for long-term data retention
- Supports 750 log sources (devices); expandable to tens of thousands of log sources
- Embedded hardware RAID 10 or 5 for high availability and redundancy of OS and storage

All-in-One Appliance Features:

- Includes all capabilities (collection, storage, indexing, correlation, analysis and reporting) for comprehensive log management in a single turnkey appliance
- Supports up to 5,000 events per second (fully correlated); expandable to tens of thousands of events per second with add-on 1601/1605 Event Processors
- Provides one year of event storage for typical deployments *

Console Appliance Features:

- Provides global view of all event activity, with federated global searching and correlation, and centralized management, analysis and reporting
- Does not include event processing on-board; requires deployment of 1601/1605 Event Processor Appliance(s), which can support tens of thousands of events per second (fully correlated)

For more information about QRadar Log Manager software, please see the QRadar Log Manager data sheet.

QRadar SIEM Appliances

QRadar 2100 All-In-One Appliance

The QRadar 2100 All-In-One Appliance delivers QRadar SIEM in a single appliance for small and medium-sized organizations. It provides an integrated security solution that is fast and easy to deploy. With its intuitive user interface, configuration is so simple that you can deploy a QRadar 2100 All-in-One Appliance and begin protecting your network in minutes.

The QRadar 2100 All-in-One Appliance includes an embedded version of QRadar QFlow Collector, which provides layer 7 collection of network traffic flows and deep application visibility for advanced threat detection and forensic capabilities. Additional distributed QFlow Collectors can also be used in conjunction with the QRadar 2100 All-in-One Appliance for even broader network visibility.
Features:

- Includes all capabilities (collection, storage, indexing, correlation, offense management, analysis and reporting) for comprehensive SIEM in a single turnkey appliance
- Supports 1,000 events per second
- Supports up to 50,000 bi-directional flows per minute
- Includes on-board 50 Mbps QRadar QFlow Collector, with collection via passive tap or SPAN ports
- Supports 750 log sources (devices); expandable to tens of thousands of log sources
- Includes 1.5 TB of usable on-board storage for long-term data retention
- Provides one year of event and flow storage for typical deployments *
- Supports Fibre Channel for integration with storage area networks
- 10/100/1000 BASE-T connectivity for monitoring
- 10/100/1000 BASE-T management
- Embedded hardware RAID 10 for high availability and redundancy of OS and storage

[Figure: Sample QRadar 2100 Deployment. Labels: QRadar Web Console; 2100; QFlow Collection on Passive Tap; IDS; Firewall; Routers; Switches; Routers, Switches and Other Network Devices Exporting Flow Data]

QRadar 3100/3105 All-In-One and Console Appliances

QRadar 3100/3105 Appliances deliver QRadar SIEM for organizations of all sizes. They are ideal for growing organizations that will need additional network activity and event monitoring capacity in the future. They are also the base platform for large businesses that are geographically dispersed and require an enterprise-class scalable solution.
The QRadar 3100/3105 All-in-One Appliance utilizes on-board event and flow collection and correlation capabilities, and is expandable with event processor, flow processor, and combined event and flow processor appliances. It can directly collect NetFlow, J-Flow, sFlow and IPFIX data, and utilize external QRadar QFlow Collectors for layer 7 network analysis and content capture. It can also use QRadar VFlow Collectors for layer 7 analysis and content capture within VMware virtual environments.

The QRadar 3100/3105 Console Appliance utilizes external event and flow collection and correlation, allowing for dedicated search processing, distributed correlation, offense management, reporting and central administration of a distributed SIEM deployment. The console appliance can utilize QRadar QFlow Collectors for layer 7 network analysis and content capture, and use flow processors to aggregate other network activity data, such as NetFlow, J-Flow, sFlow and IPFIX. It can also use QRadar VFlow Collectors for layer 7 analysis and content capture within VMware virtual environments. Organizations using a console appliance require at least one add-on event processor, flow processor, or combined event and flow processor appliance.

The QRadar appliance architecture offers an easy-to-deploy, scalable model through the use of distributed event and flow processor appliances. Add-on processor appliances perform real-time collection, storage, indexing, correlation and analysis of up to 20,000 events (logs) per second or 600,000 bi-directional flows per minute each.

- Includes 3 TB (3100 Appliance) or 6.2 TB (3105 Appliance) of usable on-board storage for long-term data retention
- Supports Fibre Channel for integration with storage area networks (3100 Appliance only)
- Option to deploy QRadar QFlow and QRadar VFlow Collectors in conjunction, for Layer 7 network activity monitoring
- Supports 750 log sources (devices); expandable to tens of thousands of log sources
- Embedded hardware RAID 10 (3100 Appliance) or RAID 5 (3105 Appliance) for high availability and redundancy of OS and storage

[Figure: Sample QRadar 3105 Deployment. Labels: QRadar Web Console; Firewall; IDS; QFlow Collection on Passive Tap; Routers; Switches; Routers, Switches and Other Network Devices Exporting Flow Data]

All-in-One Appliance Features:

- Includes all capabilities (collection, storage, indexing, correlation, offense management, analysis and reporting) for comprehensive SIEM in a single turnkey appliance
- Supports up to 5,000 events per second (fully correlated); expandable to tens of thousands of events per second with add-on 1601/1605 Event Processors
- Supports up to 200,000 bi-directional flows per minute (fully correlated); expandable to millions of flows per minute with add-on 1701 Flow Processors
- Provides one year of event and flow storage for typical deployments *
- Option to deploy 1601/1605 Event Processor, 1701 Flow Processor, and/or 1801/1802 Combined Event and Flow Processor Appliances in conjunction

Console Appliance Features:

- Provides global view of all event and network flow activity, with federated global searching and correlation, and centralized offense management, analysis and reporting
- Expandable to tens of thousands of events per second (fully correlated) with add-on 1601/1605 Event Processors, and to millions of flows per minute (fully correlated) with add-on 1701 Flow Processors; does not include event or flow processing on-board
- Requires deployment of 1601/1605 Event Processor, 1701 Flow Processor, and/or 1801/1802 Combined Event and Flow Processor Appliances in conjunction

QRadar 3124 All-In-One and Console Appliances

QRadar 3124 Appliances deliver QRadar SIEM for large, distributed enterprises such as those running security and network operations centers (SOCs and NOCs). These appliances are ideal for customers requiring high capacity and global correlation.

The QRadar 3124 All-in-One Appliance utilizes on-board event and flow collection and correlation capabilities, and is expandable with event and flow processor appliances. It can directly collect NetFlow, J-Flow, sFlow and IPFIX data, and utilize external QRadar QFlow Collectors for layer 7 network analysis and content capture. It can also use QRadar VFlow Collectors for layer 7 analysis and content capture within VMware virtual environments.

The QRadar 3124 Console Appliance utilizes external event and flow collection and correlation, allowing for dedicated search processing, distributed correlation, offense management, reporting and central administration of a distributed SIEM deployment. The console appliance can utilize QRadar QFlow Collectors for layer 7 network analysis and content capture, and use flow processors to aggregate other network activity data, such as NetFlow, J-Flow, sFlow and IPFIX. It can also use QRadar VFlow Collectors for layer 7 analysis and content capture within VMware virtual environments. Organizations using a console appliance require at least one add-on event or flow processor appliance.

The QRadar appliance architecture offers an easy-to-deploy, scalable model through the use of distributed event and flow processor appliances. Add-on processor appliances perform real-time collection, storage, indexing, correlation and analysis of up to 20,000 events (logs) per second or 1.2 million bi-directional flows per minute each.

- Includes all capabilities (collection, storage, indexing, correlation, offense management, analysis and reporting) for comprehensive SIEM in a single turnkey appliance
- Includes 16 TB of usable on-board storage for very-long-term data retention
- Option to deploy QRadar QFlow and QRadar VFlow Collectors in conjunction, for layer 7 network activity monitoring
- Supports 750 log sources (devices); expandable to tens of thousands of log sources
- Embedded hardware RAID 5 for high availability and redundancy of OS and storage

[Figure: Sample QRadar 3124 Distributed Deployment. Labels: QRadar Web Console; Routers; Switches; Routers, Switches and Other Network Devices Exporting Flow Data; IDS; Firewall; Security Devices Exporting Logs]

All-in-One Appliance Features:

- Includes all capabilities (collection, storage, indexing, correlation, offense management, analysis and reporting) for comprehensive SIEM in a single turnkey appliance
- Supports up to 5,000 events per second (fully correlated); expandable to tens of thousands of events per second with add-on 1624 Event Processors
- Supports up to 200,000 bi-directional flows per minute (fully correlated); expandable to millions of flows per minute with add-on 1724 Flow Processors
- Provides three years of event and flow storage for typical deployments *
- Option to deploy 1624 Event Processor and/or 1724 Flow Processor Appliances in conjunction

Console Appliance Features:

- Provides global view of all event and network flow activity, with federated global searching and correlation, and centralized offense management, analysis and reporting
- Expandable to tens of thousands of events per second (fully correlated) with add-on 1624 Event Processors, and to millions of flows per minute (fully correlated) with add-on 1724 Flow Processors; does not include event or flow processing on-board
- Requires deployment of 1624 Event Processor and/or 1724 Flow Processor Appliances in conjunction

QRadar Risk Manager Appliance Packages

QRadar Risk Manager Add-On and Stand-Alone Appliance Packages

QRadar Risk Manager Appliance Packages deliver QRadar Risk Manager for organizations of all sizes. QRadar Risk Manager extends QRadar SIEM, providing multivendor configuration audit, risk/compliance policy assessment, continuous monitoring, and advanced threat simulation. QRadar Risk Manager can be deployed as an add-on to an existing QRadar SIEM appliance (2100, 3100, 3105 or 3124) or as a stand-alone package.

Common Package Features:

- Includes QRadar Risk Manager Appliance:
  - Includes all capabilities for network risk management (automated configuration monitoring, network modeling and simulation, and intelligent vulnerability prioritization), in a turnkey appliance
  - Supports up to 50 configuration sources (any supported network or security device); expandable to thousands of configuration sources
  - Includes 5.5 TB of usable on-board storage for long-term data retention
  - Embedded hardware RAID 5 for high availability and redundancy of OS and storage

Add-On Appliance Package Features:

- Complements and easily integrates with an existing QRadar SIEM deployment
- Includes one server, a QRadar Risk Manager Appliance (described above)

Stand-Alone Appliance Package Features:

- Includes two servers, a QRadar Risk Manager Appliance (described above) and a QRadar SIEM Appliance
- QRadar SIEM Appliance includes:
  - 3 TB of usable on-board storage for long-term data retention
  - Provides two years of event and flow storage for typical deployments *
  - Support for up to 1,000 events per second (fully correlated); expandable to tens of thousands of events per second with QRadar Risk Manager upgrade and add-on 1601/1605 Event Processors
  - Support for up to 25,000 bi-directional flows per minute (fully correlated); expandable to millions of flows per minute with QRadar Risk Manager upgrade and add-on 1701 Flow Processors
  - Support for up to 375 log sources (devices); expandable to tens of thousands of log sources with QRadar Risk Manager upgrade and add-on 1601/1605 Event Processors
Complementary Modules

Event Processor Appliances

Event processors provide scalable event collection and correlation for organizations of all sizes. They support QRadar SIEM, QRadar Log Manager and QRadar Risk Manager deployments.

QRadar 1601, 1605 and 1624 Event Processor Appliances

The QRadar 1601, 1605 and 1624 Event Processors are expansion appliances that can be deployed in conjunction with QRadar Log Manager and QRadar 3100/3105/3124 Appliances. They offer turnkey collection, storage, indexing and real-time correlation of log data and can be deployed in a distributed manner that supports the largest deployments in the world.

Event Processors can be deployed in a distributed fashion, to support massive scaling.

1601 Features:

- Supports up to 10,000 events per second (fully correlated) per appliance; can serve as component of distributed solution expandable to tens of thousands of events per second
- Includes 3 TB of usable on-board storage for long-term data retention
- Provides one year of event storage for typical deployments *
- Supports Fibre Channel for integration with storage area networks
- Embedded hardware RAID 10 for high availability and redundancy of OS and storage

1605 Features:

- Supports up to 20,000 events per second (fully correlated) per appliance; can serve as component of distributed solution expandable to tens of thousands of events per second
- Includes 6.2 TB of usable on-board storage for long-term data retention
- Provides one year of event storage for typical deployments *
- Embedded hardware RAID 5 for high availability and redundancy of OS and storage

1624 Features:

- Supports up to 20,000 events per second (fully correlated) per appliance; can serve as component of distributed solution expandable to tens of thousands of events per second
- Includes 16 TB of usable on-board storage for very-long-term data retention
- Provides three years of event storage for typical deployments *
- Embedded hardware RAID 5 for high availability and redundancy of OS and storage

Flow Processor Appliances

Flow processors provide scalable flow collection and correlation for organizations of all sizes. They support QRadar SIEM and QRadar Risk Manager deployments.
QRadar 1701 and 1724 Flow Processor Appliances

QRadar Flow Processors enable the collection, storage and analysis of network flow data in a variety of formats including NetFlow, J-Flow, sFlow, QFlow and VFlow. They can extract native flow information from the network infrastructure, or process layer 7 network data provided by QRadar QFlow Collectors.

The QRadar 1701 and 1724 Flow Processors are expansion appliances deployed in conjunction with QRadar 3100/3105/3124 Appliances. They offer turnkey collection, storage, indexing and real-time correlation of flow data and can be deployed in a distributed manner that supports the largest deployments in the world.

Flow Processors can be deployed in a distributed fashion, to support massive scaling.

1701 Features:

- Supports up to 600,000 bi-directional flows per minute (fully correlated) per appliance; can serve as component of distributed solution expandable to millions of flows per minute
- Includes 3 TB of usable on-board storage for long-term data retention
- Provides one year of flow storage for typical deployments *
- Supports Fibre Channel for integration with storage area networks
- Embedded hardware RAID 10 for high availability and redundancy of OS and storage

1724 Features:

- Supports up to 1.2 million bi-directional flows per minute (fully correlated) per appliance; can serve as component of distributed solution expandable to millions of flows per minute
- Includes 16 TB of usable on-board storage for very-long-term data retention
- Provides three years of flow storage for typical deployments *
- Embedded hardware RAID 5 for high availability and redundancy of OS and storage

Combined Event and Flow Processor Appliances

Combined event and flow processor appliances provide scalable event log and flow collection and correlation in one consolidated system. They support QRadar SIEM and QRadar Risk Manager deployments.

QRadar 1801 and 1802 Combined Event and Flow Processor Appliances

The QRadar 1801 and 1802 Combined Event and Flow Processors provide event and network activity monitoring and processing for remote/branch offices and for large, distributed organizations seeking scalable solutions. They are expansion appliances that can be deployed in conjunction with QRadar 3100/3105/3124 and QRadar Risk Manager Appliances. These appliances offer collection and real-time correlation of event and flow data, and can be deployed in a distributed manner that supports the largest deployments in the world.

- Event and flow processing in a single appliance
- Provides one year of event and flow storage for typical deployments *
- Supports Fibre Channel for integration with storage area networks
- Embedded hardware RAID 10 for high availability and redundancy of OS and storage
1801 Features:

- Supports 1,000 events per second (fully correlated); can serve as component of distributed solution expandable to tens of thousands of events per second
- Supports up to 50,000 bi-directional flows per minute (fully correlated); can serve as component of distributed solution expandable to millions of flows per minute
- Includes 1.5 TB of usable on-board storage for long-term data retention

1802 Features:

- Supports up to 5,000 events per second (fully correlated); can serve as component of distributed solution expandable to tens of thousands of events per second
- Supports up to 200,000 bi-directional flows per minute (fully correlated); can serve as component of distributed solution expandable to millions of flows per minute
- Includes 3 TB of usable on-board storage for long-term data retention

Flow Collectors for Layer 7 Visibility

QRadar QFlow and QRadar VFlow Collectors offer a powerful solution for gathering rich network activity data over physical and virtual infrastructures. They surpass traditional flow-based data capture by collecting layer 7 data via deep packet inspection. This enables application-level network activity analysis and anomaly detection, as well as content capture for forensic activities. This information, when correlated with network and security events, enables a more advanced analysis of the overall security posture of the network.

QRadar QFlow Collectors

QRadar QFlow Collectors gather network traffic passively through network taps and SPAN ports. They can detect more than 1,000 applications such as VoIP, social media, multimedia, ERP, and peer to peer (P2P), among many others.

- QRadar 1101 QFlow Collector: The 1101 QFlow Collector is a cost-effective collector for lower bandwidth monitoring (less than 100 Mbps) in remote locations or for Internet connections.
- QRadar 1201 QFlow Collector: The 1201 QFlow Collector provides a mid range multi-port collection appliance for underutilized Gigabit Ethernet connections (under 500 Mbps).
- QRadar 1202 QFlow Collector: The 1202 QFlow collector appliance provides line-rate gigabit network performance and multi-port flexibility. The 1202 is well suited for collecting and monitoring high rates of network traffic at the data center and core of an enterprise.
- QRadar 1301 QFlow Collector: The 1301 QFlow collector appliance provides line-rate gigabit network performance, multi-port flexibility and fiber connectivity. The 1301 is well suited for collecting and monitoring high rates of network traffic at the data center and core of an enterprise.
- QRadar 1302 QFlow Collector: The 1302 QFlow collector appliance provides line-rate gigabit network performance, multi-port flexibility and fiber connectivity. The 1302 is well suited for collecting and monitoring high rates of network traffic at the data center and core of an enterprise.
- QRadar 1310 QFlow Collector: The 1310 QFlow Collector delivers advanced network and application visibility and collection on 10 Gbps networks.
QRadar VFlow Collectors

QRadar VFlow Collectors are virtual activity monitors that provide the same collection and visibility for virtual network and server resources as QRadar QFlow Collectors provide for physical resources. QRadar VFlow Collectors are virtual appliances that connect to the virtual switch within a VMware virtual host. As with QFlow Collectors, the layer 7 data collected by VFlow Collectors is used for network activity monitoring as well as correlation against log activity, for superior detection of security threats. The product can also analyze port-mirrored traffic for a physical network switch, which helps bridge the gap between the physical and virtual realms.

Features:

- Supports up to 10,000 bi-directional flows per minute (fully correlated)
- Supports up to 4 virtual interfaces

QRadar Virtual Appliances

QRadar virtual appliances offer an alternative deployment form factor for organizations seeking to leverage VMware virtual infrastructures. They are well suited for large virtual and cloud environments, small organizations targeting compact and cost-efficient solutions, and branch and remote offices with lower data volumes.

QRadar virtual appliances provide the exact same software as the respective hardware appliances described above, but they are delivered in software-only form and are supported on VMware ESX Server 4.1. Organizations can freely use any combination of virtual and hardware appliances together, allowing for flexible expansion according to the needs of each business.

SIEM and Log Manager virtual appliances are offered for both centralized and distributed deployments. As with hardware appliances, distributed deployments of virtual appliances enable total processing capacity well in excess of the individual virtual appliance capacities.

The following QRadar virtual appliances are offered (in addition to QRadar VFlow Collectors):

- QRadar 3190 SIEM All-in-One
- QRadar 3190 SIEM Console
- QRadar 3190 Log Manager All-in-One
- QRadar 3190 Log Manager Console
- QRadar 1690 SIEM Event Processor
- QRadar 1690 Log Manager Event Processor
- QRadar 1790 Flow Processor

QRadar 3190 SIEM All-in-One, QRadar 3190 Log Manager All-in-One, QRadar 1690 SIEM Event Processor and QRadar 1690 Log Manager Event Processor virtual appliances support event rates of 100, 200, 500 or 1,000 EPS. QRadar 3190 SIEM All-in-One and QRadar 1790 Flow Processor virtual appliances support flow rates of 15K, 25K or 50K flows per minute.
QRadar High Availability

QRadar's easy-to-deploy high availability (HA) appliances provide fully automated disk synchronization and failover, for high availability of data collection, correlation, analysis and reporting capabilities. QRadar High Availability addresses the demand for scalable solutions that enable organizations to store, correlate and analyze large volumes of events, flows and other networking and asset data without interruption.

QRadar High Availability appliances offer the flexibility to use disk synchronization or leverage shared storage (SAN / IP SAN), whichever option best meets your available infrastructure. Disk synchronization is a built-in QRadar HA feature that is used to replicate data between a primary appliance and an HA appliance. This simple-to-deploy solution delivers excellent performance, without the configuration challenges, high costs and ongoing administration requirements of third-party fault tolerance products. QRadar HA appliances can be deployed on a per appliance basis, enabling distributed QRadar deployments to add HA appliances as needed.

* Actual storage duration will vary based on event and flow size, events per second, flows per minute, compression policy, compression ratio and coalescing ratio.

Q1 Labs, an IBM Company
890 Winter Street, Suite 230
Waltham, MA USA
Q1Labs.com

Copyright 2012 Q1 Labs, an IBM Company. All rights reserved. Q1 Labs, an IBM Company, the Q1 Labs, an IBM Company logo, Total Security Intelligence, and QRadar are trademarks or registered trademarks of Q1 Labs, Inc. All other company or product names mentioned may be trademarks, registered trademarks, or service marks of their respective holders. The specifications and information contained herein are subject to change without notice. DSAPPL0312
QRadar SIEM and FireEye MPS Integration
QRadar SIEM and FireEye MPS Integration March 2014 1 IBM QRadar Security Intelligence Platform Providing actionable intelligence INTELLIGENT Correlation, analysis and massive data reduction AUTOMATED Driving
Observer Probe Family
Observer Probe Family Distributed analysis for local and remote networks Monitor and troubleshoot vital network links in real time from any location Network Instruments offers a complete line of software
Cisco NetFlow Generation Appliance (NGA) 3140
Q&A Cisco NetFlow Generation Appliance (NGA) 3140 General Overview Q. What is Cisco NetFlow Generation Appliance (NGA) 3140? A. Cisco NetFlow Generation Appliance 3140 is purpose-built, high-performance
Configuring Celerra for Security Information Management with Network Intelligence s envision
Configuring Celerra for Security Information Management with Best Practices Planning Abstract appliance is used to monitor log information from any device on the network to determine how that device is
FIVE PRACTICAL STEPS
WHITEPAPER FIVE PRACTICAL STEPS To Protecting Your Organization Against Breach How Security Intelligence & Reducing Information Risk Play Strategic Roles in Driving Your Business CEOs, CIOs, CTOs, AND
IBM Security QRadar SIEM Version 7.2.6. High Availability Guide IBM
IBM Security QRadar SIEM Version 7.2.6 High Availability Guide IBM Note Before using this information and the product that it supports, read the information in Notices on page 35. Product information This
Kevin Hayes, CISSP, CISM MULTIPLY SECURITY EFFECTIVENESS WITH SIEM
Kevin Hayes, CISSP, CISM MULTIPLY SECURITY EFFECTIVENESS WITH SIEM TODAY S AGENDA Describe the need for SIEM Explore different options available for SIEM Demonstrate a few Use Cases Cover some caveats
IBM Security QRadar SIEM Product Overview
IBM Security QRadar SIEM Product Overview Alex Kioni IBM Security Systems Technical Consultant 1 2012 IBM Corporation The importance of integrated, all source analysis cannot be overstated. Without it,
INCREASE NETWORK VISIBILITY AND REDUCE SECURITY THREATS WITH IMC FLOW ANALYSIS TOOLS
WHITE PAPER INCREASE NETWORK VISIBILITY AND REDUCE SECURITY THREATS WITH IMC FLOW ANALYSIS TOOLS Network administrators and security teams can gain valuable insight into network health in real-time by
Safeguarding the cloud with IBM Dynamic Cloud Security
Safeguarding the cloud with IBM Dynamic Cloud Security Maintain visibility and control with proven security solutions for public, private and hybrid clouds Highlights Extend enterprise-class security from
AlienVault Unified Security Management (USM) 4.x-5.x. Deployment Planning Guide
AlienVault Unified Security Management (USM) 4.x-5.x Deployment Planning Guide USM 4.x-5.x Deployment Planning Guide, rev. 1 Copyright AlienVault, Inc. All rights reserved. The AlienVault Logo, AlienVault,
Redefine Network Visibility in the Data Center with the Cisco NetFlow Generation Appliance
White Paper Redefine Network Visibility in the Data Center with the Cisco NetFlow Generation Appliance What You Will Learn Modern data centers power businesses through a new generation of applications,
Scalability in Log Management
Whitepaper Scalability in Log Management Research 010-021609-02 ArcSight, Inc. 5 Results Way, Cupertino, CA 95014, USA www.arcsight.com [email protected] Corporate Headquarters: 1-888-415-ARST EMEA Headquarters:
LOG AND EVENT MANAGEMENT FOR SECURITY AND COMPLIANCE
PRODUCT BRIEF LOG AND EVENT MANAGEMENT FOR SECURITY AND COMPLIANCE The Tripwire VIA platform delivers system state intelligence, a continuous approach to security that provides leading indicators of breach
STEALTHWATCH MANAGEMENT CONSOLE
STEALTHWATCH MANAGEMENT CONSOLE The System by Lancope is a leading solution for network visibility and security intelligence across physical and virtual environments. With the System, network operations
RSA Solution Brief. RSA envision. Platform. Compliance and Security Information Management. RSA Solution Brief
RSA Solution Brief RSA envision Compliance and Security Information Management Platform RSA Solution Brief Actionable Compliance and Security Intelligence RSA envision technology is an information management
HIGH-PERFORMANCE SOLUTIONS FOR MONITORING AND SECURING YOUR NETWORK A Next-Generation Intelligent Network Access Guide OPEN UP TO THE OPPORTUNITIES
HIGH-PERFORMANCE SOLUTIONS FOR MONITORING AND SECURING YOUR NETWORK A Next-Generation Intelligent Network Access Guide OPEN UP TO THE OPPORTUNITIES Net Optics solutions dramatically increase reliability,
Security strategies to stay off the Børsen front page
Security strategies to stay off the Børsen front page Steve Durkin, Channel Director for Europe, Q1 Labs, an IBM Company 1 2012 IBM Corporation Given the dynamic nature of the challenge, measuring the
LOG INTELLIGENCE FOR SECURITY AND COMPLIANCE
PRODUCT BRIEF uugiven today s environment of sophisticated security threats, big data security intelligence solutions and regulatory compliance demands, the need for a log intelligence solution has become
IBM QRadar as a Service
Government Efficiency through Innovative Reform IBM QRadar as a Service Service Definition Copyright IBM Corporation 2014 Table of Contents IBM Cloud Overview... 2 IBM/Sentinel PaaS... 2 QRadar... 2 Major
SecureSphere Appliances
DATASHEET SecureSphere Appliances Scalable. Reliable. Flexible. Imperva SecureSphere appliances provide superior performance and resiliency for demanding datacenter environments. With fail open interfaces,
Extreme Networks Security Analytics G2 Vulnerability Manager
DATA SHEET Extreme Networks Security Analytics G2 Vulnerability Manager Improve security and compliance by prioritizing security gaps for resolution HIGHLIGHTS Help prevent security breaches by discovering
QRadar SIEM and Zscaler Nanolog Streaming Service
QRadar SIEM and Zscaler Nanolog Streaming Service February 2014 1 QRadar SIEM: Security Intelligence Platform QRadar SIEM provides full visibility and actionable insight to protect networks and IT assets
How to Choose the Right Security Information and Event Management (SIEM) Solution
How to Choose the Right Security Information and Event Management (SIEM) Solution John Burnham Director, Strategic Communications and Analyst Relations IBM Security Chris Meenan Director, Security Intelligence
FlowMon. Complete solution for network monitoring and security. INVEA-TECH [email protected]
FlowMon Complete solution for network monitoring and security INVEA-TECH [email protected] INVEA-TECH University spin-off company 10 years of development, participation in EU funded projects project
LOG MANAGEMENT AND SIEM FOR SECURITY AND COMPLIANCE
PRODUCT BRIEF LOG MANAGEMENT AND SIEM FOR SECURITY AND COMPLIANCE As part of the Tripwire VIA platform, Tripwire Log Center offers out-of-the-box integration with Tripwire Enterprise to offer visibility
Virtualized Security: The Next Generation of Consolidation
Virtualization. Consolidation. Simplification. Choice. WHITE PAPER Virtualized Security: The Next Generation of Consolidation Virtualized Security: The Next Generation of Consolidation As we approach the
Introducing IBM s Advanced Threat Protection Platform
Introducing IBM s Advanced Threat Protection Platform Introducing IBM s Extensible Approach to Threat Prevention Paul Kaspian Senior Product Marketing Manager IBM Security Systems 1 IBM NDA 2012 Only IBM
Network Management Deployment Guide
Smart Business Architecture Borderless Networks for Midsized organizations Network Management Deployment Guide Revision: H1CY10 Cisco Smart Business Architecture Borderless Networks for Midsized organizations
How To Buy Nitro Security
McAfee Acquires NitroSecurity McAfee announced that it has closed the acquisition of privately owned NitroSecurity. 1. Who is NitroSecurity? What do they do? NitroSecurity develops high-performance security
The webinar will begin shortly
The webinar will begin shortly An Introduction to Security Intelligence Presented by IBM Security Chris Ross Senior Security Specialist, IBM Security Agenda The Security Landscape An Introduction to Security
SP Monitor. nfx One gives MSPs the agility and power they need to confidently grow their security services business. NFX FOR MSP SOLUTION BRIEF
NFX FOR MSP SOLUTION BRIEF SP Monitor Jump Start Security-as-a-Service Designed to give you everything you need to get started immediately providing security-as-a service, SP Monitor is a real-time event
White Paper: Meeting and Exceeding GSI/GCSx Information Security Monitoring Requirements
White Paper: Meeting and Exceeding GSI/GCSx Information Security Monitoring Requirements The benefits of QRadar for protective monitoring of government systems as required by the UK Government Connect
COMLINK Cloud Technical Specification Guide VIRTUAL PRIVATE SERVERS
COMLINK Cloud Technical Specification Guide VIRTUAL PRIVATE SERVERS Updated June 13, 2014 *Subject to Change* Table of Contents 1-2 Overview of Virtual Private Servers 2-3 Benefits 2 Reduce IT Cost and
Gaining Operational Efficiencies with the Enterasys S-Series
Gaining Operational Efficiencies with the Enterasys S-Series Hi-Fidelity NetFlow There is nothing more important than our customers. Gaining Operational Efficiencies with the Enterasys S-Series Introduction
How To Use The Cisco Wide Area Application Services (Waas) Network Module
Cisco Wide Area Application Services (WAAS) Network Module The Cisco Wide Area Application Services (WAAS) Network Module for the Cisco Integrated Services Routers (ISR) is a powerful WAN optimization
SYMANTEC NETBACKUP APPLIANCE FAMILY OVERVIEW BROCHURE. When you can do it simply, you can do it all.
SYMANTEC NETBACKUP APPLIANCE FAMILY OVERVIEW BROCHURE When you can do it simply, you can do it all. SYMANTEC NETBACKUP APPLIANCES Symantec understands the shifting needs of the data center and offers NetBackup
Increase Simplicity and Improve Reliability with VPLS on the MX Series Routers
SOLUTION BRIEF Enterprise Data Center Interconnectivity Increase Simplicity and Improve Reliability with VPLS on the Routers Challenge As enterprises improve business continuity by enabling resource allocation
DMZ Virtualization Using VMware vsphere 4 and the Cisco Nexus 1000V Virtual Switch
DMZ Virtualization Using VMware vsphere 4 and the Cisco Nexus 1000V Virtual Switch What You Will Learn A demilitarized zone (DMZ) is a separate network located in the neutral zone between a private (inside)
When it Comes to Monitoring and Validation it Takes More Than Just Collecting Logs
White Paper Meeting PCI Data Security Standards with Juniper Networks SECURE ANALYTICS When it Comes to Monitoring and Validation it Takes More Than Just Collecting Logs Copyright 2013, Juniper Networks,
The Advantages of Multi-Port Network Adapters in an SWsoft Virtual Environment
The Advantages of Multi-Port Network Adapters in an SWsoft Virtual Environment Introduction... 2 Virtualization addresses key challenges facing IT today... 2 Introducing Virtuozzo... 2 A virtualized environment
IBM Security QRadar Vulnerability Manager
IBM Security QRadar Vulnerability Manager Improve security and compliance by prioritizing security gaps for resolution Highlights Help prevent security breaches by discovering and highlighting high-risk
Scalable Extraction, Aggregation, and Response to Network Intelligence
Scalable Extraction, Aggregation, and Response to Network Intelligence Agenda Explain the two major limitations of using Netflow for Network Monitoring Scalability and Visibility How to resolve these issues
Every organization has critical data that it can t live without. When a disaster strikes, how long can your business survive without access to its
DISASTER RECOVERY STRATEGIES: BUSINESS CONTINUITY THROUGH REMOTE BACKUP REPLICATION Every organization has critical data that it can t live without. When a disaster strikes, how long can your business
E4 UNIFIED STORAGE powered by Syneto
E4 UNIFIED STORAGE powered by Syneto THE E4 UNIFIED STORAGE (US) SERIES POWERED BY SYNETO From working in the heart of IT environment and with our major customers coming from Research, Education and PA,
IBM Security QRadar Risk Manager
IBM Security QRadar Risk Manager Proactively manage vulnerabilities and network device configuration to reduce risk, improve compliance Highlights Collect network security device configuration data to
WAN Optimization. Riverbed Steelhead Appliances
WAN Optimization Riverbed Steelhead Appliances Steelhead appliances deliver the highest performance and the most scalable wide-area data services solution available, overcoming both bandwidth and latency
IBM System Storage DS5020 Express
IBM DS5020 Express Manage growth, complexity, and risk with scalable, high-performance storage Highlights Mixed host interfaces support (Fibre Channel/iSCSI) enables SAN tiering Balanced performance well-suited
WHY DO I NEED FALCONSTOR OPTIMIZED BACKUP & DEDUPLICATION?
WHAT IS FALCONSTOR? FalconStor Optimized Backup and Deduplication is the industry s market-leading virtual tape and LAN-based deduplication solution, unmatched in performance and scalability. With virtual
DS Series Solutions Integrated Solutions for Secure, Centralized Data Center Management
DS Series Solutions Integrated Solutions for Secure, Centralized Data Center Management DS Series Solutions IT Infrastructure Management Tools to Reduce IT Operational Costs and Increase IT Productivity
Archive Data Retention & Compliance. Solutions Integrated Storage Appliances. Management Optimized Storage & Migration
Solutions Integrated Storage Appliances Management Optimized Storage & Migration Archive Data Retention & Compliance Services Global Installation & Support SECURING THE FUTURE OF YOUR DATA w w w.q sta
IBM Security QRadar Risk Manager
IBM Security QRadar Risk Manager Proactively manage vulnerabilities and network device configuration to reduce risk, improve compliance Highlights Visualize current and potential network traffic patterns
EMC Virtual Infrastructure for Microsoft Applications Data Center Solution
EMC Virtual Infrastructure for Microsoft Applications Data Center Solution Enabled by EMC Symmetrix V-Max and Reference Architecture EMC Global Solutions Copyright and Trademark Information Copyright 2009
WAN Optimization Integrated with Cisco Branch Office Routers Improves Application Performance and Lowers TCO
WAN Optimization Integrated with Cisco Branch Office Routers Improves Application Performance and Lowers TCO The number of branch-office work sites is increasing, so network administrators need tools to
7 Key Requirements for Distributed Network Monitoring
7 Key Requirements for Distributed Network Monitoring WHITE PAPER Distributed network monitoring uses dispersed data-collection points and analysis services to give IT administrators and business managers
Virtual Cascade Shark
WHITE PAPER Virtual Cascade Shark Enabling ubiquitous visibility in virtualized enterprises Executive Summary Enterprises have been using Cascade products from Riverbed Technology for many years to discover,
Cloud-ready network architecture
IBM Systems and Technology Thought Leadership White Paper May 2011 Cloud-ready network architecture 2 Cloud-ready network architecture Contents 3 High bandwidth with low latency 4 Converged communications
Veeam Backup & Replication Enterprise Plus Powered by Cisco UCS: Reliable Data Protection Designed for Virtualized Environments
Plus Powered by : Reliable Data Protection Designed for Virtualized Environments Solution Brief April 2015 Solution Highlights Extend backup for current Cisco, VMware, and Microsoft Hyper-V virtual machine
Extreme Networks CoreFlow2 Technology TECHNOLOGY STRATEGY BRIEF
Extreme Networks CoreFlow2 Technology TECHNOLOGY STRATEGY BRIEF TECHNOLOGY STRATEGY BRIEF Extreme Networks CoreFlow2 Technology Benefits INCREASED VISIBILITY Detailed monitoring of applications, their
SAN Conceptual and Design Basics
TECHNICAL NOTE VMware Infrastructure 3 SAN Conceptual and Design Basics VMware ESX Server can be used in conjunction with a SAN (storage area network), a specialized high speed network that connects computer
Unified Computing Systems
Unified Computing Systems Cisco Unified Computing Systems simplify your data center architecture; reduce the number of devices to purchase, deploy, and maintain; and improve speed and agility. Cisco Unified
Extreme Networks: A SOLUTION WHITE PAPER
Extreme Networks: The Purview Solution Integration with SIEM Integrating Application Management and Business Analytics into other IT management systems A SOLUTION WHITE PAPER WHITE PAPER Introduction Purview
IBM Security QRadar SIEM & Fortinet FortiGate / FortiAnalyzer
IBM Security QRadar SIEM & Fortinet / FortiAnalyzer Introducing new functionality for IBM QRadar Security Intelligence Platform: integration with Fortinet s firewalls and logs forwarded by FortiAnalyzer.
Clavister InSight TM. Protecting Values
Clavister InSight TM Clavister SSP Security Services Platform firewall VPN termination intrusion prevention anti-virus anti-spam content filtering traffic shaping authentication Protecting Values & Enterprise-wide
EMC Integrated Infrastructure for VMware
EMC Integrated Infrastructure for VMware Enabled by EMC Celerra NS-120 Reference Architecture EMC Global Solutions Centers EMC Corporation Corporate Headquarters Hopkinton MA 01748-9103 1.508.435.1000
Cisco Bandwidth Quality Manager 3.1
Cisco Bandwidth Quality Manager 3.1 Product Overview Providing the required quality of service (QoS) to applications on a wide-area access network consistently and reliably is increasingly becoming a challenge.
IBM Security QRadar SIEM Version 7.1.0 MR1. Administration Guide
IBM Security QRadar SIEM Version 7..0 MR Administration Guide Note: Before using this information and the product that it supports, read the information in Notices and Trademarks on page 07. Copyright
IBM Storwize V7000 Unified and Storwize V7000 storage systems
IBM Storwize V7000 Unified and Storwize V7000 storage systems Transforming the economics of data storage Highlights Meet changing business needs with virtualized, enterprise-class, flashoptimized modular
How To Design A Data Centre
DATA CENTRE TECHNOLOGIES & SERVICES RE-Solution Data Ltd Reach Recruit Resolve Refine 170 Greenford Road Harrow Middlesex HA1 3QX T +44 (0) 8450 031323 EXECUTIVE SUMMARY The purpose of a data centre is
IBM Security QRadar Version 7.2.0. Common Ports Guide
IBM Security QRadar Version 7.2.0 Common Ports Guide Note: Before using this information and the product that it supports, read the information in Notices and Trademarks on page 11. Copyright IBM Corp.
