You are on page 1of 8

IBM Software

Data Sheet

IBM QRadar Security


Intelligence Platform
appliances
Comprehensive, state-of-the-art solutions providing
next-generation security intelligence

Highlights

Collect and aggregate diverse sets of


logs and event data
Provide integrated log management,
security information and event
management (SIEM), and configuration
and vulnerability management
Monitor network flow data and
Layer 7 application payloads, providing
increased visibility into network activity
Deploy quickly and easily as a centralized
all-in-one system or with a distributed
architecture using preconfigured systems
Utilize specialized configurations for
virtualized environments
Provide high availability and disaster
recovery

Deliver rapid time-to-value using


thousands of predefined rules and
out-of-the-box report templates

IBM QRadar Security Intelligence Platform appliances combine


typically disparate network and security management capabilities into
a single, comprehensive solution. Appliance versions are offered for
IBM Security QRadar Log Manager, IBM Security QRadar SIEM,
IBM Security QRadar Risk Manager and IBM Security QRadar Network
Anomaly Detection. For additional network visibility, IBM Security
QRadar QFlow Collector solutions and IBM Security QRadar VFlow
Collector solutions can be added to the platforms network analysis and
content capture capabilities.
IBM QRadar Security Intelligence Platform appliances are preconfigured,
optimized systems that do not require expensive external storage, thirdparty databases or ongoing database administration. Deployment options
include dedicated, high-performance appliances; Linux-based software
packages; and virtualized appliances for VMware-based environments.
Organizations use these appliances to protect and grow with their
businesses and to achieve the maximum benefit from their security
intelligence deployments. Six categories of appliances are offered:

Log managementCollection, archiving and analysis of events from


various network and security devices, systems and applications
SIEMIntegrated log management and network flow collection with
advanced correlation, anomaly detection, workflow and reporting
capabilities
Flow processingLayer 4 NetFlow and Layer 7 QFlow collection
and correlation

IBM Software

Data Sheet

multi-appliance deployments can support more than one million events per second, with all data correlated in real time. For
situations where network connectivity is either unreliable or
temporarily unavailable, or in locations with low event volumes,
event collector appliances can be deployed to collect events and
forward them to an event processor or all-in-one appliance.

Configuration and vulnerability managementProactive


configuration audit, risk and compliance policy assessment,
and advanced threat simulation
Network anomaly detectionSpecialized capabilities
that complement IBM Security SiteProtector System and
IBM Security Network Intrusion Prevention System
installations
High availability and disaster recoveryBackup capabilities
that can pair secondary systems with any member of the
appliance family to help ensure continuous operations

IBM Security QRadar 1605 and 1624 Event Processor


appliances
IBM Security QRadar event processor appliances provide
scalable event collection and correlation for organizations
of all sizes. The IBM Security QRadar 1605 and 1624 Event
Processor appliances are expansion solutions that can be
deployed in conjunction with QRadar Log Manager and
QRadar SIEM console appliances. They offer turnkey collection, storage, indexing and real-time correlation of log data and
can be deployed in a distributed manner that can support some
of the largest deployments in the world.

IBM Security QRadar Log Manager


appliances
QRadar Log Manager appliances are ideal for organizations
that need simplified capabilities for log management today, with
the ability to expand capacity for event processing and upgrade
to a full SIEM solution in the future. These appliances are
designed to meet the needs of small and midsize organizations,
as well as large businesses that are geographically dispersed and
require an enterprise-class, scalable solution.

Sample IBM Security QRadar Log Manager 3105


distributed deployment
QRadar web console

The IBM Security QRadar Log Manager all-in-one appliance


is an entry-level system that utilizes on-board event collection
and correlation capabilities, and can process up to 5,000 events
per second. It can easily expand as the organization grows, with
the ability to support hundreds of thousands of events per second through conversion into a console (distributed) deployment
with the addition of separate event processor appliances.

3105

1605

Larger organizations can utilize the capabilities of the


IBM Security QRadar Log Manager console appliance with its
external event collection and correlation approach, which allows
for dedicated search processing, distributed correlation, reporting and central administration of a distributed log management
deployment. Console appliances require at least one add-on
event processor.

1501

Routers

Switches

Routers, switches and other


network devices exporting flow data

The scalable architecture of these appliances includes


distributed event processor and event collector appliances.
Add-on event processor appliances perform real-time collection, storage, indexing, correlation and analysis of up to
20,000 events (log entries) per second per appliance. Large,

1605

IDS

Firewall

Security devices
exporting logs

QRadar Log Manager solutions can begin as a single turnkey appliance and
grow into highly distributed solutions, supporting multiple event processor and
event collector appliances when network availability conditions warrant.

IBM Software

Data Sheet

IBM Security QRadar 1501 Event Collector appliances

The QRadar SIEM appliance architecture offers an


easy-to-deploy, scalable model through the use of distributed
event and flow processor appliances. An event processor appliance (see 1605 or 1624 descriptions within the QRadar Log
Manager table) can perform real-time collection, storage,
indexing, correlation and analysis of up to 20,000 events (logs)
per second. A flow processor appliance can perform real-time
collection, storage, indexing, correlation and analysis of up
to 1,200,000 bidirectional flows per minute. Large, multiappliance deployments can support more than one million
events per second, and millions of flows per minute, with all
data correlated in real time.

IBM Security QRadar event collector appliances provide


continuous capabilities for event logging when network connectivity is unavailable. Event collector appliances simply collect
events and forward them to an event processor or all-in-one
appliance for correlation, analysis and long-term storage. Also
designed to collect events and logs in distributed locations with
relatively low event volumes (such as retail stores and satellite
offices), they provide a more economical approach than deploying event processors in such scenarios.

IBM Security QRadar SIEM appliances


QRadar SIEM appliances deliver integrated log management
and security intelligence technology for organizations of all
sizes. Available in either all-in-one or distributed deployment
configurations, they are ideal for growing organizations that
seek maximum security and compliance capabilities. These
appliances offer the ability to correlate logs, network flows,
vulnerabilities, user identities, threat intelligence and other
security telemetry. They also offer application-level packet
inspection and content capture for superior network visibility
and forensics. QRadar SIEM appliances often serve as the base
platform for large, geographically dispersed businesses that
require an enterprise-class, scalable solution.

The IBM Security QRadar SIEM 2100 All-In-One appliance


delivers a single appliance for small and midsize organizations.
It provides an integrated security solution, and its intuitive
user interface makes it easy to deploy in minutes. The QRadar
2100 All-in-One Appliance also includes an embedded version
of IBM Security QRadar QFlow Collector, which provides
Layer 7 collection of network traffic flows and deep application
visibility for advanced threat detection and forensic capabilities.
No additional event processors or flow processors can be used
to expand this system.

Security QRadar
Log Manager
Appliance features

All-in-One All-in-One All-in-One Console


2100
3105
3124
3105

Single turnkey solution

Console
3124

1501

1605

1624

Part of distributed solution


Event collection, correlation,
analysis and storage

Max. 1,000
EPS
(sustained)

Max. 5,000
EPS
(sustained)

Max. 5,000
EPS
(sustained)

Not
applicable

Not
applicable

Max.
2,500 EPS
(sustained)
collection
and
forwarding
only

Max.
20,000 EPS
(sustained)

Max.
20,000 EPS
(sustained)

Long-term data storage

1.3 TB

6.5 TB

16 TB

6.5 TB

16 TB

1.3 TB

6.5 TB

16 TB

Typical event storage capacity

1 year

3 years

3 years

Not
applicable

Not
applicable

Not
applicable

1 year

3 years

Support for high availability and


disaster recovery

IBM Software

Data Sheet

Sample IBM Security QRadar SIEM 2100


all-in-one deployment
QRadar web console

Sample IBM Security QRadar SIEM 3124


distributed deployment
QRadar web console

2100

3124

1724
Firewall
1624

1202
Routers

Switches

Routers, switches and other


network devices exporting
flow data

IDS

Servers Routers Switches

QFlow collection on
passive tap

Layer 4 NetFlow for


external flow services

Layer 7 data analysis


through SPAN or tap

IDS

Firewall

Laptop

Collection of log events from network


and security infrastructure

QRadar SIEM solutions can start small with an all-in-one solution and grow to support enterprise environments, using a centralized console and any number of distributed event and network flow collection appliances.

The IBM Security QRadar SIEM 3105 and 3124 Console


appliances utilize external event and flow processor appliances,
allowing the console to perform dedicated search processing,
offense management, reporting and central administration of
the distributed SIEM deployment. At least one add-on event
processor, flow processor, or combined event and flow processor appliance is required. Teamed with one or more QRadar
QFlow Collector appliances, the console can also receive
Layer 7 network analysis and content capture while aggregating
other network activity data, such as NetFlow, J-Flow, sFlow and
IPFIX. QRadar VFlow Collector appliances provide the same
visibility and network flow collection within VMware virtual
environments.

The IBM Security QRadar SIEM 3105 and 3124 All-in-One


appliances utilize on-board event and flow collection and
correlation capabilities, providing a single-appliance solution.
They are expandable into console configurations in which separate event and flow processor appliances are used to collect and
store data. These appliances can directly collect events from all
supported log sources, as well as NetFlow, J-Flow, sFlow and
IPFIX data from network devices. They can also utilize external
QRadar QFlow Collector and QRadar VFlow Collector
appliances for Layer 7 network analysis and content capture.

IBM Software

Data Sheet

Security QRadar SIEM


Appliance features

All-in-One All-in-One All-in-One Console


2100
3105
3124
3105

Single turnkey solution

X
X

Event collection, correlation,


analysis and storage

Max. 1,000
EPS
(sustained)

Max. 5,000
EPS
(sustained)

Max. 5,000
EPS
(sustained)

Not
applicable

Not
applicable

Not
applicable

Not
applicable

Max. 5,000
EPS
(sustained)

Support for expandable log


source (devices) data

Not
applicable

Requires
Console
conversion

Requires
Console
conversion

Requires
1605/1624
Event
Processor
appliances

Requires
1605/1624
Event
Processor
appliances

Not
applicable

Not
applicable

Not
applicable

Flow collection, correlation,


analysis and storage

Max.
50,000
bidirectional
flows/
minute

Max.
200,000
bidirectional
flows/
minute

Max.
200,000
bidirectional
flows/
minute

Not
applicable

Not
applicable

Max.
600,000
bidirectional
flows/
minute

Max. 1.2
million
bidirectional
flows/
minute

Max.
200,000
bidirectional
flows/
minute

Optional use of QFlow and


VFlow Collectors

On-board
QFlow
Collector
included

Requires
1705/1724
Flow
Processor
appliances

Requires
1705/1724
Flow
Processor
appliances

Part of distributed solution

Console
3124

1705

1724

1805

Long-term data storage

1.3 TB

6.5 TB

16 TB

6.5 TB

16 TB

6.5 TB

16 TB

6.5 TB

Typical Event storage capacity

1 year

3 years

3 years

Not
applicable

Not
applicable

Not
applicable

Not
applicable

1 year

Typical Flow storage capacity

1 year

1 year

3 years

Not
applicable

Not
applicable

1 year

3 years

1 year

Support for high availability and


disaster recovery

IBM Security QRadar 1705 and 1724 Flow Processor


appliances

flow data in a variety of formats including NetFlow, J-Flow,


sFlow, and IPFIX. They can even process Layer 7 applicationlevel data gathered by QRadar QFlow Collector appliances.

IBM Security QRadar f low processor appliances provide


scalable flow collection, correlation and storage for organizations of all sizes. These appliances are expansion appliances
deployed in conjunction with QRadar SIEM All-in-One or
QRadar SIEM Console appliances. They offer turnkey collection, storage, indexing and real-time correlation of flow data
and are designed to be deployed in a distributed manner.
QRadar flow processor appliances collect and analyze network

IBM Security QRadar 1805 Combined Event and Flow


Processor appliances
IBM Security QRadar 1805 Combined Event and Flow
Processor appliances provide event and network activity monitoring and correlation for remote or branch offices and for
large, distributed organizations seeking scalable solutions. They
are expansion appliances for use with QRadar SIEM Console
systems.

IBM Software

Data Sheet

IBM Security QFlow and VFlow Collector appliances


for Layer 7 visibility

IBM Security QRadar QFlow Collector and VFlow Collector


appliances offer a powerful solution for gathering rich network
activity data in both physical and virtual infrastructures. They
surpass traditional flow data (such as NetFlow) by using deep
packet inspection to collect more detailed and revealing
Layer 7 data. This enables application-level network activity
analysis and anomaly detection, as well as content capture for
forensic activities. This information, when correlated with event
data, enables a more advanced analysis of the overall security
posture of the network.

QRadar VFlow Collector appliances are virtual activity monitors that provide the same collection and visibility for virtual
network and server resources as QRadar QFlow Collector
appliances provide for physical resources. QRadar VFlow
Collector appliances are virtual appliances that connect to the
virtual switch within a VMware virtual host. They can support
up to four virtual interfaces and up to 10,000 bidirectional f lows
per minute. The product can also analyze port-mirrored traffic
for a physical network switch, helping bridge the gap between
the physical and virtual realms.

QRadar QFlow Collector appliances gather network traffic


passively through network taps and SPAN ports. They can
detect more than 1,000 applications such as Voice over Internet
Protocol (VoIP), social media such as Twitter and LinkedIn,
multimedia including Skype, enterprise resource planning
(ERP), and peer to peer (P2P), among many others. QFlow
Collector appliances must be paired with either a 17XX flow
processor, 1805 Combined Event and Flow Processor, or an
all-in-one SIEM appliance.

IBM Security QRadar Risk Manager


appliances
IBM Security QRadar Risk Manager appliances deliver
proactive risk management capabilities for organizations of
all sizes by extending QRadar SIEM capabilities to provide
multi-vendor configuration audit, risk/compliance policy
assessment, continuous monitoring and advanced threat
simulation. These systems are deployed as an add-on to an
existing IBM Security QRadar SIEM appliance.

There are four QRadar QFlow Collector models:


IBM Security QRadar 1301 QFlow Collector: Provides


line-rate gigabit Ethernet network performance with
multi-port flexibility for fiber-based networks; is well suited
for collecting and monitoring high rates of network traffic at
the data center and core of an enterprise
IBM Security QRadar 1310 QFlow Collector: Delivers
advanced network and application visibility and collection on
10-Gbps Ethernet networks

IBM Security QRadar 1201 QFlow Collector: Offers


midrange, multi-port collection capabilities for underutilized
gigabit Ethernet connections up to 200 Mbps
IBM Security QRadar 1202 QFlow Collector: Provides
line-rate gigabit Ethernet network performance and
multi-port flexibility for copper-based networks; is well suited
for collecting and monitoring high rates of network traffic at
the data center and core of an enterprise

QRadar Risk Manager appliances feature:


A turnkey hardware-based appliance system


Support for 50 configuration sources (any supported device);
expandable to thousands of configuration sources through
license upgrade
6.5 TB of usable on-board storage for long-term data
retention

IBM Software

Data Sheet

IBM Security QRadar Network Anomaly


Detection Appliance

QRadar high-availability appliances offer the flexibility to use


disk synchronization or leverage shared SAN/IP SAN storage,
according to the available infrastructure. Disk synchronization
is a built-in feature used to replicate data between a primary
appliance and a secondary high-availability appliance. This
simple-to-deploy solution delivers excellent performance
without the configuration challenges, high costs and ongoing
administration requirements of third-party fault tolerance
products. QRadar high-availability appliances can be deployed
on a per-appliance basis, enabling distributed QRadar deployments to add these capabilities where and when they are
needed.

The IBM Security QRadar Network Anomaly Detection


Appliance is optimized to complement and integrate with
IBM Security SiteProtector System and IBM Security Network
Intrusion Prevention System to provide greater insight into
network behavior and abnormal activities. It offers the anomaly
detection and real-time correlation capabilities of QRadar
SIEM to enhance the SiteProtector solutions numerous threat
protection techniques. Network and application vulnerability
data is also collected from vulnerability scanners and used to
prioritize threats and risks seen by the intrusion prevention
system product.

IBM Security QRadar disaster-recovery


appliances

QRadar Network Anomaly Detection is typically deployed as


an add-on to an existing SiteProtector and Network Intrusion
Prevention System installation. This appliance uses the same
hardware as IBM Security QRadar SIEM 3105. It includes
entitlement for collecting 500 events per second (upgradable
to 1,000 events per second) and 25,000 network flows per
minute (upgradable to 200,000 flows per minute).

IBM Security QRadar disaster-recovery appliances provide a


means of safeguarding collected event and flow data by mirroring it to a secondary, identical backup appliance deployment.
Disaster recovery differs from high availability in that disasterrecovery appliances do not perform continuous synchronization
between primary and backup appliances.

IBM Security QRadar high-availability


appliances

All data mirroring is unidirectional and only event and f low


data are covered. The QRadar disaster-recovery approach
requires that the production and disaster-recovery deployments
be identical in terms of topology, appliance model and event/
flow processing capacity. Each console, event or flow processor
appliance in the primary deployment must have an identical
counterpart in the disaster-recovery deployment. QRadar
disaster-recovery appliances can also be used in conjunction
with QRadar high-availability solutions to achieve optimal
system protection.

Easy-to-deploy IBM Security QRadar high-availability


appliances provide fully automated disk synchronization and
failover for high availability of data collection, correlation,
analysis and reporting capabilities. These systems help organizations store, correlate and analyze large volumes of events,
f lows and other networking and asset data without interruption
when the primary appliances are not functional for any reason.

Why IBM?
IBM operates a worldwide security research, development and
delivery organization comprising 10 security operations centers,
nine IBM Research centers, 11 software security development
labs and an Institute for Advanced Security with chapters in
the United States, Europe and Asia Pacific. IBM solutions
empower organizations to reduce their security vulnerabilities
and focus more on the success of their strategic initiatives.
These products build on the threat intelligence expertise of the
IBM X-Force research and development team to provide a
preemptive approach to security. As a trusted partner in security, IBM delivers the solutions to keep the entire enterprise
infrastructure, including the cloud, protected from the latest
security risks.

For more information


To learn more about IBM QRadar Security Intelligence
Platform appliances, contact your IBM representative or
IBM Business Partner, or visit: ibm.com/security
For more information about IBM Security QRadar SIEM
software, please see the IBM Security QRadar SIEM
data sheet.
Additionally, IBM Global Financing can help you acquire
the software capabilities that your business needs in the most
cost-effective and strategic way possible. Well partner with
credit-qualified clients to customize a financing solution to suit
your business and development goals, enable effective cash
management, and improve your total cost of ownership. Fund
your critical IT investment and propel your business forward
with IBM Global Financing. For more information, visit:
ibm.com/financing

Copyright IBM Corporation 2013


IBM Corporation
Software Group
Route 100
Somers, NY 10589
Produced in the United States of America
January 2013
IBM, the IBM logo, ibm.com, QRadar, and X-Force are trademarks
of International Business Machines Corp., registered in many jurisdictions
worldwide. Other product and service names might be trademarks of
IBM or other companies. A current list of IBM trademarks is available
on the web at Copyright and trademark information at
ibm.com/legal/copytrade.shtml

Linux is a registered trademark of Linus Torvalds in the United States,


other countries, or both.
This document is current as of the initial date of publication and may be
changed by IBM at any time. Not all offerings are available in every country
in which IBM operates.
THE INFORMATION IN THIS DOCUMENT IS PROVIDED
AS IS WITHOUT ANY WARRANTY, EXPRESS OR
IMPLIED, INCLUDING WITHOUT ANY WARRANTIES
OF MERCHANTABILITY, FITNESS FOR A PARTICULAR
PURPOSE AND ANY WARRANTY OR CONDITION OF
NON-INFRINGEMENT. IBM products are warranted according to the
terms and conditions of the agreements under which they are provided.
IT system security involves protecting systems and information through
prevention, detection and response to improper access from within and
outside your enterprise. Improper access can result in information being
altered, destroyed or misappropriated or can result in damage to or misuse
of your systems, including to attack others. No IT system or product should
be considered completely secure and no single product or security measure
can be completely effective in preventing improper access. IBM systems and
products are designed to be part of a comprehensive security approach,
which will necessarily involve additional operational procedures, and may
require other systems, products or services to be most effective. IBM does
not warrant that systems and products are immune from the malicious or
illegal conduct of any party.
Please Recycle

WGD03019-USEN-00

You might also like