QRadar Security Intelligence Platform appliances combine typically disparate network and security management capabilities into a single, comprehensive solution. Appliance versions are offered for QRadar Log Manager, QRadar SIEM, QRadar Risk Manager, QRadar QFlow and QRadar VFlow (a virtual appliance).
The QRadar Security Intelligence Platform appliances are pre-configured, optimized systems that enable high performance and rapid deployment using state-of-the-art hardware. They do not require expensive external storage, third-party databases or ongoing database administration. Organizations use QRadar appliances to achieve maximum benefit from their security intelligence deployments.
The QRadar appliance architecture offers an easy-to-deploy, scalable model through the use of distributed event processor appliances. Add-on event processor appliances perform real-time collection, storage, indexing, correlation and analysis of up to 20,000 events (logs) per second each. The QRadar Log Manager All-in-One Appliance utilizes on-board event collection and correlation capabilities, and is expandable with event processor appliances.
The QRadar Log Manager Console Appliance utilizes external event collection and correlation, allowing for dedicated search processing, distributed correlation, reporting and central administration of a distributed log management deployment. Organizations using a console appliance require at least one add-on event processor.
Common Features:
- Includes 3 TB or 6.2 TB of usable on-board storage for long-term data retention
- Supports 750 log sources (devices); expandable to tens of thousands of log sources
- Dual redundant power supplies (auto-sensing)
- Embedded hardware RAID 10 or 5 for high availability and redundancy of OS and storage
- Option to deploy turnkey, integrated HA appliance

All-in-One Appliance Features:
- Includes all capabilities (collection, storage, indexing, correlation, analysis and reporting) for comprehensive log management in a single turnkey appliance
- Supports up to 5,000 events per second (fully correlated); expandable to tens of thousands of events per second with add-on 1601/1605 Event Processors
Q1Labs.com
Console Appliance Features:
- Provides global view of all event activity, with federated global searching and correlation, and centralized management, analysis and reporting
- Does not include event processing on-board; requires deployment of 1601/1605 Event Processor Appliance(s), which can support tens of thousands of events per second (fully correlated)

For more information about QRadar Log Manager software, please see the QRadar Log Manager data sheet.
[Figure: Sample QRadar 2100 Deployment, with QRadar Web Console]
- analysis and reporting) for comprehensive SIEM in a single turnkey appliance
- Supports 1,000 events per second
- Supports up to 50,000 bi-directional flows per minute
- Includes on-board 50 Mbps QRadar QFlow Collector, with collection via passive tap or SPAN ports
- Supports 750 log sources (devices); expandable to tens of thousands of log sources
- Includes 1.5 TB of usable on-board storage for long-term data retention
- Provides one year of event and flow storage for typical deployments *
- Supports Fibre Channel for integration with storage area networks
- 10/100/1000 BASE-T connectivity for monitoring
- 10/100/1000 BASE-T management
- Dual redundant power supplies (auto-sensing)
- Embedded hardware RAID 10 for high availability and redundancy of OS and storage
- Option to deploy turnkey, integrated HA appliance
All-In-One and Console
QRadar 3100/3105 Appliances deliver QRadar SIEM for organizations of all sizes. They are ideal for growing organizations that will need additional network activity and event monitoring capacity in the future. They are also the base platform for large businesses that are geographically dispersed and require an enterprise-class scalable solution.
The QRadar 3100/3105 All-in-One Appliance utilizes on-board event and flow collection and correlation capabilities, and is expandable with event processor, flow processor, and combined event and flow processor appliances. It can directly collect NetFlow, J-Flow, sFlow and IPFIX data, and utilize external QRadar QFlow Collectors for layer 7 network analysis and content capture. It can also use QRadar VFlow Collectors for layer 7 analysis and content capture within VMware virtual environments.

The QRadar 3100/3105 Console Appliance utilizes external event and flow collection and correlation, allowing for dedicated search processing, distributed correlation, offense management, reporting and central administration of a distributed SIEM deployment. The console appliance can utilize QRadar QFlow Collectors for layer 7 network analysis and content capture, and use flow processors to aggregate other network activity data, such as NetFlow, J-Flow, sFlow and IPFIX. It can also use QRadar VFlow Collectors for layer 7 analysis and content capture within VMware virtual environments. Organizations using a console appliance require at least one add-on event processor, flow processor, or combined event and flow processor appliance.

The QRadar appliance architecture offers an easy-to-deploy, scalable model through the use of distributed event and flow processor appliances. Add-on processor appliances perform real-time collection, storage, indexing, correlation and analysis of up to 20,000 events (logs) per second or 600,000 bi-directional flows per minute each.

Common Features:
- Includes 3 TB (3100 Appliance) or 6.2 TB (3105 Appliance) of usable on-board storage for long-term data retention
- Supports Fibre Channel for integration with storage area networks (3100 Appliance only)
- Option to deploy QRadar QFlow and QRadar VFlow Collectors in conjunction, for Layer 7 network activity monitoring
- Supports 750 log sources (devices); expandable to tens of thousands of log sources
- Embedded hardware RAID 10 (3100 Appliance) or RAID 5 (3105 Appliance) for high availability and redundancy of OS and storage
- Option to deploy turnkey, integrated HA appliance
All-in-One Appliance Features:
- Includes all capabilities (collection, storage, indexing, correlation, offense management, analysis and reporting) for comprehensive SIEM in a single turnkey appliance
- Supports up to 5,000 events per second (fully correlated); expandable to tens of thousands of events per second with add-on 1601/1605 Event Processors
- Supports up to 200,000 bi-directional flows per minute (fully correlated); expandable to millions of flows per minute with add-on 1701 Flow Processors
- Provides one year of event and flow storage for typical deployments *
- Option to deploy 1601/1605 Event Processor, 1701 Flow Processor, and/or 1801/1802 Combined Event and Flow Processor Appliances in conjunction
Console Appliance Features:
- Provides global view of all event and network flow activity, with federated global searching and correlation, and centralized offense management, analysis and reporting
- Expandable to tens of thousands of events per second (fully correlated) with add-on 1601/1605 Event Processors, and to millions of flows per minute (fully correlated) with add-on 1701 Flow Processors; does not include event or flow processing on-board
- Requires deployment of 1601/1605 Event Processor, 1701 Flow Processor, and/or 1801/1802 Combined Event and Flow Processor Appliances in conjunction
All-in-One Appliance Features:
- Includes all capabilities (collection, storage, indexing, correlation, offense management, analysis and reporting) for comprehensive SIEM in a single turnkey appliance
- Supports up to 5,000 events per second (fully correlated); expandable to tens of thousands of events per second with add-on 1624 Event Processors
- Supports up to 200,000 bi-directional flows per minute (fully correlated); expandable to millions of flows per minute with add-on 1724 Flow Processors
- Provides three years of event and flow storage for typical deployments *
- Option to deploy 1624 Event Processor and/or 1724 Flow Processor Appliances in conjunction
Console Appliance Features:
- Provides global view of all event and network flow activity, with federated global searching and correlation, and centralized offense management, analysis and reporting
- Expandable to tens of thousands of events per second (fully correlated) with add-on 1624 Event Processors, and to millions of flows per minute (fully correlated) with add-on 1724 Flow Processors; does not include event or flow processing on-board
- Requires deployment of 1624 Event Processor and/or 1724 Flow Processor Appliances in conjunction
Risk Manager
QRadar Risk Manager extends QRadar SIEM,
Includes QRadar Risk Manager Appliance:
- Includes all capabilities for network risk management (automated configuration monitoring, network modeling and simulation, and intelligent vulnerability prioritization), in a turnkey appliance
- Supports up to 50 configuration sources (any supported network or security device); expandable to thousands of configuration sources
- Includes 5.5 TB of usable on-board storage for long-term data retention
- Dual redundant power supplies (auto-sensing)
- Embedded hardware RAID 5 for high availability and redundancy of OS and storage

Add-On Appliance Package Features:
- Complements and easily integrates with an existing QRadar SIEM deployment
- Includes one server, a QRadar Risk Manager Appliance (described above)

Stand-Alone Appliance Package Features:
- Includes two servers, a QRadar Risk Manager Appliance (described above) and a QRadar SIEM Appliance
- QRadar SIEM Appliance includes:
  - 3 TB of usable on-board storage for long-term data retention
  - Provides two years of event and flow storage for typical deployments *
  - Support for up to 1,000 events per second (fully correlated); expandable to tens of thousands of events per second with QRadar Risk Manager upgrade and add-on 1601/1605 Event Processors
  - Support for up to 25,000 bi-directional flows per minute (fully correlated); expandable to millions of flows per minute with QRadar Risk Manager upgrade and add-on 1701 Flow Processors
  - Support for up to 375 log sources (devices); expandable to tens of thousands of log sources with QRadar Risk Manager upgrade and add-on 1601/1605 Event Processors
Complementary Modules
Event Processor Appliances
Event processors provide scalable event collection and correlation for organizations of all sizes. They support QRadar SIEM, QRadar Log Manager and QRadar Risk Manager deployments.

QRadar 1601, 1605 and 1624 Event Processor Appliances

The QRadar 1601, 1605 and 1624 Event Processors are expansion appliances that can be deployed in conjunction with QRadar Log Manager and QRadar 3100/3105/3124 Appliances. They offer turnkey collection, storage, indexing and real-time correlation of log data and can be deployed in a distributed manner that supports the largest deployments in the world.

Common Features:
- Event Processors can be deployed in a distributed fashion, to support massive scaling
- Dual redundant power supplies (auto-sensing)
- Option to deploy turnkey, integrated HA appliance

1601 Features:
- Supports up to 10,000 events per second (fully correlated) per appliance; can serve as component of distributed solution expandable to tens of thousands of events per second
- Includes 3 TB of usable on-board storage for long-term data retention
- Provides one year of event storage for typical deployments *
- Supports Fibre Channel for integration with storage area networks
- Embedded hardware RAID 10 for high availability and redundancy of OS and storage

1605 Features:
- Supports up to 20,000 events per second (fully correlated) per appliance; can serve as component of distributed solution expandable to tens of thousands of events per second
- Includes 6.2 TB of usable on-board storage for long-term data retention
- Provides one year of event storage for typical deployments *
- Embedded hardware RAID 5 for high availability and redundancy of OS and storage

1624 Features:
- Supports up to 20,000 events per second (fully correlated) per appliance; can serve as component of distributed solution expandable to tens of thousands of events per second
- Includes 16 TB of usable on-board storage for very-long-term data retention
- Provides three years of event storage for typical deployments *
- Embedded hardware RAID 5 for high availability and redundancy of OS and storage
QRadar 1701 and 1724 Flow Processor Appliances

QRadar Flow Processors enable the collection, storage and analysis of network flow data in a variety of formats including NetFlow, J-Flow, sFlow, QFlow and VFlow. They can extract native flow information from the network infrastructure, or process layer 7 network data provided by QRadar QFlow Collectors. The QRadar 1701 and 1724 Flow Processors are expansion appliances deployed in conjunction with QRadar 3100/3105/3124 Appliances. They offer turnkey collection, storage, indexing and real-time correlation of flow data and can be deployed in a distributed manner that supports the largest deployments in the world.

Common Features:
- Flow Processors can be deployed in a distributed fashion, to support massive scaling
- Dual redundant power supplies (auto-sensing)
- Option to deploy turnkey, integrated HA appliance

1701 Features:
- Supports up to 600,000 bi-directional flows per minute (fully correlated) per appliance; can serve as component of distributed solution expandable to millions of flows per minute
- Includes 3 TB of usable on-board storage for long-term data retention
- Provides one year of flow storage for typical deployments *
- Supports Fibre Channel for integration with storage area networks
- Embedded hardware RAID 10 for high availability and redundancy of OS and storage

1724 Features:
- Supports up to 1.2 million bi-directional flows per minute (fully correlated) per appliance; can serve as component of distributed solution expandable to millions of flows per minute
- Includes 16 TB of usable on-board storage for very-long-term data retention
- Provides three years of flow storage for typical deployments *
- Embedded hardware RAID 5 for high availability and redundancy of OS and storage

QRadar 1801 and 1802 Combined Event and Flow Processor Appliances

The QRadar 1801 and 1802 Combined Event and Flow Processors provide event and network activity monitoring and processing for remote/branch offices and for large, distributed organizations seeking scalable solutions. They are expansion appliances that can be deployed in conjunction with QRadar 3100/3105/3124 and QRadar Risk Manager Appliances. These appliances offer collection and real-time correlation of event and flow data, and can be deployed in a distributed manner that supports the largest deployments in the world.

Common Features:
- Event and flow processing in a single appliance
- Provides one year of event and flow storage for typical deployments *
- Supports Fibre Channel for integration with storage area networks
- Dual redundant power supplies (auto-sensing)
- Embedded hardware RAID 10 for high availability and redundancy of OS and storage
- Option to deploy turnkey, integrated HA appliance
1801 Features:
- Supports 1,000 events per second (fully correlated); can serve as component of distributed solution expandable to tens of thousands of events per second
- Supports up to 50,000 bi-directional flows per minute (fully correlated); can serve as component of distributed solution expandable to millions of flows per minute
- Includes 1.5 TB of usable on-board storage for long-term data retention

1802 Features:
- Supports up to 5,000 events per second (fully correlated); can serve as component of distributed solution expandable to tens of thousands of events per second
- Supports up to 200,000 bi-directional flows per minute (fully correlated); can serve as component of distributed solution expandable to millions of flows per minute
- Includes 3 TB of usable on-board storage for long-term data retention

QRadar QFlow Collectors

QRadar QFlow Collectors gather network traffic passively through network taps and SPAN ports. They can detect more than 1,000 applications such as VoIP, social media, multimedia, ERP, and peer to peer (P2P), among many others.

- QRadar 1101 QFlow Collector: The 1101 QFlow Collector is a cost-effective collector for lower bandwidth monitoring (less than 100 Mbps) in remote locations or for Internet connections.
- QRadar 1201 QFlow Collector: The 1201 QFlow Collector provides a mid range multi-port collection appliance for underutilized Gigabit Ethernet connections (under 500 Mbps).
- QRadar 1202 QFlow Collector: The 1202 QFlow collector appliance provides line-rate gigabit network performance and multi-port flexibility. The 1202 is well suited for collecting and monitoring high rates of network traffic at the data center and core of an enterprise.
- QRadar 1301 QFlow Collector: The 1301 QFlow collector appliance provides line-rate gigabit network performance, multi-port flexibility and fiber connectivity. The 1301 is well suited for collecting and monitoring high rates of network traffic at the data center and core of an enterprise.
- QRadar 1302 QFlow Collector: The 1302 QFlow collector appliance provides line-rate gigabit network performance, multi-port flexibility and fiber connectivity. The 1302 is well suited for collecting and monitoring high rates of network traffic at the data center and core of an enterprise.
- QRadar 1310 QFlow Collector: The 1310 QFlow Collector delivers advanced network and application visibility and collection on 10 Gbps networks.
QRadar VFlow Collectors

QRadar VFlow Collectors are virtual activity monitors that provide the same collection and visibility for virtual network and server resources as QRadar QFlow Collectors provide for physical resources. QRadar VFlow Collectors are virtual appliances that connect to the virtual switch within a VMware virtual host. As with QFlow Collectors, the layer 7 data collected by VFlow Collectors is used for network activity monitoring as well as correlation against log activity, for superior detection of security threats. The product can also analyze port-mirrored traffic for a physical network switch, which helps bridge the gap between the physical and virtual realms.

Features:
- Supports up to 10,000 bi-directional flows per minute (fully correlated)
- Supports up to 4 virtual interfaces

Organizations can freely use any combination of virtual and hardware appliances together, allowing for flexible expansion according to the needs of each business. SIEM and Log Manager virtual appliances are offered for both centralized and distributed deployments. As with hardware appliances, distributed deployments of virtual appliances enable total processing capacity well in excess of the individual virtual appliance capacities.

The following QRadar virtual appliances are offered (in addition to QRadar VFlow Collectors):
- QRadar 3190 SIEM All-in-One
- QRadar 3190 SIEM Console
- QRadar 3190 Log Manager All-in-One
- QRadar 3190 Log Manager Console
- QRadar 1690 SIEM Event Processor
- QRadar 1690 Log Manager Event Processor
- QRadar 1790 Flow Processor

QRadar 3190 SIEM All-in-One, QRadar 3190 Log Manager All-in-One, QRadar 1690 SIEM Event Processor and QRadar 1690 Log Manager Event Processor virtual appliances support event rates of 100, 200, 500 or 1,000 EPS. QRadar 3190 SIEM All-in-One and QRadar 1790 Flow Processor virtual appliances support flow rates of 15K, 25K or 50K flows per minute.
* Actual storage duration will vary based on event and flow size, events per second, flows per minute, compression policy, compression ratio and coalescing ratio.
Q1 Labs, an IBM Company 890 Winter Street, Suite 230 Waltham, MA 02451 USA 1.781.250.5800, info@Q1Labs.com
Copyright 2012 Q1 Labs, an IBM Company. All rights reserved. Q1 Labs, an IBM Company, the Q1 Labs, an IBM Company logo, Total Security Intelligence, and QRadar are trademarks or registered trademarks of Q1 Labs, Inc. All other company or product names mentioned may be trademarks, registered trademarks, or service marks of their respective holders. The specifications and information contained herein are subject to change without notice.
DSAPPL0312