
IBM Software

Data Sheet

IBM QRadar Security
Intelligence Platform
appliances
Comprehensive, state-of-the-art solutions providing
next-generation security intelligence

Highlights

● Collect and aggregate diverse sets of logs and event data
● Provide integrated log management, security information and event management (SIEM), and configuration and vulnerability management
● Monitor network flow data and Layer 7 application payloads, providing increased visibility into network activity
● Deploy quickly and easily as a centralized all-in-one system or with a distributed architecture using preconfigured systems
● Utilize specialized configurations for virtualized environments
● Provide high availability and disaster recovery
● Deliver rapid time-to-value using thousands of predefined rules and out-of-the-box report templates

IBM® QRadar® Security Intelligence Platform appliances combine typically disparate network and security management capabilities into a single, comprehensive solution. Appliance versions are offered for IBM Security QRadar Log Manager, IBM Security QRadar SIEM, IBM Security QRadar Risk Manager and IBM Security QRadar Network Anomaly Detection. For additional network visibility, IBM Security QRadar QFlow Collector solutions and IBM Security QRadar VFlow Collector solutions can be added to the platform’s network analysis and content capture capabilities.

IBM QRadar Security Intelligence Platform appliances are preconfigured, optimized systems that do not require expensive external storage, third-party databases or ongoing database administration. Deployment options include dedicated, high-performance appliances; Linux-based software packages; and virtualized appliances for VMware-based environments. Organizations use these appliances to protect their businesses, to grow with them, and to achieve the maximum benefit from their security intelligence deployments. Six categories of appliances are offered:

● Log management—Collection, archiving and analysis of events from various network and security devices, systems and applications
● SIEM—Integrated log management and network flow collection with advanced correlation, anomaly detection, workflow and reporting capabilities
● Flow processing—Layer 4 NetFlow and Layer 7 QFlow collection and correlation
● Configuration and vulnerability management—Proactive configuration audit, risk and compliance policy assessment, and advanced threat simulation
● Network anomaly detection—Specialized capabilities that complement IBM Security SiteProtector™ System and IBM Security Network Intrusion Prevention System installations
● High availability and disaster recovery—Backup capabilities that can pair secondary systems with any member of the appliance family to help ensure continuous operations

IBM Security QRadar Log Manager appliances

QRadar Log Manager appliances are ideal for organizations that need simplified capabilities for log management today, with the ability to expand capacity for event processing and upgrade to a full SIEM solution in the future. They offer turnkey collection, storage, indexing and real-time correlation of log data and can be deployed in a distributed manner that can support some of the largest deployments in the world. These appliances are designed to meet the needs of small and midsize organizations, as well as large businesses that are geographically dispersed and require an enterprise-class, scalable solution.

The IBM Security QRadar Log Manager all-in-one appliance is an entry-level system that utilizes on-board event collection and correlation capabilities, with all data correlated in real time, and can process up to 5,000 events per second. It can easily expand as the organization grows, with the ability to support hundreds of thousands of events per second through conversion into a console (distributed) deployment with the addition of separate event processor appliances.

Larger organizations can utilize the capabilities of the IBM Security QRadar Log Manager console appliance with its external event collection and correlation approach. Console appliances require at least one add-on event processor, which allows for dedicated search processing, reporting and central administration of a distributed log management deployment. Add-on event processor appliances perform real-time collection, storage, correlation and analysis of up to 20,000 events (log entries) per second per appliance. Large, multi-appliance deployments can support more than one million events per second.

[Figure: Sample IBM Security QRadar Log Manager 3105 distributed deployment (QRadar web console; 3105 console with 1605 event processors and 1501 event collectors; routers, switches, IDS, firewall and other security devices exporting logs)]

QRadar Log Manager solutions can begin as a single turnkey appliance and grow into highly distributed solutions.

IBM Security QRadar 1605 and 1624 Event Processor appliances

IBM Security QRadar event processor appliances provide scalable event collection and correlation for organizations of all sizes. The IBM Security QRadar 1605 and 1624 Event Processor appliances are expansion solutions that can be deployed in conjunction with QRadar Log Manager and QRadar SIEM console appliances. The scalable architecture of these appliances includes distributed event processor and event collector appliances and distributed correlation, supporting multiple event processor and event collector appliances when network availability conditions warrant. For situations where network connectivity is either unreliable or temporarily unavailable, or in locations with low event volumes, event collector appliances can be deployed to collect events and forward them to an event processor or all-in-one appliance.

IBM Security QRadar 1501 Event Collector appliances

IBM Security QRadar event collector appliances provide continuous capabilities for event logging when network connectivity is unavailable. Also designed to collect events and logs in distributed locations with relatively low event volumes (such as retail stores and satellite offices), they provide a more economical approach than deploying event processors in such scenarios. Event collector appliances simply collect events and forward them to an event processor or all-in-one appliance for correlation, analysis and long-term storage.

Security QRadar Log Manager appliance features

Feature | All-in-One 2100 | All-in-One 3105 | All-in-One 3124 | Console 3105 | Console 3124 | 1501 | 1605 | 1624
Single turnkey solution | X | X | X | | | | |
Part of distributed solution | | | | X | X | X | X | X
Event collection, storage, correlation, analysis and storage | Max. 5,000 EPS (sustained) | Max. 5,000 EPS (sustained) | Max. 20,000 EPS (sustained) | Not applicable | Not applicable | Max. 1,500 EPS (sustained), collection and forwarding only | Max. 20,000 EPS (sustained) | Max. 20,000 EPS (sustained)
Long-term data storage | 1.3 TB | 6.5 TB | 16 TB | 1.3 TB | 6.5 TB | 16 TB | 1.5 TB | 16 TB
Typical event storage capacity | 1 year | 3 years | 3 years | Not applicable | Not applicable | Not applicable | 1 year | 3 years
Support for high availability and disaster recovery | X | X | X | X | X | | X | X

IBM Security QRadar SIEM appliances

QRadar SIEM appliances deliver integrated log management and security intelligence technology for organizations of all sizes. These appliances offer the ability to correlate logs, network flows, vulnerabilities, user identities, threat intelligence and other security telemetry. They also offer application-level packet inspection and content capture for superior network visibility and forensics. Available in either all-in-one or distributed deployment configurations, they are ideal for growing organizations that seek maximum security and compliance capabilities. QRadar SIEM appliances often serve as the base platform for large, geographically dispersed businesses that require an enterprise-class, scalable solution. The QRadar SIEM appliance architecture offers an easy-to-deploy, scalable model through the use of distributed event and flow processor appliances.

The IBM Security QRadar SIEM 2100 All-In-One appliance delivers a single appliance for small and midsize organizations. It provides an integrated security solution, and its intuitive user interface makes it easy to deploy in minutes. The QRadar 2100 All-in-One Appliance also includes an embedded version of IBM Security QRadar QFlow Collector, which provides Layer 7 collection of network traffic flows and deep application visibility for advanced threat detection and forensic capabilities, providing a single-appliance solution. No additional event processors or flow processors can be used to expand this system.

The IBM Security QRadar SIEM 3105 and 3124 All-in-One appliances utilize on-board event and flow collection and correlation capabilities. These appliances can directly collect events from all supported log sources, as well as NetFlow, J-Flow, sFlow and IPFIX data from network devices. They can also utilize external QRadar QFlow Collector and QRadar VFlow Collector appliances for Layer 7 network analysis and content capture. They are expandable into console configurations in which separate event and flow processor appliances are used to collect and store data.

The IBM Security QRadar SIEM 3105 and 3124 Console appliances utilize external event and flow processor appliances. At least one add-on event processor, flow processor, or combined event and flow processor appliance is required, allowing the console to perform dedicated search processing, reporting and central administration of the distributed SIEM deployment. An event processor appliance (see the 1605 or 1624 descriptions within the QRadar Log Manager table) can perform real-time collection, storage, correlation and analysis of up to 20,000 events (logs) per second. A flow processor appliance can perform real-time collection, storage, correlation and analysis of up to 1,200,000 bidirectional flows per minute. Large, multi-appliance deployments can support more than one million events per second, and millions of flows per minute. Teamed with one or more QRadar QFlow Collector appliances, the console can also receive Layer 7 network analysis and content capture while aggregating other network activity data, such as NetFlow, J-Flow, sFlow and IPFIX. QRadar VFlow Collector appliances provide the same visibility and network flow collection within VMware virtual environments.

[Figure: Sample IBM Security QRadar SIEM 2100 all-in-one deployment (QRadar web console; 2100 appliance; routers, switches, IDS, firewall and laptop log sources)]

[Figure: Sample IBM Security QRadar SIEM 3124 distributed deployment (QRadar web console; 3124 console with 1724, 1624 and 1202 appliances; QFlow collection on passive tap; Layer 4 NetFlow for external flow services; Layer 7 data analysis through SPAN or tap; collection of log events from network and security infrastructure)]

QRadar SIEM solutions can start small with an all-in-one solution and grow to support enterprise environments, using a centralized console and any number of distributed event and network flow collection appliances.

Security QRadar SIEM appliance features

Feature | All-in-One 2100 | All-in-One 3105 | All-in-One 3124 | Console 3105 | Console 3124 | 1705 | 1724 | 1805
Single turnkey solution | X | X | X | | | | |
Part of distributed solution | | | | X | X | X | X | X
Event collection, storage, correlation, analysis and storage | Max. 5,000 EPS (sustained) | Max. 5,000 EPS (sustained) | Max. 20,000 EPS (sustained) | Not applicable | Not applicable | Not applicable | Not applicable | Max. 1,000 EPS (sustained)
Support for expandable log source (devices) data | Not applicable | Requires Console conversion | Requires Console conversion | Requires 1605/1624 Event Processor appliances | Requires 1605/1624 Event Processor appliances | Not applicable | Not applicable | Not applicable
Flow collection, correlation, analysis and storage | Max. 50,000 bidirectional flows/minute | Max. 200,000 bidirectional flows/minute | Max. 600,000 bidirectional flows/minute | Not applicable | Not applicable | Max. 200,000 bidirectional flows/minute | Max. 1.2 million bidirectional flows/minute | Max. 200,000 bidirectional flows/minute
Optional use of QFlow and VFlow Collectors | On-board QFlow Collector included | X | X | Requires 1705/1724 Flow Processor appliances | Requires 1705/1724 Flow Processor appliances | X | X | X
Long-term data storage | 1.3 TB | 6.5 TB | 16 TB | 6.5 TB | 16 TB | 6.5 TB | 16 TB | 6.5 TB
Typical event storage capacity | 1 year | 3 years | 3 years | Not applicable | Not applicable | Not applicable | Not applicable | 1 year
Typical flow storage capacity | 1 year | 1 year | 3 years | Not applicable | Not applicable | 1 year | 3 years | 1 year
Support for high availability and disaster recovery | X | X | X | X | X | X | X | X

IBM Security QRadar 1705 and 1724 Flow Processor appliances

IBM Security QRadar flow processor appliances provide scalable flow collection, correlation and storage for organizations of all sizes. They are expansion appliances for use with QRadar SIEM Console systems. They offer turnkey collection, storage, indexing and real-time correlation of flow data and are designed to be deployed in a distributed manner. QRadar flow processor appliances collect and analyze network flow data in a variety of formats including NetFlow, J-Flow, sFlow, and IPFIX. They can even process Layer 7 application-level data gathered by QRadar QFlow Collector appliances.

IBM Security QRadar 1805 Combined Event and Flow Processor appliances

IBM Security QRadar 1805 Combined Event and Flow Processor appliances provide event and network activity monitoring and correlation for remote or branch offices and for large, distributed organizations seeking scalable solutions. These appliances are expansion appliances deployed in conjunction with QRadar SIEM All-in-One or QRadar SIEM Console appliances.

IBM Security QFlow and VFlow Collector appliances for Layer 7 visibility

IBM Security QRadar QFlow Collector and VFlow Collector appliances offer a powerful solution for gathering rich network activity data in both physical and virtual infrastructures. They surpass traditional flow data (such as NetFlow) by using deep packet inspection to collect more detailed and revealing Layer 7 data, as well as content capture for forensic activities. They can detect more than 1,000 applications such as Voice over Internet Protocol (VoIP), enterprise resource planning (ERP), multimedia including Skype, social media such as Twitter and LinkedIn, and peer to peer (P2P), among many others. This enables application-level network activity analysis and anomaly detection. This information, when correlated with event data, enables a more advanced analysis of the overall security posture of the network.

QRadar QFlow Collector appliances gather network traffic passively through network taps and SPAN ports. QFlow Collector appliances must be paired with either a 17XX flow processor, 1805 Combined Event and Flow Processor, or an all-in-one SIEM appliance. There are four QRadar QFlow Collector models:

● IBM Security QRadar 1201 QFlow Collector: Offers midrange, multi-port collection capabilities for underutilized gigabit Ethernet connections up to 200 Mbps
● IBM Security QRadar 1202 QFlow Collector: Provides line-rate gigabit Ethernet network performance and multi-port flexibility for copper-based networks; is well suited for collecting and monitoring high rates of network traffic at the data center and core of an enterprise
● IBM Security QRadar 1301 QFlow Collector: Provides line-rate gigabit Ethernet network performance with multi-port flexibility for fiber-based networks; is well suited for collecting and monitoring high rates of network traffic at the data center and core of an enterprise
● IBM Security QRadar 1310 QFlow Collector: Delivers advanced network and application visibility and collection on 10-Gbps Ethernet networks

QRadar VFlow Collector appliances are virtual activity monitors that provide the same collection and visibility for virtual network and server resources as QRadar QFlow Collector appliances provide for physical resources, helping bridge the gap between the physical and virtual realms. QRadar VFlow Collector appliances are virtual appliances that connect to the virtual switch within a VMware virtual host. The product can also analyze port-mirrored traffic for a physical network switch. They can support up to four virtual interfaces and up to 10,000 bidirectional flows per minute.

IBM Security QRadar Risk Manager appliances

IBM Security QRadar Risk Manager appliances deliver proactive risk management capabilities for organizations of all sizes by extending QRadar SIEM capabilities to provide multi-vendor configuration audit, risk/compliance policy assessment, continuous monitoring and advanced threat simulation. These systems are deployed as an add-on to an existing IBM Security QRadar SIEM appliance. QRadar Risk Manager appliances feature:

● A turnkey hardware-based appliance system
● Support for 50 configuration sources (any supported device), expandable to thousands of configuration sources through license upgrade
● 6.5 TB of usable on-board storage for long-term data retention

IBM Security QRadar Network Anomaly Detection Appliance

The IBM Security QRadar Network Anomaly Detection Appliance is optimized to complement and integrate with IBM Security SiteProtector System and IBM Security Network Intrusion Prevention System to provide greater insight into network behavior and abnormal activities. It offers the anomaly detection and real-time correlation capabilities of QRadar SIEM to enhance the SiteProtector solution’s numerous threat protection techniques. Network and application vulnerability data is also collected from vulnerability scanners and used to prioritize threats and risks seen by the intrusion prevention system product.

QRadar Network Anomaly Detection is typically deployed as an add-on to an existing SiteProtector and Network Intrusion Prevention System installation. This appliance uses the same hardware as IBM Security QRadar SIEM 3105. It includes entitlement for collecting 500 events per second (upgradable to 1,000 events per second) and 25,000 network flows per minute (upgradable to 200,000 flows per minute).

IBM Security QRadar high-availability appliances

Easy-to-deploy IBM Security QRadar high-availability appliances provide fully automated disk synchronization and failover for high availability of data collection, correlation, analysis and reporting capabilities. These systems help organizations store, correlate and analyze large volumes of events, flows and other networking and asset data without interruption when the primary appliances are not functional for any reason.

QRadar high-availability appliances offer the flexibility to use disk synchronization or leverage shared SAN/IP SAN storage, according to the available infrastructure. Disk synchronization is a built-in feature used to replicate data between a primary appliance and a secondary high-availability appliance. All data mirroring is unidirectional and only event and flow data are covered. QRadar high-availability appliances can be deployed on a per-appliance basis, enabling distributed QRadar deployments to add these capabilities where and when they are needed. This simple-to-deploy solution delivers excellent performance without the configuration challenges, high costs and ongoing administration requirements of third-party fault tolerance products.

IBM Security QRadar disaster-recovery appliances

IBM Security QRadar disaster-recovery appliances provide a means of safeguarding collected event and flow data by mirroring it to a secondary, identical backup appliance deployment. Disaster recovery differs from high availability in that disaster-recovery appliances do not perform continuous synchronization between primary and backup appliances. The QRadar disaster-recovery approach requires that the production and disaster-recovery deployments be identical in terms of topology, appliance model and event/flow processing capacity. Each console, event or flow processor appliance in the primary deployment must have an identical counterpart in the disaster-recovery deployment. QRadar disaster-recovery appliances can also be used in conjunction with QRadar high-availability solutions to achieve optimal system protection.

Why IBM?

IBM operates a worldwide security research, development and delivery organization comprising 10 security operations centers, nine IBM Research centers, 11 software security development labs and an Institute for Advanced Security with chapters in the United States, Europe and Asia Pacific. These products build on the threat intelligence expertise of the IBM X-Force® research and development team to provide a preemptive approach to security. As a trusted partner in security, IBM delivers the solutions to keep the entire enterprise infrastructure, including the cloud, protected from the latest security risks. IBM solutions empower organizations to reduce their security vulnerabilities and focus more on the success of their strategic initiatives.

For more information

To learn more about IBM QRadar Security Intelligence Platform appliances, contact your IBM representative or IBM Business Partner, or visit: ibm.com/security

For more information about IBM Security QRadar SIEM software, please see the “IBM Security QRadar SIEM” data sheet.

Additionally, IBM Global Financing can help you acquire the software capabilities that your business needs in the most cost-effective and strategic way possible. We’ll partner with credit-qualified clients to customize a financing solution to suit your business and development goals, enable effective cash management, and improve your total cost of ownership. Fund your critical IT investment and propel your business forward with IBM Global Financing. For more information, visit: ibm.com/financing

© Copyright IBM Corporation 2013

IBM Corporation
Software Group
Route 100
Somers, NY 10589

Produced in the United States of America
January 2013

IBM, the IBM logo, ibm.com, QRadar, and X-Force are trademarks of International Business Machines Corp., registered in many jurisdictions worldwide. Other product and service names might be trademarks of IBM or other companies. A current list of IBM trademarks is available on the web at “Copyright and trademark information” at ibm.com/legal/copytrade.shtml

Linux is a registered trademark of Linus Torvalds in the United States, other countries, or both.

This document is current as of the initial date of publication and may be changed by IBM at any time. Not all offerings are available in every country in which IBM operates.

THE INFORMATION IN THIS DOCUMENT IS PROVIDED “AS IS” WITHOUT ANY WARRANTY, EXPRESS OR IMPLIED, INCLUDING WITHOUT ANY WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND ANY WARRANTY OR CONDITION OF NON-INFRINGEMENT. IBM products are warranted according to the terms and conditions of the agreements under which they are provided.

IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed or misappropriated or can result in damage to or misuse of your systems, including to attack others. No IT system or product should be considered completely secure and no single product or security measure can be completely effective in preventing improper access. IBM systems and products are designed to be part of a comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products or services to be most effective. IBM does not warrant that systems and products are immune from the malicious or illegal conduct of any party.

WGD03019-USEN-00