B QRadar Hardware Guide

IBM Security QRadar
Version 7.2.4
Hardware Guide
Note
Before using this information and the product that it supports, read the information in Notices on page 29.
Product information
This document applies to IBM QRadar Security Intelligence Platform V7.2.4 and subsequent releases unless
superseded by an updated version of this document.
Copyright IBM Corporation 2014, 2014.
US Government Users Restricted Rights Use, duplication or disclosure restricted by GSA ADP Schedule Contract
with IBM Corp.
Contents
About this guide . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . v
Chapter 1. Safety Instructions . . . . . . . . . . . . . . . . . . . . . . . . . . 1
Chapter 2. What's new in hardware in QRadar V7.2.4 . . . . . . . . . . . . . . . . 3
Chapter 3. QRadar appliance overview . . . . . . . . . . . . . . . . . . . . . . 5

QRadar QFlow Collector 1201 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
QRadar 1400 Data Node . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
QRadar Event Collector 1501 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8
QRadar Event Processor 1605 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
QRadar Event Processor 1628 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10
QRadar Flow Processor 1705 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10
QRadar Flow Processor 1728. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
QRadar 1805 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12
QRadar Flow Processor 1828 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12
QRadar 2100 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
QRadar 3105 (All-in-One). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14
QRadar 3105 (Console) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
QRadar 3128 (All-in-One). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
QRadar 3128 (Console) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16
QRadar Log Manager 1605 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16
QRadar Log Manager 3105 (All-in-One) . . . . . . . . . . . . . . . . . . . . . . . . . . 18
QRadar Log Manager 3105 Console . . . . . . . . . . . . . . . . . . . . . . . . . . . 19
QRadar Log Manager 3128 (All-in-One) . . . . . . . . . . . . . . . . . . . . . . . . . . 19
QRadar Log Manager 3128 (Console) . . . . . . . . . . . . . . . . . . . . . . . . . . . 20
QRadar Vulnerability Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21
QRadar Risk Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22
Chapter 4. Appliance Diagrams . . . . . . . . . . . . . . . . . . . . . . . . . 23

Integrated Management Module . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23
QRadar 2100, QRadar Event Collector 1501, and all QRadar Flow Processor Appliances . . . . . . . . . . 23
Front panel indicators and features . . . . . . . . . . . . . . . . . . . . . . . . . . 23
Back panel indicators and features. . . . . . . . . . . . . . . . . . . . . . . . . . . 24
QRadar Appliances . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26
Front panel indicators and features . . . . . . . . . . . . . . . . . . . . . . . . . . 26
Back Panel Indicators and Features . . . . . . . . . . . . . . . . . . . . . . . . . . 27
Notices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29
Trademarks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30
Privacy policy considerations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31
Glossary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33
A. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33
B. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33
C. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33
D. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34
E. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34
F. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34
Copyright IBM Corp. 2014, 2014 iii

G. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35
H. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35
I . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35
K. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36
L. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36
M . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36
N. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36
O. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37
P. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37
Q. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37
R. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37
S. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38
T. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38
V. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39
W . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39
Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41
iv QRadar Hardware Guide

About this guide
The IBM Security QRadar Hardware Installation Guide provides information
about G2 Series QRadar SIEM, IBM Security QRadar Vulnerability Manager, and
QRadar Risk Manager appliances. For information about how to install your
appliances in a rack mount, see the documentation that is shipped with your
appliance.
Thank you for ordering your appliance from IBM! It is strongly recommended that
you apply the latest maintenance to you appliance for the best results. Please visit
IBM Fix Central (http://www.ibm.com/support/fixcentral) to determine the latest
recommended patch for your product.
Intended audience
The IBM Security QRadar Hardware Installation Guide is intended for operations, data
center, or system administration personnel.
Technical documentation
To find IBM Security QRadar product documentation on the web, including all
translated documentation, access the IBM Knowledge Center (http://
www.ibm.com/support/knowledgecenter/SS42VS/welcome).
For information about how to access more technical documentation in the QRadar
products library, see Accessing IBM Security Documentation Technical Note
(www.ibm.com/support/docview.wss?rs=0&uid=swg21614644).
Contacting customer support
For information about contacting customer support, see the Support and
Download Technical Note (http://www.ibm.com/support/
docview.wss?uid=swg21616144).
Statement of good security practices
IT system security involves protecting systems and information through

prevention, detection and response to improper access from within and outside
your enterprise. Improper access can result in information being altered, destroyed,
misappropriated or misused or can result in damage to or misuse of your systems,
including for use in attacks on others. No IT system or product should be
considered completely secure and no single product, service or security measure
can be completely effective in preventing improper use or access. IBM systems,
products and services are designed to be part of a lawful comprehensive security
approach, which will necessarily involve additional operational procedures, and
may require other systems, products or services to be most effective. IBM DOES
NOT WARRANT THAT ANY SYSTEMS, PRODUCTS OR SERVICES ARE
IMMUNE FROM, OR WILL MAKE YOUR ENTERPRISE IMMUNE FROM, THE
MALICIOUS OR ILLEGAL CONDUCT OF ANY PARTY.
Please Note:
Copyright IBM Corp. 2014, 2014 v

Use of this Program may implicate various laws or regulations. including those
related to privacy, data protection, employment, and electronic communications
and storage. IBM Security QRadar may be used only for lawful purposes and in a
lawful manner. Customer agrees to use this Program pursuant to, and assumes all
responsibility for complying with, applicable laws, regulations and policies.
Licensee represents that it will obtain or has obtained any consents, permissions, or
licenses required to enable its lawful use of IBM Security QRadar.
vi QRadar Hardware Guide

Chapter 1. Safety Instructions
Review safety guidelines to help ensure your own personal safety and protect your
system and working environment from potential damage.
This section includes safety guidelines to help ensure your own personal safety
and protect your system and working environment from potential damage.
Systems are considered to be components in a rack. Thus, the term component

refers to any system, various peripherals, or supporting hardware.
Observe the following precautions for rack stability and safety:

v System rack kits are intended to be installed in a rack by trained service
technicians. Before working on the rack, make sure that the stabilizers are
secured to the rack, extended to the floor, and the full weight of the rack rests
on the floor. Install front and side stabilizers on a single rack or front stabilizers
for joined multiple racks before working on the rack.
v Installing systems in a rack without the front and side stabilizers installed could
cause the rack to tip over, potentially resulting in bodily injury under certain
circumstances. Therefore, always install the stabilizers before installing
components in the rack. After installing system/components in a rack, never
pull more than one component out of the rack on the slide assemblies at one
time. The weight of more than one extended component could cause the rack to
tip over and may result in serious injury.
v Your system is safety-certified as a free-standing unit and as a component for
use in a rack cabinet using the customer rack kit. The installation of your system
and rack kit in any other rack cabinet has not been approved by any safety
agency. It is your responsibility to ensure that the final combination of system
and rack complies with all applicable safety standards and local electric code
requirements. IBM disclaims all liability and warranties in connection with such
combinations.
Do not move racks by yourself. Due to the height and weight of the rack, a
minimum of two people should accomplish this task.
v Always load the rack from the bottom up and load the heaviest item in the rack
first.
v Make sure that the rack is level and stable before extending a component from
the rack.
v Use caution when pressing the component rail release latches and sliding a
component into or out of a rack; the rails can pinch your fingers.
v Do not overload the AC supply branch circuit that provides power to the rack.
The total rack load should not exceed 80 percent of the branch circuit rating.
v Ensure that proper airflow is provided to components in the rack.
v Do not step on or stand on any component when servicing other components in
a rack.
Copyright IBM Corp. 2014, 2014 1

2 QRadar Hardware Guide
Chapter 2. What's new in hardware in QRadar V7.2.4
IBM Security QRadar V7.2.4 updates QFlow collector network traffic support.
QRadar QFlow Collector 1310 network traffic improvement
QRadar QFlow collector component now provides 10 Gbps QFlow collection and
processing without any lost data.
For more information, see QRadar QFlow Collector 1310 on page 7.

Chapter 3. QRadar appliance overview
Review information about IBM Security QRadar to understand hardware and
license requirements.
Review this overview of QRadar appliances, including capabilities, and license

limitations.
QRadar QFlow Collector 1201

The QRadar QFlow Collector 1201 appliance provides high capacity and scalable
Layer 7 application data collection for distributed deployments. The QRadar
QFlow Collector 1201 also supports external flow-based data sources.
View hardware information and requirements for the IBM Security QRadar QFlow
Collector 1201 in the following table:
Table 1. QRadar QFlow Collector 1201
Description Value
Network traffic 1 Gbps
Interfaces Five 10/100/1000 Base-T network monitoring interfaces
Two 10 Gbps SFP + ports
One 10/100/100 Base-T QRadar management interface
One 10/100 Base-T integrated management module interface

Memory 16 GB, 4 x 4GB 1600 MHz RDIMM
Storage 2 x 2.5 inch 600 GB 10 K rpm SAS, 600 MB total (Raid 1)
Power supply Dual Redundant 550 W AC
Dimensions 28.9 inches deep x 16.9 inches wide x 1.7 inches high
Included QRadar QFlow Collector
components
For diagrams and information about the front and back panel of this appliance, see
QRadar 2100, QRadar Event Collector 1501, and all QRadar Flow Processor
Appliances on page 23.

Layer 7 application data collection for distributed deployments. The IBM Security
QRadar QFlow Collector 1202 also supports external flow-based data sources.
Description Value

Table 2. QRadar QFlow Collector 1202 (continued)
Description Value
Interfaces Napatech Network Adapter, providing four 1 Gbps 10/100/1000
Base-T network interfaces

components
Napatech Network Adaptor

Description Value
Interfaces Napatech Network Adapter, providing four 1 Gbps 1000 Base SX
Multi-Mode Fiber network monitoring interfaces

components


Table 4. QRadar QFlow Collector 1310 (4380-Q5C)
Description Value
Note: The 10 Gbps rate is available only on (X3550) M4 appliances
and later. Network traffic is 3 Gbps on previous hardware.
Interfaces Napatech Network Adapter for fiber, providing two 10 Gbps SFP +
network monitoring interfaces

components
QRadar 1400 Data Node

The IBM Security QRadar Data Node 1400 appliance provides scalable data storage
solution for QRadar deployments. The QRadar Data Node enhances data retention
capabilities of a deployment as well as augment overall query performance.
View hardware information and requirements for the QRadar Data Node in the
following tables:
Table 5. QRadar Data Node when used with XX05 appliances
Description Value
Interfaces Two 10/100/1000 Base-T network monitoring interfaces
Chapter 3. QRadar appliance overview 7

Table 5. QRadar Data Node when used with XX05 appliances (continued)
Description Value
Memory 64 GB 8x 8 GB 1600 MHz RDIMM
Storage Storage: 9 x 3.5 inch 1 TB 7.2 K rpm NL SAS, 9 TB total, 6.2 TB usable
(Raid 5)
Included QRadar Data Node appliance
components
Table 6. QRadar Data Node when used with XX28 appliances

Description Value
Interfaces One 2-port Emulex 8Gb FC
Two 10/100/1000 Base-T network monitoring interface

Memory 128 GB, 8 x 16 GB 1866 MHz RDIMM8
Storage 40 TB or larger dedicated event storage: 12 x 3.5 inch 4 TB SAS 7.2 K
rpm, 48 TB total, 40 TB usable (Raid 6)
Included QRadar Data Node appliance
components
QRadar Event Collector 1501

The IBM Security QRadar Event Collector 1501 appliance is a dedicated event
collector. By default, a dedicated event collector collects and parses event from
various log sources and continuously forwards these events to an event processor.
You can configure the QRadar Event Collector 1501 appliance to temporarily store
events and only forward the stored events on a schedule. A dedicated event
collector does not process events and it does not include an on-board event
processor.
View hardware information and requirements for the QRadar 1501 in the following
table:
Table 7. QRadar 1501
Description Value
Events per second 15,000 EPS

Table 7. QRadar 1501 (continued)
Description Value
Interfaces Five 10/100/1000 Base-T network monitoring interfaces

Included
components Event Collector
QRadar Event Processor 1605

The IBM Security QRadar Event Processor 1605 appliance is a dedicated event
processor that you can scale your QRadar deployment to manage higher EPS rates.
The QRadar Event Processor 1605 appliance includes an on-board event collector,
event processor, and internal storage for events.
The QRadar Event Processor 1605 is a distributed event processor appliance and
requires a connection to a IBM Security QRadar 3105 or QRadar 3128 console
appliance.
View hardware information and requirements for the QRadar Event Processor 1605
in the following table:
Table 8. QRadar Event Processor 1605
Description Value
Basic license 2,500 EPS
Upgraded license 20,000 EPS

Memory Memory: 64 GB 8x 8 GB 1600 MHz RDIMM
Storage Storage: 9 x 3.5 inch 1 TB 7.2 K rpm NL SAS, 9 TB total, 6.2 TB usable
(Raid 5)

Table 8. QRadar Event Processor 1605 (continued)
Description Value
Included Event Collector
components
Event Processor
QRadar Appliances on page 26.
QRadar Event Processor 1628

The IBM Security QRadar 1628 appliance is a dedicated event processor that you
can use to scale your QRadar deployment to manage higher EPS rates. The QRadar
Event Processor 1628 appliance includes an on-board event collector, event
processor, and internal storage for events.
The QRadar Event Processor 1628 is a distributed event processor appliance and
requires a connection to a IBM Security QRadar 3128 Console appliance.
table:
Table 9. QRadar 1628 Event Processor overview
Description Value
Two 10/100/1000 Base-T network monitoring interfaces
One 10/100/100 Base-T IBM Security QRadar management interface

Storage 12 x 3.5 inch 4 TB SAS 7.2 K rpm, 48 TB total, 40 TB usable (Raid 6)
Power supply Dual Redundant 900 W AC Power Supply
components
Event Processor
For diagrams and information on the front and back panel of this appliance, see
QRadar Flow Processor 1705

The QRadar Flow Processor 1705 appliance is a flow processor that can scale your
QRadar deployment to manage higher FPM rates. The QRadar Flow Processor
1705 includes an on-board Flow processor, and internal storage for flows.

View hardware information and requirements for the QRadar Flow Processor 1705
Table 10. QRadar Flow Processor 1705
Description Value
Basic license
100,000 FPM
Upgraded license
600,000 FPM, depending on traffic types

Storage 9 x 3.5 inch 1 TB 7.2 K rpm NL SAS, 9 TB total, 6.2 TB usable (Raid 5)
Included Flow processor
components

The IBM Security QRadar Flow Processor 1728 appliance is a flow processor that
can scale your QRadar deployment to manage higher FPM rates. The QRadar Flow
Processor 1728 includes an on-board Flow processor, and internal storage for flows.
View hardware information and requirements for the QRadar 1728 Flow processor
Table 11. QRadar 1728 Flow Processor overview
Description Value
Basic license 100,000 FPM
Upgraded license 1,200,000 FPM


Table 11. QRadar 1728 Flow Processor overview (continued)
Description Value
Included Flow Processor
components
QRadar 1805
The IBM Security QRadar 1805 appliance is a combined Event Processor and Flow
Processor that can scale your QRadar deployment to manage more events and
flows. The QRadar 1805 includes an on-board Event Processor, an on-board Flow
Processor, and internal storage for events and flows.
View hardware information and requirements for the IBM Security QRadar 1805 in
the following table:
Table 12. IBM Security QRadar 1805 overview
Description Value
1,000 EPS
Upgraded license 200,000 FPM
5,000 EPS

Included Event processor
components
Flow processor

The IBM Security QRadar 1828 appliance is a combined Event Processor and Flow
Processor that you can scale your QRadar deployment to manage more event and
flows. The QRadar 1828 includes an on-board Event Processor, an on-board Flow
Processor, and internal storage for events and flows.
View hardware information and requirements for the QRadar 1828 Flow processor

Table 13. QRadar 1828 Flow Processor overview
Description Value
Basic license 25,000 FPM,
1000 EPS
15,000 EPS

Included Flow Processor
components
QRadar 2100
The IBM Security QRadar 2100 appliance is an all-in-one system that combines
Network Behavioral Anomaly Detection (NBAD) and Security Information and
Event Management (SIEM) to accurately identify and appropriately prioritize
threats that occur on your network.
View hardware information and requirements for the IBM Security QRadar 2100 in
Table 14. IBM Security QRadar 2100 overview
Description Value
1000 EPS
Upgraded license
50,000 FPM
Interfaces Three 10/100/1000 Base-T network monitoring interfaces

Storage 6 x 2.5 inch 500 GB 7.2K rpm SATA, 3 TB total, 1.5 TB usable (Raid 10)

Table 14. IBM Security QRadar 2100 overview (continued)
Description Value
components
Event Processor
Single QRadar QFlow Collector
Additional QRadar QFlow Collectors are sold separately.
QRadar 3105 (All-in-One)

The IBM Security QRadar 3105 (All-in-One) appliance is an all-in-one QRadar
system that can profile network behavior and identify network security threats.
table:
Table 15. QRadar 3105 overview
Description Value
1000 EPS
5,000 EPS
Network objects 1000
Log sources 750

components
Event Processor for processing events and flows
Internal storage for events and flows

The QRadar 3105 (All-in-One) appliance requires external QRadar QFlow
Collectors for layer 7 network activity monitoring.
QRadar 3105 (Console)

Understand and expand the capacity of the IBM Security QRadar 3105
(All-in-One).
You can expand the capacity of the QRadar 3105 (All-in-One) beyond license-based
upgrade options by upgrading to the QRadar 3105 (Console) appliance and adding
one or more of the following appliances:
v QRadar Event Processor 1605 on page 9
v QRadar Flow Processor 1705 on page 10
v QRadar 1805 on page 12
The QRadar 3105 (Console) appliance you can use to manage a distributed
deployment of Event Processors and Flow Processors to profile network behavior
and identify network security threats.
QRadar 3128 (All-in-One)

The IBM Security QRadar 3128 (All-in-One) appliance is an all-in-one QRadar
system that can profile network behavior and identify network security threats.
View hardware information and requirements for the QRadar 3128 (All-in-One) in
Table 16. QRadar 3128 (All-in-One)
Description Value
1000 EPS
15,000 EPS
Network objects Up to 1,000, depending on the license
Log sources 750 (add more devices with a licensing option)


Table 16. QRadar 3128 (All-in-One) (continued)
Description Value
components
Event Processor for processing events and flows
Internal storage for events and flows
The QRadar 3128 (All-in-One) requires external QRadar QFlow Collectors for layer
7 network activity monitoring.
QRadar 3128 (Console)

Understand expansion options for the IBM Security QRadar
You can expand the capacity of the QRadar3128 (All-in-One) appliance beyond
license-based upgrade options by upgrading to the QRadar 3128 (Console)
appliance and adding one or more of the following appliances:
v QRadar Event Processor 1628 on page 10
The QRadar 3128 (Console) appliance you can use to manage a distributed
deployment of Event Processors and Flow Processors to profile network behavior
and identify network security threats.
QRadar Log Manager 1605

The IBM Security QRadar Log Manager 1605 appliance is a distributed Event
Processor appliance and requires a connection to a QRadar Log Manager 3128
Console appliance.
The QRadar Log Manager 1605 is a distributed Event Processor appliance and
requires a connection to a QRadar Log Manager 3105 appliance.
View hardware information and requirements for the QRadar Log Manager 1605 in
Table 17. QRadar Log Manager 1605
Description Value

Table 17. QRadar Log Manager 1605 (continued)
Description Value

components
Event Processor

The IBM Security QRadar Log Manager 1628 appliance is a dedicated Event
Processor that you can use to scale your QRadar Log Manager deployment to
manage higher Event Per Second (EPS) rates. The QRadar Log Manager 1628
appliance includes an on-board Event Collector, Event Processor, and internal
storage for events.
The QRadar Log Manager 1628 is a distributed Event Processor appliance and
requires a connection to a QRadar Log Manager 3105 appliance.
Table 18. QRadar Log Manager 1628
Description Value


Table 18. QRadar Log Manager 1628 (continued)
Description Value
components
Event Processor

The IBM Security QRadar Log Manager 2100 appliance is an all-in-one system that
can manage and store events from various network devices.
View hardware information and requirements for the IBM Security QRadar Log
Manager 2100 in the following table:
Table 19. IBM Security QRadar Log Manager 2100 overview
Description Value
Basic license 1000 EPS
Log sources 750
Interfaces Three 10/100/1000 Base-T network monitoring interfaces

Storage 6 x 2.5 inch 500 GB 7.2K rpm SATA, 3 TB total, 1.5 TB usable (Raid 10)
components
Event Processor
IBM Security QRadar Log Manager 2100 includes external flow collection.
Additional QRadar QFlow Collectors are sold separately.
QRadar Log Manager 3105 (All-in-One)

The IBM Security QRadar Log Manager 3105 (All-in-One) appliance is an all-in-one
system that you can use to manage and store events from various network devices.

Table 20. QRadar Log Manager 3105 overview
Description Value
1000 EPS
5,000 EPS

components
Event Processor for processing events
Internal storage for events
You can upgrade your license to migrate your QRadar Log Manager 3105
(all-in-one) to QRadar 3105 (all-in-one). For more information, see the Migrating
QRadar Log Manager to QRadar SIEM Technical Note.
QRadar Log Manager 3105 Console

You can expand the capacity of the QRadar Log Manager (all-in-one) appliance
beyond license-based upgrade options by upgrading to the QRadar Log Manager
3105 (Console) appliance. You must also add one or more QRadar Log Manager
1605 or QRadar Log Manager1628 appliances.
The QRadar Log Manager 3105 (Console) appliance manages a distributed

deployment of Event Processors to collect and process events. You can upgrade
your license from QRadar Log Manager 3105 to QRadar 3105
QRadar Log Manager 3128 (All-in-One)

The IBM Security QRadar Log Manager 3128 (All-in-One) appliance is an all-in-one
system that you can use to manage and store events from various network devices.
View hardware information and requirements for the QRadar Log Manager 3128
(All-in-One) in the following table:
Table 21. QRadar Log Manager 3128 (All-in-One)
Description Value

Table 21. QRadar Log Manager 3128 (All-in-One) (continued)
Description Value
Network objects Up to 1,000, depending on the license
Log sources 750 (add more devices with a licensing option)

components
Event Processor
Internal storage for events
(all-in-one) appliance to QRadar 3128 (all-in-one). For more information about
migrating QRadar Log Manager to QRadar SIEM, see the Migrating QRadar Log
Manager to QRadar SIEM Technical Note.
QRadar Log Manager 3128 (Console)

The IBM Security QRadar Log Manager 3128 (Console) appliance manages a
distributed deployment of Event Processors to collect and process events. Expand
and upgrade the QRadar Log Manager 3128 (Console).
You can expand the capacity of the QRadar Log Manager 3128 (all-in-one)
appliance beyond license-based upgrade options by upgrading to the QRadar Log
Manager 3128 (Console) appliance and adding one or more of the following
appliances:
v QRadar Log Manager 1605 on page 16
v QRadar Log Manager 1628 on page 17
(Console) appliance to QRadar Log Manager 3128 (Console). For more information,
see the Migrating QRadar Log Manager to QRadar SIEM Technical Note .
The QRadar Log Manager 3128 (Console) appliance manages a distributed

deployment of Event Processors to collect and process events.

QRadar Vulnerability Manager

The IBM Security QRadar Vulnerability Manager appliance scans and reports on
network vulnerabilities. QRadar Vulnerability Manager provides a vulnerability
management workflow that is fully integrated with QRadar SIEM and is available
as a software option, appliance, and virtual appliance.
QRadar Vulnerability Manager provides the following capabilities:

v Scans inside and outside your network, network infrastructure, servers, and end
points for bad configurations, weak settings, unpatched products, and other key
weaknesses.
v Uses network usage, threat environment, security configuration information,
virtual patch, and patch availability to bring real context to vulnerability
management, which drives efficient remediation processes
v Integrates all vulnerability information from external systems to provide a single
view.
v Full integration with the QRadar asset profile database to provide intelligent
event-driven scans.
v Unlimited QRadar Vulnerability Manager discovery scans
v Use of hosted scanner for DMZ scanning
The QRadar Vulnerability Manager appliance supports:

Table 22. QRadar Vulnerability Manager overview
Description Value
Basic license 255 assets
Upgraded license 32,768

Included QRadar Vulnerability Manager
components

QRadar Risk Manager
The IBM Security QRadar appliance delivers a fully integrated risk management,
vulnerability prioritization, and automated configuration solution that is integrated
into the IBM Security QRadar platform. QRadar Log Manager enables tightly
integrated features in QRadar SIEM that enhance incident management, log and
network activity searches, threat visualization, and reports.
View hardware information and requirements for the QRadar Risk Manager in the
following table:
Table 23. QRadar Risk Manager in the following table
Description Value
One 10/100/100 Base-T QRadar SIEM management interface

Included QRadar Risk Manager
components

Chapter 4. Appliance Diagrams
View the diagrams and descriptions for the back and front panels of your
appliance. These diagrams are representations of an IBM Security QRadar
appliance. Your system might vary, depending on the version of appliance you
purchased.
Integrated Management Module

On the back panel of each appliance type, the serial connector and Ethernet
connectors can be managed using the Integrated Management Module (IMM). You
can configure the IMM to share an Ethernet port with the IBM Security QRadar
management interface; however, you can configure the IMM in dedicated mode to
reduce the risk of losing the IMM connection when the appliance is restarted. To
configure the IMM, you must access the System BIOS settings by pressing the F1
key when the IBM splash screen is displayed. For further instructions on how to
configure the IMM, see the Integrated Management Module User's Guide that is
located on the CD that was shipped with your appliance.
QRadar 2100, QRadar Event Collector 1501, and all QRadar Flow
Processor Appliances
Review the information about the front and back panel features for appliances to
confirm proper connectivity and functionality.
v QRadar 2100 on page 13 (4380-Q1C).
v QRadar QFlow Collector 1202 on page 5 (4380-Q3C).
v QRadar Event Collector 1501 on page 8, QRadar QFlow Collector 1201 on
page 5 (4380-Q2C).
v QRadar Log Manager 2100 on page 18 (4380-Q1C).
Front panel indicators and features

Review IBM Security QRadar appliance front panel indicators and features to
confirm that your appliances are functioning properly.
The following figure shows the front panel indicators and features of the QRadar
Core Appliances 4380-QxC.

Figure 1. Front panel indicators and features of the QRadar Core Appliances 4380-QxC.
The following table describes the front panel features.

Table 24. Front Panel Features of QRadar Core Appliances (4380-QxC)
Features Description
Hard Disk Drive Activity LED Indicates when the hard disk drive is active.
This light is green. When this LED flashes,
the hard disk is in use.
Hard Disk Drive Status LEDs Indicates the status of the drive. This light is
amber, and indicates the following statuses:
video connector Connect a VGA monitor to this connector.
The video connectors on the front and rear
of the server can be used simultaneously.
Drive Bays Hard disk bays are numbered 0 through 7
starting at the upper left drive bay.
Back panel indicators and features

Review the IBM Security QRadar back panel indicators and features to confirm
that your appliances are functioning properly.
The following figure shows the back panel features of the QRadar Core Appliances
4380 (4380-QxC).
Figure 2. Back panel features of the QRadar Core Appliances 4380 (4380-QxC)
The following table describes the back panel features.

Table 25. QRadar Core Appliances 4380 (4380-QxC) back panel indicators and features
Slot 1, PCI Express or PCI-X Insert a low-profile PCI Express or PCI-X
adapter into this slot. You can purchase an
optional PCI Express or PCI-X riser card
assembly with bracket if you want to install
a PCI adapter in this slot.
Slot 2, PCI Express or PCI-X
Insert a half-length, full-height PCI Express
or PCI-X adapter into this slot. Standard
models of the server come with one PIC
Express riser-card assembly that is installed
in this slot. You can purchase an optional
PCI-X riser-card assemble with bracket if
you want to install a PCI-X adapter in this
slot.
If your appliance is shipped with an

uninstalled Napatech Network Adapter, you
can install the adapter in Slot 2. For more
information about how to install a Napatech
Network Adapter, see the Installing a
Napatech Network Adapter Technical Note .
USB Connectors Connect a USB device, such as a USB mouse
and keyboard to any of these connectors.
Two more USB connectors are available on
the front panel.
Power Supplies Supports two power supplies.
Power Cord Connectors Connect the power cord to this connector.
serial connector Connect a 9-pin serial device to this
connector. The serial port is shared with the
integrated management module (IMM). The
IMM can take control of the shared serial
port to perform text console redirection and
to redirect serial traffic, using Serial over
LAN (SOL).
Ethernet Connectors Use either of these connectors to connect the
server to a network. When you use the
Ethernet 1 connector, the network can be
shared with the IMM through a single
network cable.
System Management Ethernet Connector Use this connector to connect your
management interface.
NMI button
Use the NMI button to troubleshoot
software and device driver errors when you
use certain operating systems.
v Use this button only if directed to do so
by qualified support personnel.
Press this button to force a Non-Maskable

Interrupt (NMI) to the microprocessor. Use a
pen or the end of a straightened paper clip
to press the button.
Chapter 4. Appliance Diagrams 25

QRadar Appliances
Review the information about the front and back panel features for appliances to
confirm proper connectivity and functionality.
v QRadar 1400 Data Node on page 7 (4380-Q1E).
v QRadar Event Processor 1605 on page 9 (4380-Q1E).
v QRadar Event Processor 1628 on page 10 (4380-Q2E).
v QRadar Flow Processor 1705 on page 10 (4380-Q1E).
v QRadar Flow Processor 1728 on page 11 (4380-Q2E).
v QRadar 3105 (All-in-One) on page 14 (4380-Q1E).
v QRadar 3105 (Console) on page 15 (4380-Q1E).
v QRadar 3128 (All-in-One) on page 15 (4380-Q2E).
v QRadar 3128 (Console) on page 16 (4380-Q2E).
v QRadar Log Manager 1605 on page 16 (4380-Q1E).
v QRadar Log Manager 1628 on page 17 (4380-Q2E).
v QRadar Log Manager 3105 (All-in-One) on page 18 (4380-Q1E).
v QRadar Log Manager 3105 Console on page 19 (4380-Q1E).
v QRadar Log Manager 3128 (All-in-One) on page 19 (4380-Q2E).
v QRadar Log Manager 3128 (Console) on page 20 (4380-Q2E).
v QRadar Vulnerability Manager on page 21 (4380-Q1E).
v QRadar Risk Manager on page 22 (4380-Q1E).
Front panel indicators and features

The front panel contains indicators and features.
The following figure shows the front panel indicators and features of QRadar and
all IBM Security QRadar Core Appliances 4380-QxE.
Figure 3. Front panel indicators and features
The following table describes the front panel features.

Table 26. Front Panel Features of IBM Security QRadar Core Appliances (4380-QxE)
Hard Disk Drive Activity LED Indicates when the hard disk drive is active.
This light is green. When this LED is
flashing, the hard disk is in use.

Table 26. Front Panel Features of IBM Security QRadar Core Appliances
(4380-QxE) (continued)
Hard Disk Drive Status LEDs Indicates the status of the drive. This light is
amber, and indicates the following statuses:
Drive Bays Hard disk bays are numbered 0 through 7
starting at the upper left drive bay.
video connector Connect a monitor to this connector. The
video connectors on the front and rear of the
server can be used simultaneously.
and keyboard to any of these connectors.
Two more USB connectors are available on
the back panel.
Power Control Button Press this button to manually turn on and
off the server, or to work the server from a
reduced-power state.
Power Supply LED Indicated the status of the power supply.
This light is green and indicates the
following statuses:
Locator LED Use this blue LED to visually locate the
server among other servers in the rack. You
can use the IBM Systems Director to light
this LED remotely. This LED is controlled by
the IMM.
System Error LED When this amber LED is lit, a system error
occurred. This LED is controlled by the
IMM.
Back Panel Indicators and Features

Back panel diagrams for IBM Security QRadar appliances.
The following figure shows the back panel features of the QRadar Core Appliances
4380-QxE.
Figure 4. Back panel features of the QRadar Core Appliances 4380-QxE
The following table describes the back panel features.
Chapter 4. Appliance Diagrams 27

Table 27. Back Panel Features of the QRadar Core Appliances (4380-QxE)
Power Supplies Supports two power supplies.
Power Cord Connectors Connect the power cord to this connector.
or keyboard, to either of these connectors.
Ethernet Connectors Use any of these connectors to connect the
server to a network. When you use the
Ethernet 1 connector, the network can be
shared with the IMM through a single
network cable.
serial connector Connect a 9-pin serial device to this
connector. The serial port is shared with the
integrated management module (IMM). The
IMM can take control of the shared serial
port to perform text console redirection and
to redirect serial traffic, using Serial over
LAN (SOL).
NMI button
Use the NMI button to troubleshoot
software and device driver errors when you
use certain operating systems.
v Use this button only if directed to do so
by qualified support personnel.
Press this button to force a Non-Maskable

Interrupt (NMI) to the microprocessor. Use a
pen or the end of a straightened paper clip
to press the button.
System Management Ethernet Connector Use this connector to connect your
management interface.
video connector Connect a VGA monitor to this connector.
The video connectors on the front and rear
of the server can be used simultaneously.

Notices
This information was developed for products and services offered in the U.S.A.
IBM may not offer the products, services, or features discussed in this document in
other countries. Consult your local IBM representative for information on the
products and services currently available in your area. Any reference to an IBM
product, program, or service is not intended to state or imply that only that IBM
product, program, or service may be used. Any functionally equivalent product,
program, or service that does not infringe any IBM intellectual property right may
be used instead. However, it is the user's responsibility to evaluate and verify the
operation of any non-IBM product, program, or service.
IBM may have patents or pending patent applications covering subject matter
described in this document. The furnishing of this document does not grant you
any license to these patents. You can send license inquiries, in writing, to:
IBM Director of Licensing

IBM Corporation
North Castle Drive
Armonk, NY 10504-1785 U.S.A.
For license inquiries regarding double-byte character set (DBCS) information,

contact the IBM Intellectual Property Department in your country or send
inquiries, in writing, to:
Intellectual Property Licensing

Legal and Intellectual Property Law
IBM Japan Ltd.
19-21, Nihonbashi-Hakozakicho, Chuo-ku
Tokyo 103-8510, Japan
The following paragraph does not apply to the United Kingdom or any other
country where such provisions are inconsistent with local law:
INTERNATIONAL BUSINESS MACHINES CORPORATION PROVIDES THIS

PUBLICATION "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER
EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
WARRANTIES OF NON-INFRINGEMENT, MERCHANTABILITY OR FITNESS
FOR A PARTICULAR PURPOSE. Some states do not allow disclaimer of express or
implied warranties in certain transactions, therefore, this statement may not apply
to you.
This information could include technical inaccuracies or typographical errors.

Changes are periodically made to the information herein; these changes will be
incorporated in new editions of the publication. IBM may make improvements
and/or changes in the product(s) and/or the program(s) described in this
publication at any time without notice.
Any references in this information to non-IBM Web sites are provided for
convenience only and do not in any manner serve as an endorsement of those Web
sites. The materials at those Web sites are not part of the materials for this IBM
product and use of those Web sites is at your own risk.

IBM may use or distribute any of the information you supply in any way it
believes appropriate without incurring any obligation to you.
Licensees of this program who wish to have information about it for the purpose
of enabling: (i) the exchange of information between independently created
programs and other programs (including this one) and (ii) the mutual use of the
information which has been exchanged, should contact:
IBM Corporation
170 Tracer Lane,
Waltham MA 02451, USA
Such information may be available, subject to appropriate terms and conditions,

including in some cases, payment of a fee.
The licensed program described in this document and all licensed material
available for it are provided by IBM under terms of the IBM Customer Agreement,
IBM International Program License Agreement or any equivalent agreement
between us.
Any performance data contained herein was determined in a controlled

environment. Therefore, the results obtained in other operating environments may
vary significantly. Some measurements may have been made on development-level
systems and there is no guarantee that these measurements will be the same on
generally available systems. Furthermore, some measurements may have been
estimated through extrapolation. Actual results may vary. Users of this document
should verify the applicable data for their specific environment.
Information concerning non-IBM products was obtained from the suppliers of

those products, their published announcements or other publicly available sources.
IBM has not tested those products and cannot confirm the accuracy of
performance, compatibility or any other claims related to non-IBM products.
Questions on the capabilities of non-IBM products should be addressed to the
suppliers of those products.
All statements regarding IBM's future direction or intent are subject to change or
withdrawal without notice, and represent goals and objectives only.
All IBM prices shown are IBM's suggested retail prices, are current and are subject
to change without notice. Dealer prices may vary.
This information contains examples of data and reports used in daily business
operations. To illustrate them as completely as possible, the examples include the
names of individuals, companies, brands, and products. All of these names are
fictitious and any similarity to the names and addresses used by an actual business
enterprise is entirely coincidental.
If you are viewing this information softcopy, the photographs and color
illustrations may not appear.
Trademarks
IBM, the IBM logo, and ibm.com are trademarks or registered trademarks of
International Business Machines Corporation in the United States, other countries,
or both. If these and other IBM trademarked terms are marked on their first
occurrence in this information with a trademark symbol ( or ), these symbols

indicate U.S. registered or common law trademarks owned by IBM at the time this
information was published. Such trademarks may also be registered or common
law trademarks in other countries. A current list of IBM trademarks is available on
the Web at Copyright and trademark information (www.ibm.com/legal/
copytrade.shtml).
Java and all Java-based trademarks and logos are trademarks or registered
trademarks of Sun Microsystems, Inc. in the United States, other countries, or both.
Other company, product, and service names may be trademarks or service marks
of others.
Privacy policy considerations

IBM Software products, including software as a service solutions, (Software
Offerings) may use cookies or other technologies to collect product usage
information, to help improve the end user experience, to tailor interactions with
the end user or for other purposes. In many cases no personally identifiable
information is collected by the Software Offerings. Some of our Software Offerings
can help enable you to collect personally identifiable information. If this Software
Offering uses cookies to collect personally identifiable information, specific
information about this offerings use of cookies is set forth below.
Depending upon the configurations deployed, this Software Offering may use
session cookies that collect each users session id for purposes of session
management and authentication. These cookies can be disabled, but disabling them
will also eliminate the functionality they enable.
If the configurations deployed for this Software Offering provide you as customer
the ability to collect personally identifiable information from end users via cookies
and other technologies, you should seek your own legal advice about any laws
applicable to such data collection, including any requirements for notice and
consent.
For more information about the use of various technologies, including cookies, for
these purposes, See IBMs Privacy Policy at http://www.ibm.com/privacy and
IBMs Online Privacy Statement at http://www.ibm.com/privacy/details the
section entitled Cookies, Web Beacons and Other Technologies and the IBM
Software Products and Software-as-a-Service Privacy Statement at
http://www.ibm.com/software/info/product-privacy.
Notices 31
Glossary
This glossary provides terms and definitions for derived by the examination of packet
the [product name] software and products. payload and then used to identify a
specific application.
The following cross-references are used in this
ARP See Address Resolution Protocol.
glossary:
v See refers you from a nonpreferred term to the ARP Redirect
preferred term or from an abbreviation to the An ARP method for notifying the host if a
spelled-out form. problem exists on a network.
v See also refers you to a related or contrasting ASN See autonomous system number.
term.
asset A manageable object that is either
deployed or intended to be deployed in
For other terms and definitions, see the IBM
an operational environment.
Terminology website (opens in new window).
autonomous system number (ASN)
A B C D on page 34 E on page 34 F In TCP/IP, a number that is assigned to
on page 34 G on page 35 H on page 35 I an autonomous system by the same
on page 35 K on page 36 L on page 36 M central authority that assigns IP
on page 36 N on page 36 O on page 37 P addresses. The autonomous system
on page 37 Q on page 37 R on page 37 S number makes it possible for automated
on page 38 T on page 38 V on page 39 W routing algorithms to distinguish
on page 39 autonomous systems.
A B
accumulator behavior
A register in which one operand of an The observable effects of an operation or
operation can be stored and subsequently event, including its results.
replaced by the result of that operation.
bonded interface
active system See link aggregation.
In a high-availability (HA) cluster, the
burst A sudden sharp increase in the rate of
system that has all of its services running.
incoming events or flows such that the
Address Resolution Protocol (ARP) licensed flow or event rate limit is
A protocol that dynamically maps an IP exceeded.
address to a network adapter address in a
local area network.
C
administrative share
A network resource that is hidden from CIDR See Classless Inter-Domain Routing.
users without administrative privileges. Classless Inter-Domain Routing (CIDR)
Administrative shares provide A method for adding class C Internet
administrators with access to all resources Protocol (IP) addresses. The addresses are
on a network system. given to Internet Service Providers (ISPs)
anomaly for use by their customers. CIDR
A deviation from the expected behavior of addresses reduce the size of routing tables
the network. and make more IP addresses available
within organizations.
application signature
A unique set of characteristics that are client A software program or computer that
requests services from a server.

cluster virtual IP address DNS See Domain Name System.
An IP address that is shared between the
Domain Name System (DNS)
primary or secondary host and the HA
The distributed database system that
cluster.
maps domain names to IP addresses.
coalescing interval
DSM See Device Support Module.
The interval at which events are bundled.
Event bundling occurs in 10 second duplicate flow
intervals and begins with the first event Multiple instances of the same data
that does not match any currently transmission received from different flow
coalescing events. Within the coalescing sources.
interval, the first three matching events
Dynamic Host Configuration Protocol (DHCP)
are bundled and sent to the event
A communications protocol that is used to
processor.
centrally manage configuration
Common Vulnerability Scoring System (CVSS) information. For example, DHCP
A scoring system by which the severity of automatically assigns IP addresses to
a vulnerability is measured. computers in a network.
console
A display station from which an operator E
can control and observe the system
operation. encryption
In computer security, the process of
content capture transforming data into an unintelligible
A process that captures a configurable form in such a way that the original data
amount of payload and then stores the either cannot be obtained or can be
data in a flow log. obtained only by using a decryption
credential process.
A set of information that grants a user or endpoint
process certain access rights. The address of an API or service in an
credibility environment. An API exposes an endpoint
A numeric rating between 0-10 that is and at the same time invokes the
used to determine the integrity of an endpoints of other services.
event or an offense. Credibility increases external scanning appliance
as multiple sources report the same event A machine that is connected to the
or offense. network to gather vulnerability
CVSS See Common Vulnerability Scoring information about assets in the network.
System.
F
D false positive
database leaf object A test result classed as positive (indicating
A terminal object or node in a database that the site is vulnerable to attack), that
hierarchy. the user decides is in fact negative (not a
vulnerability).
datapoint
A calculated value of a metric at a point flow A single transmission of data passing over
in time. a link during a conversation.
Device Support Module (DSM) flow log

A configuration file that parses received A collection of flow records.
events from multiple log sources and flow sources
coverts them to a standard taxonomy The origin from which flow is captured. A
format that can be displayed as output. flow source is classified as internal when
DHCP See Dynamic Host Configuration Protocol. flow comes from hardware installed on a

managed host or it is classified as external host context
when the flow is sent to a flow collector. A service that monitors components to
ensure that each component is operating
forwarding destination
as expected.
One or more vendor systems that receive
raw and normalized data from log
sources and flow sources. I
FQDN ICMP See Internet Control Message Protocol.
See fully qualified domain name.
identity
FQNN A collection of attributes from a data
See fully qualified network name. source that represent a person,
fully qualified domain name (FQDN) organization, place, or item.
In Internet communications, the name of IDS See intrusion detection system.
a host system that includes all of the
subnames of the domain name. An Internet Control Message Protocol (ICMP)
example of a fully qualified domain name An Internet protocol that is used by a
is rchland.vnet.ibm.com. gateway to communicate with a source
host, for example, to report an error in a
fully qualified network name (FQNN) datagram.
In a network hierarchy, the name of an
object that includes all of the Internet Protocol (IP)
departments. An example of a fully A protocol that routes data through a
qualified network name is network or interconnected networks. This
CompanyA.Department.Marketing. protocol acts as an intermediary between
the higher protocol layers and the
physical network. See also Transmission
G Control Protocol.
gateway Internet service provider (ISP)
A device or program used to connect An organization that provides access to
networks or systems with different the Internet.
network architectures.
intrusion detection system (IDS)
Software that detects attempts or
H successful attacks on monitored resources
that are part of a network or host system.
HA See high availability.
intrusion prevention system (IPS)
HA cluster A system that attempts to deny
A high-availability configuration potentially malicious activity. The denial
consisting of a primary server and one mechanisms could involve filtering,
secondary server. tracking, or setting rate limits.
Hash-Based Message Authentication Code IP See Internet Protocol.
(HMAC)
A cryptographic code that uses a cryptic IP multicast
hash function and a secret key. Transmission of an Internet Protocol (IP)
datagram to a set of systems that form a
high availability (HA) single multicast group.
Pertaining to a clustered system that is
reconfigured when node or daemon IPS See intrusion prevention system.
failures occur so that workloads can be ISP See Internet service provider.
redistributed to the remaining nodes in
the cluster.
HMAC
See Hash-Based Message Authentication
Code.
Glossary 35
log source
K Either the security equipment or the
key file network equipment from which an event
In computer security, a file that contains log originates.
public keys, private keys, trusted roots, log source extension
and certificates. An XML file that includes all of the
regular expression patterns required to
L identify and categorize events from the
event payload.
L2L See Local To Local.
L2R See Local To Remote. M
LAN See local area network. magistrate
LDAP See Lightweight Directory Access An internal component that analyzes
Protocol. network traffic and security events
against defined custom rules.
leaf In a tree, an entry or node that has no
children. magnitude
A measure of the relative importance of a
Lightweight Directory Access Protocol (LDAP) particular offense. Magnitude is a
An open protocol that uses TCP/IP to weighted value calculated from relevance,
provide access to directories that support severity, and credibility.
an X.500 model and that does not incur
the resource requirements of the more
complex X.500 Directory Access Protocol N
(DAP). For example, LDAP can be used to
NAT See network address translation.
locate people, organizations, and other
resources in an Internet or intranet NetFlow
directory. A Cisco network protocol that monitors
network traffic flow data. NetFlow data
link aggregation
includes the client and server information,
The grouping of physical network
which ports are used, and the number of
interface cards, such as cables or ports,
bytes and packets that flow through the
into a single logical network interface.
switches and routers connected to a
Link aggregation is used to increase
network. The data is sent to NetFlow
bandwidth and network availability.
collectors where data analysis takes place.
live scan
network address translation (NAT)
A vulnerability scan that generates report
In a firewall, the conversion of secure
data from the scan results based on the
Internet Protocol (IP) addresses to
session name.
external registered addresses. This enables
local area network (LAN) communications with external networks
A network that connects several devices but masks the IP addresses that are used
in a limited area (such as a single inside the firewall.
building or campus) and that can be
network hierarchy
connected to a larger network.
A type of container that is a hierarchical
Local To Local (L2L) collection of network objects.
Pertaining to the internal traffic from one
network layer
local network to another local network.
In OSI architecture, the layer that
Local To Remote (L2R) provides services to establish a path
Pertaining to the internal traffic from one between open systems with a predictable
local network to another remote network. quality of service.
network object
A component of a network hierarchy.

network weight protocol
The numeric value applied to each A set of rules controlling the
network that signifies the importance of communication and transfer of data
the network. The network weight is between two or more devices or systems
defined by the user. in a communication network.
O Q
offense QID Map
A message sent or an event generated in A taxonomy that identifies each unique
response to a monitored condition. For event and maps the events to low-level
example, an offense will provide and high-level categories to determine
information on whether a policy has been how an event should be correlated and
breached or the network is under attack. organized.
offsite source
A device that is away from the primary R
site that forwards normalized data to an
event collector. R2L See Remote To Local.
offsite target R2R See Remote To Remote.

A device that is away from the primary recon See reconnaissance.
site that receives event or data flow from
an event collector. reconnaissance (recon)
A method by which information
Open Source Vulnerability Database (OSVDB) pertaining to the identity of network
Created by the network security resources is gathered. Network scanning
community for the network security and other techniques are used to compile
community, an open source database that a list of network resource events which
provides technical information on are then assigned a severity level.
network security vulnerabilities.
reference map
open systems interconnection (OSI) A data record of direct mapping of a key
The interconnection of open systems in to a value, for example, a user name to a
accordance with standards of the global ID.
International Organization for
Standardization (ISO) for the exchange of reference map of maps
information. A data record of two keys mapped to
many values. For example, the mapping
OSI See open systems interconnection. of the total bytes of an application to a
OSVDB source IP.
See Open Source Vulnerability Database. reference map of sets
A data record of a key mapped to many
P values. For example, the mapping of a list
of privileged users to a host.
parsing order
reference set
A log source definition in which the user
A list of single elements that are derived
can define the order of importance for log
from events or flows on a network. For
sources that share a common IP address
example, a list of IP addresses or a list of
or host name.
user names.
payload data
reference table
Application data contained in an IP flow,
A table where the data record maps keys
excluding header and administrative
that have an assigned type to other keys,
information.
which are then mapped to a single value.
primary HA host
refresh timer
The main computer that is connected to
An internal device that is triggered
the HA cluster.
Glossary 37
manually or automatically at timed SNMP
intervals that updates the current network See Simple Network Management
activity data. Protocol.
relevance SOAP A lightweight, XML-based protocol for
A measure of relative impact of an event, exchanging information in a
category, or offense on the network. decentralized, distributed environment.
SOAP can be used to query and return
Remote To Local (R2L)
information and invoke services across
The external traffic from a remote
the Internet.
network to a local network.
standby system
Remote To Remote (R2R)
A system that automatically becomes
The external traffic from a remote
active when the active system fails. If disk
network to another remote network.
replication is enabled, replicates data from
report In query management, the formatted data the active system.
that results from running a query and
subnet
applying a form to it.
See subnetwork.
report interval
subnet mask
A configurable time interval at the end of
For internet subnetworking, a 32-bit mask
which the event processor must send all
used to identify the subnetwork address
captured event and flow data to the
bits in the host portion of an IP address.
console.
subnetwork (subnet)
routing rule
A network that is divided into smaller
A condition that when its criteria are
independent subgroups, which still are
satisfied by event data, a collection of
interconnected.
conditions and consequent routing are
performed. sub-search
A function that allows a search query to
rule A set of conditional statements that
be performed within a set of completed
enable computer systems to identify
search results.
relationships and run automated
responses accordingly. superflow
A single flow that is comprised of
multiple flows with similar properties in
S order to increase processing capacity by
scanner reducing storage constraints.
An automated security program that system view
searches for software vulnerabilities A visual representation of both primary
within web applications. and managed hosts that compose a
secondary HA host system.
The standby computer that is connected
to the HA cluster. The secondary HA host T
assumes responsibility of the primary HA
host if the primary HA host fails. TCP See Transmission Control Protocol.
severity Transmission Control Protocol (TCP)
A measure of the relative threat that a A communication protocol used in the
source poses on a destination. Internet and in any network that follows
the Internet Engineering Task Force (IETF)
Simple Network Management Protocol (SNMP)
standards for internetwork protocol. TCP
A set of protocols for monitoring systems
provides a reliable host-to-host protocol in
and devices in complex networks.
packet-switched communication networks
Information about managed devices is
and in interconnected systems of such
defined and stored in a Management
networks. See also Internet Protocol.
Information Base (MIB).

truststore file
A key database file that contains the
public keys for a trusted entity.
V
violation
An act that bypasses or contravenes
corporate policy.
vulnerability
A security exposure in an operating
system, system software, or application
software component.
W
whois server
A server that is used to retrieve
information about a registered Internet
resources, such as domain names and IP
address allocations.
Glossary 39
Index
A descriptions (continued)
QRadar 2100 13
G
about this guide v QRadar 2100 Light 14 glossary 33
appliance descriptions 5 QRadar 3105 (Base) 14
appliance diagrams 23 QRadar 3105 (Console) 15
QRadar 3124 (Base) 15, 19 P
QRadar 3124 (Console) 16 panel features and indicators 23
D QRadar Log Manager 1605 16
descriptions QRadar Log Manager 1628 17
Integrated Management Module
QFlow 1201 5
23 QRadar Log Manager 2100 18
QRadar Log Manager 2100 Light 18
Q
QRadar Log Manager 3105 (Base) 18 QRadar Risk Manager 22
QFlow 1202 5
QFlow 1301 6 QRadar Log Manager 3124
QFlow 1310 7 (Console) 20
QRadar 1400 Data node 7 QRadar Vulnerability Manager 21 S
QRadar 1501 8 diagrams safety instructions 1
QRadar 1605 9 QFlow appliance back panel 24
QRadar 1628 10 QFlow appliance front panel 23
QRadar 1705 11
QRadar 1728 11
QRadar 2100 back panel 24
QRadar 2100 front panel 23
W
QRadar appliance back panel 27 what's new, hardware 3
QRadar 1805 12
QRadar 1828 12 QRadar appliance front panel 26

B QRadar Hardware Guide

Hochgeladen von

Dokumentinformationen

Originaltitel

Copyright

Verfügbare Formate

Dieses Dokument teilen

Dokument teilen oder einbetten

Freigabeoptionen

Stufen Sie dieses Dokument als nützlich ein?

Sind diese Inhalte unangemessen?

Copyright:

Verfügbare Formate

B QRadar Hardware Guide

Hochgeladen von

Copyright:

Verfügbare Formate

IBM Security QRadar

Chapter 1. Safety Instructions . . . . . . . . . . . . . . . . . . . . . . . . . . 1

Chapter 2. What's new in hardware in QRadar V7.2.4 . . . . . . . . . . . . . . . . 3

Chapter 3. QRadar appliance overview . . . . . . . . . . . . . . . . . . . . . . 5

Chapter 4. Appliance Diagrams . . . . . . . . . . . . . . . . . . . . . . . . . 23

Copyright IBM Corp. 2014, 2014 iii

iv QRadar Hardware Guide

Contacting customer support

Statement of good security practices

IT system security involves protecting systems and information through

Copyright IBM Corp. 2014, 2014 v

vi QRadar Hardware Guide

Systems are considered to be components in a rack. Thus, the term component

Observe the following precautions for rack stability and safety:

Copyright IBM Corp. 2014, 2014 1

QRadar QFlow Collector 1310 network traffic improvement

For more information, see QRadar QFlow Collector 1310 on page 7.

Copyright IBM Corp. 2014, 2014 3

Review this overview of QRadar appliances, including capabilities, and license

QRadar QFlow Collector 1201

Two 10 Gbps SFP + ports

One 10/100/100 Base-T QRadar management interface

One 10/100 Base-T integrated management module interface

QRadar QFlow Collector 1202

Copyright IBM Corp. 2014, 2014 5

Two 10 Gbps SFP + ports

One 10/100/100 Base-T QRadar management interface

One 10/100 Base-T integrated management module interface

QRadar QFlow Collector 1301

Two 10 Gbps SFP + ports

One 10/100/100 Base-T QRadar management interface

One 10/100 Base-T integrated management module interface

6 QRadar Hardware Guide

QRadar QFlow Collector 1310

One 10/100/100 Base-T QRadar management interface

One 10/100 Base-T integrated management module interface

QRadar 1400 Data Node

One 10/100/100 Base-T QRadar management interface

One 10/100 Base-T integrated management module interface

Two 10 Gbps SFP + ports

Chapter 3. QRadar appliance overview 7

Table 6. QRadar Data Node when used with XX28 appliances

Two 10/100/1000 Base-T network monitoring interface

One 10/100/100 Base-T QRadar management interface

One 10/100 Base-T integrated management module interface

Two 10 Gbps SFP + ports

QRadar Event Collector 1501

8 QRadar Hardware Guide

Two 10 Gbps SFP + ports

One 10/100/100 Base-T QRadar management interface

One 10/100 Base-T integrated management module interface

QRadar Event Processor 1605

One 10/100/100 Base-T QRadar management interface

One 10/100 Base-T integrated management module interface

Two 10 Gbps SFP + ports

Chapter 3. QRadar appliance overview 9

QRadar Event Processor 1628

Two 10/100/1000 Base-T network monitoring interfaces

One 10/100/100 Base-T IBM Security QRadar management interface

One 10/100 Base-T integrated management module interface

Two 10 Gbps SFP + ports

QRadar Flow Processor 1705

10 QRadar Hardware Guide