IBM Installation and Configuration Guide - IBM QRadar Network Insights Version 7.3.2
Note: Before you use this information and the product that it supports, read the information in “Notices” on page 33.

Product information
This document applies to IBM® QRadar® Security Intelligence Platform V7.3.2 and subsequent releases unless superseded by an updated version of this document.

© Copyright International Business Machines Corporation 2017, 2019.
US Government Users Restricted Rights – Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.
Contents

Introduction to installing QRadar Network Insights ... v
Chapter 1. Real-time threat investigations with QRadar Network Insights ... 1
  What's new in QRadar Network Insights V7.3.2 ... 1
  What's new in QRadar Network Insights V7.3.1 ... 2
Chapter 2. QRadar Network Insights appliances ... 3
  QRadar Network Insights 1901 ... 3
  QRadar Network Insights 1901-C ... 5
  QRadar Network Insights 1910-C ... 6
  QRadar Network Insights 1920 ... 8
  QRadar Network Insights 1920-C ... 10
Chapter 3. Upgrading QRadar Network Insights ... 13
Chapter 4. Installing QRadar Network Insights ... 15
Chapter 5. Flow inspection ... 17
  Flow inspection levels ... 17
  Performance impacts ... 18
  Supported protocols and document types ... 18
Chapter 6. Appliance configuration ... 21
  Configuring the size of the raw payload data capture ... 21
  Configuring the flow inspection level ... 22
  Configuring QFlow Collector format ... 23
  Configuring DTLS communications protocol ... 24
  Installing the QRadar Network Insights content extension ... 25
Chapter 7. Stacking QRadar Network Insights appliances ... 27
  Appliance cabling ... 27
  Creating a stack ... 29
  Modifying an existing stack ... 30
  Removing stacked appliances ... 31
Notices ... 33
  Trademarks ... 34
  Terms and conditions for product documentation ... 34
  IBM Online Privacy Statement ... 35
  General Data Protection Regulation ... 35
Introduction to installing QRadar Network Insights

This guide contains information about analyzing network data in real time by using IBM QRadar Network Insights.

Intended audience
Investigators extract information from the network traffic and focus on security incidents and threat indicators.

Technical documentation
To find IBM QRadar product documentation on the web, including all translated documentation, access the IBM Knowledge Center (http://www.ibm.com/support/knowledgecenter/SS42VS/welcome).

For information about how to access more technical documentation in the QRadar products library, see Accessing IBM Security Documentation Technical Note (www.ibm.com/support/docview.wss?rs=0&uid=swg21614644).

Contacting customer support
For information about contacting customer support, see the Support and Download Technical Note (http://www.ibm.com/support/docview.wss?uid=swg21616144).

Statement of good security practices
IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed, misappropriated or misused or can result in damage to or misuse of your systems, including for use in attacks on others. No IT system or product should be considered completely secure and no single product, service or security measure can be completely effective in preventing improper use or access. IBM systems, products and services are designed to be part of a lawful comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products or services to be most effective. IBM DOES NOT WARRANT THAT ANY SYSTEMS, PRODUCTS OR SERVICES ARE IMMUNE FROM, OR WILL MAKE YOUR ENTERPRISE IMMUNE FROM, THE MALICIOUS OR ILLEGAL CONDUCT OF ANY PARTY.

Please Note: Use of this Program may implicate various laws or regulations, including those related to privacy, data protection, employment, and electronic communications and storage. IBM QRadar may be used only for lawful purposes and in a lawful manner. Customer agrees to use this Program pursuant to, and assumes all responsibility for complying with, applicable laws, regulations and policies. Licensee represents that it will obtain or has obtained any consents, permissions, or licenses required to enable its lawful use of IBM QRadar.
Chapter 1. Real-time threat investigations with QRadar Network Insights

IBM QRadar Network Insights is a network threat analytics solution that provides visibility into deep application-level content to better detect insider threats, data exfiltration, and malware activity. It provides real-time analysis of network data and an advanced level of threat detection and analysis.

Integration with IBM QRadar Incident Forensics
QRadar Network Insights provides QRadar with deep visibility into application activities, extracts artifacts, and identifies assets, applications, and users that participate in network communications. It is tightly integrated with IBM QRadar Incident Forensics for post-incident investigations and threat hunting activities.

QRadar Incident Forensics and IBM QRadar Network Packet Capture capture, reconstruct, and replay the entire conversation, whereas QRadar Network Insights provides the incident detection and informs you whether suspect items or topics of interest were discussed at any time during the conversation. Suspect content can originate from a wide variety of sources, such as malware, non-standard ports, regex, or Yara rules. For more information about suspect content, see Advanced inspection level attributes in the QRadar Network Insights User Guide.

What's new in QRadar Network Insights V7.3.2
IBM QRadar Network Insights V7.3.2 includes the following new features and enhancements to help you administer your IBM QRadar Network Insights appliances.

QRadar on Cloud support
QRadar Network Insights is now supported in IBM QRadar on Cloud deployments. You can pair your QRadar Network Insights appliance with a QRadar on Cloud data gateway and send flows into your QRadar on Cloud deployment. To learn more about working with QRadar on Cloud data gateways, see the IBM QRadar on Cloud Getting Started Guide.

Configuration improvements for stacked and stand-alone appliances
In IBM QRadar Network Insights, it is easier for you to manage the QRadar Network Insights stand-alone and stacked appliances in your deployment. Now, you can easily add or reallocate processing capabilities across your deployments by creating new stacks, and adding or removing devices from stacks.

With the new QRadar Network Insights configuration management, you can easily make the following changes:
• Edit a stack directly from the Deployment Actions menu.
• Configure the flow inspection level for an individual QRadar Network Insights appliance.
• Set the maximum amount of capture data that each appliance includes in the flow report.
• Remove a stack and reconfigure each managed host as a stand-alone appliance.
• In a stacked configuration, specify which QRadar Network Insights appliance is the primary host.

Learn more about configuring appliances...
Learn more about stacking appliances...

More control over the appliance inspection level
In V7.3.1, every QRadar Network Insights appliance in the deployment used the same global-set flow inspection level. Now, in V7.3.2, you can configure the flow inspection level for individual appliances or stacks. In a stacked configuration, each stack can have a different inspection level, but all appliances within a stack must have the same inspection level.

Learn more about configuring the flow inspection level...

Support for raw payload capture
Now you can use IBM QRadar Network Insights to extract raw payload data. For example, you can extract data from the beginning of the packet payload, and then use regular expressions or custom properties to look for patterns. For QFlow users who are migrating to QRadar Network Insights, this capability enables the same raw payload analysis that you used in the past while also giving you QRadar Network Insights network analysis and data extraction capabilities.

On initial installation, IBM QRadar Network Insights is configured to capture a maximum of 64 bytes of raw payload data. To stop capturing payload data, set the Maximum Raw Payload Size to 0. You can increase the size to extract more data from the payload, but larger sizes result in higher network traffic and can negatively impact the performance of your QRadar deployment.

Learn more about configuring the raw payload capture size...

What's new in QRadar Network Insights V7.3.1
IBM QRadar Network Insights V7.3.1 simplifies the configuration, deployment, and stacking of IBM QRadar Network Insights appliances.

Stack appliances by using the user interface
QRadar Network Insights V7.3.1 makes it easier to configure up to four appliances in a stack to distribute data across multiple CPUs and Napatech cards. Stacking appliances helps you increase your data throughput at higher inspection levels.

Learn more about stacking appliances...
Chapter 2. QRadar Network Insights appliances

The IBM QRadar Network Insights appliance is a managed host that you attach to the QRadar console. QRadar Network Insights appliances connect to network TAPs, SPAN, or mirror ports to access full packet data for real-time analysis. All QRadar Network Insights appliances provide detailed analysis of network flows to extend the threat detection capabilities of QRadar.

This Installation Guide includes hardware specifications for the latest QRadar Network Insights appliances. To view hardware specifications for older QRadar Network Insights appliances, see the IBM QRadar Hardware Guide.

Table 1: QRadar Network Insights appliances
  Appliance                      Appliance ID
  QRadar Network Insights 1901   6300
  QRadar Network Insights 1910   6400
  QRadar Network Insights 1920   6200

Appliance stacking
You can stack the QRadar Network Insights 1920 appliances (type 6200) to distribute network packet data across multiple Napatech cards. By distributing the data processing and analysis across multiple appliances, stacking can help you handle higher data volumes and improve flow throughput performance at the highest inspection levels. For more information about stacking appliances, see Chapter 7, “Stacking QRadar Network Insights appliances,” on page 27.

QRadar Network Insights 1901
The IBM QRadar Network Insights 1901 (MTM 4412-F4Y) appliance provides detailed analysis of network flows to extend the threat detection capabilities of IBM QRadar. With four 1G capture ports on a Napatech card, the QRadar Network Insights 1901 appliance provides the same capabilities as the QRadar Network Insights 1920 appliance but on a lower-price hardware platform that is designed for 1 Gbps network connectivity.
The QRadar Network Insights 1901 appliance has the following hardware specifications:

Table 2: QRadar Network Insights 1901 overview
  Dimensions: 28.9 inches deep x 17.1 inches wide x 1.7 inches high
  Power: Dual redundant 750 Watt AC power supply
  Storage: 2 x 240 GB SATA 2.5" SSD, 240 GB total (RAID1). The storage is labeled as [1] in the appliance diagram.
  Memory: 64 GB (4 x 16 GB DDR4 2400 MHz)
  Network capture transceivers: 2 x 1 G TX RJ-45 transceivers (Avago ABCU-5710RZ or ABCU-5740RZ); 2 x 1 G SX LC transceivers (Avago AFBR-5715PZ). Use these transceivers with the network packet capture card, labeled as [4] in the appliance diagram.
  Network management transceivers: 2 x 10 G Short Range SFP. The transceivers may have one of the following part numbers: Avago AFBR-709SMZ-IB8, Finisar FTLX8571D3BCL-BN, or BNT BN-CKM-SP-SR. Use these transceivers with the management ports, labeled as [5] in the appliance diagram.

System performance of QRadar Network Insights appliances varies depending on the exact configuration and tuning of the system components. It is influenced not only by hardware, but also by factors such as the search, the extraction criteria, and the amount of network data. For more information, see Performance impacts in the IBM QRadar Network Insights Installation Guide.

Figure 1: Back panel of the QRadar Network Insights 1901 appliance
Table 3: Legend for use with the QRadar Network Insights 1901 image
  Label  Description
  1      QRadar Firmware Storage
  2      IMM Port (1GbE TX)
  3      Management ports (1 GbE TX)
  4      Network Packet Capture (SFP)
  5      Management ports (10 GbE SFP+)

Note: Only the Network Packet Capture card [4] can be used for capturing network packet data.

For battery removal steps, see Removing the coin-cell battery (also called CMOS battery) (http://www-01.ibm.com/support/knowledgecenter/api/redirect/systemx/documentation/index.jsp?topic=/com.lenovo.sysx.8871.doc/t_removing_system_battery.html).

For more information about the QRadar Network Insights 1901, including front and back panel diagrams, see IBM System X3550 M5 (https://lenovopress.com/lp0067-lenovo-system-x3550-m5-machine-type-8869).

QRadar Network Insights 1901-C
The IBM QRadar Network Insights 1901-C (MTM 4654-F6Y) appliance provides detailed analysis of network flows to extend the threat detection capabilities of IBM QRadar. With four 1G capture ports on a Napatech card, the QRadar Network Insights 1901-C appliance provides the same capabilities as the QRadar Network Insights 1920 appliance but on a lower-price hardware platform that is designed for 1 Gbps network connectivity.
Table 4: QRadar Network Insights 1901-C overview
  Physical dimensions: 31.1 inches deep x 17.1 inches wide x 1.7 inches high
  Unit weight: 48.5 lbs
  CPU: 2 x Xeon Gold 5118 12C 2.3 GHz 16 MB Cache 3.20 GHz 105 W
  Memory: 64 GB, 4 x 16 GB
  Storage / Hard disks: 2 x 240 GB SATA 2.5" SSD, 240 GB total (RAID1)
  Network interfaces: 4 x 10 Gb SFP+ network capture interfaces, including 4 x SR (LC short range fiber) and 4 x LR (LC long range fiber) transceivers; 4 x 10/100/1000 Base-T Ethernet management interfaces; 1 x 10/100/1000 Base-T integrated management module interface; 2 x 10 Gbps SFP+ management interfaces
  Network capture transceivers: 4 x 1 G TX RJ-45 transceivers (Avago ABCU-5710RZ or ABCU-5740RZ); 4 x 1 G SX LC transceivers (Avago AFBR-5715PZ)
  Network management transceivers: 2 x 10 G SR LC transceivers (Avago AFBR-709SMZ-IB8 or Finisar FTLX8571D3BCL-BN or BNT BN-CKM-SP-SR)
  Traffic rate: 1 Gbps
  Power supply: Dual redundant 750 W AC

Figure 2: QRadar Network Insights 1901-C (Picture: © 2018 Dell Inc. or its subsidiaries. All Rights Reserved)

Table 5: Legend for use with the QRadar Network Insights 1901-C image
  Label  Description
  1      QRadar firmware storage
  2      IMM port (1 GbE TX)
  3      Management ports (10 GbE SFP+)
  4      Management ports (1 GbE TX)
  5      Network packet capture (SFP). Ports are numbered 0, 1, 2, 3, from left to right.

QRadar Network Insights 1910-C
The IBM QRadar Network Insights 1910-C (MTM 4654-Q9C) appliance offers 1 Gbps and 10 Gbps connectivity in a smaller, lower-cost appliance for deployments that require 10 Gbps connectivity but don't require the same level of processing or performance that is found in the more powerful 1920 appliance.

Table 6: QRadar Network Insights 1910-C overview
  Physical dimensions: 31.3 inches deep x 17.1 inches wide x 1.7 inches high
  Unit weight: 48.5 lbs
  CPU: 2 x Xeon Gold 5118 12C 2.3 GHz 16 MB Cache 3.20 GHz 105 W
  Memory: 64 GB, 4 x 16 GB
  Storage / Hard disks: 2 x 240 GB SATA 2.5" SSD, 240 GB total (RAID1)
  Network interfaces: 4 x 10 Gb SFP+ network capture interfaces, including 4 x SR (LC short range fiber) and 4 x LR (LC long range fiber) transceivers; 4 x 10/100/1000 Base-T Ethernet management interfaces; 1 x 10/100/1000 Base-T integrated management module interface; 2 x 10 Gbps SFP+ management interfaces
  Network capture transceivers: 4 x 10 G SR LC transceivers (Avago AFBR-703SDZ or AFBR-709SMZ); 4 x 10 G LR LC transceivers (Avago AFCT-739SMZ-IB2)
  Network management transceivers: 2 x 10 G SR LC transceivers (Avago AFBR-709SMZ-IB8 or Finisar FTLX8571D3BCL-BN or BNT BN-CKM-SP-SR)
  Traffic rate: 10 Gbps
  Power supply: Dual redundant 750 W AC

Figure 3: QRadar Network Insights 1910-C (Picture: © 2018 Dell Inc. or its subsidiaries. All Rights Reserved)

Table 7: Legend for use with the QRadar Network Insights 1910-C image
  Label  Description
  1      QRadar firmware storage
  2      IMM port (1 GbE TX)
  3      Management ports (10 GbE SFP+)
  4      Management ports (1 GbE TX)
  5      Network Packet Capture (SFP/SFP+). Ports are numbered 0, 1, 2, 3, from left to right.
QRadar Network Insights 1920
The IBM QRadar Network Insights 1920 (MTM 4412-F3F) appliance provides detailed analysis of network flows to extend the threat detection capabilities of IBM QRadar.

The appliance has two Napatech cards, each with four ports. By default, the four ports on the first network capture card are configured for inbound traffic from the network tap. If the appliance is included in a stack, the ports are reconfigured for 2 inbound and 2 outbound. For more information about cabling stacked appliances, see the IBM QRadar Network Insights Installation Guide.

The second Napatech card is cabled internally for load balancing and cannot be used. If you use these ports when you cable the appliance, you do not get any data.

The following table shows the hardware information and requirements for the IBM QRadar Network Insights 1920 (MTM 4412-F3F) appliance:

Table 8: QRadar Network Insights 1920 overview
  Dimensions: 29.7 inches deep x 17.5 inches wide (19 inches with EIA) x 3.4 inches high
  Power: Dual redundant 900 Watt AC power supply
  Storage: 2 x 240 GB SATA 2.5" SSD, 240 GB total (RAID1). The storage is labeled as [1] in the appliance diagram.
  Memory: 128 GB (8 x 16 GB DDR4 2400 MHz)
  Network capture transceivers: 2 x 10 Gb Short Range Fiber transceivers (Avago AFBR-703SDZ or AFBR-709SMZ); 2 x 1 G TX RJ-45 transceivers (Avago ABCU-5710RZ or ABCU-5740RZ); 2 x 1 G SX LC transceivers (Avago AFBR-5715PZ). Use these transceivers with the network packet capture card, labeled as [2] in the appliance diagram.
  Network management transceivers: 2 x 10 G Short Range SFP. The transceivers may have one of the following part numbers: Avago AFBR-709SMZ-IB8, Finisar FTLX8571D3BCL-BN, or BNT BN-CKM-SP-SR. Use these transceivers with the management ports, labeled as [4] in the appliance diagram.

System performance of QRadar Network Insights appliances varies depending on the exact configuration and tuning of the system components. It is influenced not only by hardware, but also by factors such as the search, the extraction criteria, and the amount of network data. For more information, see Performance impacts in the IBM QRadar Network Insights Installation Guide.

Figure 4: Back panel of the QRadar Network Insights 1920 appliance

Table 9: Legend for use with the QRadar Network Insights 1920 image
  Label  Description
  1      QRadar Firmware Storage
  2      Network Packet Capture (SFP/SFP+)
  3      IMM Port (1GbE TX)
  4      Management ports (10 GbE SFP+)
  5      Cabled internally. Do not use these ports.
  6      Management ports (1 GbE TX)

For battery removal steps, see Removing the coin-cell battery (also called CMOS battery) (http://publib.boulder.ibm.com/infocenter/systemx/documentation/index.jsp?topic=/com.lenovo.sysx.8871.doc/t_removing_system_battery.html).

For more information about the front panel, see Front view (http://publib.boulder.ibm.com/infocenter/systemx/documentation/index.jsp?topic=/com.lenovo.sysx.8871.doc/c_front_view.html).

For more information about the back panel, see Rear view (http://publib.boulder.ibm.com/infocenter/systemx/documentation/index.jsp?topic=/com.lenovo.sysx.8871.doc/c_rear_view.html).
For more information, you can also see System x3650 M5 (https://lenovopress.com/lp0068-lenovo-system-x3650-m5-machine-type-8871.html).

QRadar Network Insights 1920-C
The IBM QRadar Network Insights 1920-C (MTM 4654-F4F) appliance provides detailed analysis of network flows to extend the threat detection capabilities of IBM QRadar.

The appliance has two Napatech cards, each with four ports. By default, the four ports on the first network capture card are configured for inbound traffic from the network tap. If the appliance is included in a stack, the ports are reconfigured for 2 inbound and 2 outbound. For more information about cabling stacked appliances, see the IBM QRadar Network Insights Installation Guide.

The second Napatech card is cabled internally for load balancing and cannot be used. If you use these ports when you cable the appliance, you do not get any data.

The following table shows the hardware information and requirements for the IBM QRadar Network Insights 1920-C (MTM 4654-F4F) appliance.

Table 10: QRadar Network Insights 1920-C
  Physical dimensions: 29.0 inches deep x 17.1 inches wide x 3.4 inches high
  Unit weight: 73 lbs
  CPU: 2 x Xeon Gold 6132 14C 2.6 GHz 19 MB Cache 3.70 GHz 140 W
  Memory: 128 GB, 8 x 16 GB
  Storage / Hard disks: 2 x 240 GB SATA 2.5" SSD, 240 GB total (RAID1)
  Network interfaces: 4 x 10 Gb SFP+ network capture interfaces (left side), including 2 x SR (LC short range fiber), 2 x SX (LC short range fiber), and 2 x TX (RJ-45 copper) transceivers; 4 x 10/100/1000 Base-T Ethernet management interfaces; 1 x 10/100/1000 Base-T integrated management module interface; 2 x 10 Gbps SFP+ management interfaces
  Network capture transceivers: 2 x 10 Gb Short Range Fiber transceivers (Avago AFBR-703SDZ or AFBR-709SMZ); 2 x 1 G TX RJ-45 transceivers (Avago ABCU-5710RZ or ABCU-5740RZ); 2 x 1 G SX LC transceivers (Avago AFBR-5715PZ). Use these transceivers with the network packet capture card, labeled as [2] in the appliance diagram.
  Network management transceivers: 2 x 10 G Short Range SFP. The transceivers may have one of the following part numbers: Avago AFBR-709SMZ-IB8, Finisar FTLX8571D3BCL-BN, or BNT BN-CKM-SP-SR. Use these transceivers with the management ports, labeled as [4] in the appliance diagram.
  Traffic rate: 10 Gbps
  Power supply: Dual redundant 750 W AC

Figure 5: QRadar Network Insights 1920-C (Picture: © 2018 Dell Inc. or its subsidiaries. All Rights Reserved)

Table 11: Legend for use with the QRadar Network Insights 1920-C image
  Label  Description
  1      QRadar firmware storage
  2      IMM port (1 GbE TX)
  3      Management ports (10 GbE SFP+)
  4      Management ports (1 GbE TX)
  5      Network Packet Capture (SFP/SFP+). Ports are numbered 3, 2, 1, 0, from left to right.
  6      Do not use these ports
Chapter 3. Upgrading QRadar Network Insights

You must upgrade all of your IBM QRadar products in your deployment to the same version.

Restriction: Resizing logical volumes by using a logical volume manager (LVM) is not supported.

Procedure
1. Download the .sfs file from IBM Fix Central (www.ibm.com/support/fixcentral).
2. Use SSH to log in to your system as the root user.
3. Copy the patch file to the /tmp directory or to another location that has sufficient disk space.
4. To create the /media/updates directory, type the following command:
   mkdir -p /media/updates
5. Change to the directory where you copied the patch file.
6. To mount the patch file to the /media/updates directory, type the following command, where <patch_file>.sfs is the file that you downloaded:
   mount -o loop -t squashfs <patch_file>.sfs /media/updates/
7. To run the upgrade installer, type the following command:
   /media/updates/installer
   The first time that you run the patch installer script, there might be a delay before the first patch installer menu is displayed.
8. Provide answers to the pre-patch questions based on your deployment.
9. Use the upgrade installer to upgrade all hosts in your deployment.
   Note: If you do not select Patch All, you must upgrade systems in the following order:
   • QRadar Console
   • QRadar Incident Forensics
   If your SSH session is disconnected while the upgrade is in progress, the upgrade continues. When you reopen your SSH session and rerun the installer, the installation resumes.
10. After the upgrade is complete, type the following command to unmount the software update:
    umount /media/updates
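Before step 6 loop-mounts the downloaded image, it is worth confirming that the file is what you expect. The following Python script is an added example, not IBM's code and not part of this guide: it checks that the file carries the squashfs magic bytes, that its SHA-256 digest matches the checksum you obtained with the download (EXPECTED_SHA256 is a placeholder you replace), and that the staging directory has the free space that step 3 asks for. It assembles the mount command from step 6 but does not execute it; build_sample_image writes a constructed stand-in file, not a real update image, so the script can be run offline.

```python
"""Pre-flight checks for a QRadar .sfs update image before it is loop-mounted.

Added example, not IBM's code. It assumes that you hold a SHA-256 checksum
for the download (EXPECTED_SHA256 below is a placeholder) and that the image
is staged in a directory with enough free space, as step 3 requires.
"""
import hashlib
import os
import shutil
import tempfile
from typing import List, Tuple

# squashfs superblock magic 0x73717368, stored little-endian, reads as b"hsqs".
SQUASHFS_MAGIC = b"hsqs"
MOUNT_POINT = "/media/updates/"
# Placeholder: replace with the checksum published for your download.
EXPECTED_SHA256 = "<sha256-from-download-page>"


def is_squashfs(path: str) -> bool:
    """True if the file starts with the squashfs magic; a renamed or truncated
    download fails here before mount(8) ever sees it."""
    with open(path, "rb") as fh:
        return fh.read(4) == SQUASHFS_MAGIC


def sha256_of(path: str) -> str:
    """Stream the file through SHA-256 so a large image is not read into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def has_free_space(directory: str, needed_bytes: int) -> bool:
    """Step 3 asks for a location with sufficient disk space; check it rather than guess."""
    return shutil.disk_usage(directory).free >= needed_bytes


def preflight(sfs_path: str, expected_sha256: str, staging_dir: str) -> List[str]:
    """Return the list of problems found; an empty list means the image may be mounted."""
    problems: List[str] = []
    if not os.path.isfile(sfs_path):
        return [f"{sfs_path}: not found"]
    if not is_squashfs(sfs_path):
        problems.append(f"{sfs_path}: bad magic, not a squashfs image")
    actual = sha256_of(sfs_path)
    if actual.lower() != expected_sha256.lower():
        problems.append(f"{sfs_path}: SHA-256 mismatch (got {actual})")
    # The loop mount reads the image in place, but the installer still needs room
    # to work, so require at least the image size free in the staging directory.
    if not has_free_space(staging_dir, os.path.getsize(sfs_path)):
        problems.append(f"{staging_dir}: insufficient free space")
    return problems


def mount_command(sfs_path: str) -> List[str]:
    """argv for step 6 of the procedure; returned, not executed, so it can be reviewed."""
    return ["mount", "-o", "loop", "-t", "squashfs", sfs_path, MOUNT_POINT]


def build_sample_image(magic: bytes = SQUASHFS_MAGIC) -> Tuple[str, str, str]:
    """Write a constructed stand-in image (a header plus filler, not a real squashfs)
    into a fresh temp directory; return (path, sha256, directory)."""
    directory = tempfile.mkdtemp(prefix="qni-sfs-")
    path = os.path.join(directory, "sample.sfs")
    with open(path, "wb") as fh:
        fh.write(magic + b"\x00" * 4096)
    return path, sha256_of(path), directory


if __name__ == "__main__":
    image, digest, staging = build_sample_image()
    print("problems:", preflight(image, digest, staging))            # []
    print("problems:", preflight(image, EXPECTED_SHA256, staging))   # SHA-256 mismatch
    print(" ".join(mount_command(image)))
```

Run it as root on the host from step 2 with the real image path and checksum; only proceed to the mount when preflight returns an empty list.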
Chapter 4. Installing QRadar Network Insights

IBM QRadar Network Insights is already installed when you purchase a QRadar Network Insights appliance. However, you might need to reinstall the software if, for example, you have a hardware failure.

Before you begin
Before you install QRadar Network Insights, ensure that the following requirements are met:
• The appliance hardware is installed.
• A keyboard and monitor are connected by using the VGA connection.
• The activation key is available.

About this task
Install the QRadar Console on one appliance, and the QRadar Network Insights managed host on another appliance.

Restriction: Software versions for all appliances in a deployment must be the same version and fix level. Deployments that use different versions of software are not supported. Resizing logical volumes by using a logical volume manager (LVM) is not supported.

You install QRadar Network Insights by using the QRadar ISO. QRadar Network Insights requires only a connection to the QRadar console. You can deploy QRadar Network Insights separately from the IBM QRadar Incident Forensics Processor deployment.

Procedure
1. For installations on your own hardware, copy the QRadar ISO to the root directory.
   a) Create the /media/dvd directory by typing the following command:
      mkdir /media/dvd
   b) Mount the QRadar ISO by using the following command, where <QRadar_ISO> is the ISO file that you copied:
      mount -o loop <QRadar_ISO> /media/dvd
2. Use the setup script to start the installation.
   a) Change the working directory by typing the command:
      cd /media/dvd
   b) Start the setup script by typing the command:
      setup.sh
3. Follow the instructions in the installation wizard. On the Select the Appliance ID page, choose the IBM QRadar Network Insights component to install.
4. Apply your license key.
   a) Log in to QRadar: https://IP_Address_QRadar
      The default user name is admin. The password is the password of the root user account.
   b) Click Login.
   c) On the navigation menu, click Admin.
   d) In the navigation pane, click System Configuration.
   e) Click the System and License Management icon.
   f) From the Display list, select Licenses, and upload your license key.
   g) Select the unallocated license and click Allocate System to License.
   h) From the list of licenses, select a license, and click Allocate License to System.
   For a QRadar Network Insights deployment, only the 6200 managed host requires a license. The QRadar console does not need a QRadar Network Insights license.

What to do next
Configure your QRadar Network Insights appliance. For more information, see Chapter 6, “Appliance configuration,” on page 21.
Chapter 5. Flow inspection Flows provide QRadar with visibility into network activity. QRadar Network Insights analyzes the network activity, and correlates flow data with event data to detect threats that cannot be identified by using logs alone, thereby revealing previously hidden threats and malicious behaviors. Flow inspection levels The flow inspection level determines how much data is analyzed and extracted from the network flows. By default, the flow inspection level is a global setting that is configured in the System Settings on the Admin tab. It applies to all appliances in your deployment. You can override the global setting by configuring a custom flow inspection level for each appliance. In a stacked configuration, each stack can have a different inspection level, but all appliances within a stack must have the same inspection level. Basic inspection level Basic flows is the lowest level of inspection. Basic flows are detected by 5-tuple, and the number of bytes and packets that are flowing in each direction are counted. This kind of information is similar to what you get out of a router or network switch that does not perform deep packet inspection. This level supports the highest bandwidth, but generates the least amount of flow information. The attributes that QRadar Network Insights generates using the basic flows inspection level are: 5-tuple values, a flow ID, packet and octet counts in each direction, and flow start and end times. For more information about the content fields that are extracted with the Basic inspection level, see the QRadar Network Insights User Guide. Enriched inspection level With the enriched inspection level, each flow is identified and inspected by one of the protocol or domain inspectors, and many kinds of attributes can be generated from that inspection. 
The following list describes the attributes that QRadar Network Insights generates by using the Enriched flow inspection level:
• HTTP metadata values, including categorization of URLs
• Application ID and action
• File information (name, size, hash)
• Originating and recipient user names
• Limited suspect content values
For more information about the content fields that are extracted with the Enriched inspection level, see the QRadar Network Insights User Guide.

Advanced inspection level
Advanced is the default setting and the highest level of inspection. It adds to the flow attributes extracted at the Enriched inspection level through comprehensive analysis of the application content. This content analysis can also detect additional suspect content, yielding more suspect content values that result from the inspection of the file contents. The following list describes the attributes that QRadar Network Insights generates by using the Advanced flow inspection level:
• Personal information
• Confidential data
• Embedded scripts
• Redirects
• Configurable content-based suspect content
For more information about the types of suspect content that are identified at the Advanced inspection level, see the QRadar Network Insights User Guide.

Performance impacts
Flow inspection levels are cumulative, and each level collects more data than the level before it. You must configure the flow inspection level to suit the flow rate that you want to achieve. System performance varies based on the exact configuration and tuning of the system components. It is influenced not only by hardware, but also by factors such as the search and extraction criteria and the amount of network data.

Table 12: Flow inspection level performance for QRadar Network Insights appliances

Flow Inspection Level   1901 appliances              1910 appliance               1920 appliances
Basic                   ~ 4 Gbps                     ~ 10 Gbps                    ~ 10 Gbps
Enriched                ~ 3 Gbps                     ~ 3 Gbps                     ~ 6 Gbps
Advanced                ~ 1.2 Gbps                   ~ 1.2 Gbps                   ~ 2.5 Gbps
                        Does not support stacking.   Does not support stacking.   You can achieve up to 10 Gbps by stacking multiple appliances.

Scaling performance with the 1920 appliances
To achieve higher flow rates, you can stack the QRadar Network Insights 1920 appliances (type 6200) to distribute data processing across multiple Napatech cards and CPUs. In a stacked configuration, the performance scales linearly according to the number of appliances in the stack. For example, a stack with two appliances can achieve up to 2x the performance. You can have up to four appliances in a stack. For more information, see Chapter 7, “Stacking QRadar Network Insights appliances,” on page 27.

Supported protocols and document types

As network traffic data is processed and protocols are identified, the data is further inspected by the appropriate protocol and domain inspectors.

Protocol inspectors
Protocol inspectors can identify protocols such as HTTP, POP3, FTP, and telnet. You can also exclude protocol inspectors.
When inspectors are excluded, any network traffic data that is associated with the inspector is still ingested, but the traffic is identified and indexed only at a generic level. Any protocol that is not identifiable by a protocol inspector is categorized as Unknown. The following list describes the supported protocols that QRadar Network Insights can process:
• AIM
• DHCP
• DNS
• Exchange
• FTP
• HTTP
• iCAP
• IMAP
• IRC
• Jabber
• Myspace
• MySQL
• NFS
• NetBIOS
• Oracle
• POP3
• SIP
• SMB V2 / V3
• SMTP
• SPDY
• SSH
• Telnet
• TLS (SSL)
• Yahoo Messenger
With the exception of SIP (Session Initiation Protocol) traffic, all inspectors are turned on by default and you can see traffic from all protocols. The SIP call setup protocol, which operates at the application layer, is turned off by default.

Domain inspectors
When network traffic data is identified by the HTTP protocol inspector, additional analysis is done by the domain inspector. For domain inspectors to be active, the HTTP protocol inspector must also be active. The following list describes the supported domains (websites) and the supported languages for each domain:
• AOL (Accessible, Basic, Standard) (EN)
• Charter (EN)
• Comcast (Zimbra) (EN)
• Facebook (Mobile, Desktop) (AR, CN, DE, EN, ES, FR, RU)
• Gmail (Classic, Standard) (AR, CN, DE, EN, ES, FR, RU)
• Hotmail (AR, CN, DE, EN, ES, FR, RU)
• LinkedIn (DE, EN, ES, FR, RU)
• MailCom (CN, EN, ES, FR, RU)
• MailRu (RU)
• Maktoob (AR, EN)
• Myspace (EN)
• QQMail (EN, CN)
• Twitter (EN)
• YAHOO Mail (Standard, Classic) (EN)
• YAHOO Note (EN)
• YouTube (AR, CN, DE, EN, ES, FR, RU)
You can also exclude domain inspectors. When you exclude domain inspectors, any HTTP network traffic data that is associated with the inspector is still ingested, but the traffic is identified and indexed only at the HTTP level.

Supported document formats
The following list describes the supported document formats that QRadar Network Insights can process:
• HyperText Markup Language
• XML and derived formats
• Microsoft Office document formats
• OpenDocument Format
• Portable Document Format
• Electronic Publication Format
• Rich Text Format
• Compression and packaging formats
• Text formats
• Audio formats
• Image formats
• Video formats
• Java™ class files and archives
• mbox format

Application detection
Application detection is used when no other inspectors can detect an application, session, or protocol. Application detection inspects the first 64 bytes of a packet for a signature and attempts to identify the application from the signature and port. The following list shows examples of applications, sessions, or protocols that can be identified with the application detection processes:
• BitTorrent
• Blubster
• CitrixICA
• Google Talk
• Gnucleuslan
• Gnutella
• GSS-SPNEGO
• NTLMMSSP
• OpenNap
• PeerEnabler
• Piolet
• UpdateDaemon
• VNC
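The following added example (not code from the guide or from IBM) illustrates two things described in this chapter: what the Basic inspection level records for each flow (5-tuple, flow ID, per-direction packet and octet counts, start and end times), and signature-plus-port application detection limited to the first 64 payload bytes. The packet records, the idle timeout, and the two application signatures are constructed for this example and are not QRadar's own signature set.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

FiveTuple = Tuple[str, int, str, int, int]   # src_ip, src_port, dst_ip, dst_port, ip_proto

# Constructed packet records for this example:
# (timestamp, src_ip, src_port, dst_ip, dst_port, ip_proto, length, payload)
PACKETS = [
    (1000.000, "10.0.0.5", 51000, "203.0.113.10", 6881, 6, 120, b"\x13BitTorrent protocol" + b"\x00" * 44),
    (1000.020, "203.0.113.10", 6881, "10.0.0.5", 51000, 6, 1400, b"\x13BitTorrent protocol" + b"\x00" * 44),
    (1000.050, "10.0.0.5", 51000, "203.0.113.10", 6881, 6, 80, b""),
    (1001.000, "10.0.0.7", 40001, "192.0.2.9", 5900, 6, 74, b""),               # TCP SYN, no payload
    (1001.010, "192.0.2.9", 5900, "10.0.0.7", 40001, 6, 78, b"RFB 003.008\n"),  # RFB server banner
    (1002.000, "192.0.2.9", 5555, "10.0.0.7", 40002, 6, 78, b"RFB 003.008\n"),  # same banner, unusual port
    (1003.000, "10.0.0.8", 40003, "203.0.113.11", 6881, 6, 200, b"J" * 70 + b"\x13BitTorrent protocol"),
    (1300.000, "10.0.0.5", 51000, "203.0.113.10", 6881, 6, 60, b""),           # same 5-tuple after idle gap
]

@dataclass
class BasicFlow:
    """What the Basic inspection level yields: 5-tuple, flow ID, per-direction counts, start and end times."""
    flow_id: int
    key: FiveTuple          # 5-tuple in the direction of the first packet seen
    first_seen: float
    last_seen: float
    src_packets: int = 0
    src_octets: int = 0
    dst_packets: int = 0
    dst_octets: int = 0
    application: Optional[str] = None   # set by application detection when a signature matches

# Illustrative signatures checked against the first 64 payload bytes; assumed for this
# example, not QRadar's signature set. An empty port tuple means "any port".
APP_SIGNATURES = [
    ("BitTorrent", b"\x13BitTorrent protocol", ()),
    ("VNC", b"RFB 003.", (5900, 5901, 5902)),
]

def detect_application(payload: bytes, ports: Set[int]) -> Optional[str]:
    """Identify an application from a signature in the first 64 bytes plus the ports in use."""
    window = payload[:64]   # anything beyond byte 64 is never examined
    for name, pattern, expected_ports in APP_SIGNATURES:
        if window.startswith(pattern) and (not expected_ports or ports & set(expected_ports)):
            return name
    return None

def aggregate_basic_flows(packets, idle_timeout: float = 120.0) -> List[BasicFlow]:
    """Build Basic-level flow records from packet headers; payload is used only for app detection."""
    active: Dict[FiveTuple, BasicFlow] = {}
    finished: List[BasicFlow] = []
    next_id = 1
    for ts, src, sport, dst, dport, proto, length, payload in packets:
        fwd = (src, sport, dst, dport, proto)
        rev = (dst, dport, src, sport, proto)
        key = fwd if fwd in active else rev if rev in active else None
        flow = active[key] if key is not None else None
        if flow is not None and ts - flow.last_seen > idle_timeout:
            finished.append(active.pop(key))   # idle gap: close the old flow, start a new one
            flow = None
        if flow is None:
            flow = BasicFlow(next_id, fwd, ts, ts)
            active[fwd] = flow
            next_id += 1
            key = fwd
        if key == fwd:          # packet travels in the flow's original direction
            flow.src_packets += 1
            flow.src_octets += length
        else:
            flow.dst_packets += 1
            flow.dst_octets += length
        flow.last_seen = ts
        if flow.application is None and payload:
            flow.application = detect_application(payload, {sport, dport})
    finished.extend(active.values())
    return sorted(finished, key=lambda f: f.flow_id)

if __name__ == "__main__":
    for f in aggregate_basic_flows(PACKETS):
        print(f.flow_id, f.key, f.src_packets, f.src_octets, f.dst_packets, f.dst_octets, f.application)
```

The seventh packet shows the 64-byte limit: its BitTorrent handshake starts at byte 70, so detection never sees it, and the sixth packet shows the same RFB banner going unidentified because the port does not corroborate the signature.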
Chapter 6. Appliance configuration

After your IBM QRadar Network Insights appliance is installed and attached to the QRadar Console as a managed host, you must configure the appliance before you can use it for investigating threats on your network. After the appliance is configured, it reads the raw packets from the network tap or span port and then generates IPFIX packets. The IPFIX packets are sent to flow processes in the deployment.

For more information about installing IBM QRadar, see the IBM QRadar Installation Guide. For more information about adding a managed host to your deployment, see Managed hosts in the IBM QRadar Administration Guide.

Configuring the size of the raw payload data capture

You can use IBM QRadar Network Insights to extract raw payload data. The Maximum Raw Payload Size for each appliance is inherited from the QRadar Network Insights global settings.

About this task
On initial installation, IBM QRadar Network Insights is configured to capture a maximum of 64 bytes of raw payload data. To stop capturing payload data, set the Maximum Raw Payload Size to 0.

When you change the global setting, the new value is inherited by all QRadar Network Insights appliances that are configured to use the global setting. This includes new appliances that you add after the setting is changed.

You can override the global settings by configuring custom Maximum Raw Payload Size settings for individual QRadar Network Insights appliances. After an appliance is configured to use a custom setting, it is not affected by changes to the global setting. To revert an appliance back to using the global setting, you must edit the host connection and set the Maximum Raw Payload Size to Global.

Note: You can increase the raw payload size up to 32 768 bytes, but larger payloads can impact performance. Adjust the byte size in small increments, and monitor the disk capacity to ensure that it does not fill up quickly.

Procedure
1. Log in to QRadar as an administrator.
2. To configure the global settings, follow these steps:
a) On the Admin tab, click System Settings.
b) Click QRadar Network Insights Settings.
c) In the Maximum Raw Payload Size, select the maximum amount of data that you want to capture. To turn payload data capture off, set the Maximum Raw Payload Size to 0.
Appliances that use a custom Maximum Raw Payload Size setting are not affected by changes to the global setting. You must configure the customized appliances individually.
d) Click Save.
3. To configure the settings for individual QRadar Network Insights appliances, follow these steps:
a) On the Admin tab, click System and License Management.
b) Select the appliance that you want to modify, and click Deployment actions > Edit Host Connection.
c) Set the flow collector and the flow source connection and click Save.
d) Specify the Maximum Raw Payload Size for the appliance.
Appliances that are configured to use a custom Maximum Raw Payload Size are not affected by future changes to the global setting.
e) Click Next and then click Save.
4. From the menu bar on the Admin tab, click Advanced > Deploy Full Configuration.
Warning: When you deploy the full configuration, QRadar services restart. During this time, events and flows are not collected, and offenses are not generated.
5. Refresh your web browser.

What to do next
Deploy the changes.

Configuring the flow inspection level

The flow inspection level determines how much data is analyzed and extracted from the network flows. Each Flow Inspection Level setting provides deeper visibility and extracts more content than the preceding levels.

About this task
The following table explains the difference between each inspection level:

Table 13: Flow inspection levels

Flow Inspection Level   Description
Basic                   Lowest level of inspection. Flows are detected by 5-tuple, and the number of bytes and packets that are flowing in each direction are counted.
Enriched                Each flow is identified and inspected by one of the protocol or domain inspectors, and many kinds of attributes can be generated from that inspection.
Advanced                The default setting. The highest level of inspection. Flows are subjected to more rigorous content extraction processes, including scanning and inspecting the content of the files that it finds.

By default, the Flow Inspection Level for each appliance is inherited from the global setting that is defined in the System Settings on the Admin page. When you change the global setting, the new value is inherited by all QRadar Network Insights appliances that are configured to use the global setting. This includes new appliances that you add after the setting is changed. You can override the global setting by configuring custom settings for individual QRadar Network Insights appliances.
In a stacked configuration, each stack can have a different flow inspection level, but all appliances within a stack must have the same inspection level.

Procedure
1. Log in to QRadar as an administrator.
2. To configure the global setting, follow these steps:
a) On the Admin tab, click System Settings.
b) Click QRadar Network Insights Settings.
c) From the Flow Inspection Level, select the flow rate.
d) Click Save.
3. To configure the settings for individual QRadar Network Insights appliances, follow these steps:
a) On the Admin tab, click System and License Management.
b) Select the appliance that you want to modify, and click Deployment actions > Edit Host Connection.
c) Set the flow collector and the flow source connection and click Save.
d) Specify the Flow Inspection Level for the appliance.
e) Click Next and then click Save.
4. From the menu bar on the Admin tab, click Advanced > Deploy Full Configuration.
Warning: When you deploy the full configuration, QRadar services restart. During this time, events and flows are not collected, and offenses are not generated.
5. Refresh your web browser.

What to do next
Deploy the QRadar Network Insights Processor.

Configuring QFlow Collector format

You can choose the format that your QRadar QFlow Collectors use to export data to the QFlow processor: TLV (type-length-value) or Payload.

The TLV format stores the content metadata properties in the flow record, and can be searched without extra configuration in QRadar. The payload format stores the content metadata properties in the payload field of the flow record. To run searches on the data, you must use custom properties to extract the data from the payload.

Before you begin
Before you configure the QRadar QFlow Collector format, ensure that you complete the following tasks:
• Install a QRadar Console with a QRadar Network Insights appliance attached as a managed host.
• Perform a full deployment after you attach the IBM QRadar Network Insights appliance as a managed host.

Important: Content extension v1.3.0 introduced support for TLV fields, which supersedes earlier content extensions that were based on custom properties. If you are using content extension v1.3.0 or later, you must set the QFlow format setting to TLV; otherwise the rules in the content pack don't work.

Procedure
1. Log in to QRadar: https://QRadar_IP_Address
The default user name is admin.
The password is the password of the root user account.
2. On the navigation menu, click Admin.
3. In the navigation pane, click System Settings.
4. Click the QFlow Settings menu, and choose the QFlow format.
Table 14: QFlow format options

QFlow format   Description
TLV            Default QFlow format setting. Choose TLV (type-length-value) for new installations, or for upgrades that don't have a QRadar Network Insights appliance as part of their deployment. QRadar Network Insights V7.3.0 or later supports only TLV for content flows.
Payload        Choose Payload if you don't have QRadar Network Insights in your environment.

5. Click Save.
6. From the menu bar on the Admin tab, click Deploy Full Configuration and confirm your changes.
Warning: When you deploy the full configuration, QRadar services are restarted. During this time, events and flows are not collected, and offenses are not generated.
7. Refresh your web browser.

Configuring DTLS communications protocol

To prevent eavesdropping and tampering, you can set up Datagram Transport Layer Security (DTLS) on a QRadar Network Insights managed host. Configuring DTLS is optional, and is not required for QRadar Network Insights to work.

Before you begin
Ensure that your deployment has a QRadar Network Insights (appliance type 6200) managed host that is attached. For more information about how to add a managed host, see the IBM QRadar Administration Guide.

About this task
You can have more than one QRadar Network Insights appliance that points to a single DTLS port, but configuring multiple DTLS ports is not supported.

If, after you configure the DTLS communications protocol, you change the QRadar Flow Collector or flow source of any QRadar Network Insights managed hosts in your deployment, you must deploy the changes.

Procedure
1. To configure a flow source, complete these steps:
a) Log in to the QRadar Console as an administrator.
b) Click the Admin tab.
c) In the Flows section, click Flow Sources.
d) Click the Add icon.
e) In the Flow Source Name field, type a descriptive name.
f) In the Target Flow Collector field, select a flow collector or accept the value provided.
g) In the Flow Source Type list, select Netflow v.1/v.5/v.7/v.9/IPFIX.
h) In the Monitoring Port field, select a port or accept the value provided.
i) In the Linking Protocol list, select DTLS.
j) Click Save.
2. To configure DTLS communication, complete these steps:
a) On the Admin tab, in the System Configuration section, click System and License Management.
b) Select the managed host, and on the Deployment Actions menu, click Edit Host Connection.
c) On the Modify QRadar Network Insights Connection page, select the QRadar Flow Collector and flow source.
d) Click Save.
e) Specify whether to configure the QRadar Network Insights appliance as a stand-alone or stacked appliance.
f) Click Next, and then click Save.
g) Close the System and License Management page.
h) On the Admin tab menu bar, click the Deploy Changes icon.

Installing the QRadar Network Insights content extension

QRadar Network Insights content extensions include extra content, such as rules, reports, searches, and custom properties, that can be used to provide in-depth analysis, alerts, and reports in QRadar Network Insights deployments.

Before you begin
Download the QRadar Network Insights v7.3.0 content extension to your local computer from the IBM Security App Exchange (https://exchange.xforce.ibmcloud.com/hub/extension/5faf57a09236654323cbc4db41bd74f4).

Procedure
1. Log in to the QRadar Console as an administrator.
2. On the navigation menu, click Admin.
3. Click Extension Management.
4. To upload an extension and install it immediately, follow these steps:
a) Click Add and select the extension to upload.
b) To install the extension immediately, select the Install immediately check box, and then click Add.
5. To preview the contents of an extension before you install it, follow these steps:
a) Select the extension from the list, and click More Details.
The content items are compared to content items that are already in the deployment. If the content items exist, you can choose to overwrite them or to keep the existing data.
b) Select Replace existing items. This setting ensures that existing custom properties are updated when the extension is installed.
c) Click Install.
d) Review the installation summary, and click OK.

Results
After the extension is added, a yellow caution icon in the Status column indicates potential issues with the digital signature. Hover the mouse over the triangle for more information. Extensions that are unsigned or are signed by the developer, but not validated by your vendor, might cause compatibility issues in your deployment.
Chapter 7. Stacking QRadar Network Insights appliances

With QRadar Network Insights stacking, you can distribute network packet data across multiple Napatech cards. By distributing the data processing and analysis across multiple appliances, stacking can help you handle higher data volumes and improve flow throughput performance at the highest inspection levels.

If any appliance in the stack experiences a failure and becomes unavailable, the entire stack is impacted. For example, if the first appliance in a stack has a hardware failure, the data is not received by the rest of the stacked appliances.

Appliance cabling

You can stack the QRadar Network Insights 1920 appliances (type 6200) only. Each stack can have a maximum of four appliances, but you can have more than one stack in a deployment. You cannot stack the QRadar Network Insights 1901 appliance.

Each QRadar Network Insights 1920 appliance is configured with 2 Napatech cards. The port configuration on the first Napatech card changes, depending on whether the appliance is part of a standalone configuration or a stacked configuration.

Standalone configuration
In a standalone configuration, the four ports on the first Napatech card are configured to accept inbound traffic from the network tap. The second Napatech card is a load balancer that is configured internally. Do not use the ports on this card; if you use them, you do not get any data.

Stacked configuration
In a stacked configuration, the four ports on the first Napatech card are reconfigured: two ports for inbound traffic and two ports for outbound traffic. The ports are configured as linked pairs, so the data that comes in on port 0 goes out on port 2, and the data that comes in on port 1 goes out on port 3. As in a standalone configuration, the second Napatech card cannot be used in a stacked configuration.
Single incoming TAP line
When your deployment has incoming data on one network tap only, the stacked appliances must be cabled like this:
Figure 6: Cabling for stacked 1920 appliances with single network TAP

Dual incoming TAP lines
When your deployment has incoming data on two network taps, the stacked appliances must be cabled like this:
Figure 7: Cabling for stacked 1920 appliances with dual network TAP

Creating a stack

You can stack QRadar Network Insights 1920 appliances (type 6200) to scale performance at higher inspection levels by load balancing the network packet data across multiple appliances.

Before you begin
Ensure that all appliances that you want to include in the stack are racked and cabled. For more information about how to cable the appliances for use in a stacked configuration, see “Appliance cabling” on page 27.

Ensure that the appliance and the QRadar Console used to manage it are at the same QRadar version and fix pack level.

About this task
By default, the Flow Inspection Level for each appliance is inherited from the global settings that are defined in the System Settings on the Admin page. You can override the global setting by configuring the flow inspection level for each appliance. In a stacked configuration, each stack can have a different inspection level, but all appliances within a stack must have the same inspection level.

The Maximum Raw Payload Size is also inherited from the global system settings, but you can change it for individual appliances. The default size of the payload is 64 bytes, and the maximum size is 32 768 bytes. Large payloads can impact performance. You should adjust the byte size in small increments, and monitor the disk capacity to ensure that it does not fill up quickly.
Procedure
1. If required, add the QRadar Network Insights appliance to your deployment as a managed host.
a) On the navigation menu, click Admin.
b) In the System Configuration section, click System and License Management.
c) In the Display list, select Systems.
d) On the Deployment Actions menu, click Add Host.
e) Configure the settings for the managed host by providing the fixed IP address and the root password for the appliance.
f) Click Add.
The managed host is added and the new configuration is ready to deploy.
g) On the Admin tab, click Advanced > Deploy Full Configuration.
QRadar V7.3.1 and later continues to collect events when you deploy the full configuration. In earlier versions of QRadar, event collection stops while the new configuration is deployed.
2. To configure the managed host as part of a QRadar Network Insights stack, edit the host connection information.
a) On the Admin tab, click System and License Management.
b) In the Display list, select Systems.
c) Select the QRadar Network Insights managed host, and on the Deployment Actions menu, click Edit Host Connection.
d) On the Modify QRadar Network Insights Connection page, select the QRadar Flow Collector and the NetFlow source.
By default, the flow collector is the IP address of the QRadar Console.
e) Click Save.
The console recognizes that the managed host is a 6200 appliance that can be configured as part of a stack.
f) In the Host Action field, select Create new stack and type a descriptive name.
g) Change the Flow Inspection Level and the Maximum Raw Payload Size.
h) Select Next.
The Configure QNI Ports window shows that the ports are now reconfigured from four inbound ports to two ports for inbound traffic and two ports for outbound traffic.
i) Click Save.
The System and License Management window now shows the new QRadar Network Insights stack with one QRadar Network Insights appliance.

What to do next
You must deploy the changes for the new configuration to take effect.
Modifying an existing stack

You can edit an existing stack to add or remove QRadar Network Insights appliances, set the primary host in the stack, and set the flow inspection level and the raw payload size for all appliances in the stack.

Before you begin
Before you add an appliance to a stack, ensure that the appliance is deployed into your QRadar environment. For more information about cabling appliances for use in a stacked configuration, see “Appliance cabling” on page 27.