Professional Documents
Culture Documents
Network Insights
Network Insights
Version 7.3.2
IBM
Note
Before you use this information and the product that it supports, read the information in “Notices” on
page 33.
Product information
This document applies to IBM® QRadar® Security Intelligence Platform V7.3.2 and subsequent releases unless
superseded by an updated version of this document.
© Copyright International Business Machines Corporation 2017, 2019.
US Government Users Restricted Rights – Use, duplication or disclosure restricted by GSA ADP Schedule Contract with
IBM Corp.
Contents
Notices................................................................................................................33
Trademarks................................................................................................................................................ 34
Terms and conditions for product documentation................................................................................... 34
IBM Online Privacy Statement.................................................................................................................. 35
General Data Protection Regulation..........................................................................................................35
iii
iv
Introduction to installing QRadar Network Insights
This guide contains information about analyzing network data in real-time by using IBM QRadar Network
Insights.
Intended audience
Investigators extract information from the network traffic and focus on security incidents, and threat
indicators.
Technical documentation
To find IBM QRadar product documentation on the web, including all translated documentation, access
the IBM Knowledge Center (http://www.ibm.com/support/knowledgecenter/SS42VS/welcome).
For information about how to access more technical documentation in the QRadar products library, see
Accessing IBM Security Documentation Technical Note (www.ibm.com/support/docview.wss?
rs=0&uid=swg21614644).
To learn more about working with QRadar on Cloud data gateways, see the IBM QRadar on Cloud
Getting Started Guide.
Appliance stacking
You can stack the QRadar Network Insights 1920 appliances (type 6200) to distribute network packet
data across multiple Napatech cards. By distributing the data processing and analysis across multiple
appliances, stacking can help you handle higher data volumes and improve flow throughput performance
at the highest inspection levels.
For more information about stacking appliances, see Chapter 7, “Stacking QRadar Network Insights
appliances,” on page 27.
System performance of QRadar Network Insights appliances varies depending on the exact configuration
and tuning of the system components. It is influenced not only by hardware, but also factors such as the
search, extraction criteria, and the amount of network data. For more information, see Performance
impacts in the IBM QRadar Network Insights Installation Guide.
Note: Only the Network Packet Capture card [4] can be used for capturing network packet data.
For battery removal steps, see Removing the coin-cell battery (also called CMOS battery) (http://
www-01.ibm.com/support/knowledgecenter/api/redirect/systemx/documentation/index.jsp?topic=/
com.lenovo.sysx.8871.doc/t_removing_system_battery.html)
For more information about the QRadar Network Insights 1901, including front and back panel diagrams,
see IBM System X3550 M5 (https://lenovopress.com/lp0067-lenovo-system-x3550-m5-machine-
type-8869).
Table 5: Legend for use with the QRadar Network Insights 1901-C image
Label Description
1 QRadar firmware storage
2 IMM port (1 GbE TX)
3 Management ports (10 GbE SFP+)
4 Management ports (1 GbE TX)
5 Network packet capture (SFP)
Ports are numbered 0, 1, 2, 3, from left to right.
Table 7: Legend for use with the QRadar Network Insights 1910-C image
Label Description
1 QRadar firmware storage
2 IMM port (1 GbE TX)
3 Management ports (10 GbE SFP+)
4 Management ports (1 GbE TX)
5 Network Packet Capture (SFP/SFP+)
Ports are numbered 0, 1, 2, 3, from left to right.
System performance of QRadar Network Insights appliances varies depending on the exact configuration
and tuning of the system components. It is influenced not only by hardware, but also factors such as the
search, extraction criteria, and the amount of network data. For more information, see Performance
impacts in the IBM QRadar Network Insights Installation Guide.
Table 9: Legend for use with the QRadar Network Insights 1920 image
Label Description
1 QRadar Firmware Storage
2 Network Packet Capture (SFP/SFP+)
3 IMM Port (1GbE TX)
4 Management ports (10 GbE SFP+)
5 Cabled internally. Do not use these ports.
6 Management ports (1 GbE TX)
For battery removal steps, see Removing the coin-cell battery (also called CMOS battery) (http://
publib.boulder.ibm.com/infocenter/systemx/documentation/index.jsp?topic=/com.lenovo.sysx.8871.doc/
t_removing_system_battery.html)
For more information about the front panel, see Front view (http://publib.boulder.ibm.com/infocenter/
systemx/documentation/index.jsp?topic=/com.lenovo.sysx.8871.doc/c_front_view.html).
For more information about the back panel, see Rear view (http://publib.boulder.ibm.com/infocenter/
systemx/documentation/index.jsp?topic=/com.lenovo.sysx.8871.doc/c_rear_view.html).
Table 11: Legend for use with the QRadar Network Insights 1920-C image
Label Description
1 QRadar firmware storage
2 IMM port (1 GbE TX)
3 Management ports (10 GbE SFP+)
4 Management ports (1 GbE TX)
5 Network Packet Capture (SFP/SFP+)
Ports are numbered 3, 2, 1, 0, from left to right.
Procedure
1. Download the <QRadar_patchupdate>.sfs file from IBM Fix Central (www.ibm.com/support/
fixcentral).
2. Use SSH to log in to your system as the root user.
3. Copy the patch file to the /tmp directory or to another location that has sufficient disk space.
4. To create the /media/updates directory, type the following command:
mkdir -p /media/updates
5. Change to the directory where you copied the patch file.
6. To mount the patch file to the /media/updates directory, type the following command:
mount -o loop -t squashfs <QRadar_patchupdate>.sfs /media/updates/
7. To run the upgrade installer, type the following command:
/media/updates/installer
The first time that you run the patch installer script, there might be a delay before the first patch
installer menu is displayed.
8. Provide answers to the pre-patch questions based on your deployment.
9. Use the upgrade installer to upgrade all hosts in your deployment.
Note: If you do not select Patch All, you must upgrade systems in the following order:
• QRadar Console
• QRadar Incident Forensics
If your SSH session is disconnected while the upgrade is in progress, the upgrade continues. When
you reopen your SSH session and rerun the installer, the installation resumes.
10. After the upgrade is complete, type the following command to unmount the software update:
umount /media/updates
Procedure
1. For installations on your own hardware, copy the QRadar ISO to the root directory.
a) Create the /media/dvd directory by typing the following command:
mkdir /media/dvd
b) Mount the QRadar ISO by using the following command:
mount -o loop <QRadar.iso>/media/dvd
2. Use the setup script to start the installation.
a) Change the working directory by typing the command:
cd /media/dvd
b) Start the setup script by typing the command:
setup.sh
3. Follow the instructions in the installation wizard.
On the Select the Appliance ID page, choose the IBM QRadar Network Insights component to install.
4. Apply your license key.
a) Log in to QRadar:
https://IP_Address_QRadar
The default user name is admin. The password is the password of the root user account.
b) Click the login.
What to do next
Configure your QRadar Network Insights appliance. For more information, see Chapter 6, “Appliance
configuration,” on page 21.
Performance impacts
Flow inspection levels are cumulative, and each level collects more data than the level before it. You must
configure the flow inspection level to suit the flow rate that you want to achieve. System performance
varies based on the exact configuration and tuning of the system components. It is influenced not only by
hardware, but also factors such as the search, extraction criteria, and the amount of network data.
Table 12: Flow inspection level performance for QRadar Network Insights appliances
Flow Inspection 1901 appliances 1910 appliance 1920 appliances
Level
Basic ~ 4 Gbps ~ 10 Gbps ~ 10 Gbps
Enriched ~ 3 Gbps ~ 3 Gbps ~ 6 Gbps
Advanced ~ 1.2 Gbps ~ 1.2 Gbps ~ 2.5 Gbps
Does not support Does not support You can achieve up to 10
stacking. stacking. Gbps by stacking multiple
appliances.
Protocol inspectors
Protocol inspectors can identify protocols such as HTTP, POP3, FTP, and telnet. You can also exclude
protocol inspectors. When the inspectors are excluded, any network traffic data that is associated with
the inspector is still ingested, but the traffic is identified and indexed only on a generic level.
Any protocol that is not identifiable by a protocol inspector is categorized as Unknown.
The following list describes the supported protocols that QRadar Network Insights can process:
• AIM
• DHCP
• DNS
Domain inspectors
When network traffic data is identified by the HTTP protocol inspector, additional analysis is done by the
domain inspector. For domain inspectors to be active, the HTTP protocol inspector must also be active.
The following list describes the supported domains (websites) as well as the supported languages for
each domain:
• AOL (Accessible, Basic, Standard) (EN)
• Charter (EN)
• Comcast (Zimbra) (EN)
• Facebook (Mobile, Desktop) (AR,CN,DE,EN,ES,FR,RU)
• Gmail (Classic, Standard) (AR,CN,DE,EN,ES,FR,RU)
• Hotmail (AR,CN,DE,EN,ES,FR,RU)
• LinkedIn (DE,EN,ES,FR,RU)
• MailCom (CN,EN,ES,FR,RU)
• MailRu (RU)
• Maktoob (AR,EN)
• Myspace (EN)
• QQMail (EN,CN)
• Twitter (EN)
• YAHOO Mail (Standard, Classic) (EN)
Flow inspection 19
• YAHOO Note (EN)
• YouTube (AR,CN,DE,EN,ES,FR,RU)
You can also exclude domain inspectors. When you exclude domain inspectors, any HTTP network traffic
data that is associated with the inspector is still ingested, but the traffic is identified and indexed only at
the HTTP level.
Application detection
Application detection is used when no other inspectors can detect an application, session, or protocol.
Application detection inspects the first 64 bytes of a packet for a signature and attempts to identify the
application from the signature and port.
The following list shows examples of applications, sessions, or protocols that can be identified with the
application detection processes:
• BitTorrent
• Blubster
• CitrixICA
• Google Talk
• Gnucleuslan
• Gnutella
• GSS-SPNEGO
• NTLMMSSP
• OpenNap
• PeerEnabler
• Piolet
• UpdateDaemon
• VNC
Procedure
1. Log in to QRadar as an administrator.
2. To configure the global settings, follow these steps:
a) On the Admin tab, click System Settings.
b) Click QRadar Network Insights Settings.
c) In the Maximum Raw Payload Size, select the maximum amount of data that you want to capture.
To turn payload data capture off, set the Maximum Raw Payload Size to 0.
Appliances that use a custom Maximum Raw Payload Size setting are not affected by changes to
the global setting. You must configure the customized appliances individually.
d) Click Save.
3. To configure the settings for individual QRadar Network Insights appliances, follow these steps:
a) On the Admin tab, click System and License Management.
b) Select the appliance that you want to modify, and click Deployment actions > Edit Host
Connection.
c) Set the flow collector and the flow source connection and click Save.
d) Specify the Maximum Raw Payload Size for the appliance.
Warning: When you deploy the full configuration, QRadar services restart. During this time,
events and flows are not collected, and offenses are not generated.
5. Refresh your web browser.
What to do next
Deploy the changes.
By default, the Flow Inspection Level for each appliance is inherited from the global setting that is
defined in the System Settings on the Admin page. When you change the global setting, the new value is
inherited by all QRadar Network Insights appliances that are configured to use the global setting. This
includes new appliances that you add after the setting is changed.
You can override the global setting by configuring custom settings for individual QRadar Network Insights
appliances.
In a stacked configuration, each stack can have a different flow inspection level, but all appliances within
a stack must have the same inspection level.
Procedure
1. Log in to QRadar as an administrator.
2. To configure the global setting, follow these steps:
a) On the Admin tab, click System Settings.
b) Click QRadar Network Insights Settings.
c) From the Flow Inspection Level, select the flow rate.
Warning: When you deploy the full configuration, QRadar services restart. During this time,
events and flows are not collected, and offenses are not generated.
5. Refresh your web browser.
What to do next
Deploy the QRadar Network Insights Processor.
Procedure
1. Log in to QRadar: https://QRadar_IP_Address
The default user name is admin. The password is the password of the root user account.
2. On the navigation menu ( ), click Admin.
3. In the navigation pane, click System Settings.
4. Click the QFlow Settings menu, and choose the QFlow format.
Appliance configuration 23
Table 14: QFlow format options
QFlow format Description
TLV Default QFlow format setting.
Choose TLV (type-length-value) for new installations, or for upgrades
that don't have a QRadar Network Insights appliance as part of their
deployment.
QRadar Network Insights V7.3.0 or later supports only TLV for content
flows.
Payload Choose Payload if you don't have QRadar Network Insights in your
environment.
5. Click Save.
6. From the menu bar on the Admin tab, click Deploy Full Configuration and confirm your changes.
Warning: When you deploy the full configuration, QRadar services are restarted. During this
time, events and flows are not collected, and offenses are not generated.
7. Refresh your web browser.
Procedure
1. To configure a flow source, complete these steps:
a) Log in to the QRadar Console as an administrator.
b) Click the Admin tab.
c) In the Flows section, click Flow Sources.
d) Click the Add icon.
e) In the Flow Source Name field, type a descriptive name.
f) In the Target Flow Collector field, select a flow collector or accept the value provided.
g) In the Flow Source Type list, select Netflow v.1/v.5/v.7/v.9/IPFIX.
h) In the Monitoring Port field, select a port or accept the value provided.
i) In the Linking Protocol list, select DTLS.
j) Click Save.
Procedure
1. Log in to the QRadar Console as an administrator.
2. On the navigation menu ( ), click Admin.
3. Click Extension Management.
4. To upload an extension and install it immediately, follow these steps:
a) Click Add and select the extension to upload.
b) To install the extension immediately, select the Install immediately check box, and then click Add.
5. To preview the contents of an extension before you install it, follow these steps:
a) Select the extension from the list, and click More Details.
The content items are compared to content items that are already in the deployment. If the content
items exist, you can choose to overwrite them or to keep the existing data.
b) Select Replace existing items. This setting ensures that existing custom properties are updated
when the extension is installed.
c) Click Install.
d) Review the installation summary, and click OK.
Results
After the extension is added, a yellow caution icon in the Status column indicates potential issues with
the digital signature. Hover the mouse over the triangle for more information. Extensions that are
unsigned or are signed by the developer, but not validated by your vendor, might cause compatibility
issues in your deployment.
Appliance configuration 25
26 IBM QRadar Network Insights: Installation and Configuration Guide
Chapter 7. Stacking QRadar Network Insights
appliances
With QRadar Network Insights stacking, you can distribute network packet data across multiple Napatech
cards. By distributing the data processing and analysis across multiple appliances, stacking can help you
handle higher data volumes and improve flow throughput performance at the highest inspection levels.
If any of the appliances in the stack experience a failure and becomes unavailable, the entire stack is
impacted. For example, if the first appliance in a stack has a hardware failure, the data is not received by
the rest of the stacked appliances.
Appliance cabling
You can stack the QRadar Network Insights 1920 appliances (type 6200) only. Each stack can have a
maximum of four appliances, but you can have more than one stack in a deployment. You cannot stack
the QRadar Network Insights 1901 appliance.
Each QRadar Network Insights 1920 appliance is configured with 2 Napatech cards. The port
configuration on the first Napatech card changes, depending on whether the appliance is part of a
standalone configuration or a stacked configuration.
Standalone configuration
In a standalone configuration, the four ports on the first Napatech card are configured to accept
inbound traffic from the network tap.
The second Napatech card is a load balancer that is configured internally. Do not use the ports on this
card; if you use them, you do not get any data.
Stacked configuration
In a stacked configuration, the four ports on the first Napatech card are reconfigured, two ports for
inbound traffic and two ports for outbound traffic. The ports are configured as linked pairs, so the data
that comes in on port 0 goes out on port 2, and the data that comes in on port 1 goes out on port 3.
Similar to a standalone configuration, the second Napatech card cannot be used in a stacked
configuration.
Creating a stack
You can stack QRadar Network Insights 1920 appliances (type 6200) to scale performance at higher
inspection levels by load balancing the network packet data across multiple appliances.
What to do next
You must deploy the changes for the new configuration to take effect.
Procedure
1. On the Admin tab, click System and License Management.
2. In the Display list, select Systems.
3. In the host table, select that stack that you want to configure, and click Deployment Actions > Edit
Stack.
4. To set custom settings for the Flow Inspection Level level and the Maximum Raw Payload Size, click
Change in the appropriate section.
5. To modify the number of hosts in the stack or to set the primary host, in the Hosts in Stack section,
click Change.
6. Click Save.
What to do next
You must deploy the changes for the new configuration to take effect.
Procedure
1. On the Admin tab, click System and License Management.
2. In the Display list, select Systems.
3. To remove a single appliance from a stack, follow these steps.
a) In the host table, select that stack that you want to configure.
b) Click Deployment Actions > Edit Stack.
c) In the Hosts in Stack section, click Change.
d) Click the minus (-) symbol next to the appliance that you want to remove, and then click Save.
4. To remove the entire stack, follow these steps.
a) In the host table, select that stack that you want to remove.
b) Click Deployment Actions > Unstack.
What to do next
You must deploy the changes for the new configuration to take effect.
For license inquiries regarding double-byte character set (DBCS) information, contact the IBM Intellectual
Property Department in your country or send inquiries, in writing, to:
Such information may be available, subject to appropriate terms and conditions, including in some cases,
payment of a fee.
Trademarks
IBM, the IBM logo, and ibm.com® are trademarks or registered trademarks of International Business
Machines Corp., registered in many jurisdictions worldwide. Other product and service names might be
trademarks of IBM or other companies. A current list of IBM trademarks is available on the Web at
"Copyright and trademark information" at www.ibm.com/legal/copytrade.shtml.
Applicability
These terms and conditions are in addition to any terms of use for the IBM website.
Personal use
You may reproduce these publications for your personal, noncommercial use provided that all proprietary
notices are preserved. You may not distribute, display or make derivative work of these publications, or
any portion thereof, without the express consent of IBM.
Commercial use
You may reproduce, distribute and display these publications solely within your enterprise provided that
all proprietary notices are preserved. You may not make derivative works of these publications, or
reproduce, distribute or display these publications or any portion thereof outside your enterprise, without
the express consent of IBM.
Rights
Except as expressly granted in this permission, no other permissions, licenses or rights are granted, either
express or implied, to the publications or any information, data, software or other intellectual property
contained therein.
34 Notices
IBM reserves the right to withdraw the permissions granted herein whenever, in its discretion, the use of
the publications is detrimental to its interest or, as determined by IBM, the above instructions are not
being properly followed.
You may not download, export or re-export this information except in full compliance with all applicable
laws and regulations, including all United States export laws and regulations.
IBM MAKES NO GUARANTEE ABOUT THE CONTENT OF THESE PUBLICATIONS. THE PUBLICATIONS ARE
PROVIDED "AS-IS" AND WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED,
INCLUDING BUT NOT LIMITED TO IMPLIED WARRANTIES OF MERCHANTABILITY, NON-INFRINGEMENT,
AND FITNESS FOR A PARTICULAR PURPOSE.
Notices 35
36 IBM QRadar Network Insights: Installation and Configuration Guide
IBM®