QRadar Network Insights installations on Amazon Web Services
- Review the minimum system requirements.
Ensure that the instance that you plan to install can support the flow inspection level that you want to achieve.
- Install the QRadar components by using the IBM QRadar SIEM .ami image on AWS Marketplace.
You must install a QRadar Console and a QRadar Network Insights managed host. Other managed hosts, such as flow processors, are optional. For information about how to install QRadar components on AWS, see Configuring a QRadar 7.5.0 UP4 virtual appliance on Amazon Web Services.
- Add the QRadar Network Insights managed host to the QRadar Console.
- Configure the flow sources.
- Configure a traffic mirroring session.
- Verify that the deployment is receiving flow data.
Deployment architecture
System requirements for QRadar Network Insights installations on Amazon Web Services
Requirement | Value |
---|---|
Processor | 8 cores (minimum). Tip: To see the number of cores that are included in each instance type, in the AWS Launch an instance window, click Compare instance types. Click the gear icon to include the Cores column in the table. |
Memory | 64 GB (minimum) |
Storage | QRadar Network Insights requires two EBS General Purpose SSD volumes: the 122 GiB volume for the OS and software is configured automatically by the QRadar .ami; you must manually configure the additional 250 GiB volume for data. Warning: It is not possible to increase storage after installation. |
Networking | QRadar Network Insights requires a minimum of two NIC interfaces: a management interface and a monitoring interface. |
Security Groups | The management interface must have an assigned security group that includes rules to allow SSH, NetFlow, and messaging connections between the QRadar Network Insights host and the QRadar Console and any flow collectors or processors that might be installed. The monitoring interface must have an assigned security group that allows VXLAN traffic (UDP port 4789) from the mirror source. The Network ACL (VPC) level also must allow VXLAN traffic. |
To view the system requirements for other IBM QRadar virtual appliances, see System requirements for virtual appliances in the IBM QRadar Installation Guide.
Examples of QRadar Network Insights appliance specifications
You must ensure that the instance type and configuration of the QRadar Network Insights instance can support the flow inspection level that you want to achieve.
CPUs | Memory (GiB) | Maximum monitoring interfaces | Flow inspection level performance* |
---|---|---|---|
8 cores | 64 | 1 | Basic: 1 Gbps; Enriched: 800 Mbps; Advanced: 300 Mbps |
20 cores | 160 | 2 | Basic: 2 Gbps; Enriched: 1.8 Gbps; Advanced: 750 Mbps |

* Performance is aggregate across all monitoring interfaces.
Traffic mirroring
Traffic mirroring sends network traffic from an Amazon EC2 instance (source) to an IBM QRadar Network Insights instance (target) for content inspection and monitoring.
You use the Amazon Web Services (AWS) Management Console to attach an elastic IP address to your QRadar Network Insights instance. Then, you create a traffic mirroring session and define the filters that determine which traffic to forward to the QRadar Network Insights instance.
Before you can configure traffic mirroring, you must have a QRadar Network Insights instance with a monitoring interface that is attached to it.
- Identify the Interface ID of the Amazon EC2 instance that forwards the mirrored traffic. You use this ID when you create the mirror session.
- Assign an Elastic IP address to the Amazon EC2 instance that forwards the mirrored traffic.
- Create a mirror target to specify which instance receives the mirrored traffic.
- Create a mirror filter to specify what traffic gets sent to the target instance. When you configure the traffic mirroring rules, you can use the following parameters to mirror all inbound traffic. To reduce the overhead of traffic mirroring, you can change the parameters to mirror only certain types of traffic. For example, you can mirror only TCP protocols or traffic for a specific source or destination.

Parameter | Value |
---|---|
Rule action | Accept |
Protocol | All protocols |
Source CIDR block | 0.0.0.0/0 |
Destination CIDR block | 0.0.0.0/0 |

- Create a mirror session to start mirroring traffic between the source and target instances.
For more information about AWS traffic mirroring and how to set it up, see What is traffic mirroring? in the Amazon Web Services documentation portal.
Verifying that the QRadar Network Insights host is receiving flow data
Before you begin
You must configure a traffic mirroring session to forward traffic to the monitoring interface.
Procedure
Troubleshooting QRadar Network Insights on Amazon Web Services
- Unable to connect to a managed host due to unprotected private key file
You receive the following warning when you try to connect to a managed host by using a private key file:
WARNING: UNPROTECTED PRIVATE KEY FILE!
You might receive this message when the .pem key file is publicly readable. To resolve this problem, change the permissions on your .pem key file to 600 by typing this command:
chmod 600 <key_file>
- Connection refused when trying to connect to the QRadar Network Insights host
When you try to connect to your disconnected QRadar Network Insights host by using a private key, you receive this message:
Connection Refused
The security profile that is attached to the QRadar Network Insights managed host instance does not allow incoming SSH connections from the source IP address.
To resolve this problem, add an incoming rule to the security profile that is attached to the QRadar Network Insights instance. Configure the rule to allow SSH connections from the source IP address.
For more information, see Security profiles on the AWS Documentation portal.
- A public IP address is not assigned to the QRadar Network Insights instance
This problem might occur under the following conditions:
  - The instance was not configured to have a public IP address assigned automatically when it is launched.
  - Multiple network interfaces are attached to the instance and it was restarted.
To resolve this issue, associate an Elastic IP to the management interface. Alternatively, you can use SSH from either the QRadar Console or another instance on the same subnet to connect to the private IP address of the QRadar Network Insights instance.
- QRadar Network Insights does not see extra NIC card
You added an extra network interface card (NIC) to the QRadar Network Insights instance, but it is not recognized. More configuration is required for the operating system on the QRadar Network Insights instance to recognize the new network interface.
For more information, see Adding another traffic monitoring interface to the QRadar Network Insights instance.
- Unable to connect to the QRadar Network Insights managed host by using SSH from the QRadar Console
When a QRadar Network Insights host is managed by a console, the iptables rules are updated to restrict direct SSH access. You must connect to the managed host by first connecting to the QRadar Console. Because AWS instances do not have a console connection option, there is no way to connect to the managed host if the QRadar Console is unable to log in over SSH.
To resolve this problem, use SSH to connect to the QRadar Console. Then, use SSH from the QRadar Console to the managed host's management interface (eth0) as the root user.
If the QRadar Console can't connect to the managed host, re-create the QRadar Network Insights instance.
To avoid locking yourself out of QRadar, configure the firewall on the managed host to allow SSH connections from trusted sources. For more information, see the Managing IPtables firewall ports Technical Note on the IBM Support website.
- Monitored traffic doesn't show up on the Network Activity tab
Monitored traffic does not show up on the Network Activity tab, but the tcpdump command indicates that the monitoring interface is receiving it.
- Mirrored traffic is not received by multiple mirror targets
Traffic mirroring can send individual packets to only a single target interface. To split traffic between targets, you must set up multiple mirror sessions. The mirror filters for each session must be specific enough to ensure that the traffic is mirrored to only a single target interface.
To see an example of how to split traffic between targets, see Example: Mirror inbound TCP and UDP traffic to two different appliances on the AWS Documentation portal.
- The QRadar Network Insights monitoring interface does not receive mirrored traffic
By default, AWS enables filtering based on source and destination checks on the network interfaces.
Disabling the source and destination checks allows an instance to handle network traffic that isn't destined for the instance. For example, instances that run services such as network address translation, routing, or a firewall should disable the source and destination check attributes.
To disable the source and destination check attributes, follow these steps:
  - In the left navigation pane of the AWS Dashboard, click Network interfaces.
  - Right-click on the instance and click Change Source/Dest Check.
  - Click Disabled and click Change.
  - Repeat the steps for each network interface.
For more information, review Elastic Network interface (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-eni.html) on the AWS Documentation portal.
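The same two changes, the Source/Dest Check setting from this troubleshooting item and the mirror target, filter, rule and session sequence from the Traffic mirroring procedure earlier on this page, can be driven through the EC2 API instead of the console. The following is an added example written for this page, not IBM's or AWS's own code. It uses the boto3 EC2 client's method names and parameters, but takes the client as an argument so that it runs here against an offline recording stub; in production you would pass boto3.client("ec2"). Every eni-, tmt-, tmf-, tmfr- and tms- identifier is a constructed placeholder, and the rule values are the ones the page lists for mirroring all inbound traffic.

```python
"""
Added example, not IBM's or AWS's code: drives the Traffic mirroring steps
from this page (mirror target -> mirror filter -> filter rule -> mirror
session) and the Source/Dest Check change from this troubleshooting item
through the EC2 API. Method names and parameters are those of boto3's EC2
client; the client object is passed in, so the functions run here against
the offline RecordingEC2 stub below and in production against
boto3.client("ec2"). Every eni-/tmt-/tmf-/tms- id is a constructed placeholder.
"""

# Filter rule parameters the page gives for "mirror all inbound traffic":
# Rule action Accept, Protocol All, Source and Destination CIDR 0.0.0.0/0.
# Omitting "Protocol" selects all protocols; adding Protocol=6 keeps only TCP.
ALL_INBOUND_RULE = {
    "TrafficDirection": "ingress",
    "RuleNumber": 100,
    "RuleAction": "accept",
    "SourceCidrBlock": "0.0.0.0/0",
    "DestinationCidrBlock": "0.0.0.0/0",
}


def disable_source_dest_check(ec2, eni_id):
    """Console equivalent: Network interfaces > Change Source/Dest Check > Disabled.
    Run once per interface that must accept traffic not addressed to it."""
    ec2.modify_network_interface_attribute(
        NetworkInterfaceId=eni_id, SourceDestCheck={"Value": False}
    )


def create_mirror_session(ec2, source_eni, target_eni, session_number=1, rule=None):
    """Create the mirror target, filter, one filter rule and the session.
    Returns the ids so they can be tagged, audited or torn down later."""
    rule = dict(ALL_INBOUND_RULE if rule is None else rule)
    target_id = ec2.create_traffic_mirror_target(
        NetworkInterfaceId=target_eni,
        Description="QRadar Network Insights monitoring interface",
    )["TrafficMirrorTarget"]["TrafficMirrorTargetId"]
    filter_id = ec2.create_traffic_mirror_filter(
        Description="QRadar Network Insights mirror filter"
    )["TrafficMirrorFilter"]["TrafficMirrorFilterId"]
    ec2.create_traffic_mirror_filter_rule(TrafficMirrorFilterId=filter_id, **rule)
    session_id = ec2.create_traffic_mirror_session(
        NetworkInterfaceId=source_eni,       # ENI whose traffic is copied
        TrafficMirrorTargetId=target_id,
        TrafficMirrorFilterId=filter_id,
        SessionNumber=session_number,        # evaluation order; unique per source ENI
    )["TrafficMirrorSession"]["TrafficMirrorSessionId"]
    return {"target": target_id, "filter": filter_id, "session": session_id}


class RecordingEC2:
    """Offline stand-in for the boto3 EC2 client: records every call and
    returns responses shaped like the real ones, with constructed ids."""

    def __init__(self):
        self.calls = []  # list of (method_name, kwargs)

    def _record(self, name, kwargs, response):
        self.calls.append((name, kwargs))
        return response

    def modify_network_interface_attribute(self, **kw):
        return self._record("modify_network_interface_attribute", kw, {})

    def create_traffic_mirror_target(self, **kw):
        return self._record("create_traffic_mirror_target", kw,
            {"TrafficMirrorTarget": {"TrafficMirrorTargetId": "tmt-0example"}})

    def create_traffic_mirror_filter(self, **kw):
        return self._record("create_traffic_mirror_filter", kw,
            {"TrafficMirrorFilter": {"TrafficMirrorFilterId": "tmf-0example"}})

    def create_traffic_mirror_filter_rule(self, **kw):
        return self._record("create_traffic_mirror_filter_rule", kw,
            {"TrafficMirrorFilterRule": {"TrafficMirrorFilterRuleId": "tmfr-0example"}})

    def create_traffic_mirror_session(self, **kw):
        return self._record("create_traffic_mirror_session", kw,
            {"TrafficMirrorSession": {"TrafficMirrorSessionId": "tms-0example"}})


if __name__ == "__main__":
    ec2 = RecordingEC2()  # swap for boto3.client("ec2", region_name="...") for real use
    disable_source_dest_check(ec2, "eni-0monitoring")
    ids = create_mirror_session(ec2, "eni-0source", "eni-0monitoring")
    for name, kwargs in ec2.calls:
        print(name, kwargs)
    print(ids)
```

The recorded call list is also a convenient way to review what an automation run would do before pointing it at a real account; the same functions, given a real client, return the ids you need to confirm in the console that the session, filter and target match the interfaces listed in the page's system requirements.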
- Mirrored traffic is incomplete
The following traffic types cannot be mirrored:
- ARP
- DHCP
- Instance metadata service
- NTP
- Windows activation
For more information, see the following pages on the AWS Documentation Portal.
  - What is Traffic Mirroring? (https://docs.aws.amazon.com/vpc/latest/mirroring/what-is-traffic-mirroring.html)
  - Traffic Mirroring quotas and considerations (https://docs.aws.amazon.com/vpc/latest/mirroring/traffic-mirroring-considerations.html)
- QRadar Network Insights instance fails the AWS system status check
Jumbo frames can sometimes cause the QRadar Network Insights instance to restart, resulting in an AWS system status check failure.
To resolve this problem, set the Maximum Transmission Unit (MTU) for the monitoring interface to 9001.
  - To change the MTU temporarily, type this command:
    sudo ip link set dev eth<#> mtu 9001
  - To set the MTU permanently, edit the /etc/sysconfig/network-scripts/ifcfg-eth<#> script for the interface, and change the MTU line to MTU=9001.
For more information, see Network maximum transmission unit (MTU) for your EC2 instance (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/network_mtu.html) on the AWS Documentation portal.
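The permanent change above is a one-line edit, but on a host that has been touched before the ifcfg script may already carry an MTU line, or more than one. The following added example, written for this page and not taken from IBM's documentation, rewrites the script so that it ends up with exactly one MTU=<value> line: an existing line is replaced, duplicates are dropped, and a missing line is appended, so the function is safe to run repeatedly from configuration management. The ifcfg directory and interface name are caller-supplied, the sample script content is constructed, and only the file is changed; the running interface still needs the page's ip link command or an interface restart to pick the value up.

```python
"""
Added example, not from the IBM page: applies the permanent MTU change the
troubleshooting item describes by rewriting the interface's ifcfg script so
that it contains exactly one MTU=<value> line. The ifcfg directory and
interface name are caller-supplied; the sample content is constructed.
"""
import re
from pathlib import Path

# Interface names may not contain path separators or whitespace, so a
# caller-supplied name cannot escape the ifcfg directory.
IFACE_NAME = re.compile(r"^[A-Za-z0-9_.:-]+$")


def set_ifcfg_mtu(text, mtu=9001):
    """Return ifcfg content with a single MTU=<mtu> line; other lines untouched."""
    out, seen = [], False
    for line in text.splitlines():
        if line.strip().startswith("MTU="):
            if not seen:
                out.append(f"MTU={mtu}")  # replace the first MTU= line in place
                seen = True
            continue  # drop any duplicate MTU= lines
        out.append(line)
    if not seen:
        out.append(f"MTU={mtu}")  # script had no MTU line: append one
    return "\n".join(out) + "\n"


def set_interface_mtu(iface, mtu=9001, ifcfg_dir="/etc/sysconfig/network-scripts"):
    """Rewrite ifcfg-<iface> in place and return the path that was written."""
    if not IFACE_NAME.match(iface):
        raise ValueError(f"invalid interface name: {iface!r}")
    path = Path(ifcfg_dir) / f"ifcfg-{iface}"
    path.write_text(set_ifcfg_mtu(path.read_text(), mtu))
    return path


if __name__ == "__main__":
    import tempfile
    # Constructed ifcfg content for a monitoring interface; eth1 is a placeholder.
    sample = "DEVICE=eth1\nBOOTPROTO=none\nONBOOT=yes\nMTU=1500\n"
    with tempfile.TemporaryDirectory() as d:
        Path(d, "ifcfg-eth1").write_text(sample)
        print(set_interface_mtu("eth1", ifcfg_dir=d).read_text(), end="")
```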