QRadar Network Insights installations on Amazon Web Services

You can send your Amazon Web Services (AWS) network traffic to IBM QRadar Network Insights for content inspection and monitoring.
To deploy QRadar Network Insights on Amazon Web Services (AWS), follow this procedure:
  1. Review the minimum system requirements.

    Ensure that the instance that you plan to install can support the flow inspection level that you want to achieve.

  2. Install the QRadar components by using the IBM QRadar SIEM .ami image on AWS Marketplace.

    You must install a QRadar Console and a QRadar Network Insights managed host. Other managed hosts, such as flow processors, are optional. For information about how to install QRadar components on AWS, see Configuring a QRadar 7.5.0 UP4 virtual appliance on Amazon Web Services.

  3. Add the QRadar Network Insights managed host to the QRadar Console.
  4. Configure the flow sources.
  5. Configure a traffic mirroring session.
  6. Verify that the deployment is receiving flow data.

Deployment architecture

The following image shows the traffic flow in a deployment that includes two QRadar Network Insights mirror targets. One QRadar Network Insights instance is used as a flow source for a Flow Processor, while the other instance sends network traffic directly to the QRadar Console.
Figure 1. Example of a QRadar Network Insights deployment on Amazon Web Services

Graphic that shows the mirrored traffic flow in a deployment that has a QRadar Console with one Flow Processor and two QRadar Network Insights hosts attached.

System requirements for QRadar Network Insights installations on Amazon Web Services

To prepare for the IBM QRadar Network Insights installation, ensure that your virtual appliance meets these minimum system requirements.
Processor
  8 cores (minimum)

  Tip: To see the number of cores that are included in each instance type, in the AWS Launch an instance window, click Compare instance types. Click the gear icon to include the Cores column in the table.

Memory
  64 GB (minimum)

Storage
  QRadar Network Insights requires two EBS General Purpose SSD volumes:
    • 1 x 122 GiB (OS and software)
    • 1 x 250 GiB (data)

  The 122 GiB volume for the OS and software is configured automatically by the QRadar .ami. You must manually configure the additional 250 GiB volume for data.

  Warning: It is not possible to increase storage after installation.

Networking
  QRadar Network Insights requires a minimum of two NIC interfaces:
    • One management interface
    • One monitoring interface

  For larger compute-optimized instance types, you can add more monitoring interfaces.

  The Maximum Transmission Unit (MTU) for the monitoring interface must be set to 9001.

Security groups
  The management interface must have an assigned security group that includes rules to allow SSH, NetFlow, and messaging connections between the QRadar Network Insights host and the QRadar Console and any flow collectors or processors that might be installed.

  The monitoring interface must have an assigned security group that allows VXLAN traffic (UDP port 4789) from the mirror source. The Network ACL (VPC) level also must allow VXLAN traffic.

To view the system requirements for other IBM QRadar virtual appliances, see System requirements for virtual appliances in the IBM QRadar Installation Guide.
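The two security-group requirements above can be checked mechanically. The following added example (not IBM's or AWS's code) evaluates constructed security-group records in the shape that `aws ec2 describe-security-groups` returns, confirms that the management group admits SSH from the QRadar Console and the monitoring group admits VXLAN (UDP 4789) from the mirror source, and flags SSH that is open to every address; the group ids and addresses are placeholders.

```python
import ipaddress

SSH_PORT = 22
VXLAN_PORT = 4789  # UDP port used by AWS traffic mirroring (VXLAN encapsulation)

# Constructed sample data in the shape of the IpPermissions list that
# `aws ec2 describe-security-groups` returns; the group ids are placeholders.
MANAGEMENT_SG = {
    "GroupId": "sg-mgmt-placeholder",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    ],
}
MONITORING_SG = {
    "GroupId": "sg-mon-placeholder",
    "IpPermissions": [
        {"IpProtocol": "udp", "FromPort": 4789, "ToPort": 4789,
         "IpRanges": [{"CidrIp": "10.0.1.0/24"}]},
    ],
}

def rule_covers(perm, proto, port):
    """True if one IpPermissions entry covers proto/port ("-1" means all traffic)."""
    if perm["IpProtocol"] == "-1":
        return True
    return perm["IpProtocol"] == proto and perm["FromPort"] <= port <= perm["ToPort"]

def allows(sg, proto, port, src_ip):
    """True if the group admits proto/port from src_ip through at least one rule."""
    ip = ipaddress.ip_address(src_ip)
    return any(rule_covers(p, proto, port)
               and any(ip in ipaddress.ip_network(r["CidrIp"]) for r in p.get("IpRanges", []))
               for p in sg["IpPermissions"])

def audit(management_sg, monitoring_sg, console_ip, mirror_source_ip):
    """Return findings; an empty list means both groups meet the requirements."""
    findings = []
    if not allows(management_sg, "tcp", SSH_PORT, console_ip):
        findings.append("management: SSH from the QRadar Console is blocked")
    if not allows(monitoring_sg, "udp", VXLAN_PORT, mirror_source_ip):
        findings.append("monitoring: VXLAN (UDP 4789) from the mirror source is blocked")
    # Hardening check: SSH reachable from any address is a common over-broad rule
    for p in management_sg["IpPermissions"]:
        if rule_covers(p, "tcp", SSH_PORT) and any(
                r["CidrIp"] == "0.0.0.0/0" for r in p.get("IpRanges", [])):
            findings.append("management: SSH is open to 0.0.0.0/0; restrict it to trusted sources")
    return findings
```

The NetFlow and messaging ports between the managed host and the Console are deployment specific and are not checked here.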

Examples of QRadar Network Insights appliance specifications

You must ensure that the instance type and configuration of the QRadar Network Insights instance can support the flow inspection level that you want to achieve.

The following table shows examples of hardware configurations and the performance that they can achieve at each inspection level. You can use this information as a guideline when you size your virtual appliance.
Note: System performance and data throughput depend on many factors, including the volume and type of files that are observed in the network traffic. Individual performance improvements are not guaranteed.
Table 1. Examples of QRadar Network Insights virtual appliance configurations

CPUs       Memory (GiB)   Maximum monitoring interfaces   Flow inspection level performance*
8 cores    64             1                               Basic: 1 Gbps; Enriched: 800 Mbps; Advanced: 300 Mbps
20 cores   160            2                               Basic: 2 Gbps; Enriched: 1.8 Gbps; Advanced: 750 Mbps

* Performance is aggregate across all monitoring interfaces.

Traffic mirroring

Traffic mirroring sends network traffic from an Amazon EC2 instance (source) to an IBM QRadar Network Insights instance (target) for content inspection and monitoring.

You use the Amazon Web Services (AWS) Management Console to attach an elastic IP address to your QRadar Network Insights instance. Then, you create a traffic mirroring session and define the filters that determine which traffic to forward to the QRadar Network Insights instance.

Before you can configure traffic mirroring, you must have a QRadar Network Insights instance with a monitoring interface that is attached to it.

To configure traffic mirroring, follow this general procedure.
  1. Identify the Interface ID of the Amazon EC2 instance that forwards the mirrored traffic. You use this ID when you create the mirror session.
  2. Assign an Elastic IP address to the Amazon EC2 instance that forwards the mirrored traffic.
  3. Create a mirror target to specify which instance receives the mirrored traffic.
  4. Create a mirror filter to specify what traffic gets sent to the target instance.
    When you configure the traffic mirroring rules, you can use the following parameters to mirror all inbound traffic. To reduce the overhead of traffic mirroring, you can change the parameters to mirror only certain types of traffic. For example, you can mirror only TCP protocols or traffic for a specific source or destination.
    Parameter               Value
    Rule action             Accept
    Protocol                All protocols
    Source CIDR block       0.0.0.0/0
    Destination CIDR block  0.0.0.0/0
  5. Create a mirror session to start mirroring traffic between the source and target instances.

For more information about AWS traffic mirroring and how to set it up, see What is traffic mirroring? in the Amazon Web Services documentation portal.

Verifying that the QRadar Network Insights host is receiving flow data

After the traffic mirror session is configured, you can verify that the IBM QRadar Network Insights managed host is receiving flow data.

Before you begin

You must configure a QRadar Console and a QRadar Network Insights managed host in your Amazon Web Services (AWS) environment.

You must configure a traffic mirroring session to forward traffic to the monitoring interface.

Procedure

  1. Use SSH to log in to the target QRadar Network Insights instance.
  2. To verify that the traffic is reaching the QRadar Network Insights instance, type this command:
    tcpdump -i <eth1>

    where <eth1> is the Interface Name of the mirror target.

  3. Alternatively, you can configure Amazon CloudWatch Logs.
    Amazon CloudWatch Logs collects the flow log data for traffic that is sent to the QRadar Network Insights monitoring interface. The flow log data is useful when you want to verify that QRadar Network Insights is receiving mirrored traffic.

    For more information, see What is Amazon CloudWatch? in the AWS documentation portal.
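What tcpdump shows on the monitoring interface is not the original packet but a VXLAN-encapsulated copy on UDP port 4789. The following added example (not IBM's or AWS's code) constructs such a frame, then decapsulates it the way a verification script on the host would: it confirms the outer UDP port, reads the session VNI, and recovers the inner source, destination and protocol, returning None for anything that is not mirrored traffic. The MACs and addresses are placeholders and the IPv4 checksums are left at zero because the frames never go on the wire.

```python
import ipaddress
import struct

VXLAN_PORT = 4789
ETH_IPV4 = b"\x08\x00"
MAC = b"\x02" * 6  # placeholder locally administered MAC for the constructed frames

def _ipv4(src, dst, proto, payload_len):
    # Minimal 20-byte IPv4 header; checksum left at zero because the
    # constructed sample never goes on the wire.
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                       ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)

def plain_frame(src, dst, proto=6):
    """Constructed original (inner) Ethernet/IPv4 frame, as the source instance sent it."""
    return MAC + MAC + ETH_IPV4 + _ipv4(src, dst, proto, 0)

def mirrored_frame(vni, inner):
    """Wrap `inner` the way traffic mirroring delivers it to the monitoring interface:
    outer Ethernet/IPv4/UDP to port 4789, then the VXLAN header carrying the session VNI."""
    vxlan = bytes([0x08, 0, 0, 0]) + (vni << 8).to_bytes(4, "big")  # I flag set, VNI in bits 8..31
    udp = struct.pack("!HHHH", 40000, VXLAN_PORT, 8 + len(vxlan) + len(inner), 0)
    outer = _ipv4("10.0.1.20", "10.0.1.50", 17, len(udp) + len(vxlan) + len(inner))
    return MAC + MAC + ETH_IPV4 + outer + udp + vxlan + inner

def decap_mirrored(frame):
    """Return (vni, inner_src, inner_dst, inner_proto) for a VXLAN-encapsulated
    mirrored frame, or None when the frame is not mirrored traffic on UDP 4789."""
    if frame[12:14] != ETH_IPV4:
        return None                                     # outer frame is not IPv4
    ihl = (frame[14] & 0x0F) * 4
    if frame[14 + 9] != 17:
        return None                                     # outer packet is not UDP
    udp_at = 14 + ihl
    if struct.unpack("!H", frame[udp_at + 2:udp_at + 4])[0] != VXLAN_PORT:
        return None                                     # UDP, but not the VXLAN port
    vx = frame[udp_at + 8:udp_at + 16]
    if not vx[0] & 0x08:
        return None                                     # VNI not marked valid
    vni = int.from_bytes(vx[4:7], "big")
    inner = frame[udp_at + 16:]
    if inner[12:14] != ETH_IPV4:
        return None                                     # only IPv4 inner frames handled here
    ip = inner[14:34]
    return (vni, str(ipaddress.ip_address(ip[12:16])),
            str(ipaddress.ip_address(ip[16:20])), ip[9])
```

The encapsulation adds 50 bytes (14 + 20 + 8 + 8) to every mirrored IPv4 frame, which is why the monitoring interface needs the 9001-byte MTU stated in the requirements.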

Troubleshooting QRadar Network Insights on Amazon Web Services

Use this information to help you troubleshoot your IBM QRadar Network Insights on Amazon Web Services (AWS) deployment.
Unable to connect to a managed host due to unprotected private key file

You receive the following warning when you try to connect to a managed host by using a private key file.

WARNING: UNPROTECTED PRIVATE KEY FILE!

You might receive this message when the .pem key file is publicly readable. To resolve this problem, change the permissions on your .pem key file to 600 by typing this command:

chmod 600 <key_file>

Connection refused when trying to connect to the QRadar Network Insights host

When you try to connect to your disconnected QRadar Network Insights host by using a private key, you receive this message:

Connection Refused

The security profile that is attached to the QRadar Network Insights managed host instance does not allow incoming SSH connections from the source IP address.

To resolve this problem, add an incoming rule to the security profile that is attached to the QRadar Network Insights instance. Configure the rule to allow SSH connections from the source IP address.

For more information, see Security profiles on the AWS Documentation portal.

A public IP address is not assigned to the QRadar Network Insights instance

This problem might occur under the following conditions:
  • The instance was not configured to have a public IP address assigned automatically when it was launched.
  • Multiple network interfaces are attached to the instance and it was restarted.

To resolve this issue, associate an Elastic IP to the management interface. Alternatively, you can use SSH from either the QRadar Console or another instance on the same subnet to connect to the private IP address of the QRadar Network Insights instance.

QRadar Network Insights does not see extra NIC card

You added an extra network interface card (NIC) to the QRadar Network Insights instance, but it is not recognized. More configuration is required for the operating system on the QRadar Network Insights instance to recognize the new network interface.

For more information, see Adding another traffic monitoring interface to the QRadar Network Insights instance.

Unable to connect to the QRadar Network Insights managed host by using SSH from the QRadar Console

When a QRadar Network Insights host is managed by a console, the iptables rules are updated to restrict direct SSH access. You must connect to the managed host by first connecting to the QRadar Console. Since AWS instances do not have a console connection option, there is no way to connect to the managed host if the QRadar Console is unable to use SSH to log in.

To resolve this problem, use SSH to connect to the QRadar Console. Then, use SSH from the QRadar Console to the managed host's management interface (eth0) as the root user.

If the QRadar Console can't connect to the managed host, you should re-create the QRadar Network Insights instance.

To avoid locking yourself out of QRadar, configure the firewall on the managed host to allow SSH connections from trusted sources. For more information, see the Managing IPtables firewall ports Technical Note on the IBM Support website.

Monitored traffic doesn't show up on the Network Activity tab

Monitored traffic does not show up on the Network Activity tab, but the tcpdump command indicates that the monitoring interface is receiving it.

When you add a QRadar Network Insights host, a flow source is created but it is disabled by default.

To resolve this problem, verify that the flow source for the network interface exists for both the QRadar Network Insights appliance and the monitoring instance. Ensure that there are no changes to be deployed. If the flow source does not exist, create it and enable it.

For more information, see Adding a flow source and Enabling a flow source.

Mirrored traffic is not received by multiple mirror targets

Traffic mirroring can send individual packets to only a single target interface. To split traffic between targets, you must set up multiple mirror sessions. The mirror filters for each session must be specific enough to ensure that the traffic is mirrored to only a single target interface.

To see an example of how to split traffic between targets, see Example: Mirror inbound TCP and UDP traffic to two different appliances on the AWS Documentation portal.
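The following added example (not IBM's or AWS's code) shows why the filters must be disjoint. It evaluates constructed mirror filter rules with the parameters from the procedure above (rule action, protocol, source and destination CIDR blocks) and reports the sample packets that more than one session would accept. It assumes rules are evaluated in ascending rule-number order with the first match deciding, and it ignores traffic direction; the session names are placeholders.

```python
import ipaddress

TCP, UDP = 6, 17  # IP protocol numbers; "all" stands for the page's "All protocols" setting

def rule(number, action, protocol, src, dst):
    """One mirror filter rule: action is "accept" or "reject"; protocol is "all" or a number."""
    return {"number": number, "action": action, "protocol": protocol,
            "src": ipaddress.ip_network(src), "dst": ipaddress.ip_network(dst)}

def filter_accepts(rules, proto, src_ip, dst_ip):
    """Evaluate a packet against one session's rules in rule-number order (assumed:
    lowest number first, first match decides); no match means it is not mirrored."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for r in sorted(rules, key=lambda r: r["number"]):
        if r["protocol"] not in ("all", proto):
            continue
        if src in r["src"] and dst in r["dst"]:
            return r["action"] == "accept"
    return False

def targets_for(sessions, proto, src_ip, dst_ip):
    """Names of the mirror sessions whose filter accepts this packet. More than one
    means the filters overlap, and only one target actually receives the packet."""
    return [name for name, rules in sessions.items()
            if filter_accepts(rules, proto, src_ip, dst_ip)]

def overlapping_packets(sessions, samples):
    """Return the (proto, src, dst) samples that match more than one session."""
    return [s for s in samples if len(targets_for(sessions, *s)) > 1]

# Constructed filters. CATCH_ALL is the table from the procedure above; TCP_ONLY
# narrows a second session to TCP. Used together they overlap on every TCP packet.
CATCH_ALL = [rule(100, "accept", "all", "0.0.0.0/0", "0.0.0.0/0")]
TCP_ONLY = [rule(100, "accept", TCP, "0.0.0.0/0", "0.0.0.0/0")]
# Disjoint replacement for CATCH_ALL: reject TCP first, then accept the rest.
NON_TCP = [rule(100, "reject", TCP, "0.0.0.0/0", "0.0.0.0/0"),
           rule(200, "accept", "all", "0.0.0.0/0", "0.0.0.0/0")]

SAMPLES = [(TCP, "172.31.1.10", "172.31.2.20"), (UDP, "172.31.1.10", "172.31.2.20")]
```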

The QRadar Network Insights monitoring interface does not receive mirrored traffic

By default, AWS enables filtering based on source and destination checks on the network interfaces.

Disabling the source and destination checks allows an instance to handle network traffic that isn't destined for the instance. For example, instances that run services such as network address translation, routing, or a firewall should disable the source and destination check attributes.

To disable the source and destination check attributes, follow these steps:
  1. In the left navigation pane of the AWS Dashboard, click Network interfaces.
  2. Right-click on the instance and click Change Source/Dest Check.
  3. Click Disabled and click Change.
  4. Repeat the steps for each network interface.

For more information, review Elastic Network interface (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-eni.html) on the AWS Documentation portal.

Mirrored traffic is incomplete

The following traffic types cannot be mirrored:

  • ARP
  • DHCP
  • Instance metadata service
  • NTP
  • Windows activation

For more information, see the following pages on the AWS Documentation Portal.

QRadar Network Insights instance fails the AWS system status check

Jumbo frames can sometimes cause the QRadar Network Insights instance to restart, resulting in an AWS system status check failure.

To resolve this problem, set the Maximum Transmission Unit (MTU) for the monitoring interface to 9001.
  • To change the MTU temporarily, type this command:
    sudo ip link set dev eth<#> mtu 9001
  • To set the MTU permanently, edit the /etc/sysconfig/network-scripts/ifcfg-eth<#> script for the interface, and set the MTU line to MTU=9001.

For more information, see Network maximum transmission unit (MTU) for your EC2 instance (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/network_mtu.html) on the AWS Documentation portal.