IBM Support

QRadar: Encryption impact and considerations

Troubleshooting


Problem

What is the impact of enabling or disabling encryption between components?

This article covers:

  • Performance impacts as a result of enabling encryption
  • Encrypting some components and not the full deployment
  • Issues if encryption is disabled

Resolving The Problem

Performance impacts as a result of enabling encryption
Because all components and services communicate through a tunnel on port 22, there is no loss in performance between the encrypted components.
Encryption tunnels all connections between QRadar appliances over port 22. Encryption can be done at the managed host level, but most users who enable encryption do so based on their networks and where appliances are located. Because of what might be in between appliances in the deployment, users might require the extra security that encrypting all communications provides. Encryption port forwards all data through a tunnel on TCP port 22.

Enabling encryption on some appliances but not the whole deployment
You can enable encryption on a managed host when you add the appliance to the deployment. There are cases where you want to ensure that the connections are tunneled on port 22 (SSH) to prevent eavesdropping on other ports. For example, appliances in remote networks can have encryption enabled on them, while some administrators might choose to leave appliances in their core data center unencrypted. Base this decision on your security posture and on whether you want more secure communications that prevent targeted snooping of specific communications.

Issues if encryption is disabled
If you do not have strict firewalls blocking data transfer between hosts, disabling encryption is not an issue.
If you are in a network where the firewalls are restrictive or your team doesn't manage the firewalls themselves, then you might need to open your firewall per the QRadar port usage guide before disabling encryption. If you do not manage the firewalls and you disable encryption, then you might block data requests between QRadar services or components.
Check with your network administrator whether the required ports are open before disabling encryption. For more information on which ports need to be open before disabling encryption, refer to the QRadar port usage guide to ensure you are not blocking communication to QRadar services or components.

Conclusion
In most cases, the decision to encrypt or not encrypt comes down to ease of use, your firewall configuration, and your organization's security policy.
 

Document Location

Worldwide


Document Information

Modified date:
03 October 2022

UID

ibm10876136