IBM Support

QRadar: What are SSH tunnels?

Question & Answer


Question

What are Secure Shell (SSH) tunnels and how does QRadar use them?

Answer

SSH tunneling, or port forwarding, is a secure method for communication and transporting data by using the SSH protocol.
This feature is enabled by default so that all communications are encrypted. With port forwarding, SSH works as a tunnel to transport the data. This feature removes the necessity of opening different ports on the network since the only port that is required is port 22.

Some examples of the benefits of SSH tunnels are:

  • Security: The communication is encrypted and the only port that must be open is port 22 (SSH).
  • Ease: SSH tunnels resolve communication issues on networks that don't allow bidirectional communication by enabling Remote Tunnel Initiation.

The following image is an overview of how SSH tunnels work:
SSH Tunnel overview

An SSH tunnel can be set up in two modes: Local Port Forwarding and Reverse Port Forwarding.

Local Port Forwarding

This mode allows the host that originates the tunnel to communicate securely with the remote host. QRadar uses Local Port Forwarding so that the Console can communicate securely with a managed host, or a managed host with another managed host.

The following image illustrates local port forwarding in QRadar:
Local Port Forwarding


Reverse Port Forwarding

This mode allows the remote host to communicate securely with the host that originates the tunnel. QRadar uses Remote Port Forwarding so that a managed host can communicate securely with the Console, or a managed host with another managed host.

The following image illustrates remote port forwarding in QRadar:
Remote Port Forwarding
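The following Python relay is an added example, not code from the IBM article or from QRadar itself: it shows the mechanics both modes share, a listener that accepts a connection and pumps bytes to a target, with only the side that listens differing between local and remote forwarding. All names (serve, start_relay, start_echo_server, round_trip) are assumptions for this illustration, and the echo server is a constructed stand-in for the service at the far end of the tunnel.

```python
import socket
import threading
# Added illustration, not QRadar code: a plain TCP relay doing what the listening
# end of an SSH tunnel does. Local forwarding: the originating host listens and
# relays toward the remote host. Reverse (remote) forwarding: the remote host
# listens and relays back. Same byte pumping; the encrypted SSH leg is omitted.

def _pump(src, dst):
    """Copy bytes src -> dst until src reaches EOF, then half-close dst."""
    try:
        while data := src.recv(4096):
            dst.sendall(data)
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass  # peer already closed

def serve(port, handler):
    """Listen on 127.0.0.1:port (0 = any free port); run handler per connection."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", port))  # loopback only, as ssh -L/-R bind by default
    srv.listen(5)
    def accept_loop():
        while True:
            conn, _ = srv.accept()
            threading.Thread(target=handler, args=(conn,), daemon=True).start()
    threading.Thread(target=accept_loop, daemon=True).start()
    return srv.getsockname()[1]

def start_relay(listen_port, target_host, target_port):
    """Tunnel endpoint: each accepted connection is relayed to the target."""
    def relay(client):
        target = socket.create_connection((target_host, target_port))
        threading.Thread(target=_pump, args=(target, client), daemon=True).start()
        _pump(client, target)
    return serve(listen_port, relay)

def start_echo_server(port=0):  # constructed stand-in for the far-end service
    return serve(port, lambda conn: _pump(conn, conn))

def round_trip(port, payload):  # connect, send, half-close, collect the reply
    with socket.create_connection(("127.0.0.1", port)) as c:
        c.sendall(payload)
        c.shutdown(socket.SHUT_WR)
        out = b""
        while chunk := c.recv(4096):
            out += chunk
    return out
```

Running start_echo_server() and then start_relay(0, "127.0.0.1", echo_port) lets round_trip(relay_port, data) travel through the relay and back, which is the path a client on the listening side takes through a real tunnel.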

Administrators who want to customize the SSH tunnels for hosts in the deployment can review the following settings in System and License Management for individual managed hosts:
  1. Encryption compression: Compresses the data that is transferred in the tunnel.
  2. Remote tunnel initiation: The tunnel is started on the remote host and connects to the local host. This method is used when the network does not allow a bidirectional connection.
Administrators who want to disable SSH tunnels can see QRadar: How to disable or enable SSH tunnels.


Document Information

Modified date:
31 May 2023

UID

ibm16995459