What is the NSM Global management appliance? Is this just a server running the Network Security Manager software?
Apologies for the delay.
Yes, in this instance, the NSM Global management appliance is just a server running the Network Security Manager software.
The NSM Global management appliance manages 4x McAfee NS9200 IPS devices located in 2 separate Data Centre locations (referred to as DC1 and DC2).
The logs from the 4x McAfee NS9200 devices then feed to a Q-Radar SIEM solution.
The NSM Global Appliance and the Q-Radar SIEM solution are located in DC1.
We have plans to deploy a further 2x McAfee NS9200 devices in a remote Data Centre (referred to as DC3).
My questions are:
1. Is the existing NSM Global Appliance located in DC1 capable of managing the 2x McAfee NS9200 devices we plan to deploy in DC3?
2. What are the bandwidth requirements/restrictions considerations to allow the comms between DC1 and DC3?
That is - the logs from the 2x McAfee NS9200 devices located in DC3 to be collected and processed by the NSM Global Appliance located in DC1.
3. Will the NSM Global Appliance located in DC1 be capable of feeding the logs received from the 2x McAfee NS9200 IPS devices located in DC3 into the Q-Radar SIEM?
4. Finally, is there any other thing I need to consider?
The Network Security Platform Installation Guide, available from support.mcafee.com, should provide you with the information you require. It states that if your server meets the minimum specifications for the version of NSM you run, you can connect up to 40 sensors. If you plan to run more sensors, you need a higher specification server.
So you should be fine to add another 2 sensors to your environment. It does not matter where the sensors are physically located as long as the connections to the manager server can handle the traffic generated.
The bandwidth requirements are documented in the Sensor product guide. They state "The NS9200 Sensor is a 2RU unit providing an aggregate throughput of 20 Gbps." but what they actually produce is dependent on how many ports you use and your network traffic.
If your SIEM solution can collect data from DC1 and DC2 without issue, I see no reason why it would have an issue with DC3. I'm not familiar with this software though, so that's just a guess. It may depend on the amount of logs you're generating.