
StealthWatch

Network Behavior Analysis and Response Platform

StealthWatch gives system administrators a platform that examines the current state of network traffic and reports or alerts on anomalous behavior. Billed as a Network Behavior Analysis and Response platform, the product can also use this correlated traffic analysis to enforce corporate-defined policies based on the detected behavior, by interacting with third-party switches and firewalls to implement port blocks or rules. Traffic is gathered by appliances (more below), and over 90 statistics are analyzed to build a behavior baseline for host activities. The platform then applies over 130 specific analysis algorithms to the captured traffic and generates a "Concern Index" for the network activity, a score that administrators can use when defining mitigation actions or responses.

StealthWatch examines current network traffic by tapping into NetFlow or sFlow data from existing compatible switches or routers, or by collecting raw traffic data directly from a switch TAP, SPAN, or Mirror. As such, the hardware-based platform does not require additional software or agents to perform its activities.

Key components of the StealthWatch platform include:

- The StealthWatch Management Console (SMC), the central control point of the platform, which provides the GUI for administrators and the ability to manage all other StealthWatch gear. The SMC boasts the vendor's "Point-Of-View" UI technology, which lets each admin view the information appropriate to their organizational role, including traffic trends, top talkers, router information, worm tracking, policy violations, etc.

The SMC is primarily accessed via a Java-based client application (downloaded the first time the user accesses the system). Each of the individual collectors (more below) also exposes a limited-functionality Web-based interface.

- The NC appliance, which is deployed off a SPAN/Mirror/TAP of a switch and captures raw network traffic for baselining and analysis. The NC is typically used in environments or areas where NetFlow or sFlow data is either not available or not desired, and features the ability to verify that the packet payload matches the port being used (for example, ensuring that port 80 traffic is HTTP), OS fingerprinting of hosts, and more. Three versions of the NC appliance are available, ranging from the 2-port NC M45 with support for 45 Mb/sec traffic flows, to the NC G1 with support for 1 Gb/sec traffic and up to 5 monitor ports.

The NC (or Xe, see below) also provides the necessary communications to third-party infrastructure to implement the mitigation actions defined by the administrator.

- The Xe 1000/2000 appliances, with support for NetFlow or sFlow data collection (separate appliances are available for each flow type). The NetFlow 1000 supports up to 20,000 flows per second from up to 100 flow sources, while the NetFlow 2000 supports up to 40,000 flows per second from up to 1,000 flow sources. The sFlow 1000 supports up to 25,000 samples per second from up to 250 sources, while the sFlow 2000 supports up to 55,000 samples per second from up to 1,000 sources.

Other complementary components of the platform include the IDentity-1000 appliance, which can associate network traffic with actual usernames for analysis or forensics, and the Flow Replicator, which aggregates NetFlow, sFlow, syslog, and SNMP data from multiple sources and delivers it in a single data stream to an analysis/response appliance.

New in the forthcoming release of the product (due April 2009) is the FlowSensor VE component, which runs on VMware ESX Server (3.5) and provides monitoring specifically for virtual platforms, including the collection of metrics from individual VM instances and their applications. FlowSensor VE converts the information collected from all the VMs on the machine it is running on into a proprietary version of NetFlow v9 for forwarding to an Xe appliance.

Other expected improvements include new reports supporting virtual environments, reporting enhancements in general, and support for Qualys integration (Qualys vulnerability scans can be run as the result of any alarm).

StealthWatch is available now; entry-level system pricing starts at $49,995. The new version is expected in April 2009, with FlowSensor VE beginning at $1,500.

Visit the Lancope Web site for further information.

product submission by DPW Staff

fact sheet
DPW id#: 992451306
date posted: Feb. 17, 2009
category: Security:Filtering/Monitoring
platform: Is Appliance
vendor: Lancope, Inc
(www.lancope.com)

