StealthWatch

StealthWatch provides system administrators with a platform that examines the current status of network traffic and can report on or alert to anomalous behavior. Billed as a Network Behavior Analysis and Response platform, the product can also use this correlated network traffic analysis to enforce corporate-defined policies based on the detected behavior, by interacting with third-party switches and firewalls to implement port blocks or rules. Captured traffic is gathered by appliances (more below), with over 90 statistics analyzed to build a behavior baseline for host activities. The platform then applies over 130 specific analysis algorithms against the captured traffic and generates a "Concern Index" for the network activity: a score that administrators can then use in the definition of mitigation actions or responses.

StealthWatch examines current network traffic by tapping into NetFlow or sFlow data from existing compatible switches or routers, or by collecting raw traffic data directly from a switch TAP, SPAN, or mirror port. As such, the hardware-based platform does not require additional software or agents on monitored hosts to perform its activities.

Key components of the StealthWatch platform include:

- The StealthWatch Management Console (SMC), the central control point of the platform, which provides the GUI for administrators and the ability to manage all other StealthWatch gear. The SMC boasts the vendor's "Point-Of-View" UI technology, which enables each individual admin to view appropriate information based on their organizational role, including traffic trends, top talkers, router information, worm tracking, policy violations, etc. The SMC is primarily accessed via a Java-based client application (downloaded the first time the user accesses the system). Each of the individual collectors (more below) also exposes a limited-functionality Web-based interface.
- The NC appliance, which is deployed off a SPAN/mirror/TAP port of a switch and provides the ability to capture raw network traffic for baselining and analysis. The NC is typically used in environments or areas where NetFlow or sFlow data is either not available or not desired, and features the ability to verify that packet payload matches the port being used (ensuring, for example, that port 80 traffic is actually HTTP), O/S fingerprinting of hosts, and more. Three versions of the NC appliance are available, ranging from the 2-port NC M45 with support for 45 Mb/sec traffic flows, to the NC G1 with support for 1 Gb/sec traffic and up to 5 monitor ports. The NC (or Xe, see below) also provides the necessary communications to third-party infrastructure to implement the mitigation actions defined by the administrator.
- The Xe 1000/2000 appliances, with support for NetFlow or sFlow data collection (separate appliances are available for each flow type). The NetFlow 1000 supports up to 20,000 flows per second from up to 100 flow sources, while the NetFlow 2000 supports up to 40,000 flows per second from up to 1,000 flow sources. Meanwhile, the sFlow 1000 supports up to 25,000 samples per second from up to 250 sources, while the sFlow 2000 supports up to 55,000 samples per second from up to 1,000 sources.

Other complementary components of the platform include the IDentity-1000 appliance, with the ability to associate network traffic with actual user names for analysis or forensics, and the Flow Replicator, which aggregates NetFlow, sFlow, syslog, and SNMP data from multiple sources and delivers it in a single data stream to an analysis/response appliance.

Other platform features include QoS reporting and trending; a SOAP-compliant API facilitating the integration of StealthWatch features with third-party platforms, including access to host, flow, and probe data; the Behavioral Baselining Engine and Visual Tolerance Editor, which allow for the customization of alarm variances in relation to a continuously derived baseline; and the ability to associate external devices with their country of origin for data filtering.

New features in the latest StealthWatch release include IPv6 monitoring; the unification of flow data with application-layer details (for application visibility); security enhancements including enhanced bot detection and packet capture search, and the ability to define alert notifications and data access by role; a remotely accessible Web user interface (user access and activity is tracked); support for zone configurations and host information queries in the SOAP API; and new dashboard views.

StealthWatch is available now; entry-level system pricing starts at $49,995. Visit the Lancope Web site for further information.