Lancope’s newest flow-based security, network and application monitoring appliance features increased performance. The StealthWatch FlowCollector 4000 has a monitoring capacity of 120,000 flows per second (FPS) per collector to scale for very large enterprise networks.
The FlowCollector 4000, which will be available in August as part of the StealthWatch 6.1 release, enables the StealthWatch System to increase its maximum monitoring capacity to 3 million FPS and offers extensible storage capacity up to 4 TBytes for network forensics, capacity planning and compliance.
StealthWatch gathers and analyzes NetFlow traffic data from Cisco routers and switches, as well as sFlow and J-Flow information from other network vendors. Its primary focus is security: it rapidly processes massive amounts of network data to detect anomalous activity, but it can also be leveraged for network performance monitoring.
"We’re selling into more network performance scenarios," says Lancope CTO Adam Powers, "but our bread and butter remains the security use of flows. It’s what differentiates us."
There has been increasing technology and marketing crossover, as network performance monitoring vendors have leveraged global network visibility, total packet capture and sophisticated analysis for security. Lancope’s 6.0 release focused on application layer analysis, an essential component for both security and performance monitoring in contemporary enterprise environments. It also introduced a number of performance statistics and insight into the performance impact of security incidents.
The FlowCollector 4000 also allows Lancope to offer flow support for the high-end Cisco Catalyst 6500 Series Switch and the 3000 and 4000 Series switches.
In addition to introducing the FlowCollector 4000, StealthWatch is adding firewall flow data, combining telemetry from perimeter security devices with that from internal network devices for more comprehensive analysis of network and application security issues. Lancope will start with NetFlow Secure Event Logging (NSEL) flow data from Cisco ASA 5500 Series Adaptive Security Appliances, and add flows from other firewalls and network security devices, such as intrusion detection systems/intrusion prevention systems (IDS/IPS), as they become available. Powers believes that other vendors will follow Cisco’s example with flow support within the next year.
"By feeding ASA data into the StealthWatch anomaly detection and behavioral analysis subsystem, we get information about which access list was hit by a particular flow, what was denied, allowed or rejected," says Powers. By combining network and firewall flow data, StealthWatch can match flows and map traffic on a hop-by-hop basis among routers and ASA appliances, showing, for example, how far a packet made its way into a network, at which point it was dropped and which Access Control List (ACL) dropped it. This level of visibility helps enterprises when security policy fails and/or where legitimate traffic may be impeded.
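The hop-by-hop matching described above, as an added illustration that is not Lancope's code: router NetFlow-style records and ASA NSEL-style records (both constructed here, with assumed device names, a hard-coded path order and simplified field layouts) are joined on the flow 5-tuple and walked along the path to find where a flow stopped and which ACL denied it.

```python
from collections import defaultdict

# Assumed ingress path order (constructed topology, not from the article).
PATH = ["edge-rtr", "asa-dmz", "core-sw", "asa-dc"]

# Constructed router/switch NetFlow-style records: (device, src, dst, proto, dport).
NETFLOW = [
    ("edge-rtr", "203.0.113.7", "10.10.5.20", 6, 445),
    ("edge-rtr", "203.0.113.9", "10.10.8.30", 6, 443),
    ("core-sw",  "203.0.113.9", "10.10.8.30", 6, 443),
]

# Constructed ASA NSEL-style records: same tuple plus the firewall verdict
# and the ACL that produced it.
NSEL = [
    ("asa-dmz", "203.0.113.7", "10.10.5.20", 6, 445, "denied",  "acl-outside-in"),
    ("asa-dmz", "203.0.113.9", "10.10.8.30", 6, 443, "created", "acl-outside-in"),
    ("asa-dc",  "203.0.113.9", "10.10.8.30", 6, 443, "denied",  "acl-dc-ingress"),
]


def index_by_flow(netflow, nsel):
    """Join both telemetry sources on the flow key -> {device: (verdict, acl)}."""
    seen = defaultdict(dict)
    for dev, src, dst, proto, dport in netflow:
        # A router record carries no verdict; seeing the flow means it was forwarded.
        seen[(src, dst, proto, dport)][dev] = ("forwarded", None)
    for dev, src, dst, proto, dport, verdict, acl in nsel:
        seen[(src, dst, proto, dport)][dev] = (verdict, acl)
    return seen


def trace(flow_key, seen, path=PATH):
    """Walk the path hop by hop; report the hops that saw the flow and the
    first ASA deny (device and ACL) if there was one."""
    hops = []
    for dev in path:
        if dev not in seen.get(flow_key, {}):
            break  # flow never reached (or was not reported by) this hop
        verdict, acl = seen[flow_key][dev]
        hops.append(dev)
        if verdict == "denied":
            return {"hops": hops, "denied_by": dev, "acl": acl}
    # No explicit deny: hops[-1] == path[-1] means it got all the way through;
    # anything shorter is a flow that silently stopped being observed.
    return {"hops": hops, "denied_by": None, "acl": None}
```

Running `trace(("203.0.113.7", "10.10.5.20", 6, 445), index_by_flow(NETFLOW, NSEL))` shows the SMB flow reaching the edge router and then being dropped by `acl-outside-in` on the DMZ ASA, while the HTTPS flow passes the DMZ and is denied deeper in, at the data-centre ASA.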