Lancope's StealthWatch System 5

The ability to scan for strange behavior sets this combo apart from other intrusion detection systems.

September 9, 2005

Network Computing


• Doesn't need signatures to detect attacks
• Dashboard lets you know what's happening immediately
• Management console consolidates views from many devices
• Full packet capture for detailed analysis and anomaly detection



• Requires advanced network protocol knowledge
• Additional training required to learn comprehensive features and settings
• Additional appliances needed to collect NetFlow and sFlow data

StealthWatch System 5.0, starts at $9,995. Lancope, (888) 419-1462, (770) 225-6500.

I installed the SWA in the Institute of Food and Agricultural Services (IFAS) server room next door to the University of Florida Real-World Labs® to test how it would handle traffic in a production environment. Initial setup through a simple menu system was complete after configuring the IP for the management port, SWA host and domain name, DNS servers and trusted hosts allowed to manage the SWA.

Unlike an IPS that requires inline placement to prevent attacks, the SWA must be connected to a network tap, switch monitor port or hub. I configured an HP ProCurve 4108 switch with a monitor port and connected it to one of the SWA monitoring ports. The appliance immediately began to capture data and create host profiles for all traffic seen on the monitoring port.

The SWA's Web interface is restricted to the IPs configured during initial setup (defined as trusted hosts) and by the built-in user database. When I connected to the interface, I was greeted by the status screen, or dashboard, which provided a detailed summary of network activity, including host information, traffic flow graphs, alarms and Zone Index counts. You decide how much detail is displayed.

Menu items on the left side of the dashboard provide access to status screens, host information, reports and configuration settings. Each menu item expands into submenus for in-depth information and configuration options. There's also detailed context-sensitive help and an excellent glossary--I referred to both regularly. The configurable status screens provide more information than most experienced analysts will need.

How It Works

StealthWatch Management Console


When the SWA sees a packet, it assigns the packet to a network flow that keeps track of the IPs for the client, the server and the service port. The SWA tracks information about each host, including whether it is a client or server. It then draws a baseline based on the host's behavior so it can spot anomalies, including new services, major spikes in bandwidth or increased communications with many hosts. Unlike Cisco's NetFlow, SWA captures the entire packet, which makes OS identification and full packet analysis possible.

In the Zone

Lancope based StealthWatch's design on the assumption that hosts in a network have commonalities. Hosts that are mail servers, for instance, would be grouped into a virtual security zone. The same goes for FTP servers, Web servers and even hosts that don't act as servers. Each group has a zone with its own policies and baselines, which makes it less time consuming to manage a large number of hosts.

To test out zone usefulness, I created a zone for the entire subnet containing all of the IFAS servers. Next, I created separate zones for the Microsoft Exchange servers, IIS Web servers, file servers and Active Directory domain controllers. The zone policies define whether hosts can act as clients or servers for particular services. They also determine how many alerts will trigger an alarm, based on bandwidth usage, attacks or policy violations.

I modified the Service Profile policy for the Microsoft Exchange server zone to limit services to SMTP, LDAP, POP3S and IMAP4. After I logged into the FTP server on one of those servers, the SWA generated an alarm about the server being "out of profile" because it was hosting a service not permitted by the policy I had just defined.

Info Overload

Initial setup of the SMC was identical to that of the SWA. The SMC's management interface requires that the Sun Java Runtime Environment be installed. I connected to the SMC's IP with Internet Explorer and pressed the Start button to begin the download of the Java program components. Lancope did a great job with the Java interface--it's faster than any Java interface I've used.

The SMC lets you manage up to 25 SWAs, providing a full overview of your organization's security status. The console comes with a Dell 24-inch widescreen flat-panel display that makes it easy to view all the vital statistics and spot patterns when analyzing large amounts of data.

The SMC network status screen provides a wealth of information about probes, alerts and alarms. Probes--UDP or TCP packets sent to a host to elicit a response--occur constantly and are logged. Alerts result from a threatening trend discovered by probes. Alarms are generated after the baseline thresholds for the number of alerts are exceeded or policy violations have occurred.

The key values shown on the SMC's status screens are the Concern Index and Target Index. The Concern Index addresses hosts behaving badly, and the Target Index displays data concerning a host that is the target of probes or anomalous behavior. The Concern Index increases as a host generates probes and alerts. As soon as the Concern or Target Index reaches the baseline threshold, an alarm is generated so the analysts know that something needs immediate attention.

So how valuable are these indexes? I tested them by running multiple nmap scans against all the hosts in the IFAS Servers zone and received several alarms on the dash, including alarms for the hosts used for scanning, which received a high Concern value. Additionally, all the scanned hosts received high Target values. From the interface, I could immediately see which host was attacking and which hosts were being attacked.

A signature-based IDS could have detected this as well, but identifying the aberrant behavior is the SWA's forte. For more discreet activity, the SWA evaluates based on host and zone service profiles. If the activity is anomalous to those profiles, the SWA will classify it as a probe, which could later turn into an alert or alarm.
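The out-of-profile check on a zone's Service Profile and the Concern/Target Index bookkeeping described in this section, as an added example that is not Lancope's code or scoring algorithm. It assumes one index point per probe, a fixed threshold of 5, and constructed addresses and flow records.

```python
from collections import defaultdict

# Constructed zone policy: TCP ports the zone's hosts may serve.
ZONES = {
    "exchange": {
        "hosts": {"10.0.0.10", "10.0.0.11"},
        "allowed": {25, 389, 995, 143},  # SMTP, LDAP, POP3S, IMAP4
    },
}
INDEX_THRESHOLD = 5  # assumed alarm threshold, in probes per host

# Constructed flow records: (client, server, server_port, server_answered)
FLOWS = [
    ("10.0.1.50", "10.0.0.10", 25, True),  # in-profile mail delivery
    ("10.0.1.50", "10.0.0.10", 21, True),  # FTP served from the Exchange zone
] + [("10.0.9.9", "10.0.0.11", port, False)
     for port in (22, 23, 80, 110, 135, 139, 445)]  # unanswered attempts


def zone_of(host):
    """Return the name of the zone containing host, or None."""
    for name, zone in ZONES.items():
        if host in zone["hosts"]:
            return name
    return None


def analyze(flows):
    """Return (alarms, concern, target) for a list of flow records."""
    concern = defaultdict(int)  # probes each host generated
    target = defaultdict(int)   # probes each host received
    alarms = []
    for client, server, port, answered in flows:
        zone = zone_of(server)
        if zone is None or port in ZONES[zone]["allowed"]:
            continue  # unmonitored host, or service permitted by the profile
        if answered:
            # The server is hosting a service its zone profile does not permit.
            alarms.append(("out_of_profile", server, port))
        else:
            # Out-of-profile traffic with no service behind it counts as a probe.
            concern[client] += 1
            target[server] += 1
    for label, index in (("high_concern", concern), ("high_target", target)):
        for host, score in index.items():
            if score >= INDEX_THRESHOLD:
                alarms.append((label, host, score))
    return alarms, dict(concern), dict(target)
```

Calling `analyze(FLOWS)` flags the FTP service on the Exchange host and raises one alarm each for the scanning host and the scanned host.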

Both the StealthWatch G1x and Management Console appliances contain so many features that Lancope provides training at an additional cost. I reviewed the training materials and highly recommend the class. For companies with tight security budgets, the StealthWatch System is a solid choice to supplement or even replace your current intrusion-detection and intrusion-prevention systems.

John H. Sawyer is a network security engineer at the University of Florida. He is a GIAC certified firewall analyst and incident handler. Write to him at [email protected].
