Home > Security News > Review: Lancope StealthWatch 5.5 offers more than IDS
Security News:
EMAIL THIS LICENSING & REPRINTS

Review: Lancope StealthWatch 5.5 offers more than IDS

By Sandra Kay Miller, Contributing Writer
14 Dec 2006 | Information Security magazine

Security Wire Daily News
Digg This!    StumbleUpon Toolbar StumbleUpon    Bookmark with Delicious Del.icio.us    Add to Google

INTRUSION DETECTION
StealthWatch 5.5 from Lancope
Price: StealthWatch starts at $9,995; IDentity-1000 starts at $19,795

Lancope StealthWatch 5.5 is much more than an anomaly-based IDS; it delivers a holistic view of your network -- and its users -- so you can monitor traffic in real-time and respond to three-alarm events, such as zero-day attacks, compliance violations and corporate espionage.

In addition to the standard configuration -- including a management console and Xe collector for NetFlow from Cisco Systems, and Juniper Networks' switches and routers -- we also tested the optional IDentity-1000, which provides automated user identification through directory services, such as RADIUS and Active Directory.

Configuration/Management: B
Using the Quick Start Checklist, terrific documentation and simple configuration menu, we were able to get the collector monitoring flow off our Cisco router within minutes. The Web-based console presents a rich display of multiple dashboards with information about connections, inbound and outbound traffic and protocols.

The management console was easy to install, but this is no simple product. Configuring StealthWatch to take advantage of all the advanced features, such as network planning and traffic engineering, requires extensive knowledge of networking protocols and infrastructure.

The IDentity-1000 is much more complex, requiring many more initial decisions and considerable time. The major configuration options are RADIUS or the Unified IDentity Manager, which includes LDAP, Active Directory and UNIX. Through the command-line interface, we configured the management and data ports and completed basic administration.

Policy Control: A
StealthWatch's highly flexible policy control allows you to assign similar devices, services, applications and protocols to a virtual zone. For example, traffic from mail servers has a separate zone from application servers, each zone with its baseline, threshold and policies. So while heavy traffic on a VoIP segment is normal, similar volume in another zone might indicate worm activity.

The IDentity-1000 also delivers exceptional security policy settings for authentication, authorization and accounting through an intuitive tabbed menu. We quickly added profiles defining numerous attributes, including those specific to vendor devices, and added access policies, assigning both conditions and actions.

Effectiveness: A
We're impressed with StealthWatch's security and network analysis, its ability to pick out anomalous events without using signatures, and the automated user tracking through the IDentity-1000, allowing us to trace offending connections to individual users.

The IDentity-1000 also allowed us to track down syn floods and audit policy-prohibited traffic. Our policies reflected secured groups, such as a development team and regulated environments. We unleashed malware through several vectors. StealthWatch detected and reported all of our events.

Reporting: A
The dashboards provide an almost overwhelming amount of useful real-time data and historical analysis. There is extensive reporting for network operations, identity tracking and external events.

StealthWatch allowed us to create customized views and delegate operations. Being able to feed group-specific information to network operations, the security team, or the legal department, will save time and headaches.

Verdict
StealthWatch goes far beyond traditional intrusion detection, with powerful network-monitoring features. The optional IDentity-1000 is an essential addition.

Testing methodology
We tested the StealthWatch Management Console paired with an Xe500 NetFlow collector gathering flow from Cisco routers, as well as the optional IDentity-1000 appliance configured as a proxy for a RADIUS server.

This article originally appeared in the December 2006 edition of Information Security magazine.

Sound Off! -   Be the first to post a message to Sound Off!


Tags: Network Intrusion Detection (IDS)VIEW ALL TAGS

Digg This!    StumbleUpon Toolbar StumbleUpon    Bookmark with Delicious Del.icio.us    Add to Google


TechTarget Security Media
Information Security View this month\\'s issue and subscribe today.
Information Security Decisions Apply online for free conference admission.
SearchSecurity.com
HomeNewsMagazineWebcastsWhite PapersLearningAdviceTopicsEventsAbout Us
SEARCH :     Advanced Search | Site Index Powered by: Search Powered by Google

About Us  |  Contact Us  |  For Advertisers  |  For Business Partners  |  Site Index  |  RSS
TechTarget provides enterprise IT professionals with the information they need to perform their jobs - from developing strategy, to making cost-effective IT purchase decisions and managing their organizations' IT projects - with its network of technology-specific Web sites, events and magazines.

TechTarget Corporate Web Site  |  Media Kits  |  Reprints  |  Site Map




All Rights Reserved, Copyright 2003 - 2008, TechTarget | Read our Privacy Policy 		  TechTarget - The IT Media ROI Experts