
Review: Lancope StealthWatch 5.5 offers more than IDS

By Sandra Kay Miller, Contributing Writer
14 Dec 2006 | Information Security magazine


INTRUSION DETECTION
StealthWatch 5.5 from Lancope
Price: StealthWatch starts at $9,995; IDentity-1000 starts at $19,795

Lancope StealthWatch 5.5 is much more than an anomaly-based IDS; it delivers a holistic view of your network -- and its users -- so you can monitor traffic in real time and respond to three-alarm events, such as zero-day attacks, compliance violations and corporate espionage.

In addition to the standard configuration -- a management console and an Xe collector that gathers NetFlow from Cisco Systems and Juniper Networks switches and routers -- we also tested the optional IDentity-1000, which provides automated user identification through directory services, such as RADIUS and Active Directory.

Configuration/Management: B
Using the Quick Start Checklist, terrific documentation and simple configuration menu, we were able to get the collector monitoring flow off our Cisco router within minutes. The Web-based console presents a rich display of multiple dashboards with information about connections, inbound and outbound traffic and protocols.

The management console was easy to install, but this is no simple product. Configuring StealthWatch to take advantage of all the advanced features, such as network planning and traffic engineering, requires extensive knowledge of networking protocols and infrastructure.

The IDentity-1000 is much more complex, requiring many more initial decisions and considerable time. The major configuration options are RADIUS or the Unified IDentity Manager, which includes LDAP, Active Directory and UNIX. Through the command-line interface, we configured the management and data ports and completed basic administration.

Policy Control: A
StealthWatch's highly flexible policy control allows you to assign similar devices, services, applications and protocols to a virtual zone. For example, traffic from mail servers gets a separate zone from application servers, and each zone has its own baseline, threshold and policies. So while heavy traffic on a VoIP segment is normal, similar volume in another zone might indicate worm activity.
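As an added illustration of the per-zone baselines described above (example code written for this review, not Lancope's software; the zones, baseline values and flow records are constructed), this Python sketch scores the same byte volume differently depending on the zone a source belongs to, and also flags the fan-out pattern that worm activity leaves in flow data:

```python
from ipaddress import ip_address, ip_network
from collections import defaultdict
# Constructed zones (illustrative values, not vendor defaults): each network
# carries its own baseline in bytes per interval and a tolerance multiplier.
ZONES = {
    "voip": {"net": ip_network("10.1.0.0/24"), "baseline": 50_000_000, "multiplier": 2.0},
    "mail": {"net": ip_network("10.2.0.0/24"), "baseline": 5_000_000, "multiplier": 2.0},
    "dev":  {"net": ip_network("10.3.0.0/24"), "baseline": 1_000_000, "multiplier": 2.0},
}
# Constructed flow records for one interval: (src, dst, dst_port, bytes).
FLOWS = [
    ("10.1.0.5", "10.9.0.1", 5060, 60_000_000),  # VoIP: heavy but within its zone's limit
    ("10.2.0.7", "10.9.0.2", 25, 3_000_000),      # mail: normal
    ("10.3.0.9", "10.9.0.3", 445, 1_500_000),     # one dev host, three destinations on 445
    ("10.3.0.9", "10.9.0.4", 445, 1_500_000),
    ("10.3.0.9", "10.9.0.5", 445, 1_500_000),
]

def zone_of(ip):
    """Map an address to its zone name, or None if it belongs to no zone."""
    addr = ip_address(ip)
    for name, zone in ZONES.items():
        if addr in zone["net"]:
            return name
    return None

def zone_volumes(flows):
    """Sum bytes sent out of each zone during the interval."""
    totals = defaultdict(int)
    for src, _dst, _port, nbytes in flows:
        name = zone_of(src)
        if name is not None:
            totals[name] += nbytes
    return dict(totals)

def flag_zones(flows):
    """Zones over baseline * multiplier: the same bytes are normal for VoIP, an alarm for dev."""
    alerts = {}
    for name, total in zone_volumes(flows).items():
        if total > ZONES[name]["baseline"] * ZONES[name]["multiplier"]:
            alerts[name] = total
    return alerts

def fan_out(flows, min_dests=3):
    """Sources reaching many distinct hosts on one port: a worm-like spread, independent of volume."""
    dests = defaultdict(set)
    for src, dst, port, _nbytes in flows:
        dests[(src, port)].add(dst)
    return {key: len(v) for key, v in dests.items() if len(v) >= min_dests}
```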

The IDentity-1000 also delivers exceptional security policy settings for authentication, authorization and accounting through an intuitive tabbed menu. We quickly added profiles defining numerous attributes, including those specific to vendor devices, and added access policies, assigning both conditions and actions.

Effectiveness: A
We're impressed with StealthWatch's security and network analysis, its ability to pick out anomalous events without using signatures, and the automated user tracking through the IDentity-1000, allowing us to trace offending connections to individual users.

The IDentity-1000 also allowed us to track down SYN floods and audit policy-prohibited traffic. Our policies reflected secured groups, such as a development team and regulated environments. We unleashed malware through several vectors. StealthWatch detected and reported all of our events.

Reporting: A
The dashboards provide an almost overwhelming amount of useful real-time data and historical analysis. There is extensive reporting for network operations, identity tracking and external events.

StealthWatch allowed us to create customized views and delegate operations. Being able to feed group-specific information to network operations, the security team or the legal department will save time and headaches.

Verdict
StealthWatch goes far beyond traditional intrusion detection, with powerful network-monitoring features. The optional IDentity-1000 is an essential addition.

Testing methodology
We tested the StealthWatch Management Console paired with an Xe500 NetFlow collector gathering flow from Cisco routers, as well as the optional IDentity-1000 appliance configured as a proxy for a RADIUS server.

This article originally appeared in the December 2006 edition of Information Security magazine.
