designetwork(EN)

IT technical memo of networking

Lancope STEALTHWATCH: Installing an evaluation licence


Because of Cisco's acquisition of Lancope, I tried introducing and testing Lancope STEALTHWATCH. Roughly, the flow is to obtain an account from Lancope in order to get the evaluation (Evaluation) license, and then deploy the VM.
The e-mail exchange I had with US customer support was a personal highlight, but unfortunately I can't publish it because I used my company e-mail ...

NaaS / NaaE

Cisco has put forward the idea of using the entire network as a security sensor and as a defense (enforcement) system:

  • NaaS (Network as a Sensor)
  • NaaE (Network as an Enforcer)

The technical element is Flexible NetFlow running on Catalyst switches, and the idea is to monitor all communication. In this way it attempts to stop threats that cannot be detected by entrance (ingress) and exit (egress) measures alone. See this article for the use of NetFlow.

http://en-designetwork.hatenablog.com/entry/2016/02/05/020816
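Flexible NetFlow exports arrive at the collector as NetFlow v9 packets: a template flowset describes the record layout, and data flowsets carry the records. The following added example (not code from the original post, nor from Lancope or Cisco) decodes such a packet and runs a crude fan-out check of the kind a flow-based monitor raises, to show what "monitoring all communication" gives a collector to work with. The field type numbers follow RFC 3954; the sample packet, its addresses and the threshold are constructed here.

```python
"""Minimal NetFlow v9 decoder plus a fan-out heuristic (added example)."""
import struct
from collections import defaultdict

# RFC 3954 field type IDs handled by this decoder; other types are kept
# under a generic name so records stay complete.
FIELD_NAMES = {
    1: "in_bytes", 2: "in_pkts", 4: "protocol", 7: "l4_src_port",
    8: "ipv4_src_addr", 11: "l4_dst_port", 12: "ipv4_dst_addr",
}


def _decode(ftype, raw):
    """IPv4 address fields become dotted quads; everything else big-endian ints."""
    if ftype in (8, 12):
        return ".".join(str(b) for b in raw)
    return int.from_bytes(raw, "big")


def parse_netflow_v9(packet, templates=None):
    """Decode one v9 export packet; returns a list of record dicts.

    templates maps template_id -> [(field_type, length)]. Templates learned
    here are stored so data flowsets later in the same packet decode.
    """
    if templates is None:
        templates = {}
    version, _count, _uptime, _secs, _seq, _src = struct.unpack("!HHIIII", packet[:20])
    if version != 9:
        raise ValueError("not NetFlow v9 (version %d)" % version)
    records, offset = [], 20
    while offset + 4 <= len(packet):
        flowset_id, length = struct.unpack("!HH", packet[offset:offset + 4])
        if length < 4:
            raise ValueError("bad flowset length")
        body = packet[offset + 4:offset + length]
        if flowset_id == 0:                      # template flowset
            pos = 0
            while pos + 4 <= len(body):
                tid, nfields = struct.unpack("!HH", body[pos:pos + 4])
                pos += 4
                fields = []
                for _ in range(nfields):
                    fields.append(struct.unpack("!HH", body[pos:pos + 4]))
                    pos += 4
                templates[tid] = fields
        elif flowset_id >= 256:                  # data flowset
            fields = templates.get(flowset_id)
            if fields is not None:               # unknown template: skip
                rec_len = sum(flen for _, flen in fields)
                pos = 0
                while pos + rec_len <= len(body):    # trailing bytes = padding
                    rec = {}
                    for ftype, flen in fields:
                        rec[FIELD_NAMES.get(ftype, "type_%d" % ftype)] = \
                            _decode(ftype, body[pos:pos + flen])
                        pos += flen
                    records.append(rec)
        # id 1 (options template) and 2-255 (reserved) are ignored here
        offset += length
    return records


def fan_out_by_source(records, threshold=3):
    """Sources contacting >= threshold distinct (dst, port) pairs: a crude
    scan-style indicator. Returns {src: distinct_pair_count}."""
    targets = defaultdict(set)
    for r in records:
        if {"ipv4_src_addr", "ipv4_dst_addr", "l4_dst_port"} <= r.keys():
            targets[r["ipv4_src_addr"]].add((r["ipv4_dst_addr"], r["l4_dst_port"]))
    return {s: len(t) for s, t in targets.items() if len(t) >= threshold}


def build_sample_packet():
    """Constructed sample: one template (id 256) and four data records."""
    fields = [(8, 4), (12, 4), (7, 2), (11, 2), (4, 1), (1, 4), (2, 4)]
    tmpl = struct.pack("!HH", 256, len(fields))
    for ftype, flen in fields:
        tmpl += struct.pack("!HH", ftype, flen)
    tmpl_flowset = struct.pack("!HH", 0, 4 + len(tmpl)) + tmpl
    flows = [  # src, dst, sport, dport, proto, bytes, pkts (constructed)
        ("192.0.2.10", "198.51.100.5", 51000, 22, 6, 1200, 10),
        ("192.0.2.10", "198.51.100.5", 51001, 80, 6, 800, 6),
        ("192.0.2.10", "198.51.100.5", 51002, 443, 6, 500, 4),
        ("192.0.2.20", "198.51.100.7", 40000, 53, 17, 90, 1),
    ]
    data = b""
    for src, dst, sp, dp, proto, nbytes, npkts in flows:
        data += bytes(int(o) for o in src.split(".")) + bytes(int(o) for o in dst.split("."))
        data += struct.pack("!HHBII", sp, dp, proto, nbytes, npkts)
    data += b"\x00" * ((-len(data)) % 4)        # pad to 4-byte boundary
    data_flowset = struct.pack("!HH", 256, 4 + len(data)) + data
    header = struct.pack("!HHIIII", 9, 2, 123456, 1454630000, 1, 0)
    return header + tmpl_flowset + data_flowset


if __name__ == "__main__":
    recs = parse_netflow_v9(build_sample_packet())
    for rec in recs:
        print(rec)
    print("fan-out sources:", fan_out_by_source(recs))
```

A real collector additionally buffers data flowsets whose template has not arrived yet and keys templates by exporter source ID; both are left out here to keep the decoding path visible.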

What is Lancope STEALTHWATCH?

What kind of company is Lancope, which Cisco has acquired? What kind of system is STEALTHWATCH? This is described on Cisco's official website:

www.cisco.com

Introduction to STEALTHWATCH

Licensing

StealthWatch FlowCollector

Model               Maximum Flows Per Second   Maximum NetFlow Exporters   Maximum Hosts Monitored   Flow Storage Capacity
FlowCollector VE    30,000                     1000                        500,000                   1 TB
FlowCollector 1000  30,000                     500                         250,000                   1 TB
FlowCollector 2000  60,000                     1000                        500,000                   2 TB
FlowCollector 4000  120,000                    2000                        1,000,000                 4 TB

StealthWatch Management Console

Model                                  Maximum FlowCollectors Supported   Flow Storage Capacity
StealthWatch Management Console VE     5                                  1 TB
StealthWatch Management Console 1000   5                                  1 TB
StealthWatch Management Console 2000   25                                 2 TB

StealthWatch Flow Licenses

License Type
Flow Collection License - 1000 Flows
Flow Collection License - 10,000 Flows
Flow Collection License - 25,000 Flows
Flow Collection License - 50,000 Flows
Flow Collection License - 100,000 Flows

StealthWatch FlowSensor

Model            Traffic Capacity
FlowSensor VE    1 per ESXi server
FlowSensor 250   100 Mbps
FlowSensor 1000  1 Gbps
FlowSensor 2000  2.5 Gbps
FlowSensor 3000  5 Gbps

StealthWatch FlowReplicator

Model                Traffic Capacity - Inbound   Traffic Capacity - Outbound
FlowReplicator 1000  10 KPPS                      20 KPPS
FlowReplicator 2000  20 KPPS                      60 KPPS

Steps to obtain the evaluation license

  • Application for evaluation
  • Interaction with the person in charge (in the United States)
  • Acquisition of a member site account
  • Software download
  • Software installation (VM deployment)
  • License registration

When I entered the necessary information on the official Web site, an e-mail came to the registered address, and I conveyed in clumsy English that I wanted an evaluation license. There was an offer to put me in touch with support, which I more or less declined ... Nothing in particular tripped me up in the installation itself, as the manual was careful and thorough.

Peripheral configuration

NetFlow needs to be configured on the network equipment. In my environment, a Cisco ASA5505 is the NetFlow exporter. See this article for how to set it up.

designetwork.hatenablog.com

Impressions of STEALTHWATCH

This time, since I had already applied for the license for my workplace environment, I could not apply for one at home. The Web UI and the Java client each look something like this.

Web: [screenshot of the Web UI]

Java: [screenshot of the Java client]

The full-featured Java client can do traffic analysis, and it is impressive that the Web UI displays only the important points in a targeted way. Even in the Web UI, however, you can display NetFlow data by creating and running a Flow Query. Being able to use Web access is important for disclosing the system within the company, so I rate this highly.

ISE integration

Using it as NaaE requires combining it with Cisco ISE, and honestly I think the hurdle here is high. Because the cost is not cheap and a careful implementation plan is required, it is not something you can introduce on a trial basis, which makes it difficult to create an opportunity to show its effect.

OVERALL

I think it can be proposed as a one-stop SI solution together with Cisco equipment. However, since there are also similar systems in the OSS world, comparison is required. I think there is a certain advantage in being able to receive Cisco support.


This blog is the English version of my Japanese one.

Sorry if my English sentences are incorrect.
