Prompted by Cisco's acquisition of Lancope, I tried installing and testing Lancope STEALTHWATCH.
The rough flow: obtain an account from Lancope in order to get an evaluation license, then deploy the VM.
The e-mail exchange with US customer support was the most interesting part for me personally, but unfortunately I cannot publish it because I used my company e-mail address...
NaaS / NaaE
Cisco has put forward the idea of using the entire network as a security sensor and as a defense system:
- NaaS (Network as a Sensor)
- NaaE (Network as an Enforcer)
The technical element is running Flexible NetFlow on Catalyst switches, but the idea is to monitor all communication. In this way it attempts to catch threats that cannot be detected by perimeter measures at the entrance and exit. See this article on how to use NetFlow.
http://en-designetwork.hatenablog.com/entry/2016/02/05/020816
What's Lancope STEALTHWATCH?
What kind of company is Lancope, which Cisco has acquired, and what kind of system is STEALTHWATCH? Those topics are covered on Cisco's official website.
Introduction to STEALTHWATCH
Licensing
StealthWatch FlowCollector
Model | Maximum Flows Per Second | Maximum NetFlow Exporters | Maximum Hosts Monitored | Flow Storage Capacity |
---|---|---|---|---|
FlowCollector VE | 30,000 | 1000 | 500,000 | 1 TB |
FlowCollector 1000 | 30,000 | 500 | 250,000 | 1 TB |
FlowCollector 2000 | 60,000 | 1000 | 500,000 | 2 TB |
FlowCollector 4000 | 120,000 | 2000 | 1,000,000 | 4 TB |
StealthWatch Management Console
Model | Maximum FlowCollectors Supported | Flow Storage Capacity |
---|---|---|
StealthWatch Management Console VE | 5 | 1 TB |
StealthWatch Management Console 1000 | 5 | 1 TB |
StealthWatch Management Console 2000 | 25 | 2 TB |
StealthWatch Flow Licenses
License Type |
---|
Flow Collection License - 1000 Flows |
Flow Collection License - 10,000 Flows |
Flow Collection License - 25,000 Flows |
Flow Collection License - 50,000 Flows |
Flow Collection License - 100,000 Flows |
StealthWatch FlowSensor
Model | Traffic Capacity |
---|---|
FlowSensor VE | 1 per ESXi server |
FlowSensor 250 | 100 Mbps |
FlowSensor 1000 | 1 Gbps |
FlowSensor 2000 | 2.5 Gbps |
FlowSensor 3000 | 5 Gbps |
StealthWatch FlowReplicator
Model | Traffic Capacity - Inbound | Traffic Capacity - Outbound |
---|---|---|
FlowReplicator 1000 | 10 KPPS | 20 KPPS |
FlowReplicator 2000 | 20 KPPS | 60 KPPS |
Steps to obtain an evaluation license
- Apply for an evaluation
- Correspond with the person in charge (in the United States)
- Obtain a member site account
- Download the software
- Install the software (VM deployment)
- Register the license
After I entered the required information on the official website, an e-mail came to the registered address, and I conveyed in clumsy English that I wanted an evaluation license. They offered installation support, which I mostly declined... The installation itself had no particular snags, as the manual was thorough.
Peripheral configuration
NetFlow needs to be configured on the network equipment. In my environment I use a Cisco ASA5505 as the NetFlow exporter. See this article for how to set it up.
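To make concrete what a collector actually receives from an exporter such as the ASA above, here is an added Python example (not Lancope's or Cisco's code) that parses NetFlow v5 datagrams, summarises flows per second, exporters and hosts in the same terms as the FlowCollector sizing table earlier on this page, and shows the per-host fan-out view that the NaaS idea relies on. The datagrams, addresses and exporter names are constructed; a real ASA exports NetFlow Secure Event Logging over NetFlow v9, so v5 is used here only because its fixed record layout keeps the parser short.

```python
"""NetFlow v5 collector sketch: parse export datagrams, summarise the load, and
check it against the StealthWatch FlowCollector sizing table from this post.
Added example, not Lancope/Cisco code; all datagrams below are constructed."""
import ipaddress
import struct
from collections import defaultdict

# Sizing figures copied from the FlowCollector table on this page.
FLOWCOLLECTOR_LIMITS = {
    "FlowCollector VE":   {"fps": 30_000,  "exporters": 1000, "hosts": 500_000},
    "FlowCollector 1000": {"fps": 30_000,  "exporters": 500,  "hosts": 250_000},
    "FlowCollector 2000": {"fps": 60_000,  "exporters": 1000, "hosts": 500_000},
    "FlowCollector 4000": {"fps": 120_000, "exporters": 2000, "hosts": 1_000_000},
}

# NetFlow v5 wire format: 24-byte header followed by `count` 48-byte records.
V5_HEADER = struct.Struct("!HHIIIIBBH")             # version, count, uptime, secs, nsecs, seq, engine, sampling
V5_RECORD = struct.Struct("!IIIHHIIIIHHBBBBHHBBH")  # src, dst, nexthop, ifaces, pkts, bytes, first, last, ports, ...


def parse_v5(datagram):
    """Return (unix_secs, flows) for one NetFlow v5 datagram.

    Malformed input raises ValueError: a collector should drop it rather than
    guess, since a truncated or spoofed export would otherwise skew the counts."""
    if len(datagram) < V5_HEADER.size:
        raise ValueError("datagram shorter than a v5 header")
    version, count, _uptime, unix_secs, *_ = V5_HEADER.unpack_from(datagram)
    if version != 5:
        raise ValueError(f"unsupported NetFlow version {version}")
    if len(datagram) != V5_HEADER.size + count * V5_RECORD.size:
        raise ValueError("record count does not match datagram length")
    flows = []
    for i in range(count):
        r = V5_RECORD.unpack_from(datagram, V5_HEADER.size + i * V5_RECORD.size)
        flows.append({"src": str(ipaddress.IPv4Address(r[0])),
                      "dst": str(ipaddress.IPv4Address(r[1])),
                      "packets": r[5], "bytes": r[6],
                      "sport": r[9], "dport": r[10], "proto": r[13]})
    return unix_secs, flows


def is_valid_v5(datagram):
    """True when parse_v5 accepts the datagram, False when it would be dropped."""
    try:
        parse_v5(datagram)
        return True
    except ValueError:
        return False


def build_v5(unix_secs, flows, seq=0):
    """Encode (src, dst, sport, dport, proto) tuples as a v5 datagram.
    Used only to construct sample input; a real exporter (ASA, Catalyst) produces these."""
    header = V5_HEADER.pack(5, len(flows), 0, unix_secs, 0, seq, 0, 0, 0)
    body = b"".join(
        V5_RECORD.pack(int(ipaddress.IPv4Address(s)), int(ipaddress.IPv4Address(d)),
                       0, 1, 2, 10, 1500, 0, 1000, sp, dp, 0, 0x18, pr, 0, 0, 0, 24, 24, 0)
        for s, d, sp, dp, pr in flows)
    return header + body


def summarise(datagrams):
    """Ingest (exporter, datagram) pairs and return the figures a collector is
    sized against, plus per-source fan-out (distinct dst/port pairs). That fan-out
    is the whole-network view NaaS relies on: one host reaching many internal
    targets stands out in flow data even though no perimeter device saw it."""
    total, hosts, times = 0, set(), []
    fanout = defaultdict(set)
    for _exporter, dg in datagrams:
        secs, flows = parse_v5(dg)
        times.append(secs)
        total += len(flows)
        for f in flows:
            hosts.update((f["src"], f["dst"]))
            fanout[f["src"]].add((f["dst"], f["dport"]))
    span = max(times) - min(times) + 1   # +1 so a one-second sample still yields a rate
    return {"flows": total,
            "flows_per_second": total / span,
            "exporters": len({e for e, _ in datagrams}),
            "hosts": len(hosts),
            "fanout": {src: len(t) for src, t in fanout.items()}}


def fits(model, summary):
    """True when the observed load is within the table limits for `model`."""
    lim = FLOWCOLLECTOR_LIMITS[model]
    return (summary["flows_per_second"] <= lim["fps"]
            and summary["exporters"] <= lim["exporters"]
            and summary["hosts"] <= lim["hosts"])


# Constructed sample: two exporters, three seconds of exports (documentation addresses).
SAMPLE = [
    ("192.0.2.1", build_v5(1_700_000_000, [("10.0.0.5", "203.0.113.10", 51000, 443, 6),
                                           ("10.0.0.6", "203.0.113.20", 51001, 80, 6)])),
    ("192.0.2.2", build_v5(1_700_000_001, [("10.0.0.7", "10.0.0.5", 40000, 22, 6),
                                           ("10.0.0.7", "10.0.0.6", 40001, 22, 6),
                                           ("10.0.0.7", "10.0.0.8", 40002, 445, 6)])),
    ("192.0.2.1", build_v5(1_700_000_002, [("10.0.0.5", "203.0.113.10", 51002, 443, 6)], seq=2)),
]

if __name__ == "__main__":
    s = summarise(SAMPLE)
    print(s)
    for model in FLOWCOLLECTOR_LIMITS:
        print(model, "ok" if fits(model, s) else "over capacity")
```

Running the block prints the summary and then checks each FlowCollector model from the table against it; the length and version checks in parse_v5 are the part worth keeping in any real collector, because a flow record count that disagrees with the datagram length is exactly the kind of input that should be dropped rather than parsed optimistically.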
Impressions of STEALTHWATCH
This time, because the license had already been applied to my workplace environment, I could not apply for a license at home. The Web and Java interfaces look like this.
[Screenshot: Web interface]
[Screenshot: Java client]
The Java client allows full-featured traffic analysis, while the Web access impressively focuses on displaying only the important points. That said, even in the Web UI you can create and run a Flow Query to display NetFlow data. Being accessible via the Web is important when sharing the system within the company, so I rate it highly.
ISE integration
Using it as NaaE requires combining it with Cisco ISE, and honestly I think the hurdle here is high. Since it is not cheap and requires a careful implementation plan, it is not something you can introduce just to try out, which makes it hard to create a chance to show its effect.
OVERALL
I think it can be proposed as a one-stop SI offering together with Cisco equipment. However, since similar systems also exist in OSS, a comparison is needed. Being able to receive Cisco support is a definite advantage.