Cisco StealthWatch License
Cisco StealthWatch introduction
Cisco Stealthwatch watches the network for anomalies in its traffic. It does not analyze packet payloads; only packet headers are inspected, so encryption of the payload is not an obstacle. Because only the header is examined, Stealthwatch can cover far more traffic with far less CPU than full packet inspection would need.
Security must be multi-layered. Cisco Stealthwatch is not a stand-alone security solution; it should be one part of a larger architecture that also uses tools such as the Cisco Firepower NGFW.
Stealthwatch is deployed as an additional appliance on the network. The firewall continues to protect the network against external threats.
In practice, a firewall or a switch exports Layer 3 flow data to Stealthwatch. Stealthwatch identifies suspicious traffic, raises an alarm and can take action on it.
The largest Stealthwatch system can analyze up to 600,000 flows per second from 10,000 devices, and it scales more readily than competing systems. A flow is a single conversation between two network devices: when a large file is uploaded it is split into many packets, but they all belong to one flow. A TCP FIN, or an inactivity timeout, marks the end of the conversation.
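To make that flow definition concrete, here is an added example (not Stealthwatch code and not a Cisco algorithm) that groups packet headers into conversations keyed on both endpoints plus the protocol, closes a TCP flow once both sides have sent FIN, and retires any flow after a period of silence. Only header fields are consulted, never the payload. The packet capture is constructed inline and the 15 second inactivity timeout is an assumed value, not a Cisco default.

```python
"""Build flows from packet headers (added example; not Stealthwatch code).

A flow is one conversation between two endpoints, so both directions of a
TCP/UDP exchange share a key.  Only header fields are consulted, never the
payload, which is why encryption does not hinder this kind of analysis.
A TCP flow ends when both sides have sent FIN; any flow ends after a period
of inactivity.  The 15 s timeout is an assumed value, not a Cisco default.
"""
from dataclasses import dataclass, field

INACTIVE_TIMEOUT = 15.0   # seconds of silence that terminates a flow (assumed)
TCP = 6
FIN = 0x01                # TCP FIN flag bit


@dataclass
class Flow:
    key: tuple            # ((ip, port), (ip, port), proto), endpoints sorted
    first_seen: float
    last_seen: float
    packets: int = 0
    octets: int = 0
    tcp_flags: int = 0    # OR of all flags seen, as a NetFlow record reports it
    fin_from: set = field(default_factory=set)
    end_reason: str = ""  # "fin", "timeout" or "open"


def flow_key(pkt):
    """Direction-independent key so A->B and B->A land in the same flow."""
    a = (pkt["src"], pkt["sport"])
    b = (pkt["dst"], pkt["dport"])
    return (min(a, b), max(a, b), pkt["proto"])


def build_flows(packets, timeout=INACTIVE_TIMEOUT):
    """packets: header dicts sorted by timestamp.  Returns every flow seen,
    each tagged with why (or whether) it ended."""
    active, finished = {}, []
    for pkt in packets:
        ts = pkt["ts"]
        # Idle flows are retired before the new packet is processed.
        for key in [k for k, f in active.items() if ts - f.last_seen > timeout]:
            flow = active.pop(key)
            flow.end_reason = "timeout"
            finished.append(flow)
        key = flow_key(pkt)
        flow = active.get(key)
        if flow is None:
            flow = active[key] = Flow(key, ts, ts)
        flow.last_seen = ts
        flow.packets += 1
        flow.octets += pkt["length"]
        flags = pkt.get("tcp_flags", 0)
        flow.tcp_flags |= flags
        if pkt["proto"] == TCP and flags & FIN:
            flow.fin_from.add((pkt["src"], pkt["sport"]))
            # Both sides have said goodbye: the conversation is over.  (A real
            # collector also absorbs the final ACK; that is omitted here.)
            if len(flow.fin_from) == 2:
                active.pop(key)
                flow.end_reason = "fin"
                finished.append(flow)
    for flow in active.values():       # still running when the capture ended
        flow.end_reason = "open"
        finished.append(flow)
    return finished


def pkt(ts, src, sport, dst, dport, proto, length, tcp_flags=0):
    """Header-only packet record used to construct the sample capture."""
    return dict(ts=ts, src=src, sport=sport, dst=dst, dport=dport,
                proto=proto, length=length, tcp_flags=tcp_flags)


# Constructed capture: an HTTPS upload split across several packets and closed
# with FINs from both sides, a DNS exchange that simply goes quiet, and a late
# NTP packet that arrives after the DNS flow has timed out.
SAMPLE_PACKETS = [
    pkt(0.00, "10.0.0.5", 51000, "203.0.113.10", 443, TCP, 60, 0x02),     # SYN
    pkt(0.02, "203.0.113.10", 443, "10.0.0.5", 51000, TCP, 60, 0x12),     # SYN/ACK
    pkt(0.03, "10.0.0.5", 51000, "203.0.113.10", 443, TCP, 1500, 0x18),   # PSH/ACK, data
    pkt(0.04, "10.0.0.5", 51000, "203.0.113.10", 443, TCP, 1500, 0x18),
    pkt(0.05, "10.0.0.5", 51000, "203.0.113.10", 443, TCP, 900, 0x18),
    pkt(0.06, "203.0.113.10", 443, "10.0.0.5", 51000, TCP, 60, 0x10),     # ACK
    pkt(0.10, "10.0.0.5", 40000, "192.168.1.53", 53, 17, 70),             # DNS query
    pkt(0.11, "192.168.1.53", 53, "10.0.0.5", 40000, 17, 130),            # DNS answer
    pkt(0.20, "10.0.0.5", 51000, "203.0.113.10", 443, TCP, 60, 0x11),     # FIN/ACK
    pkt(0.21, "203.0.113.10", 443, "10.0.0.5", 51000, TCP, 60, 0x11),     # FIN/ACK
    pkt(30.0, "10.0.0.5", 52000, "198.51.100.7", 123, 17, 90),            # NTP, much later
]

if __name__ == "__main__":
    for f in build_flows(SAMPLE_PACKETS):
        (ip_a, port_a), (ip_b, port_b), proto = f.key
        print(f"{ip_a}:{port_a} <-> {ip_b}:{port_b} proto={proto} "
              f"packets={f.packets} octets={f.octets} end={f.end_reason}")
```

Run stand-alone, the eight HTTPS packets collapse into one 4200-octet flow ended by FIN, the DNS pair becomes a flow ended by timeout when the NTP packet arrives 30 seconds later, and the NTP flow is reported as still open.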
Reasons to Use Cisco Stealthwatch
- Stealthwatch is scalable and can process large volumes of traffic.
- Stealthwatch is not only a security tool; it gives network administrators complete visibility of the network.
- The network is monitored continuously, so traffic that has already passed the NGFW, and purely internal traffic, is still inspected.
- With Encrypted Traffic Analytics, encrypted traffic can also be checked for compliance with standards such as PCI and HIPAA.
Stealthwatch System Components
- Stealthwatch Management Console
This is the heart of the system and controls the other components. The SMC analyzes the flow data collected by the other components, establishes a baseline over up to 7 days, and reports any anomalies that fall outside that baseline; alerts are also raised for threats and attacks that occur before and after the baseline is established. Administrators can run reports from the console to see what was done, when and by whom, and can define custom policies that watch for activity outside company policy. Patching and updating are performed via the SMC. Finally, the SMC integrates with Cisco ISE and Microsoft Active Directory, which allows alerts to be linked to users.
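As an added illustration of the baseline idea (not the SMC's own algorithm), the following computes a 7-day baseline of daily traffic per host, flags a day that falls outside it, and separately enforces a fixed limit of the kind a custom policy would define. The daily byte counts are constructed, and the 3-sigma tolerance and the 5% floor are assumed tuning values.

```python
"""Baseline a host's daily traffic and report deviations (added illustration of the
concept; not the SMC's actual algorithm).  Totals are in megabytes and are
constructed; the 3-sigma tolerance and the 5% floor are assumed tuning values."""
from statistics import mean, pstdev

BASELINE_DAYS = 7


def baseline(history):
    """Mean and population standard deviation of the most recent 7 daily totals."""
    window = history[-BASELINE_DAYS:]
    if len(window) < BASELINE_DAYS:
        raise ValueError(f"need {BASELINE_DAYS} days of history, have {len(window)}")
    return mean(window), pstdev(window)


def evaluate(history, today, tolerance=3.0, policy_limit=None):
    """Return (kind, detail) alerts for one host's traffic today.

    'anomaly' means today is outside the learned baseline; 'policy' means a
    fixed, administrator-defined limit was exceeded regardless of the baseline."""
    mu, sigma = baseline(history)
    # A perfectly flat week gives sigma 0; the floor stops trivial changes from alerting.
    spread = max(sigma, 0.05 * mu)
    alerts = []
    if today > mu + tolerance * spread:
        alerts.append(("anomaly", f"{today} MB today vs baseline {mu:.0f} MB (+/- {sigma:.0f})"))
    if policy_limit is not None and today > policy_limit:
        alerts.append(("policy", f"{today} MB exceeds fixed limit of {policy_limit} MB"))
    return alerts


# Constructed history: seven daily totals per host, in MB.
HISTORY = {
    "10.0.0.5": [2100, 1900, 2300, 2000, 2200, 1800, 2100],   # ordinary workstation
    "10.0.0.9": [500] * 7,                                    # very steady server
}
TODAY = {"10.0.0.5": 9500, "10.0.0.9": 540}   # 10.0.0.5 suddenly moves ~4.5x its norm

if __name__ == "__main__":
    for host, history in HISTORY.items():
        for kind, detail in evaluate(history, TODAY[host], policy_limit=5000):
            print(f"{host}: {kind}: {detail}")
```

With these inputs the workstation trips both the learned baseline and the fixed 5000 MB policy limit, while the steady server's 8% bump stays under the floor and produces nothing.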
SMC Capacities and Requirements
- Stealthwatch Flow Collector
Layer 3 network devices first send their flow data to the Flow Collector, which processes the raw records, cleans and organizes them, and then forwards them to the SMC to be analyzed and correlated with other flows.
- Stealthwatch Flow Sensor
Similar to the Flow Collector, except that the Flow Sensor can also analyze the Layer 2 frames and packets exchanged between hosts. Sensors are connected to SPAN ports. SPAN (Switched Port Analyzer) makes an exact copy of every frame transmitted or received on specified ports or VLANs and sends the copies out of the SPAN port to an IDS sensor, a host running Wireshark or a Stealthwatch Flow Sensor. The sensor then forwards the relevant flow data to the SMC.
- Stealthwatch UDP Director
The UDP Director has two jobs. The first is data aggregation: flow data collected from multiple exporters is sent on to the Flow Collector as a single stream. The second is flow sharing: the same flow data can be replicated to multiple destinations, such as SolarWinds, Cisco Prime and Cisco Stealthwatch.
Stealthwatch Data Storage
Advanced Features of Stealthwatch
Stealthwatch is more than a NetFlow analyzer. It records both private and public addresses, and because some public IP addresses are untrustworthy (malware distribution sites, command-and-control servers, ransomware infrastructure), the SMC checks the reputation of each public address and raises an alert when one points to a known-suspicious server.
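The Flow Collector described earlier ingests exactly this kind of exporter output, and the public-address check above operates on the addresses in the decoded records. The following added example (not Cisco code) decodes a NetFlow v5 export datagram and then flags any record whose outside peer appears on a reputation list. The inside address ranges stand in for the SMC's host-group configuration and the single suspicious entry stands in for a threat-intelligence feed; both, and the datagram itself, are constructed here so the script runs offline.

```python
"""Decode a NetFlow v5 export as a flow collector would, then check the public
("outside") peer of each record against a reputation list.

Added example, not Cisco code.  The inside address ranges and the suspicious
address list are assumptions standing in for the SMC's host-group configuration
and a threat-intelligence feed; the datagram is constructed so this runs offline.
"""
import ipaddress
import struct

V5_HEADER = struct.Struct("!HHIIIIBBH")                # 24-byte header
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")   # 48-byte flow record

# Assumed "inside" networks; anything else is treated as a public peer.
INSIDE = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed reputation list (stand-in for a threat-intelligence feed).
SUSPICIOUS = {ipaddress.ip_address("203.0.113.66"): "known command-and-control server"}


def parse_netflow_v5(datagram):
    """Return header fields plus decoded records, or raise ValueError if the
    datagram is not a well-formed v5 export."""
    if len(datagram) < V5_HEADER.size:
        raise ValueError("datagram shorter than a v5 header")
    (version, count, _sys_uptime, unix_secs, _unix_nsecs,
     sequence, _engine_type, engine_id, sampling) = V5_HEADER.unpack_from(datagram, 0)
    if version != 5:
        raise ValueError(f"not NetFlow v5 (version={version})")
    if len(datagram) < V5_HEADER.size + count * V5_RECORD.size:
        raise ValueError(f"truncated datagram: header promises {count} records")
    records = []
    for i in range(count):
        (src, dst, _nexthop, _in_if, _out_if, pkts, octets, first, last,
         sport, dport, _pad1, tcp_flags, proto, _tos, _src_as, _dst_as,
         _src_mask, _dst_mask, _pad2) = V5_RECORD.unpack_from(
            datagram, V5_HEADER.size + i * V5_RECORD.size)
        records.append({
            "src": ipaddress.IPv4Address(src), "dst": ipaddress.IPv4Address(dst),
            "sport": sport, "dport": dport, "proto": proto,
            "packets": pkts, "octets": octets, "tcp_flags": tcp_flags,
            "duration_ms": last - first,     # first/last are sysUptime values in ms
        })
    return {"sequence": sequence, "engine_id": engine_id, "sampling": sampling,
            "exported_at": unix_secs, "records": records}


def is_inside(addr):
    return any(addr in net for net in INSIDE)


def public_peer_alerts(records, watch_list=SUSPICIOUS):
    """Flag records whose outside peer appears on the watch list."""
    alerts = []
    for rec in records:
        for peer in (rec["src"], rec["dst"]):
            if not is_inside(peer) and peer in watch_list:
                inside = rec["dst"] if peer == rec["src"] else rec["src"]
                alerts.append({"inside": inside, "peer": peer, "dport": rec["dport"],
                               "octets": rec["octets"], "reason": watch_list[peer]})
    return alerts


def make_record(src, dst, sport, dport, proto, pkts, octets, first, last, flags=0):
    """Pack one v5 record; used only to construct the sample datagram."""
    return V5_RECORD.pack(ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed,
                          b"\x00" * 4, 1, 2, pkts, octets, first, last, sport, dport,
                          0, flags, proto, 0, 0, 0, 24, 24, 0)


SAMPLE_RECORDS = [
    make_record("10.0.0.5", "203.0.113.66", 51000, 443, 6, 12, 9000, 1000, 1450, 0x1B),
    make_record("10.0.0.5", "192.168.1.53", 40000, 53, 17, 1, 70, 1200, 1200),
    make_record("10.0.0.9", "198.51.100.7", 33000, 80, 6, 30, 20000, 900, 2400, 0x1B),
]
# Constructed export: version 5, three records, sequence 42, engine id 1, unsampled.
SAMPLE_DATAGRAM = (V5_HEADER.pack(5, len(SAMPLE_RECORDS), 123456, 1700000000, 0, 42, 0, 1, 0)
                   + b"".join(SAMPLE_RECORDS))

if __name__ == "__main__":
    parsed = parse_netflow_v5(SAMPLE_DATAGRAM)
    for rec in parsed["records"]:
        print(f'{rec["src"]}:{rec["sport"]} -> {rec["dst"]}:{rec["dport"]} '
              f'proto={rec["proto"]} octets={rec["octets"]}')
    for alert in public_peer_alerts(parsed["records"]):
        print("ALERT", alert)
```

Of the three constructed records only the HTTPS session to 203.0.113.66 is flagged: the DNS record is inside-to-inside and is never reputation-checked, and 198.51.100.7 is outside but not on the list. Rejecting a truncated datagram before unpacking records matters in a collector because a malformed export must not take the ingest path down.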
Stealthwatch does not rely on traditional signature databases or pattern files to inspect threats; instead it uses the threat intelligence service provided by Cisco Talos.
Cisco Talos is Cisco's threat intelligence group. It includes full-time researchers, decoy systems and traps that gather intelligence, and it updates a cloud-based database every 15 minutes that Cisco security devices use for attack mitigation.
Encrypted Traffic Analytics
As encryption becomes more common, attackers also use it to evade firewall inspection. Cisco has introduced Encrypted Traffic Analytics (ETA), which can detect threats in encrypted traffic without decrypting it, and Cisco Stealthwatch is able to analyze ETA data. Currently the Cisco Catalyst 9000 series switches, ISR 1000 and ISR 4000 routers, CSR 1000v cloud router, ASR 1000 router and Catalyst 9800 series wireless controllers support ETA.
Beyond Network Security
Cisco Stealthwatch also provides the following features:
- Monitoring Tools
  - Utilization statistics are collected
  - Congested links can be closely monitored
  - Nodes using excessive bandwidth can be pinpointed
  - Applications in use can be identified
  - QoS policies can be better tuned
  - Unauthorized applications can be discovered
- Network Auditing Tools
  - Large amounts of historical data are stored
  - The stored data contributes to forensic investigations