StealthWatch FlowSensor AE Named to Network World's Products of the Week

Lancope’s StealthWatch FlowSensor AE is featured in Network World’s Products of the Week, a round-up of the week’s most intriguing new products.  You can access the slide show at http://www.nwwsubscribe.com/slideshows/2009/110909-products-of-the-week.html.  Scroll to slide 14 of 21 to see StealthWatch FlowSensor AE. 

Network Computing Reviews StealthWatch FlowSensor AE

Lancope Goes With The Flow
Posted by Mike Fratto on November 9, 2009

 

In the world of application performance management and network security monitoring, visibility is key. If you can't detect it, you can't do anything about it. That is why networks are populated with probes, taps and in-line sensors. Lancope, in addition to a system wide software upgrade, announced a new probe, the FlowSensory AE, that collects Netflow v9 records and sends them to a collector for collection and analysis. In addition, Lancope has extended Netflow v9 with additional fields that the StealthWatchXE collects outside of the normal flow data such as addresses, ports and byte counts...

Read more at http://www.networkcomputing.com/data-center/lancope-goes-with-the-flow.php

Lancope Delivers StealthWatch FlowSensor AE, Extending NetFlow for Response Time Management, Reduced Mean Time to Resolution and Cost-effective Network Visibility

~StealthWatch System 5.10 Upgrade Introduces New Appliance,Improves Network Performance and Security Monitoring~

ATLANTA, November 9, 2009 – Lancope®, Inc., the provider of the StealthWatch® System, the Best in NetFlow™ Analysis (http://www.lancope.com/news/08052008.aspx) and the leader in flow-based network performance and security monitoring for unified visibility across physical and virtual networks, today announced the StealthWatch FlowSensor AE appliance, a core component of the StealthWatch version 5.10 upgrade, which delivers flow-based Response Time Management (RTM) and comprehensive visibility of network and server performance metrics at one-third of the cost of traditional technologies. Building upon its strength in NetFlow analysis, StealthWatch version 5.10 introduces the appliance, new features and enhanced capabilities that continue to extend network visibility, improve Mean Time to Resolution (MTTR) and deliver actionable security and network intelligence to reduce total network and security management costs.

“Both network and security management professionals understand the value and utility of NetFlow within their respective domains; however, additional types of management data have still been needed to fully address the day-to-day tasks which differ between those teams,” said Jim Frey, research director for Enterprise Management Associates. “Lancope has now augmented their deep expertise in NetFlow analysis with additional new data types, in this case response times, progressing their StealthWatch solution into a practical common platform which can leverage the technological similarities between network security and performance management while addressing the unique needs of each.”

StealthWatch version 5.10 includes:
• StealthWatch FlowSensor AE
As the newest addition to the StealthWatch product family, the StealthWatch FlowSensor AE extends StealthWatch’s visibility into areas of the network that lack flow data or where traditional Ethernet sensor technology is cost prohibitive. The StealthWatch FlowSensor AE translates Ethernet communications into lightweight “flow records” which are sent to the StealthWatch Flow Collectors for detailed analysis. By delivering flow-by-flow visibility, StealthWatch provides network and server performance metrics, including connection information such as Round Trip Time (RTT), Server Response Time (SRT) and Retransmission Ratio (RT%).

Help desk, network operators and security analysts use context-rich network intelligence from StealthWatch to detect, diagnose, verify and manage network and server performance and security issues in real-time. By easily distinguishing between network and server root cause, StealthWatch dramatically improves Mean Time to Resolution (MTTR) of network and server response time issues. Operating as the single dashboard of actionable security and network intelligence to support global community of IT users, StealthWatch reduces total network and security management costs. Learn more about this appliance at http://www.lancope.com/downloads/StealthWatchFlowSensorAE.pdf.

• Enhanced Virtual Network Visibility
In this version, StealthWatch deepens its ability to monitor physical and virtual networks. StealthWatch expands on its support of VMware vSphere and delivers enhanced visibility into the virtual network. The StealthWatch FlowSensor VE now provides immediate notification of Virtual Machine (VM) instantiation and when VMs move between VM servers. By improving VM accounting and VM tracking, StealthWatch enables more intelligent decision support for source and destination server provisioning as well as network capacity planning. With the introduction of RTM capabilities for both physical and virtual networks, StealthWatch easily distinguishes between network and server root cause, whether communications are within the same VM server or across different physical servers.

• More Forensics, Broader Compliance Support
StealthWatch version 5.10 extends network visibility down to the host level through OS Fingerprinting and packet data. Capitalizing on the system’s superior NetFlow analysis capabilities, the StealthWatch FlowSensor AE and VE devices now captures critical portions of the packet payload for broader host context, better forensic details and more demonstrable compliance. Filling a critical void in network performance and security monitoring, StealthWatch identifies and prioritizes suspicious network communications that are indicative of botnets, worms, policy violations and misconfigured network devices. Presented in a single, customizable dashboard, StealthWatch enables drill down analysis of extensive network intelligence to access granular data to aid forensic incident investigation.

• Improved Traffic Visualization and Reporting
StealthWatch provides a wealth of network intelligence for unmatched contextual awareness of network, server and host activity. In this release, StealthWatch introduces capabilities and reports that facilitate ease-of-use and improve MTTR. One powerful new capability is the one-click QuickView feature that graphically displays host conversations, which are detailed in the Flow Table report. This simple but effective visualization of individual flows greatly improves usability and provides immediate access to the most relevant data for faster troubleshooting.

In addition, StealthWatch now offers the Network and Server Performance report which graphically displays RTT, SRT and RT%. This type of data presentation not only enables users to easily distinguish between network and server root case when troubleshooting network performance issues, but also increases staff productivity through quick diagnosis and resolution of end-user performance complaints.

“As a pioneer of NetFlow analysis, Lancope continues to maximize customers’ IT investments by leveraging flow data from the IT infrastructure to deliver cost-effective network performance and security monitoring,” said Harland LaVigne, president and CEO of Lancope. “The StealthWatch FlowSensor AE builds on our NetFlow expertise to extend low-cost, high-value visibility throughout the network. Our proven flow-based approach appeals to enterprises seeking a flexible, scalable alternative to traditional probe-based technologies.”

Join Enterprise Management Associates and Lancope for a joint webinar titled “Two Birds, One Stone:  NetFlow for Network Security & Performance Monitoring” at 11 a.m. ET on Tuesday, November 17. Register for this free event at http://www.lancope.com/news/webinars/.

Availability & Pricing
StealthWatch FlowSensor AE and the StealthWatch version 5.10 are now shipping. Introductory pricing for the StealthWatch FlowSensor AE begins at US $6,995. Current customers can contact their account manager or Lancope Customer Care for upgrades at support@lancope.com. For more information, contact Lancope at sales@lancope.com.

About Lancope

Lancope®, Inc. is the leader in NetFlow Analysis and the provider of the StealthWatch® System for flow-based network performance and security monitoring. Delivering unified visibility across physical and virtual networks, StealthWatch eliminates network blind spots and reduces total network and security management costs. Both OPSEC and Common Criteria-certified, StealthWatch monitors the networks of Global 2000 organizations, academic institutions and government entities worldwide. Lancope also partners with fellow best-of-breed solution providers through its Technology Alliance Program, which includes Cisco Systems, Brocade, Blue Coat, VMware, IBM Tivoli, Check Point, TippingPoint, ArcSight and A10 Networks. Lancope is a privately held, venture-backed company headquartered in Atlanta, Georgia. For more information, visit www.lancope.com.

# # #

©2009 Lancope, Inc. All rights reserved. Lancope, StealthWatch, and other trademarks are registered or unregistered trademarks of Lancope, Inc. All other trademarks are properties of their respective owners. StealthWatch is covered by U.S. Patent Nos. 7,290,283; 7,185,368; 7,475,426 and other U.S. and foreign patents pending.

Firewall rules required by StealthWatch 5.10

If you're installing a new StealthWatch System you should be aware that firewall rules might need to be updated to support communications between various StealthWatch components. The diagram below shows the various interconnections present in the 5.10 release of the StealthWatch System...

Here's a table that reflects the diagram above...

NOTE1: If you have purchased a redundant StealthWatch Management Console (SMC) you'll want to copy the primary SMC's firewalls rules over to the secondary. They have almost identical communication requirements. The primary and secondary SMCs should have TCP/443 available in both directions between the two.

NOTE2: UDP/2055 is the most commonly used port for NetFlow but can be (and often is) changed to some other >1024 UDP port.

So why is StealthWatch so scalable?

If you look through our marketing literature and/or past Webinars you'll see "scalability" come up a lot as a key differentiator of the Stealthwatch system. Here are a few numbers and a diagram:

Number of collectors per StealthWatch System:                 up to 25
NetFlow records per second per collector (sustained):         up to 40,000 (hourly average)
NetFlow records per second per collector (burstable):         up to 220,000
Number of unique NetFlow sources per collector:               up to 1000
Number of unique hosts baselined per collector:               up to 1,000,000
Number of simultaneous stateful bi-flows:                     up to 2,000,000
Flow storage per collector:                                   up to 1.8TB
 

In the NetFlow world, the primary indication of deployment size is the volume of unique NetFlow events being processed by the flow collector. Each of the StealthWatch Xe appliances can process tens of thousands of flow events per second from hundreds of unique NetFlow sources while stitching and deduplicating flow events. While some other systems may claim higher fps rates, they aren't deduplicating so their claims really don't count for much. If you're serious about security analysis of NetFlow data, you must deduplicate the incoming flows (see this post for more details on StealthWatch deduplication). Also, unlike some other NetFlow collection systems, the number of interfaces has no impact on licensing and only a small impact on performance.

Here's the top 3 contributors reasons we're so fast at flow processing...

1. Patented "flow-stitching" technology

As flows are received by the collector they are deduplicated and assembled into bi-directional, memory resident flows similar to that found in a stateful firewall. For each flow a client and server is determined. This helps reduce the amount of disk space taken up by flow records and is key to detecting network anomalies. The flow-stitching process is based on Dr. John Copeland's early flow analysis work at Georgia Tech and is very fast.

2. Distributed flow collection system

You can have up to 25 independent flow collectors in a single StealthWatch System. Each collector supports up to 1000 routers and up to 40,000 fps sustained (hourly average). As your flow volume increases you just buy more collectors.

3. Appliance-based product line

Many NetFlow collection products require that you supply the server, OS, and database. Lancope provides everything you need in a turnkey network appliance. All you have to do is take the device out of the box, give it an IP, and begin sending flows. Since we have full control over the platform, we can tune the flow database and collector OS in a way that works best for collecting high speed / high volume UDP datagrams.
 

Simplify Syslog Distribution and Collection Webinar now available!

Hi all, the Webinar we hosted yesterday is now available for download here. You'll have to register but it's well worth it if your interested in syslog replication and/or flow management using the StealthWatch Flow Replicator.

BTW:  This Webinar is really short... only 35 minutes or so.

If you just want the Presentation you can grab the PDF version from this link:

Download Syslog Flow Replicator Webinar Oct 2009 

About Lancope's NetFlow deduplication technology

I've mentioned NetFlow "deduplication" in a few other blog posts but never really stopped to explain what it is and how it works. I'm not going to give away too much here as the technical details of how this technology works is a closely guarded Lancope secret (become a customer and I'll explain it in detail!) but I will describe what it does and why you need it.

COMMON QUESTION: "Why do I need to deduplicate NetFlow?"

Take this simplified diagram as an example...

                                  

We see that packets traveling from 10.1.1.1 to 10.2.2.2 must traverse R1 > R2 > R3. Most customers want to enable NetFlow in as many places as possible to ensure complete visibility so it's fair to assume each of the three routers shown here will have NetFlow enabled. This means that the collector will see three of the same NetFlow record. If the flows represent a SYN Flood then we would triple report the magnitude of the attack.

We would also triple report the by count between 10.1.1.1 and 10.2.2.2. This means that systems lacking NetFlow deduplication must either:

1. misreport the attack traffic volumes or
2. force the user to select a specific router when analyzing traffic between the two hosts 

Neither of these options are very appealing. The StealthWatch system has built-in deduplication technology that automatically selects the "best exporter" for a given SRC_IP > DST_IP pair. This method involves a combination of several techniques including analysis of the NetFlow NEXT_HOP, NetFlow v9 TTL data, and flow counting on a per interface/per host basis. The result is that

                                  
Note: Even though we are deduplicating flows, we do not throw away the original exporters that contributed to a given bi-flow. For each StealthWatch bi-flow we track each router/interface that contributed but maintain a single deduplicated count for bytes/packets/etc. The screenshot below (from StealthWatch 5.10) show a Quick View'ed flow. 

The byte and packet counts are deduplicated...

...even though the list of "Interfaces" contains 3 different entries...

Neat huh?

In short: deduplicated NetFlow lets you think about the network and its hosts without having to worry about where on the network your observing the traffic.

StealthWatch by Lancope Certified as an RSA Secured® Partner

Interoperability Partnership Enables Joint Customers to Gain Network Visibility, Accelerate Incident Response and Facilitate Network Troubleshooting

ATLANTA, October 26, 2009 – Lancope®, Inc., the provider of the StealthWatch® System, the Best in NetFlow Analysis and the most widely used network behavior analysis (NBA) solution for unified visibility across physical and virtual networks, today announced that that it has joined the RSA Secured® Partner Program to certify interoperability between StealthWatch and the RSA enVision® platform from RSA, The Security Division of EMC (NYSE: EMC). This certification signifies that a technical interoperability partnership has been established to increase security and optimize IT and network operations for joint customers.

"As networks continue to grow in size and complexity, it becomes increasingly important for organizations to gain network visibility without adding significant cost or complicating deployment,” said Harland LaVigne, president and CEO of Lancope. “Utilizing flow data from routers and switches delivers vital, cost-effective visibility and contextual awareness of network incidents. Through the technical interoperability of StealthWatch with RSA enVision, we are providing joint customers with a best of breed approach that not only delivers comprehensive visibility, but also helps to improve security, accelerate incident response and facilitate network troubleshooting.” 

Leveraging NetFlow™, sFlow® and packet capture, StealthWatch combines flow-based anomaly detection and network performance monitoring into a single, integrated enterprise platform for security and network operations. By delivering unified visibility across physical and virtual networks, StealthWatch eliminates network blind spots and reduces total network and security management costs.

The RSA enVision platform is designed to give organizations a single, integrated 3-in-1 log management solution for Security Information and Event Management to simplify compliance; enhance the efficiency and effectiveness of security operations and risk mitigation; and optimize IT and network operations. The RSA enVision platform provides automated collection, analysis, alerting, auditing, reporting and storage of IT log data.

“We are pleased that Lancope is now certified with RSA enVision through the RSA Secured partner program and available to joint customers. Working with Lancope, we can further meet unique needs of the enterprise with a security information and event management platform that is now easily interoperable with a leading network behavior analysis solution,” said D.J. Long, Senior Director, Corporate Development at RSA.

About Lancope
Lancope®, Inc. is the leader in NetFlow Analysis and the provider of the StealthWatch® System, the most widely used network behavior analysis (NBA) solution combines flow-based anomaly detection and network performance monitoring. Delivering unified visibility across physical and virtual networks, StealthWatch eliminates network blind spots and reduces total network and security management costs. StealthWatch streamlines security, network and virtual monitoring into one process, reduces time and resources, and eliminates the costs and complexity associated with non-integrated point products. Both OPSEC and Common Criteria-certified, StealthWatch received the Global Excellence Award in NBA for the past three consecutive years. Defending the networks of Global 2000 organizations, academic institutions and government entities, StealthWatch protects hundreds of enterprise customers worldwide. Lancope is a privately held, venture-backed company headquartered in Atlanta, Georgia. For more information, visit www.lancope.com.

About the RSA Secured Partner Program
The RSA Secured Partner Program is one of the largest and longest-running technology alliance programs of its type, bringing over 1,000 complementary solutions across more than 300 organizations together. RSA SecurID®, RSA® Access Manager, RSA® Adaptive Authentication, RSA® Digital Certificate Solutions, RSA® Hybrid Authenticators, RSA® enVision, RSA® Federated Identity Manager and RSA® Key Manager Suite certification programs bring added assurance to customers that their solutions are certified as interoperable to help them achieve faster time to deployment and lower overall cost of ownership. The RSA Secured Partner Program reflects RSA’s commitment to driving inventive collaboration across the industry and support standards-based interoperability with its information-centric security solutions to help protect information, identities and infrastructures. For more information, please visit www.rsa.com/rsasecured. 

# # #

©2009 Lancope, Inc. All rights reserved. Lancope, StealthWatch, and other trademarks are registered or unregistered trademarks of Lancope, Inc. All other trademarks are properties of their respective owners. StealthWatch is covered by U.S. Patent Nos. 7,290,283; 7,185,368; 7,475,426 and other U.S. and foreign patents pending. RSA, enVision, Secured, and SecurID are registered trademarks or trademarks of RSA Security, Inc. in the U.S. and/or other countries. EMC is a registered trademark of EMC Corporation. All other company and product names may be trademarks of their respective owners.
 

StealthWatch 5.10 Preview: New Dashboards!

Well we're getting closer to the StealthWatch 5.10 release! Should see an official announcement sometime in the next few weeks. Until then I'll show off a few improvements that probably won't make the press release but are cool enough to mention here.

Existing StealthWatch users know that StealthWatch makes use of customizable Dashboards to display interactive, flow-derived charts and tables in the StealthWatch GUI. You can make up your own dashboards using the Document Builder feature or you can just select one of the built-in Dashboards from the "Dashboards" context-sensitive submenu.

StealthWatch 5.10 introduces a number of improvements to the existing built-in dashboards. We've improved the Interface, Domain, and Zone dashboards. Here's a few screenshots to give you a feel for each of the updated dashboard views...

Lancope Offers Product Replacement Program for End-of-Support Riverbed Cascade / Mazu Deployments

Lancope announced today a product replacement program for organizations that have deployed Riverbed Cascade (formerly Mazu Networks) technology. The replacement program, which can be customized to meet the needs of client network environments, makes it easy for organizations to replace their existing Cascade appliances with best-of-breed StealthWatch for NetFlow-based network performance monitoring and anomaly detection.

For more information about Lancope’s Riverbed Cascade/Mazu Replacement Program, visit this link.