Review: Lancope StealthWatch 5.5 offers more than IDS

Hot Pick: StealthWatch goes far beyond traditional intrusion detection, with powerful network-monitoring features. The optional IDentity-1000 is an essential addition.

INTRUSION DETECTION
StealthWatch 5.5 from Lancope
Price: StealthWatch starts at $9,995; IDentity-1000 starts at $19,795

Lancope StealthWatch 5.5 is much more than an anomaly-based IDS; it delivers a holistic view of your network -- and its users -- so you can monitor traffic in real time and respond to three-alarm events, such as zero-day attacks, compliance violations and corporate espionage.

In addition to the standard configuration -- a management console and an Xe collector that gathers NetFlow from Cisco Systems and Juniper Networks switches and routers -- we also tested the optional IDentity-1000, which identifies users automatically through authentication and directory services such as RADIUS and Active Directory.

Configuration/Management: B
Using the Quick Start Checklist, terrific documentation and simple configuration menu, we were able to get the collector monitoring flow off our Cisco router within minutes. The Web-based console presents a rich display of multiple dashboards with information about connections, inbound and outbound traffic and protocols.

The management console was easy to install, but this is no simple product. Configuring StealthWatch to take advantage of all the advanced features, such as network planning and traffic engineering, requires extensive knowledge of networking protocols and infrastructure.

The IDentity-1000 is much more complex, requiring many more initial decisions and considerable time. The major configuration options are RADIUS or the Unified IDentity Manager, which includes LDAP, Active Directory and UNIX. Through the command-line interface, we configured the management and data ports and completed basic administration.

Policy Control: A
StealthWatch's highly flexible policy control allows you to assign similar devices, services, applications and protocols to a virtual zone. For example, traffic from mail servers is assigned to a different zone than traffic from application servers, and each zone gets its own baseline, thresholds and policies. So while heavy traffic on a VoIP segment is normal, similar volume in another zone might indicate worm activity.
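To make the zone-and-baseline idea concrete, here is an added example written for this review page; it is not Lancope's code, and the review does not describe how StealthWatch computes its baselines. The example learns a per-zone byte volume from a training period, sets the threshold at the mean plus three standard deviations (an assumed rule), and then flags an interval in which an application server suddenly pushes VoIP-like volume to fifty peers. The zone prefixes, the history and the current flow records are all constructed for illustration.

```python
"""Zone-based baseline anomaly detection over NetFlow-style records (added example)."""
import ipaddress
import statistics
from collections import defaultdict

# Constructed zone map: similar hosts share a zone, as the review describes.
ZONES = {
    "voip": ipaddress.ip_network("10.10.0.0/24"),
    "mail": ipaddress.ip_network("10.20.0.0/24"),
    "app": ipaddress.ip_network("10.30.0.0/24"),
}

# Constructed training data: bytes sent per 5-minute interval, one host per zone,
# ten intervals. VoIP is legitimately heavy; the app zone is normally quiet.
HISTORY_TOTALS = {
    "10.10.0.5": [4_900_000, 5_100_000, 5_000_000, 4_950_000, 5_050_000,
                  5_000_000, 4_980_000, 5_020_000, 5_100_000, 4_900_000],
    "10.20.0.5": [800_000, 850_000, 750_000, 820_000, 780_000,
                  800_000, 810_000, 790_000, 830_000, 770_000],
    "10.30.0.5": [200_000, 210_000, 190_000, 205_000, 195_000,
                  200_000, 220_000, 180_000, 200_000, 200_000],
}
HISTORY_FLOWS = [
    {"src": host, "dst": "192.0.2.10", "interval": i, "bytes": b}
    for host, series in HISTORY_TOTALS.items()
    for i, b in enumerate(series)
]

# Constructed current interval: VoIP and mail look normal, the app server
# fans out 5,000,000 bytes to 50 peers (worm-like), and an unzoned host appears.
CURRENT_FLOWS = [
    {"src": "10.10.0.5", "dst": "192.0.2.10", "interval": 10, "bytes": 5_150_000},
    {"src": "10.20.0.5", "dst": "192.0.2.20", "interval": 10, "bytes": 830_000},
    *[{"src": "10.30.0.5", "dst": f"10.30.1.{n}", "interval": 10, "bytes": 100_000}
      for n in range(1, 51)],
    {"src": "10.99.0.7", "dst": "192.0.2.30", "interval": 10, "bytes": 1_000},
]


def zone_of(ip):
    """Map a source address to its zone; hosts outside every zone are 'unassigned'."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "unassigned"


def bytes_per_zone_interval(flows):
    """Aggregate bytes sent per (zone, interval); the unit the baseline is built on."""
    totals = defaultdict(int)
    for f in flows:
        totals[(zone_of(f["src"]), f["interval"])] += f["bytes"]
    return totals


def build_baselines(history, k=3.0):
    """Per-zone threshold = mean + k * population stdev of the zone's interval totals."""
    per_zone = defaultdict(list)
    for (zone, _interval), total in history.items():
        per_zone[zone].append(total)
    return {zone: statistics.fmean(s) + k * statistics.pstdev(s)
            for zone, s in per_zone.items()}


def detect(current, baselines):
    """Alert when a zone exceeds its own threshold, or when a zone has no baseline at all."""
    alerts = []
    for (zone, interval), total in current.items():
        threshold = baselines.get(zone)
        if threshold is None:
            alerts.append({"zone": zone, "interval": interval, "bytes": total,
                           "reason": "no baseline for zone"})
        elif total > threshold:
            alerts.append({"zone": zone, "interval": interval, "bytes": total,
                           "reason": f"exceeds zone threshold {threshold:.0f}"})
    return alerts


def run_demo():
    baselines = build_baselines(bytes_per_zone_interval(HISTORY_FLOWS))
    return detect(bytes_per_zone_interval(CURRENT_FLOWS), baselines)


if __name__ == "__main__":
    for a in run_demo():
        print(a)
```

The point of the per-zone threshold is visible in the numbers: 5,150,000 bytes from the VoIP host is within its learned range, while 5,000,000 bytes from the app zone is more than twenty times its threshold. A host that belongs to no zone gets an alert of its own, because a baseline it was never part of cannot vouch for it.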

The IDentity-1000 also delivers exceptional security policy settings for authentication, authorization and accounting through an intuitive tabbed menu. We quickly added profiles defining numerous attributes, including those specific to vendor devices, and added access policies, assigning both conditions and actions.

Effectiveness: A
We're impressed with StealthWatch's security and network analysis, its ability to pick out anomalous events without using signatures, and the automated user tracking through the IDentity-1000, allowing us to trace offending connections to individual users.

The IDentity-1000 also allowed us to track down SYN floods and audit policy-prohibited traffic. Our policies reflected protected groups, such as a development team and regulated environments. We unleashed malware through several vectors. StealthWatch detected and reported all of our events.
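The two capabilities described above, tracing an offending connection to a user and tracking down a SYN flood, can be illustrated together with an added example that is not part of the review and not Lancope's code. It assumes the identity source is a RADIUS accounting log in FreeRADIUS "detail" format (the test bed used the IDentity-1000 as a RADIUS proxy, but the review does not say what it records), and that the flow records carry NetFlow v5-style TCP flag bits. The accounting records and flows are constructed. The edge case worth noticing is address reuse: the same IP is handed to two users in turn, so attribution has to be bounded by session start and stop times, not a bare IP-to-user table.

```python
"""Attribute a SYN flood seen in flow records to a RADIUS-authenticated user (added example)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

SYN = 0x02  # NetFlow v5 tcp_flags bit values
ACK = 0x10

# Constructed FreeRADIUS-style detail records: jsmith holds 10.30.0.5 from 09:00
# to 09:30, then the address is reassigned to apatel at 09:31.
RADIUS_DETAIL = """
Tue Dec  5 09:00:00 2006
    Acct-Status-Type = Start
    User-Name = "jsmith"
    Framed-IP-Address = 10.30.0.5
    Acct-Session-Id = "8001"

Tue Dec  5 09:30:00 2006
    Acct-Status-Type = Stop
    User-Name = "jsmith"
    Framed-IP-Address = 10.30.0.5
    Acct-Session-Id = "8001"

Tue Dec  5 09:31:00 2006
    Acct-Status-Type = Start
    User-Name = "apatel"
    Framed-IP-Address = 10.30.0.5
    Acct-Session-Id = "8002"
"""

_T = datetime(2006, 12, 5, 9, 45, 0)
# Constructed flows: one normal session at 09:10, one lone failed connect, and
# 200 single-packet SYN-only flows to one web server starting at 09:45.
FLOWS = [
    {"ts": datetime(2006, 12, 5, 9, 10), "src": "10.30.0.5", "dst": "192.0.2.10",
     "dport": 443, "flags": 0x1b, "packets": 12},
    {"ts": datetime(2006, 12, 5, 9, 40), "src": "10.30.0.5", "dst": "192.0.2.11",
     "dport": 22, "flags": SYN, "packets": 1},
    *[{"ts": _T + timedelta(seconds=n), "src": "10.30.0.5", "dst": "192.0.2.80",
       "dport": 80, "flags": SYN, "packets": 1} for n in range(200)],
]


def parse_radius_detail(text):
    """Turn Start/Stop accounting records into sessions keyed by Acct-Session-Id."""
    sessions = {}
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = [ln.strip() for ln in block.splitlines() if ln.strip()]
        ts = datetime.strptime(lines[0], "%a %b %d %H:%M:%S %Y")
        attrs = {}
        for line in lines[1:]:
            key, _, value = line.partition(" = ")
            attrs[key] = value.strip('"')
        sid = attrs["Acct-Session-Id"]
        if attrs["Acct-Status-Type"] == "Start":
            sessions[sid] = {"user": attrs["User-Name"], "ip": attrs["Framed-IP-Address"],
                             "start": ts, "stop": None}
        elif attrs["Acct-Status-Type"] == "Stop" and sid in sessions:
            sessions[sid]["stop"] = ts
    return sessions


def user_for(sessions, ip, at):
    """Who held this address at this instant? Open sessions (stop is None) still count."""
    for s in sessions.values():
        if s["ip"] == ip and s["start"] <= at and (s["stop"] is None or at < s["stop"]):
            return s["user"]
    return None


def detect_syn_floods(flows, threshold=100):
    """Flag (src, dst) pairs with many one-packet SYN-only flows: handshakes never completing."""
    counts, first_seen = defaultdict(int), {}
    for f in flows:
        if f["flags"] & SYN and not f["flags"] & ACK and f["packets"] == 1:
            key = (f["src"], f["dst"])
            counts[key] += 1
            first_seen.setdefault(key, f["ts"])
    return [{"src": s, "dst": d, "syn_only_flows": n, "ts": first_seen[(s, d)]}
            for (s, d), n in counts.items() if n >= threshold]


def attribute(alerts, sessions):
    """Attach the user who held the source address when the flood began."""
    return [dict(a, user=user_for(sessions, a["src"], a["ts"])) for a in alerts]


def run_demo():
    sessions = parse_radius_detail(RADIUS_DETAIL)
    alerts = attribute(detect_syn_floods(FLOWS), sessions)
    earlier_user = user_for(sessions, "10.30.0.5", datetime(2006, 12, 5, 9, 10))
    return alerts, earlier_user


if __name__ == "__main__":
    alerts, earlier = run_demo()
    print("09:10 session on 10.30.0.5 belonged to", earlier)
    for a in alerts:
        print(a)
```

The lone SYN at 09:40 stays below the threshold, so a single failed connection does not become an alert. The flood at 09:45 is attributed to apatel, not jsmith, even though both used the same address that morning; a static IP-to-user mapping would have named the wrong person.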

Reporting: A
The dashboards provide an almost overwhelming amount of useful real-time data and historical analysis. There is extensive reporting for network operations, identity tracking and external events.

StealthWatch allowed us to create customized views and delegate operations. Being able to feed group-specific information to network operations, the security team or the legal department will save time and headaches.

Verdict
StealthWatch goes far beyond traditional intrusion detection, with powerful network-monitoring features. The optional IDentity-1000 is an essential addition.

Testing methodology
We tested the StealthWatch Management Console paired with an Xe500 NetFlow collector gathering flow from Cisco routers, as well as the optional IDentity-1000 appliance configured as a proxy for a RADIUS server.

This article originally appeared in the December 2006 edition of Information Security magazine.
