1. Introduction
This article focuses on the Cisco StealthWatch network monitoring product.
Cisco Systems is actively promoting it as a product that improves network security, so let's understand what it actually does.
The TS Solution blog has already had an article on this topic; in this series of articles I will focus on setting up and deploying the product. However, for those who are hearing about StealthWatch for the first time, let's define the basic concepts.
“The Stealthwatch system provides industry-leading network monitoring and security analysis to speed up and more accurately detect threats, respond to incidents and conduct investigations,” says Cisco, and cites about 50 success stories that you can read here.
Based on the telemetry data of your infrastructure, StealthWatch allows you to:
· Identify the most diverse cyber attacks (APTs, DDoS, 0-day, data leakage, botnet)
· Monitor compliance with security policies
· Detect abnormalities in user behavior and equipment
· Conduct a crypto-audit of traffic (ETA technology)
At the heart of StealthWatch is the collection of NetFlow and IPFIX from routers, switches and other network devices. As a result, the network itself becomes a sensor and lets the administrator look where traditional network protection tools, such as an NGFW, cannot reach. StealthWatch can consume the following flow protocols: NetFlow (from version 5), sFlow, jFlow, cFlow, NetStream, nvzFlow, IPFIX, Packeteer-2 and other custom variants.
2. What analytics does this software use?
Firstly, behavioral modeling and behavioral signatures: in other words, constant monitoring of each device on the network and the ability to determine the basic indicators of normal and abnormal behavior. For each host, whether it is a user, a server or a router, its own baseline is built (the ideal model of its behavior), and any deviation from it shows up as an anomaly in relation to that host.
As an example: a user suddenly starts downloading large amounts of data even though they have never done so before; StealthWatch detects this almost instantly.
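The flow collection and per-host baselining described above, as an added example that is not code from the original post or from Cisco: a small parser for NetFlow v5 export packets (the public record layout, the oldest version in the list above) feeding a per-host byte baseline that flags the kind of sudden large download just mentioned. The packets, host addresses and history values are constructed for the demonstration, and the mean-plus-k-stdev rule is an assumed simplification, not StealthWatch's actual behavioral model.

```python
"""Added example, not Cisco/StealthWatch code: parse NetFlow v5 export packets
and build a simple per-host baseline of bytes received, flagging a host whose
current-interval volume deviates far from its own history. The packet layout
follows the public NetFlow v5 format; the baseline rule is a deliberately
simple stand-in for the vendor's behavioral modeling. All packets and history
values below are constructed for the demonstration."""
import statistics
import struct
from ipaddress import IPv4Address

V5_HEADER = struct.Struct(">HHIIIIBBH")                # 24-byte header
V5_RECORD = struct.Struct(">4s4s4sHHIIIIHHBBBBHHBBH")  # 48-byte flow record


def parse_netflow_v5(packet: bytes) -> list:
    """Return one dict per flow record in a NetFlow v5 export packet."""
    if len(packet) < V5_HEADER.size:
        raise ValueError("packet shorter than a NetFlow v5 header")
    version, count, *_ = V5_HEADER.unpack_from(packet, 0)
    if version != 5:
        raise ValueError(f"not NetFlow v5 (version field = {version})")
    if len(packet) < V5_HEADER.size + count * V5_RECORD.size:
        raise ValueError("truncated packet: header announces more records than present")
    flows = []
    for i in range(count):
        (src, dst, _nexthop, _in_if, _out_if, pkts, octets, _first, _last,
         sport, dport, _pad, tcp_flags, proto, _tos,
         *_rest) = V5_RECORD.unpack_from(packet, V5_HEADER.size + i * V5_RECORD.size)
        flows.append({"src": str(IPv4Address(src)), "dst": str(IPv4Address(dst)),
                      "sport": sport, "dport": dport, "proto": proto,
                      "packets": pkts, "bytes": octets, "tcp_flags": tcp_flags})
    return flows


def build_v5_packet(flows) -> bytes:
    """Constructed test data: serialise (src, dst, sport, dport, proto, bytes)
    tuples into a v5 export packet, the way an exporter would."""
    header = V5_HEADER.pack(5, len(flows), 0, 0, 0, 0, 0, 0, 0)
    body = b""
    for src, dst, sport, dport, proto, nbytes in flows:
        body += V5_RECORD.pack(IPv4Address(src).packed, IPv4Address(dst).packed,
                               b"\0" * 4, 1, 2, max(1, nbytes // 1400), nbytes,
                               0, 0, sport, dport, 0, 0x18, proto, 0, 0, 0, 24, 24, 0)
    return header + body


def bytes_received_per_host(flows) -> dict:
    """Aggregate flow bytes by destination host (download volume per host)."""
    totals = {}
    for f in flows:
        totals[f["dst"]] = totals.get(f["dst"], 0) + f["bytes"]
    return totals


def flag_anomalies(history: dict, current: dict, k: float = 3.0) -> dict:
    """history: per-host list of byte totals from earlier intervals (the baseline).
    current: this interval's totals. A host is flagged when it exceeds
    mean + k*stdev of its own history; the threshold is also at least twice
    the mean so a perfectly flat history (stdev 0) does not alarm on noise."""
    alerts = {}
    for host, observed in current.items():
        past = history.get(host, [])
        if len(past) < 2:
            continue  # no baseline yet: a new host cannot be judged against itself
        mean = statistics.mean(past)
        threshold = max(mean + k * statistics.pstdev(past), 2 * mean)
        if observed > threshold:
            alerts[host] = {"observed": observed, "baseline_mean": mean,
                            "threshold": threshold}
    return alerts


# Constructed history: bytes received per host in five earlier intervals.
HISTORY = {
    "10.0.0.5": [50_000, 60_000, 55_000, 65_000, 58_000],       # ordinary workstation
    "10.0.0.9": [200_000, 210_000, 190_000, 205_000, 195_000],  # busier host
}

# Constructed current interval: 10.0.0.5 suddenly pulls 3.5 MB from an external host.
CURRENT_PACKET = build_v5_packet([
    ("10.0.0.1", "10.0.0.5", 53, 51000, 17, 40_000),
    ("203.0.113.7", "10.0.0.5", 443, 51234, 6, 3_500_000),
    ("10.0.0.1", "10.0.0.9", 80, 40000, 6, 205_000),
    ("10.0.0.1", "10.0.0.33", 22, 40001, 6, 90_000),  # unknown host, no baseline
])


def demo() -> dict:
    """Parse the constructed packet and return the hosts that break their baseline."""
    flows = parse_netflow_v5(CURRENT_PACKET)
    return flag_anomalies(HISTORY, bytes_received_per_host(flows))


if __name__ == "__main__":
    for host, info in demo().items():
        print(f"ALERT {host}: {info['observed']} bytes vs baseline mean "
              f"{info['baseline_mean']:.0f} (threshold {info['threshold']:.0f})")
```

Run as a script it reports only 10.0.0.5, whose 3.54 MB in one interval is far above its 57.6 KB average; 10.0.0.9 stays within its own (larger) norm and 10.0.0.33 is skipped because no history exists for it yet. A real product keeps far richer baselines (per application, per peer, per time of day) and learns them over weeks, but the shape of the decision is the same: each host is compared with itself, not with a global threshold.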
Secondly, global threat analytics. This refers to integration with the well-known Cisco Talos, a huge database of known attack signatures that is updated worldwide in real time.
Third, good old machine learning, which in Cisco's case is based on the Cognitive Intelligence technology.
The same technology underlies the ETA (Encrypted Traffic Analytics) solution, which can determine whether an encrypted connection is malicious (an attack, unwanted traffic or C&C communication) without decrypting it.
3. Brief introduction to the interface
So that you understand how it looks, and so that I don't have to invent pretty pictures, I want to show a couple of screenshots from a Cisco lab that anyone can run in dcloud.
The fairly convenient charts and graphs in the Dashboard show general network statistics: alarms, from whom and when they were, network protocol traffic, applications, and security incidents.



In the Monitor tab there is a more detailed listing of suspicious hosts and a table whose values indicate the suspicious behavior and attacks observed on a particular host.

Then you can see application traffic broken down by protocol. Of course, the time interval can be changed, and you can drill down by highlighting the required area (in Flow in the Dashboard you can also “drill through”).

All the settings and a full immersion in the interface will come in the following articles.
4. Architecture
On the one hand, the architecture of StealthWatch is slightly more complicated than that of its competitors; on the other hand, it is granular and allows for more selective tuning. The required components are the Flow Collector (FC) and the StealthWatch Management Console (SMC).
FlowCollector is a physical or virtual appliance that collects NetFlow data, and application data via NBAR, from switches, routers and firewalls.
An SMC is a physical or virtual appliance that combines, organizes and graphically presents the data collected by the FC. Integration with AD and Cisco ISE is possible.
As optional, but no less interesting, components I would highlight FlowSensor (FS) and UDP-Director (UDP-D).
The first can also be either a physical or a virtual appliance, and is a solution for generating NetFlow from legacy devices or when you use cheap access-level switches. FlowSensor can generate NetFlow records for all traffic delivered to it via SPAN or RSPAN.
Moreover, in most cases FlowSensor is required to use ETA technology (detection of malicious software in encrypted traffic); however, starting with the ISR and ASR series, routers can work with ETA without a FlowSensor.
UDP-D is a physical appliance that collects NetFlow data and sends it as a single compressed stream to the FlowCollector. For example, it can export a stream simultaneously to StealthWatch, SolarWinds and something else. It also reduces the load on the Flow Collector and optimizes network performance. In truth, it is only really needed for exporting a stream to several different platforms. As a result, the most expensive component of the StealthWatch architecture is not all that necessary.
The architecture looks like this in a simplified version:

And in a more complete (complex and incomprehensible) version:
5. Minimum system requirements
Now that you are on first-name terms with StealthWatch, let's consider the minimum resources needed to deploy it on the network.
For StealthWatch Management Console: 16 GB RAM (24 GB recommended), 3 CPUs, 125 GB disk
For FlowCollector: 16 GB RAM, 2 CPUs, 200 GB disk
* Supports <250 exporters, <125,000 hosts, <4,500 fps (flows per second)
And if we want a complete architecture, which we will consider in the future, we should also allocate resources for FlowSensor and UDP-Director.
For FlowSensor: 4 GB RAM, 1 CPU, 60 GB disk
For UDP Director: 4 GB RAM, 1 CPU, 60 GB disk
* SSD is preferable for all VMs, but NetFlow “flies” through the FlowCollector, so it is worth allocating resources to the FC first of all
The important caveat is that the images for these virtual machines are only available for VMware (ESXi) and KVM. The requirements for them are as follows.
VMware (ESXi): version 6.0 or 6.5. Live Migration and snapshots are not supported.
KVM: any compatible Linux distribution. The KVM host versions are libvirt 3.0.0, qemu-kvm 2.8.0, Open vSwitch 2.6.1 and Linux kernel 4.4.38. They may differ, but these are the versions on which Cisco engineers ran tests and confirmed performance.
If you are interested in looking at the security of your network from a different angle, you can contact us at sales@tssolution.ru and we will hold a demonstration or pilot StealthWatch on your network free of charge.
That's all for now. In the next article, we will proceed directly to the deployment of StealthWatch and talk more about the nuances of this process.