By Cameron Sturdevant  |  Posted 2004-08-23

Lancope Inc.'s launch this month of its first SMC (StealthWatch Management Console) appliance, and the simultaneous release of its StealthWatch 4.1 system software, make the company's network behavior anomaly detection tools far easier to manage than previous StealthWatch versions.

The ability to manage sensors, policies, alerts and reports is a key differentiator in the hotly contested anomaly detection market, which includes competitors such as Arbor Networks Inc.'s Peakflow X and iSpheres Corp.'s Halo.

During tests at eWEEK Labs, in which we collected network data for more than a month to train the StealthWatch appliance, we found that Lancope's SMC made creating and distributing policies a painless task.

However, because configuration changes will have a huge impact on the quality of security data being reported by the StealthWatch appliance to the SMC, only senior security staff should be allowed to create SMC policies.

People can make mistakes, and we wish there were an automatic way to roll back configuration changes.

NBAD (network behavior anomaly detection) systems are relatively pricey, and Lancope's SMC and accompanying StealthWatch appliance are no exception. The SMC and the StealthWatch appliance start at $9,995 each, and there is a fee of $1,995 to $3,995 for every StealthWatch appliance connected to the SMC. The console is based on Dell Inc.'s PowerEdge 1750 server with dual 3.06GHz processors, 4GB of RAM and 146GB of hard drive space in a RAID 5 configuration.

The beefy hardware is required to process the network traffic flows to discern patterns that fall outside the profiles the StealthWatch system software learns over time. New in this version of the software is a three-dimensional StatusView that clearly shows the security posture and the health of a network in real time—something earlier versions of the software could not do.
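To make the "learned profile" idea concrete, here is a toy baseline detector in the spirit of the approach described above. It is an added illustration, not Lancope's algorithm or any StealthWatch code: it learns a per-host profile (destination ports seen and byte-count statistics) from constructed flow records standing in for a training period, then reports how a new flow deviates from that profile.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed training flows: (source host, destination port, bytes sent).
# A real NBAD appliance learns from weeks of flow data, not a nine-entry list.
TRAINING_FLOWS = [
    ("10.0.0.5", 443, 1200), ("10.0.0.5", 443, 1350), ("10.0.0.5", 53, 90),
    ("10.0.0.5", 443, 1100), ("10.0.0.5", 53, 110), ("10.0.0.5", 443, 1250),
    ("10.0.0.9", 25, 4000), ("10.0.0.9", 25, 4200), ("10.0.0.9", 25, 3900),
]


def learn_profiles(flows):
    """Build a per-host profile: destination ports seen plus byte-count stats."""
    ports = defaultdict(set)
    sizes = defaultdict(list)
    for src, port, nbytes in flows:
        ports[src].add(port)
        sizes[src].append(nbytes)
    return {
        host: {"ports": ports[host],
               "mean": mean(sizes[host]),
               "stdev": pstdev(sizes[host])}
        for host in ports
    }


def score_flow(profiles, flow, z_threshold=3.0):
    """Return the reasons a flow deviates from its host's profile ([] if none)."""
    src, port, nbytes = flow
    profile = profiles.get(src)
    if profile is None:
        return ["unknown host"]        # never seen during training
    reasons = []
    if port not in profile["ports"]:
        reasons.append(f"new destination port {port}")
    stdev = profile["stdev"]
    if stdev > 0:
        z = abs(nbytes - profile["mean"]) / stdev
        if z > z_threshold:
            reasons.append(f"byte count z-score {z:.1f}")
    elif nbytes != profile["mean"]:
        # Host always sent identical sizes in training; any change is notable.
        reasons.append("byte count differs from constant baseline")
    return reasons
```

Because the profile is only as good as the training data, the month-long collection period mentioned above matters: a profile learned from an hour of traffic would flag ordinary daily variation as anomalous.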

We found the graphic displays useful, but we recommend that IT managers spend their time scrutinizing the other real-time monitors included in this version of the system software.

The new investigation work space view gave us access to all the data views the product creates and let us move easily among windows of data. At the same time, it showed tables with time stamps indicating when particular network devices were behaving anomalously.

In tests, the SMC appliance worked without a hitch and should perform well in large-scale deployments. Setting up trust relationships between appliances and the SMC must be done manually, but these management connections are important enough to warrant the extra effort. Once we established these trusted relationships between the StealthWatch appliance and the SMC, the policy and configuration changes were simple to make.

Lancope did not significantly change the anomaly detection capabilities in this version of the StealthWatch system software, focusing instead on monitoring and management improvements. Nevertheless, we were impressed with the extent and accuracy of the SMC's reports of anomalous behavior in our network, and we could use the reports to determine quickly when likely security problems were occurring.

Labs Technical Director Cameron Sturdevant can be reached at cameron_sturdevant@ziffdavis.com.
