Lancope IDS Looks Into the Unknown to Detect Threats -2

Lancope Inc.'s StealthWatch G1 intrusion-detection appliance taps Linux-based software to monitor data traffic, detecting both known and unknown threats to IP networks.

Lancope Inc.s StealthWatch G1 intrusion-detection appliance taps Linux-based software to monitor data traffic, detecting both known and unknown threats to IP networks. This easy-to-use tool was simple to set up in eWeek Labs tests, allowing us to quickly get to work stopping malicious hackers and new virus strings in their tracks while also preventing misuse of network resources.

The StealthWatch G1 is the first IDS (intrusion-detection system) we have seen that uses a non-signature-based method to detect intrusions. In tests, it alerted us to significant network threats and quickly detected all the known viruses we threw at it. For these reasons, the StealthWatch appliance is a better choice than signature-based IDSes for companies where security is a top priority.

However, the StealthWatchs impressive intrusion-detection capabilities dont come cheap. The StealthWatch G1, which can handle data flow analysis in Gigabit Ethernet networks, is priced at $40,000. It has four Intel Corp. 1GHz Pentium III processors, 512MB of RAM, dual-Gigabit Ethernet network monitoring ports and a single 10/100M-bps Ethernet port for Web administration.

Most signature-based IDSes detect intrusion attempts by examining TCP packets for known signatures (text strings identified in known hacker exploits). The IDS usually keeps a database of these exploits, which must be updated whenever a new type of attack occurs.

The StealthWatch G1 monitors IP data flows between hosts on the network and creates a service profile that dictates what types of traffic are considered legitimate. When anomalous data flows are detected, StealthWatch generates an alert and shows what protocols are out of place.

The StealthWatch G1 worked well in tests, creating profiles and detecting abnormalities when we launched attacks from elsewhere on the network. The appliance reports abnormal behaviors based on a Concern Index set by the administrator to determine what activities should be reported, weeding out "false positives" that arent signs of misdeeds. Most signature-based products cant distinguish false alarms from actual threats.

Technical Analyst Francis Chu can be reached at francis_chu@ziffdavis.com. A more comprehensive version of this review appears online at www.eweek.com/links.