Lancope Inc.s StealthWatch G1 intrusion-detection appliance taps Linux-based software to monitor data traffic, detecting both known and unknown threats to IP networks. This easy-to-use tool was simple to set up in eWeek Labs tests, allowing us to quickly get to work stopping malicious hackers and new virus strings in their tracks while also preventing misuse of network resources.
The StealthWatch G1 is the first IDS (intrusion-detection system) we have seen that uses a non-signature-based method to detect intrusions. In tests, it alerted us to significant network threats and quickly detected all the known viruses we threw at it. For these reasons, the StealthWatch appliance is a better choice than signature-based IDSes for companies where security is a top priority.
However, the StealthWatchs impressive intrusion-detection capabilities dont come cheap. The StealthWatch G1, which can handle data flow analysis in Gigabit Ethernet networks, is priced at $40,000. It has four Intel Corp. 1GHz Pentium III processors, 512MB of RAM, dual-Gigabit Ethernet network monitoring ports and a single 10/100M-bps Ethernet port for Web administration.
Most signature-based IDSes detect intrusion attempts by examining TCP packets for known signatures (text strings identified in known hacker exploits). The IDS usually keeps a database of these exploits, which must be updated whenever a new type of attack occurs.
The StealthWatch G1 monitors IP data flows between hosts on the network and creates a service profile that dictates what types of traffic are considered legitimate. When anomalous data flows are detected, StealthWatch generates an alert and shows what protocols are out of place.
The StealthWatch G1 worked well in tests, creating profiles and detecting abnormalities when we launched attacks from elsewhere on the network. The appliance reports abnormal behaviors based on a Concern Index set by the administrator to determine what activities should be reported, weeding out “false positives” that arent signs of misdeeds. Most signature-based products cant distinguish false alarms from actual threats.
Technical Analyst Francis Chu can be reached at francis_chu@ziffdavis.com. A more comprehensive version of this review appears online at www.eweek.com/links.
StealthWatch G1
StealthWatch G1
USABILITY |
B |
CAPABILITY |
A |
PERFORMANCE |
B |
INTEROPERABILITY |
B |
MANAGEABILITY |
B |
Lancopes newest StealthWatch appliance provides IT managers with a robust network security tool—at an equally robust price. With its support for Gigabit networks, this IDS appliance is especially useful in large enterprises.
SHORT-TERM BUSINESS IMPACT // Although the StealthWatch G1 can detect many intrusions right out of the box, IT managers should expect a familiarization period of several hours to several days, because the appliance must create service profiles based on the network size.
LONG-TERM BUSINESS IMPACT // Because the StealthWatch G1 doesnt use signature-based intrusion detection, it can detect previously unknown attacks and virus strings, allowing IT managers to better safeguard their networks down the road.
PROS: Flow-based architecture detects variety of threats; easy to set up.
CONS: Expensive; needs better forensic data analysis tools.
Lancope Inc., Norcross, Ga.; (678) 966-0116; www.lancope.com