Lancope IDS Looks Into the Unknown to Detect Threats

StealthWatch G1's unique approach makes it an impressive intrusion finder, but its price is hefty.

Lancope Inc.'s StealthWatch G1 intrusion-detection appliance stands apart from standard signature-based detection products in several important ways. Its Linux-based software uses a unique flow-based architecture to monitor data traffic, not TCP packets, thus detecting both known and unknown threats to IP networks. It's an easy-to-use tool that's also simple to set up, allowing it to quickly get to work stopping malicious hackers and new virus strings in their tracks while also preventing misuse of network resources. It's also considerably more expensive than other intrusion detectors.

The StealthWatch G1 appliance is the first IDS (intrusion-detection system) eWEEK Labs has seen that uses a nonsignature-based method to detect incursions. In tests, the StealthWatch G1 didn't simply alert us to every ping probe and port scan on our network; it also quickly detected all the known viruses we threw at it. We believe the StealthWatch appliance would be a better choice than signature-based systems for companies where security is a top priority, such as financial or e-commerce sites, because it can also detect unknown attacks.

However, the StealthWatch's impressive intrusion-detection capabilities don't come cheap. The StealthWatch G1, which can handle data flow analysis in Gigabit Ethernet networks, is priced at $40,000. The StealthWatch G1 has four Intel Corp. 1GHz Pentium III processors, 512MB of RAM, dual-Gigabit Ethernet network monitoring ports and a single 10/100M-bps Ethernet port for Web administration.

(Lancope also offers the less expensive StealthWatch M50 and M100, with multiple 10/100M-bps ports for 10/100 Ethernet networks, at $15,000 and $20,000, respectively.)

Most signature-based IDSes cost less and, when used properly, can adequately protect against known threats in lower-risk environments. Signature-based IDSes, such as NFR Security Inc.'s Network Flight Recorder, detect intrusion attempts by examining TCP packets for known signatures (text strings identified in known hacker exploits). The IDS usually keeps a database of these exploits, which must be updated whenever a new type of attack is discovered. (For eWEEK Labs' Feb. 19 review of NFR's Network Flight Recorder, go to,3658,s%253D708%2526a%253D11289,00.asp.)

Going with the flow

The StealthWatch G1, on the other hand, monitors the IP data flows between hosts on the network and creates a service profile that dictates what types of traffic are considered legitimate between hosts. When out-of-profile data flows are detected, StealthWatch will generate an alert and show what protocols are out of place.

In online financial services or e-commerce sites, for example, StealthWatch can monitor traffic between the transaction and the application servers and alert IT managers when it detects Telnet or FTP traffic--a possible indication of hackers attempting to download sensitive data. The StealthWatch G1 worked well on the test network, creating profiles of the hosts and detecting abnormalities when we launched several attacks from workstations elsewhere on the network. Sites that are already using signature-based IDSes can add StealthWatch to maximize their network security. Because the StealthWatch G1 is an appliance, it's easier to use than a software IDS solution, which often requires a longer installation process.

The StealthWatch G1 provides real-time network monitoring in promiscuous mode and reports abnormal behaviors based on a Concern Index, a threshold set by the user to determine what activities should be reported, weeding out "false positives" that aren't signs of misdeeds. Most signature-based products have no such ability to distinguish false alarms from actual threats.

The StealthWatch G1 can also detect new virus strings and stop them from spreading by detecting the abnormal activities of infected hosts. It can detect viruses such as Code Red that infect Web servers and try to propagate themselves by scanning other hosts on the network. The appliance detects the address scans as abnormal data flows between hosts and generates alerts.
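A minimal sketch of the flow-profiling idea described above, as an added example that is not Lancope's code or algorithm: it learns a service profile from baseline flows, scores out-of-profile flows per source host, and alerts once a user-set threshold is reached. The host names, flow records and point values are constructed assumptions.

```python
from collections import defaultdict

# Constructed flow records: (source host, destination host, destination port).
BASELINE = [
    ("web1", "app1", 8080), ("app1", "db1", 5432), ("admin1", "web1", 22),
]
LIVE = [
    ("web1", "app1", 8080),   # matches the learned profile
    ("web1", "app1", 23),     # Telnet between the transaction tiers
    ("app1", "db1", 21),      # FTP toward the database host
] + [("web1", f"10.0.0.{i}", 80) for i in range(1, 31)]  # address scan

def build_profile(flows):
    """Learn which destination ports each (src, dst) pair normally uses."""
    profile = defaultdict(set)
    for src, dst, port in flows:
        profile[(src, dst)].add(port)
    return profile

def score_hosts(profile, flows, new_service_pts=10, new_peer_pts=2):
    """Return (points per source host, out-of-profile ports per source host).
    Point values are illustrative assumptions, not a vendor formula."""
    known_peers = defaultdict(set)
    for src, dst in profile:
        known_peers[src].add(dst)
    points, out_of_profile = defaultdict(int), defaultdict(set)
    for src, dst, port in set(flows):          # count each distinct flow once
        if port in profile.get((src, dst), ()):
            continue                            # in profile: no concern
        # An unexpected service to a known peer weighs more than one new peer,
        # but many new peers (a scan) add up quickly.
        points[src] += new_service_pts if dst in known_peers[src] else new_peer_pts
        out_of_profile[src].add(port)
    return points, out_of_profile

def alerts(points, threshold):
    """Hosts whose accumulated concern score reaches the user-set threshold."""
    return sorted(host for host, score in points.items() if score >= threshold)

if __name__ == "__main__":
    pts, ports = score_hosts(build_profile(BASELINE), LIVE)
    for host in alerts(pts, threshold=50):
        print(host, pts[host], sorted(ports[host]))
```

Lowering the threshold surfaces the single FTP flow from the application server as well, at the cost of more alerts to triage.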

It also keeps tabs on network performance by providing statistical data and reports hosts that are generating large amounts of traffic--a possible sign of bandwidth abuse.

The kernel of truth

The StealthWatch G1 runs on Red Hat Inc.'s Linux 6.2 operating system with the 2.2 kernel, which Lancope has hardened to eliminate security holes and optimized by removing nonessential components. Lancope chose Linux because it's easier to harden and more stable than Windows, officials said.

The StealthWatch is fairly easy to set up--knowledge of Linux, although not required, expedites the process. In tests, we gave the StealthWatch an IP address for remote Web administration over Secure Sockets Layer using standard Web browsers. We used the nmap port scanner to probe the test network for open ports. StealthWatch immediately picked up the scans and alerted us to a potential intrusion by labeling the nmap system as out-of-profile.

We used another Linux box to run Nessus, a scanner program that can generate common hacker attacks, to attack a Windows 2000 Server and the StealthWatch appliance. We pounded both systems with a variety of common attacks and had to reboot the Web server, but the StealthWatch held up fine, providing multiple alerts of the attacks, and we did not find any security holes on the StealthWatch system.

The Web administration GUI provides in-depth tables showing forensic data. We downloaded the data files in txt format from the browser and imported them to Excel without a hitch, but it would be nice to have utilities that could analyze and automate the process.