Stealthwatch Architecture For Visibility, Detection & Incident Response

Should you consider implementing Stealthwatch on your network?

The purpose of this blog is to explain the reason why your organization may really benefit from implementing Stealthwatch architecture. Unfortunately no traditional security mechanisms can stop correctly authenticated user from accessing the network. As it turns out most of network breaches happen as a result of stolen or compromised passwords. As much as it is best practice to change passwords often it won’t help when someone steals them. Almost every day the news provide another story about massive data breach somewhere where thousands or millions of accounts have been compromised by hackers. Once you have an attacker correctly authenticated on your network there isn’t much you can do about it, is there?

Cisco Stealthwatch can help your organization see every conversation, know about every host, understand normal behaviors and alert you to any changes. It is a powerful tool that will also help you mitigate any threats once you have detected them. The following sections provide a brief overview about Stealthwatch Architecture and its main goals.

Cisco Stealthwatch Enterprise design goals and functionality

In its most basic form Stealthwatch architecture is very simple. It comprises of Management Console (SMC), Flow Collector (FC) and all existing network devices sending NetFlow data. It can also integrate with Identity Services Engine (ISE) to provide even more granular data and enable threat quarantine. There are three main objectives for any Stealthwatch implementation that we explain below.

Network visibility

Network devices send NetFlow data to a Flow Collector which provides single pane of glass for all network traffic including but not limited to IP addresses, Port Numbers, Endpoint Identity, Throughput etc. If all devices are NetFlow capable, Stealthwatch can provide both North-South and East-West network visibility. For the devices that don’t support NetFlow there is an option to either upgrade them or integrate with the optional Flow Sensor (FS). It is very important to understand that many attacks can happen inside a single VLAN. Although enabling NetFlow on the core switches can provide a lot of visibility, it will be limited to the traffic traversing the core.

Incident or pattern detection

Any larger organisation will have both network and security teams. Both of those teams can receive invaluable data for daily operations. From the security perspective, Stealthwatch can utilize machine learning and analyse traffic behaviours. This allows it to detect various types of attacks including Botnet, Malware, DDOS. At the same time, it can provide rich set of analytics for the networking team like top hosts, top applications, latency or performance characteristics.

Incident response

Mitigation is very important part of Stealthwatch functionality. It can integrate with ISE and other devices to quarantine certain threats that Stealthwatch detected. This is really powerful way of stopping attacks from spreading across the network. In the end of the day Stealthwatch is all about actionable outcomes to protect your environment.

The main components of Stealthwatch solution architecture

Exporters – those can be your network devices like routers, switches that are using NetFlow or IPFIX to send data to Flow Collector. In some cases Flow Sensors can be configured in the solution to provide data on behalf of devices that don’t support NetFlow. For the users that are not on-premise, Anyconnect with a specific module can be used to provide more data.

Flow Collector – receives traffic from all exporters and performs any required data de-duplication when it comes from different sources. The solution can integrate with ISE to provide additional context to NetFlow streams that are coming from the exporters. Therefore in addition to all flow details like IP addresses and port numbers you can also get user, device type and MAC address.

Management Console – this is the brain of the Stealthwatch Architecture with rich threat intelligence and ability to provide actionable outcomes. This is the place where you can see all the trends, reports, threats and it gives you the ability to quarantine devices based on their behavior on the network.

In addition to those devices your Stealthwatch deployment can also include some optional components:

Flow Sensor – as mentioned above, this device allows you to act on behalf of other devices. Another important aspect of FS is the ability to provide Deep Packet Inspection (DPI) for much greater visibility of all flows. It also delivers much more granular data for top talkers and network performance metrics.

Packet Analyzer – enables storing large amount of data as and when required on a device with 42T of rolling buffer.

UDP Director – in most cases, edge devices only support two NetFlow or Syslog destinations. Adding UDP director allows replicating all those flows on a dedicated box without impacting the resources on the network.

High level Stealthwatch implementation strategy

There are number of things that you need to configure on your network to get all benefits of Stealthwatch deployment. In the most simplistic form your deployment will have at least one Flow Collector and Stealthwatch Management Console. Both servers require IP Addressing, Domain Name, DNS and NTP settings. Once they are on the network you can start configuring your exporters to send NetFlow traffic to the Flow Collector. At the same time you have to establish communication between FC and SMC to view all the data that have been captured. If you have any firewalls between Stealthwatch components you need to open multiple ports for this communication to work. Cisco provides comprehensive Install and Upgrade Guides showing detailed steps and ports that you need to open.

Integrating Cisco ISE with SMC have multiple benefits. Firstly you can get additional contextual information. More importantly, you can use SMC to push policies to ISE to quarantine any threats. Although connecting ISE and Stealthwatch is optional it is definitely recommended. Part of providing this integration requires using Public Key Infrastructure and certificates to provide secure channels for data exchange. Cisco recommends using a dedicated ISE node for pxgrid integration to avoid taking too much resources from any existing policy node.

Finally, If your deployment includes UDP Directors and Flow Sensors it is time to add them in the end. Those elements provide additional scalability and visibility in certain cases. Don’t forget to open required ports for the traffic passing through the firewalls.

Stealthwatch and network as a sensor provide all you need for greater security

In a nutshell, this is all you need for implementing Stealthwatch. Using network as a sensor and delivering all data to centralized servers for processing. The ability to see into all traffic flows between applications and endpoints is critical to determine whether there may be anomalous behavior occurring on your network. Using sophisticated analytics engine, the Stealthwatch transforms data from existing infrastructure into actionable intelligence for improved visibility, security as well as incident response. This will not only give you much more insights into your traffic patterns but also allow you to stop any attacks with a single click.