Nowhere to hide

StealthWatch catches intruders even if they try to cover their tracks

In Texas, we have a saying that even a blind hog finds an acorn now and then. The saying applies to unpleasant experiences in identifying network attacks, such as when a user discovers an intrusion only because the hacker carelessly left a window open. As difficult as these network hacks are to find, the threat of undetected attacks is more disturbing.

StealthWatch+Therminator, developed by Atlanta-based Lancope Inc., is an intrusion-detection appliance designed to catch sneaky intruders, no matter how well they hide their activities. The unit comes in the form of a standard, rackmount PC running a hardened Linux operating system.

StealthWatch passively watches traffic on the network and rates the suspiciousness of new traffic by comparing it to recognized traffic. StealthWatch can tell what is normal by gathering baseline statistics, typically compiled over a two-week period after installation. Using complex algorithms and network heuristics, StealthWatch can rate suspicious events according to a concern index that shows how unusual or serious the event might be.

For example, say you have a Web server that you do not use for FTP, and one day that server starts to service FTP requests. StealthWatch will send an alarm to the administrator with a notice of an important change. In this example, the administrator may find that a hacker has compromised the server and is using it to distribute pirated software or music.

Because StealthWatch relies on baseline comparisons and algorithms, as opposed to downloaded signatures, it can catch penetration attempts for which signatures don't yet exist or penetrations that can't be detected by signatures.

Because StealthWatch examines traffic, it must be installed so that it can observe network activity. If we assume that we are using a switched Ethernet environment, a good spot for StealthWatch is a Switched Port Analyzer (SPAN) port, which receives a copy of the traffic on the switch's other ports.

In a large environment, you will need several StealthWatch units, each placed at key points throughout the network. Lancope provides a StealthWatch Management Console, allowing you to control the units from your Web browser.

Typically, you place the first port on the first StealthWatch unit on your Internet gateway. This port will listen to outside traffic, while the second port might listen to your server data farm. Still a third port could be set to listen to a subnetwork of workstations. On large installations, you probably can't catch every packet crossing the network, but if the units are well positioned it should be difficult for an intruder to circumvent detection.

Our tests

To get a feel for what StealthWatch reports, we decided to generate malicious traffic and watch the product react.

We pointed our Linux Nessus vulnerability scanner toward a Microsoft Corp. Windows 2000 file server and commanded our demon of daemons to try every hack in the book on the unsuspecting Microsoft box.

While the attack was in progress, we logged in to the StealthWatch Web interface on a Secure Sockets Layer encrypted session. We navigated to the Security menu of the application to see if StealthWatch detected anything suspicious — and did it ever! StealthWatch reported a constant stream of concerns, detailing specific services and ports that the attack involved.

The Nessus scan that we were performing generated reports of hundreds of abnormal events on the network. And StealthWatch quickly identified our Nessus server as the culprit of the attacks.

To put StealthWatch to a tougher test, we decided to see if it could detect more fiendishly subtle violations of company network policy. We loaded a popular peer-to-peer file-sharing program on our Windows XP workstation and left StealthWatch running to monitor our traffic.

After a few minutes of scanning for our favorite Grateful Dead bootlegs, we checked back with StealthWatch to see what it found. Although StealthWatch did not explicitly tell us that a file-sharing program was in use, it did create a concern index and reported that our XP workstation was scanning the network and searching for peers with whom to share files.

Be aware that although StealthWatch presents a large amount of information in an easy-to-read format, the operator of the program must possess a fair amount of network knowledge. The product presents information in a concern index, and if you want specific information about a concern, you are given the affected TCP/UDP port numbers with their corresponding protocols. Although this made perfect sense to us, it would be gibberish to anyone not trained in protocol analysis.

Our testing thus far was with the default StealthWatch configuration. But the default configuration doesn't even touch StealthWatch's real power. The product's value comes with the ability to define network policies that mirror the way your network works.

StealthWatch can determine what is normal on your network in two ways. The first is by configuring network policies and specifying what protocols are allowed for hosts in certain defined zones.

The second way is by using StealthWatch's proprietary heuristic algorithms. When you first install StealthWatch, you usually configure it in learning mode. In this mode, it accumulates statistics about normal network traffic. After you take the unit out of learning mode, it has the historical information to determine if a particular network event is sufficiently unusual to report to the security administrator.
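The two approaches above, and the earlier FTP and peer-scanning incidents, can be illustrated in code. The following is an added example written for this article, not Lancope's software: a toy detector that accumulates a baseline in learning mode, applies a hypothetical zone policy, and rates later flows with a concern index. The zone map, port numbers, hosts and flow records are all constructed for the example.

```python
from collections import defaultdict, namedtuple

# Hypothetical flow record and zone policy (constructed for this example).
Flow = namedtuple("Flow", "src dst dport proto")
ZONE_OF = {"10.0.1.10": "web", "10.0.1.20": "files", "10.0.2.5": "workstations"}
ALLOWED = {"web": {80, 443}, "files": {139, 445}, "workstations": set()}

class BaselineDetector:
    """Learn what is normal, then rate later flows with a concern index."""
    def __init__(self, scan_threshold=20):
        self.served = defaultdict(set)   # dst host -> ports it served in learning mode
        self.peers = defaultdict(set)    # src host -> distinct dst hosts in learning mode
        self.recent = defaultdict(set)   # src host -> distinct dst hosts after learning
        self.scan_threshold = scan_threshold

    def learn(self, flow):
        """Learning mode: accumulate baseline statistics; nothing is scored."""
        self.served[flow.dst].add(flow.dport)
        self.peers[flow.src].add(flow.dst)

    def score(self, flow):
        """Return (concern, reasons) for a flow seen after learning mode ends."""
        concern, reasons = 0, []
        zone = ZONE_OF.get(flow.dst)
        if zone is not None and flow.dport not in ALLOWED[zone]:      # explicit policy
            concern += 50
            reasons.append(f"policy: zone '{zone}' does not allow {flow.proto}/{flow.dport}")
        if flow.dst in self.served and flow.dport not in self.served[flow.dst]:  # baseline
            concern += 30
            reasons.append(f"baseline: {flow.dst} never served {flow.proto}/{flow.dport}")
        self.recent[flow.src].add(flow.dst)
        new_peers = len(self.recent[flow.src] - self.peers[flow.src])
        if new_peers > self.scan_threshold:                           # peer scanning
            concern += 40
            reasons.append(f"scan: {flow.src} reached {new_peers} hosts unseen in baseline")
        return concern, reasons

def demo():
    det = BaselineDetector(scan_threshold=20)
    # Constructed baseline: the workstation only ever talks to the web and file servers.
    for _ in range(100):
        det.learn(Flow("10.0.2.5", "10.0.1.10", 80, "tcp"))
        det.learn(Flow("10.0.2.5", "10.0.1.20", 445, "tcp"))
    # The web server starts answering FTP: a policy violation plus a baseline novelty.
    ftp = det.score(Flow("10.0.2.5", "10.0.1.10", 21, "tcp"))
    # A file-sharing client probes 30 hosts never seen in the baseline: scan concern.
    scans = [det.score(Flow("10.0.2.5", f"10.0.3.{i}", 6346, "udp")) for i in range(1, 31)]
    return ftp, scans[-1]
```

As with the appliance, the output is port numbers and protocols, so an operator still needs protocol knowledge to act on it.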

What we liked

We like the fact that the system stands alone and requires no contact with hosts outside the network. For high-security installations, this is an important consideration.

We like Lancope's choice to run a standard hardened Linux kernel on standard server hardware. We feel these decisions contribute to the stability and resilience of the product.

We like the appliance-style approach that Lancope applies to this product. Even when we logged directly into the server's console, we were not presented with a command prompt. Rather, we were given the opportunity to choose by number such functions as Edit IP Settings, Change Host Name and Add Trusted Host. As we were installing the product, we kept the manual close by, fully expecting to wade through a complicated and cryptic Linux command line configuration. To our surprise, upon logging into StealthWatch, we were presented with only a few choices. We didn't even need the manual to assign the system an IP address and add trusted hosts. We give big points to Lancope for ease of setup.

Finally, StealthWatch is nonintrusive and only listens to traffic on your network. If the unit happens to fail, there will be no impact on your network traffic.

What we would like to see

Although this product is not perfect, we offer little criticism. The system carries the same drawbacks as other intrusion-detection systems: It has a limited network view, is expensive to deploy and provides cryptic information. But until someone circumvents the physical laws of the network, these drawbacks and limitations will be present in all intrusion-detection systems worth their salt. If information derived from protocol analysis doesn't appear cryptic, then the product probably isn't telling you anything useful.

We would like to see some sort of interface between StealthWatch and a firewall that would trigger the firewall to block malicious traffic. StealthWatch only reports concerns. We feel that Lancope may have serious competition if some firewall vendor also offers a corresponding intrusion-detection unit that would drop malicious traffic.

Overall, we give this system high marks. After examining the system's components, we are confident that StealthWatch is capable of providing years of service in an ever-changing network environment.

Even considering probable future growth in network technologies, it is hard for us to imagine any attack method that StealthWatch would not detect.

Greer is a network analyst at a large Texas state agency. Bishop operates PeoplesInformation.com, an Internet consulting firm. They can be reached at egreer@thecourageequation.com.

***

Detecting intruders

Lancope Inc.'s StealthWatch+Therminator offers three basic types of tools to detect intruders:

Visualization tools. StealthWatch analyzes and displays the patterns of change that occur as traffic flows back and forth across the network among user-defined groups of network devices. The solution generates graphs that highlight potential intrusions.

Event logs. StealthWatch maintains a log of the underlying network activity reflected in the graphs. The two tools are nicely integrated, so that with one mouse click, users can access log details of suspicious events.

Advanced flow logs and packet analysis. The event logs are also correlated with host-level activity and underlying packet details that can be examined more closely using advanced flow logs and packet analysis.

Source: Lancope Inc.
