
Tech Talk: Stealthwatch

Stealthwatch Solution Overview, NetFlow Fundamentals, Components, and Design
Chad Sullivan

July 27, 2016


Stealthwatch Tech Talk: 3 Sessions
• Session #1: July 27 (Today)
  • Solution Overview, NetFlow Fundamentals, Components, and Design
• Session #2: August 3
  • Deployment and Initial Configuration
• Session #3: August 10
  • Tuning Fundamentals, Operations / Optimizations Techniques
Stealthwatch
Solution Overview
Realities of Modern Threats
Highlights
• One in four breaches are caused by malicious insiders
• 95% of all cybercrime is triggered by a user clicking on a malicious link disguised to be legitimate
• Two in three breaches exploit weak or stolen passwords
• With lateral movement of advanced persistent threats, even external attacks eventually become internal threats
[Figure: perimeter controls (FW, IDS, IPS) between External and Internal]
Source: 2014 Verizon Data Breach Investigations Report and Forrester research.
New Networks Mean New Security Challenges
Changing Business Models / Dynamic Threat Landscape / Complexity and Fragmentation
• Enterprise Mobility: Organizations lack visibility into the behavior of devices on their network
• Acquisitions and Partnerships: Acquisitions, joint ventures, and partnerships are increasing in frequency
• Cloud: Cloud usage is becoming more prevalent, but so is the lack of visibility into the cloud
• Internet of Things: Over 50 billion connected “smart objects” are projected by 2020
Expanded Enterprise Attack Surface
It’s Not IF You Will Be Breached . . . It’s WHEN


Network Threats Are Getting Smarter
[Figure: timeline 1990 to 2020, from “Phishing, Low Sophistication” through “Hacking Becomes an Industry” to “Sophisticated Attacks, Complex Landscape”]
• Viruses: 1990–2000
• Worms: 2000–2005
• Spyware and Rootkits: 2005–Today
• Advanced Persistent Threats, Cyberwarfare: Today +

Criminals Know More About Your Network Than You Do


Custom malware remains dormant for months to learn vulnerabilities in the network and then attack those vulnerabilities
You Can’t Defend Against What You Can’t See
[Figure: application traffic (Citrix, WebEx, SAP) shown as opaque binary streams]
© 2013-2014 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 7
Dissecting a Data Breach
• Victim clicks phishing email link
• Malware dropped via back door
• Reconnaissance
• Lateral movement to find admin
• Escalate privilege to become admin
• Data exfiltration using admin privilege
• Information monetized after breach

Cisco Adds Stealthwatch to the Attack Continuum
BEFORE: Control, Enforce, Harden
DURING: Detect, Block, Defend
AFTER: Scope, Contain, Remediate

Stealthwatch (Before):
• Discover and monitor traffic baseline for the network
• Enable the deployment of granular, software-based segmentation

Stealthwatch (During and After):
• Detect breaches and insider threats faster
• Accelerate analysis and understanding of incidents
Stealthwatch for Macro-Level Visibility
Fight advanced threats with actionable intelligence and analytics

Monitor
• Obtain comprehensive, scalable enterprise visibility and security context
• Gain real-time situational awareness of traffic
• Benefit from network segmentation using Cisco® TrustSec

Detect
• Detect and analyze network behavior anomalies
• Easily detect behaviors linked to advanced persistent threats (APTs), insider threats, distributed denial-of-service (DDoS) attacks, and malware

Analyze
• Collect and analyze holistic network audit trails
• Achieve faster root cause analysis
• Conduct thorough forensic investigations

Respond
• Accelerate network troubleshooting and threat mitigation
• Respond quickly to threats by taking action to quarantine through Cisco® Identity Services Engine
• Continuously improve enterprise security posture
Stealthwatch for Visibility, Context, and Control
Your Network Is Your Sensor
WHO / WHAT / WHERE / WHEN / HOW
[Figure: Devices and the Internal Network feed Context sources: Identity, Proxy Server, Firewall, Routers and Switches]
• Use network data to extend visibility to the access layer
• Enrich flow of data with identity, events, proxy, and application to create context
• Accelerated detection, investigation and response.
What Can Stealthwatch Provide to an Organization?

Extended Visibility
• Continuously monitor devices, applications, and users throughout distributed networks
• Aggregate and analyze advanced telemetry to establish a security baseline of your network

Policy and Access Management
• Monitor the entire network and data center to help ensure that there are no policy or network access violations

Advanced Threat Protection
• Obtain contextual threat intelligence with a historical audit trail of NetFlow data
• Achieve enhanced visibility and context to accelerate threat detection

Accelerated Response
• Improve incident response and forensic analysis through actionable intelligence
• Isolate the root cause of an incident within seconds for mitigation
Stealthwatch
NetFlow Fundamentals
NetFlow – The Network Phone Bill
Visibility through NetFlow: like a telephone bill, a flow record is created for every conversation.
[Figure: host 10.1.8.3 talking to 172.168.134.2 across switches and routers to the Internet; the packets produce a Flow Record]

Flow Record (example)
SOURCE ADDRESS | 10.1.8.3
DESTINATION ADDRESS | 172.168.134.2
SOURCE PORT | 47321
DESTINATION PORT | 443
INTERFACE | Gi0/0/0
IP TOS | 0x00
IP PROTOCOL | 6
NEXT HOP | 172.168.25.1
TCP FLAGS | 0x1A
SOURCE SGT | 100
: | :
NBAR APPLICATION NAME | SECURE-HTTP

NetFlow Provides
• A record of every conversation in your network
• Collect records everywhere in your network (switch, router, or firewall)
• Network usage measurements
• An ability to find north-south as well as east-west communication
• Lightweight compared to full Packet (SPAN)-based traffic analysis
• Indications of compromise (IOC)
Collecting Traditional NetFlow
[Figure: NetFlow exported from the network device to a Flow Collector]
Traditional NetFlow
• Provides router interface statistics
• Builds the Network’s “Phone Bill”
• Very easy to deploy; available for “free” almost anywhere Cisco equipment is found
• Feature included in Base IOS
• No packet-level visibility or response time information
• This is NOT Full Packet Capture
Creating Flows from Network Connections
{NetFlow}
• Network protocol developed by Cisco Systems for collecting IP traffic information.
• Based on 7 key fields (along with other data):
  1. Source IP address
  2. Destination IP address
  3. Source port number
  4. Destination port number
  5. Layer 3 protocol type (ex. TCP, UDP)
  6. ToS (type of service) byte
  7. Input logical interface

If one field is different on an incoming packet, a new flow is created in the local flow cache.
Create a New TCP Flow
Key fields in the cache table below: Protocol, Source IP, Source Port, Destination IP, Destination Port, Ingress Interface. Non-key fields: First Seen, Last Seen, Packets, Bytes, Egress Interface, TCP Flags.
Ingress and Egress ports are based on the interface on which the packets entered and left the router.

Packet seen: TCP 10.1.1.1:1024 -> 10.2.2.2:80 (SYN)

NETFLOW CACHE
Protocol | Source IP | Source Port | Destination IP | Destination Port | First Seen | Last Seen | Packets | Bytes | Ingress Interface | Egress Interface | TCP Flags
TCP | 10.1.1.1 | 1024 | 10.2.2.2 | 80 | 23:14:06 | 23:14:06 | 1 | 195 | Gi4/13 | Gi2/1 | S

Create a New TCP Flow
Packet seen: TCP 10.2.2.2:80 -> 10.1.1.1:1024 (SYN/ACK)

NETFLOW CACHE
Protocol | Source IP | Source Port | Destination IP | Destination Port | First Seen | Last Seen | Packets | Bytes | Ingress Interface | Egress Interface | TCP Flags
TCP | 10.1.1.1 | 1024 | 10.2.2.2 | 80 | 23:14:06 | 23:14:06 | 1 | 195 | Gi4/13 | Gi2/1 | S
TCP | 10.2.2.2 | 80 | 10.1.1.1 | 1024 | 23:14:07 | 23:14:07 | 1 | 132 | Gi2/1 | Gi4/13 | SA


Update Existing TCP Flow
Packet and Byte counts are incremented accordingly. Last Seen is also updated.
Packet seen: TCP 10.1.1.1:1024 -> 10.2.2.2:80 (ACK)

NETFLOW CACHE
Protocol | Source IP | Source Port | Destination IP | Destination Port | First Seen | Last Seen | Packets | Bytes | Ingress Interface | Egress Interface | TCP Flags
TCP | 10.1.1.1 | 1024 | 10.2.2.2 | 80 | 23:14:06 | 23:14:08 | 2 | 425 | Gi4/13 | Gi2/1 | SA
TCP | 10.2.2.2 | 80 | 10.1.1.1 | 1024 | 23:14:07 | 23:14:07 | 1 | 132 | Gi2/1 | Gi4/13 | SA


Update Existing TCP Flow
Packet seen: TCP 10.2.2.2:80 -> 10.1.1.1:1024 (ACK/PSH)

NETFLOW CACHE
Protocol | Source IP | Source Port | Destination IP | Destination Port | First Seen | Last Seen | Packets | Bytes | Ingress Interface | Egress Interface | TCP Flags
TCP | 10.1.1.1 | 1024 | 10.2.2.2 | 80 | 23:14:06 | 23:14:08 | 2 | 425 | Gi4/13 | Gi2/1 | SA
TCP | 10.2.2.2 | 80 | 10.1.1.1 | 1024 | 23:14:07 | 23:14:08 | 2 | 862 | Gi2/1 | Gi4/13 | SAP


Create New UDP Flow
Packet seen: UDP 10.3.1.1:2918 -> 10.2.8.12:53

NETFLOW CACHE
Protocol | Source IP | Source Port | Destination IP | Destination Port | First Seen | Last Seen | Packets | Bytes | Ingress Interface | Egress Interface | TCP Flags
TCP | 10.1.1.1 | 1024 | 10.2.2.2 | 80 | 23:14:06 | 23:14:08 | 2 | 425 | Gi4/13 | Gi2/1 | SA
TCP | 10.2.2.2 | 80 | 10.1.1.1 | 1024 | 23:14:07 | 23:14:08 | 2 | 862 | Gi2/1 | Gi4/13 | SAP
UDP | 10.3.1.1 | 2918 | 10.2.8.12 | 53 | 23:14:11 | 23:14:11 | 1 | 176 | Gi4/12 | Gi2/1 | -


Create New UDP Flow
Packet seen: UDP 10.2.8.12:53 -> 10.3.1.1:2918

NETFLOW CACHE
Protocol | Source IP | Source Port | Destination IP | Destination Port | First Seen | Last Seen | Packets | Bytes | Ingress Interface | Egress Interface | TCP Flags
TCP | 10.1.1.1 | 1024 | 10.2.2.2 | 80 | 23:14:06 | 23:14:08 | 2 | 425 | Gi4/13 | Gi2/1 | SA
TCP | 10.2.2.2 | 80 | 10.1.1.1 | 1024 | 23:14:07 | 23:14:08 | 2 | 862 | Gi2/1 | Gi4/13 | SAP
UDP | 10.3.1.1 | 2918 | 10.2.8.12 | 53 | 23:14:11 | 23:14:11 | 1 | 176 | Gi4/12 | Gi2/1 | -
UDP | 10.2.8.12 | 53 | 10.3.1.1 | 2918 | 23:14:11 | 23:14:11 | 1 | 212 | Gi2/1 | Gi4/12 | -


Create New ICMP Flow
Packet seen: ICMP ECHO-REQUEST 10.1.1.4 -> 10.2.8.14

Most NetFlow caches do not offer ICMP type and code fields, so the Destination Port column is overloaded with ICMP information.

NETFLOW CACHE
Protocol | Source IP | Source Port | Destination IP | Destination Port | First Seen | Last Seen | Packets | Bytes | Ingress Interface | Egress Interface | TCP Flags
TCP | 10.1.1.1 | 1024 | 10.2.2.2 | 80 | 23:14:06 | 23:14:08 | 2 | 425 | Gi4/13 | Gi2/1 | SA
TCP | 10.2.2.2 | 80 | 10.1.1.1 | 1024 | 23:14:07 | 23:14:08 | 2 | 862 | Gi2/1 | Gi4/13 | SAP
UDP | 10.3.1.1 | 2918 | 10.2.8.12 | 53 | 23:14:11 | 23:14:11 | 1 | 176 | Gi4/12 | Gi2/1 | -
UDP | 10.2.8.12 | 53 | 10.3.1.1 | 2918 | 23:14:11 | 23:14:11 | 1 | 212 | Gi2/1 | Gi4/12 | -
ICMP | 10.1.1.4 | - | 10.2.8.14 | ECHO-REQUEST | 23:14:12 | 23:14:12 | 1 | 96 | Gi4/19 | Gi2/1 | -
Update Existing ICMP Flow
Packet seen: ICMP ECHO-REQUEST 10.1.1.4 -> 10.2.8.14

NETFLOW CACHE
Protocol | Source IP | Source Port | Destination IP | Destination Port | First Seen | Last Seen | Packets | Bytes | Ingress Interface | Egress Interface | TCP Flags
TCP | 10.1.1.1 | 1024 | 10.2.2.2 | 80 | 23:14:06 | 23:14:08 | 2 | 425 | Gi4/13 | Gi2/1 | SA
TCP | 10.2.2.2 | 80 | 10.1.1.1 | 1024 | 23:14:07 | 23:14:08 | 2 | 862 | Gi2/1 | Gi4/13 | SAP
UDP | 10.3.1.1 | 2918 | 10.2.8.12 | 53 | 23:14:11 | 23:14:11 | 1 | 176 | Gi4/12 | Gi2/1 | -
UDP | 10.2.8.12 | 53 | 10.3.1.1 | 2918 | 23:14:11 | 23:14:11 | 1 | 212 | Gi2/1 | Gi4/12 | -
ICMP | 10.1.1.4 | - | 10.2.8.14 | ECHO-REQUEST | 23:14:12 | 23:14:13 | 2 | 192 | Gi4/19 | Gi2/1 | -
Create New ICMP Flow
Packet seen: ICMP ECHO-RESPONSE 10.2.8.14 -> 10.1.1.4

NETFLOW CACHE
Protocol | Source IP | Source Port | Destination IP | Destination Port | First Seen | Last Seen | Packets | Bytes | Ingress Interface | Egress Interface | TCP Flags
TCP | 10.1.1.1 | 1024 | 10.2.2.2 | 80 | 23:14:06 | 23:14:08 | 2 | 425 | Gi4/13 | Gi2/1 | SA
TCP | 10.2.2.2 | 80 | 10.1.1.1 | 1024 | 23:14:07 | 23:14:08 | 2 | 862 | Gi2/1 | Gi4/13 | SAP
UDP | 10.3.1.1 | 2918 | 10.2.8.12 | 53 | 23:14:11 | 23:14:11 | 1 | 176 | Gi4/12 | Gi2/1 | -
UDP | 10.2.8.12 | 53 | 10.3.1.1 | 2918 | 23:14:11 | 23:14:11 | 1 | 212 | Gi2/1 | Gi4/12 | -
ICMP | 10.1.1.4 | - | 10.2.8.14 | ECHO-REQUEST | 23:14:12 | 23:14:13 | 2 | 192 | Gi4/19 | Gi2/1 | -
ICMP | 10.2.8.14 | - | 10.1.1.4 | ECHO-RESPONSE | 23:14:13 | 23:14:13 | 1 | 92 | Gi2/1 | Gi4/19 | -
Continued Operation
Packets seen:
• TCP 10.2.2.2:80 -> 10.1.1.1:1024 (ACK): existing flow updated
• TCP 10.9.9.1:2310 -> 10.2.2.4:443 (SYN): new flow
• TCP 10.2.2.4:443 -> 10.9.9.1:2310 (SYN/ACK): new flow
• ICMP ECHO-REQUEST 10.1.1.4 -> 10.2.8.15: new flow (different destination than the earlier echo request)

NETFLOW CACHE
Protocol | Source IP | Source Port | Destination IP | Destination Port | First Seen | Last Seen | Packets | Bytes | Ingress Interface | Egress Interface | TCP Flags
TCP | 10.1.1.1 | 1024 | 10.2.2.2 | 80 | 23:14:06 | 23:14:08 | 2 | 425 | Gi4/13 | Gi2/1 | SA
TCP | 10.2.2.2 | 80 | 10.1.1.1 | 1024 | 23:14:07 | 23:14:14 | 3 | 1883 | Gi2/1 | Gi4/13 | SAP
UDP | 10.3.1.1 | 2918 | 10.2.8.12 | 53 | 23:14:11 | 23:14:11 | 1 | 176 | Gi4/12 | Gi2/1 | -
UDP | 10.2.8.12 | 53 | 10.3.1.1 | 2918 | 23:14:11 | 23:14:11 | 1 | 212 | Gi2/1 | Gi4/12 | -
ICMP | 10.1.1.4 | - | 10.2.8.14 | ECHO-REQUEST | 23:14:12 | 23:14:13 | 2 | 192 | Gi4/19 | Gi2/1 | -
ICMP | 10.2.8.14 | - | 10.1.1.4 | ECHO-RESPONSE | 23:14:13 | 23:14:13 | 1 | 92 | Gi2/1 | Gi4/19 | -
TCP | 10.9.9.1 | 2310 | 10.2.2.4 | 443 | 23:14:14 | 23:14:14 | 1 | 72 | Gi4/23 | Gi2/1 | S
TCP | 10.2.2.4 | 443 | 10.9.9.1 | 2310 | 23:14:14 | 23:14:14 | 1 | 102 | Gi2/1 | Gi4/23 | SA
ICMP | 10.1.1.4 | - | 10.2.8.15 | ECHO-REQUEST | 23:14:15 | 23:14:15 | 1 | 96 | Gi4/19 | Gi2/1 | -
Exporting Flow Records
#1 End of Flow
• RST or FIN packets seen on a flow will cause the flow record to be exported.
#2 Inactive Timeout
• Configures how long a flow can be inactive before it is expired from the cache
• Recommend 15 seconds (which is also the IOS default)
• All exporters should have similar inactive timeouts
#3 Active Timeout
• Configures longest amount of time a flow can stay in the cache regardless of activity
• Recommend 1 minute (Cisco default of 30 minutes is far too long)
• All exporters should have similar active timeouts
• Last Seen – First Seen == Time Active
#4 Cache Full
• If the local Exporter Flow Cache fills up, the device will begin to export the oldest flows to make room for new flow tracking.
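The flow-cache behaviour walked through above (seven key fields, counter updates, the ICMP type/code-in-destination-port convention, and the four export triggers) as an added Python simulation; this is illustrative code written for this page, not code from the slides or from Cisco. The packets, byte sizes and timestamps are constructed to follow the slide sequence, and the 15 s inactive and 60 s active values are the recommended timeouts from the slides.

```python
from collections import OrderedDict
from dataclasses import dataclass

TCP_FIN, TCP_SYN, TCP_RST, TCP_PSH, TCP_ACK = 0x01, 0x02, 0x04, 0x08, 0x10


@dataclass
class Packet:
    ts: float        # seconds, constructed (0 == 23:14:06 on the slides)
    proto: str       # "TCP", "UDP" or "ICMP"
    src: str
    sport: int
    dst: str
    dport: int       # for ICMP: type*256+code, the "overloaded destination port" convention
    size: int        # bytes
    in_if: str
    out_if: str
    tos: int = 0
    flags: int = 0   # TCP flag bits


def icmp_port(icmp_type, icmp_code):
    """Most caches lack ICMP type/code fields, so they are packed into the dst port."""
    return icmp_type * 256 + icmp_code


class FlowCache:
    """Flow cache keyed on the seven NetFlow key fields, with the four export triggers."""

    def __init__(self, inactive=15.0, active=60.0, max_entries=1000):
        self.inactive, self.active, self.max_entries = inactive, active, max_entries
        self.cache = OrderedDict()   # key -> record; insertion order == oldest first
        self.exported = []           # records exported so far, in export order

    @staticmethod
    def key(p):
        # Key fields: src IP, dst IP, src port, dst port, L3 protocol, ToS, input interface.
        # A packet differing in any one of them opens a new cache entry.
        return (p.src, p.dst, p.sport, p.dport, p.proto, p.tos, p.in_if)

    def _export(self, k, reason):
        rec = self.cache.pop(k)
        rec["reason"] = reason
        self.exported.append(rec)

    def expire(self, now):
        """Apply the active and inactive timeouts the way an exporter's cache aging does."""
        for k, rec in list(self.cache.items()):
            if now - rec["first"] > self.active:
                self._export(k, "active")      # long-lived flow: report this time slice
            elif now - rec["last"] > self.inactive:
                self._export(k, "inactive")    # idle flow: conversation assumed over

    def process(self, p):
        self.expire(p.ts)
        k = self.key(p)
        rec = self.cache.get(k)
        if rec is None:
            if len(self.cache) >= self.max_entries:
                self._export(next(iter(self.cache)), "cache_full")   # evict the oldest
            rec = self.cache[k] = dict(proto=p.proto, src=p.src, sport=p.sport, dst=p.dst,
                                       dport=p.dport, in_if=p.in_if, out_if=p.out_if,
                                       first=p.ts, last=p.ts, packets=0, bytes=0, flags=0)
        rec["packets"] += 1             # non-key fields accumulate
        rec["bytes"] += p.size
        rec["last"] = p.ts
        rec["flags"] |= p.flags         # cumulative OR of the TCP flags seen
        if p.proto == "TCP" and p.flags & (TCP_FIN | TCP_RST):
            self._export(k, "end_of_flow")


def build_trace():
    """Constructed packets following the slide walkthrough, plus a FIN and later traffic."""
    T, U, I = "TCP", "UDP", "ICMP"
    echo_req, echo_rep = icmp_port(8, 0), icmp_port(0, 0)
    return [
        Packet(0, T, "10.1.1.1", 1024, "10.2.2.2", 80, 195, "Gi4/13", "Gi2/1", flags=TCP_SYN),
        Packet(1, T, "10.2.2.2", 80, "10.1.1.1", 1024, 132, "Gi2/1", "Gi4/13", flags=TCP_SYN | TCP_ACK),
        Packet(2, T, "10.1.1.1", 1024, "10.2.2.2", 80, 230, "Gi4/13", "Gi2/1", flags=TCP_ACK),
        Packet(2, T, "10.2.2.2", 80, "10.1.1.1", 1024, 730, "Gi2/1", "Gi4/13", flags=TCP_ACK | TCP_PSH),
        Packet(5, U, "10.3.1.1", 2918, "10.2.8.12", 53, 176, "Gi4/12", "Gi2/1"),
        Packet(5, U, "10.2.8.12", 53, "10.3.1.1", 2918, 212, "Gi2/1", "Gi4/12"),
        Packet(6, I, "10.1.1.4", 0, "10.2.8.14", echo_req, 96, "Gi4/19", "Gi2/1"),
        Packet(7, I, "10.1.1.4", 0, "10.2.8.14", echo_req, 96, "Gi4/19", "Gi2/1"),
        Packet(7, I, "10.2.8.14", 0, "10.1.1.4", echo_rep, 92, "Gi2/1", "Gi4/19"),
        Packet(9, T, "10.1.1.1", 1024, "10.2.2.2", 80, 60, "Gi4/13", "Gi2/1", flags=TCP_FIN | TCP_ACK),
    ] + [Packet(t, U, "10.3.1.1", 2918, "10.2.8.12", 53, 80, "Gi4/12", "Gi2/1")
         for t in (30, 40, 50, 60, 70, 80, 92)]   # a DNS client that never goes quiet


def run_demo(max_entries=1000):
    fc = FlowCache(max_entries=max_entries)
    for p in build_trace():
        fc.process(p)
    return fc


if __name__ == "__main__":
    fc = run_demo()
    for r in fc.exported:
        print(f'{r["reason"]:12} {r["proto"]:4} {r["src"]}:{r["sport"]} -> {r["dst"]}:{r["dport"]} '
              f'pkts={r["packets"]} bytes={r["bytes"]} flags=0x{r["flags"]:02x}')
    print("still in cache:", len(fc.cache))
```

The server-side TCP entry ends up with flags 0x1A (SYN, ACK, PSH), the same value shown in the flow record earlier in the deck; the DNS client that keeps talking is exported by the active timeout even though it never goes idle.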
Scaling Visibility: Flow Stitching
[Figure: 10.2.2.2 port 1024 on eth0/1 talking to 10.1.1.1 port 80 on eth0/2]

Unidirectional Flow Records
Start Time | Interface | Src IP | Src Port | Dest IP | Dest Port | Proto | Pkts Sent | Bytes Sent
10:20:12.221 | eth0/1 | 10.2.2.2 | 1024 | 10.1.1.1 | 80 | TCP | 5 | 1025
10:20:12.871 | eth0/2 | 10.1.1.1 | 80 | 10.2.2.2 | 1024 | TCP | 17 | 28712

Bidirectional Flow Record
• Conversation flow record
• Allows easy visualization and analysis

Start Time | Client IP | Client Port | Server IP | Server Port | Proto | Client Bytes | Client Pkts | Server Bytes | Server Pkts | Interfaces
10:20:12.221 | 10.2.2.2 | 1024 | 10.1.1.1 | 80 | TCP | 1025 | 5 | 28712 | 17 | eth0/1, eth0/2
Scaling Visibility: NetFlow Deduplication
[Figure: 10.2.2.2 port 1024 reaches 10.1.1.1 port 80 through Routers A, B and C]
Router A: 10.2.2.2:1024 -> 10.1.1.1:80
Router B: 10.2.2.2:1024 -> 10.1.1.1:80 (duplicate of the record from Router A)
Router C: 10.1.1.1:80 -> 10.2.2.2:1024

• Without deduplication
  • Traffic volume can be misreported
  • False positives would occur
• Deduplication
  • Allows for efficient storage of flow data
  • Necessary for accurate host-level reporting
  • Does not discard data
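Deduplication followed by stitching, as an added Python example (written for this page, not the product's own logic): copies of one unidirectional flow reported by several routers are collapsed without discarding exporter or interface information, and forward and reverse records are then paired into a conversational record. The sample records reuse the slide's values; Router B's interface name and the second flow are constructed, and the example assumes exporter clocks are aligned so that the earliest-seen side is the client.

```python
from dataclasses import dataclass, field


@dataclass
class UniFlow:
    """One unidirectional record as exported by a router (constructed sample data)."""
    exporter: str
    start: float      # seconds after 10:20:00, constructed
    iface: str
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    pkts: int
    bytes: int

    def tuple5(self):
        return (self.src, self.sport, self.dst, self.dport, self.proto)


@dataclass
class Conversation:
    """Bidirectional (stitched) record; the side seen first is taken as the client."""
    start: float
    client: str
    cport: int
    server: str
    sport: int
    proto: str
    client_pkts: int
    client_bytes: int
    server_pkts: int = 0
    server_bytes: int = 0
    exporters: list = field(default_factory=list)
    interfaces: list = field(default_factory=list)


def deduplicate(flows, window=1.0):
    """Collapse copies of one unidirectional flow reported by several exporters.

    Records are duplicates when the 5-tuple matches and they started within `window`
    seconds of each other. Counters take the maximum rather than the sum, because each
    router counted the same packets; nothing else is dropped: every exporter and
    interface that saw the flow is kept on the merged record.
    """
    merged = []
    for f in sorted(flows, key=lambda x: x.start):
        for m in merged:
            if m["tuple5"] == f.tuple5() and abs(m["start"] - f.start) <= window:
                m["pkts"], m["bytes"] = max(m["pkts"], f.pkts), max(m["bytes"], f.bytes)
                m["exporters"].append(f.exporter)
                m["interfaces"].append(f.iface)
                break
        else:
            merged.append({"tuple5": f.tuple5(), "start": f.start, "pkts": f.pkts, "bytes": f.bytes,
                           "exporters": [f.exporter], "interfaces": [f.iface]})
    return merged


def stitch(deduped):
    """Pair each forward flow with its reverse into one conversation record.

    Assumes exporter clocks are in sync: a badly skewed clock could make the reverse
    record appear first and swap client and server.
    """
    pending = sorted(deduped, key=lambda m: m["start"])
    conversations = []
    while pending:
        a = pending.pop(0)
        src, sport, dst, dport, proto = a["tuple5"]
        reverse = (dst, dport, src, sport, proto)
        b = next((m for m in pending if m["tuple5"] == reverse), None)
        if b is not None:
            pending.remove(b)
        conv = Conversation(a["start"], src, sport, dst, dport, proto, a["pkts"], a["bytes"],
                            exporters=list(a["exporters"]), interfaces=list(a["interfaces"]))
        if b is not None:                      # one-sided flows stay with zero server counters
            conv.server_pkts, conv.server_bytes = b["pkts"], b["bytes"]
            conv.exporters += b["exporters"]
            conv.interfaces += b["interfaces"]
        conversations.append(conv)
    return conversations


def naive_bytes_to(flows, dport):
    """What a collector without deduplication would report toward a service port."""
    return sum(f.bytes for f in flows if f.dport == dport)


def summarize(flows):
    return stitch(deduplicate(flows))


SAMPLE = [  # constructed to match the slide values; Router B's copy is the duplicate
    UniFlow("Router A", 12.221, "eth0/1", "10.2.2.2", 1024, "10.1.1.1", 80, "TCP", 5, 1025),
    UniFlow("Router B", 12.229, "eth0/5", "10.2.2.2", 1024, "10.1.1.1", 80, "TCP", 5, 1025),
    UniFlow("Router C", 12.871, "eth0/2", "10.1.1.1", 80, "10.2.2.2", 1024, "TCP", 17, 28712),
    UniFlow("Router A", 15.002, "eth0/1", "10.2.2.2", 1031, "10.1.1.1", 443, "TCP", 3, 312),
]

if __name__ == "__main__":
    print("without dedup, bytes to port 80:", naive_bytes_to(SAMPLE, 80))
    for c in summarize(SAMPLE):
        print(c)
```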
Flow Export Review
[Figure: host 10.1.1.1 talking to google.com through a Flow-Enabled Router (eth0/1, eth0/2); the router's Flow Cache holds Flow #1 (Ready for Export) through Flow #5, exported as UDP Packets to the Stealthwatch Flow Collector, which produces a Conversational Flow Record: Who, What, Where, When, Who, plus More context (Security group)]

• Hosts generate flows of information…
• Flow export devices capture flow data in each direction (unidirectionally). Flow statistics are counted on each interface.
• Unidirectional Flow Records are exported to the Flow Collector.

Start Time | Interface | Src IP | Src Port | Dest IP | Dest Port | Prot | Pkts Sent | Bytes Sent | TCP Flags
10:20:12.221 | eth0/1 | 10.1.1.1 | 1024 | google.com | 80 | TCP | 5 | 1029 | SYN, ACK, PSH
10:20:12.871 | eth0/2 | google.com | 80 | 10.1.1.1 | 1024 | TCP | 17 | 28712 | SYN, ACK, FIN

• Stealthwatch stitches the unidirectional Flow Records together to create conversational flows. It also stitches together the ongoing time-slices for Flows longer than a minute in duration.
• Highly scalable (enterprise-class) collection
• High compression => long-term storage
• Months of data retention
(Net)Flow Versions
Version | Status
v1 | Similar to v5 but without sequence numbers or BGP info
v2 | Never released
v3 | Never released
v4 | Never released
v5 | Fixed format, most common version found in production
v6 | Never released
v7 | Similar to v5 but without TCP flags, specific to Cat5k and Cat6k
v8 | Aggregated formats, never gained wide use in the enterprise
v9 | “Next Gen” flow format found in most modern NetFlow exporters, supports IPv6, MPLS, Multicast, many others. Admin has control over what is included in the Flow Record.
IPFIX | Similar to v9 but standardized and with variable length fields
Another Flow Type: sFlow
• Packet sampling based – not a flow record
  • Ex. “1 in 128” packets captured
• Foundry, Extreme, HP Procurve, etc.
• The first ~100 bytes of the Ethernet frame is extracted & placed into a UDP packet
• Performs poorly in low-bandwidth environments or when full flow details are needed (compliance)
• No complete visibility to all packets/conversations

sFlow Collection
• sFlow packets are sent to the sFlow collector
• Collector scales the byte counts based on the sampling (scaling) factor
NetFlow Configuration
Most Cisco Routing and Switching Platforms support NetFlow Export, however:
• Support is at Layer 3
• Configuration commands will vary
  • Edge IOS Router, Chassis Based L2/L3 Switch, Access Layer Switch With Uplinks
• Cisco Product Family impacts configuration
  – Catalyst versus Nexus, etc.
Configuring NetFlow – Flexible NetFlow
1a. Configure the Exporter (Where do I want my data sent?)
Router(config)# flow exporter my-exporter
Router(config-flow-exporter)# destination 1.1.1.1

1b. Configure the Flow Record (What data do I want to meter?)
Router(config)# flow record my-record
Router(config-flow-record)# match ipv4 destination address
Router(config-flow-record)# match ipv4 source address
Router(config-flow-record)# collect counter bytes

2. Configure the Flow Monitor (How do I want to cache information?)
Router(config)# flow monitor my-monitor
Router(config-flow-monitor)# exporter my-exporter
Router(config-flow-monitor)# record my-record

3. Apply to an Interface (Which interface do I want to monitor?)
Router(config)# interface gi0/1
Router(config-if)# ip flow monitor my-monitor input
Configuring a Flexible NetFlow Flow Record
Match Parameter = Key Field
Router(config)# flow record my-record
Router(config-flow-record)# match ipv4 tos
Router(config-flow-record)# match ipv4 protocol
Router(config-flow-record)# match ipv4 destination address
Router(config-flow-record)# match ipv4 source address
Router(config-flow-record)# match transport source-port
Router(config-flow-record)# match transport destination-port
Router(config-flow-record)# match interface input
Router(config-flow-record)# collect routing destination as
Router(config-flow-record)# collect routing next-hop address ipv4
Router(config-flow-record)# collect ipv4 dscp
Router(config-flow-record)# collect ipv4 ttl maximum
Router(config-flow-record)# collect ipv4 ttl minimum
Router(config-flow-record)# collect transport tcp flags
Router(config-flow-record)# collect interface output
Router(config-flow-record)# collect counter bytes
Router(config-flow-record)# collect counter packets
Router(config-flow-record)# collect timestamp sys-uptime first
Router(config-flow-record)# collect timestamp sys-uptime last
Configuration Example:
3500-X 10GE Service Module
!
flow record CYBER_3KX_RECORD
 match datalink mac source-address
 match datalink mac destination-address
 match ipv4 tos
 match ipv4 ttl
 match ipv4 protocol
 match ipv4 source address
 match ipv4 destination address
 match transport source-port
 match transport destination-port
 collect interface input snmp
 collect interface output snmp
 collect counter bytes
 collect counter packets
 collect timestamp sys-uptime first
 collect timestamp sys-uptime last
!
flow exporter CYBER_EXPORTER
 destination <ip-address>
 source <SVI-interface>
 transport udp 2055
!
flow monitor CYBER_MONITOR
 record CYBER_3KX_RECORD
 exporter CYBER_EXPORTER
 cache timeout active 60
 cache timeout inactive 15
!
interface TenGigabitEthernet1/1/1
 switchport trunk encapsulation dot1q
 switchport mode trunk
 ip flow monitor CYBER_MONITOR input
 ip flow monitor CYBER_MONITOR output
!
interface TenGigabitEthernet1/1/2
 switchport trunk encapsulation dot1q
 switchport mode trunk
 ip flow monitor CYBER_MONITOR input
 ip flow monitor CYBER_MONITOR output
NetFlow Data Plane Overhead
No direct correlation between bandwidth and NetFlow overhead
• Ex. A high volume long lived flow (1 Gbps) will generate one NetFlow Record every 60 seconds
• On average, 1 Gbps of traffic generates between 1000 and 5000 fps

Overhead is a function of:
• Traffic flow volume, measured in flows per second (fps)
• Flow Record Size
• NetFlow Record Generation timers
  • Recommended 60 second Active and 15 second Inactive timeouts

• Typically in the 1% to 1.5% range
• Could get as high as 15% CPU on software enabled platforms
NetFlow at the Edge
NetFlow Security Event Logging (NSEL)
[Figure: Edge topology with an ASA and ISR-G2, Site-to-Site VPN and Remote Access; NetFlow exported from the edge devices]
• ASAs have been supporting NSEL with NetFlow v9 since version 8.1(1) of code
• NSEL adds the capabilities to collect flow status indicators regarding security events which cause state change
• Keeps track of flow-create, flow-teardown, and flow-denied events, and generates appropriate NSEL data records.
• Provides NAT Translation information
Flow Tracking Issue: NAT/PAT
{NAT: Network Address Translation}

Problem:
Different flow exporting devices in the communication path will report the flow using different Source IP addresses depending on whether they are seeing the connection pre- or post-NAT/PAT.

Solution: NAT Stitching
Links the original Source IP address that initiated the conversation with the Translated IP Address visible beyond the NAT boundary.
NAT Stitching
[Figure: inside host 10.20.30.101 connects through a Firewall Performing NAT (outside address 85.85.85.44) across the Internet to www.destination.com (98.17.17.17); flow records from both sides of the firewall reach the NetFlow Collector. 192.168.1.1 also appears as a label in the figure.]

SOURCE IP | TRANSLATED IP | DESTINATION IP
85.85.85.44 | – | 98.17.17.17
10.20.30.101 | 85.85.85.44 | 98.17.17.17
10.20.30.101 | – | 98.17.17.17
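NAT stitching as an added Python example (illustrative code for this page, not the collector's implementation): the firewall's NSEL record carries both the original and the translated source, so a collector can first build a translation table from NSEL records and then fold the pre-NAT and post-NAT copies of a flow into one record that keeps both addresses. The IP addresses are the ones in the figure; the ports, byte counts, exporter names and the second flow are constructed. Building the table in a first pass matters because the outside copy of a flow may arrive before the NSEL record.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class FlowRecord:
    """A unidirectional flow record from one exporter (constructed sample data)."""
    exporter: str
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    bytes: int
    xlate_src: Optional[str] = None     # only present on firewall NSEL records
    xlate_sport: Optional[int] = None


def translation_table(records):
    """Map (translated src, port, dst, dport, proto) -> (original src, original port)."""
    table = {}
    for r in records:
        if r.xlate_src is not None:
            table[(r.xlate_src, r.xlate_sport, r.dst, r.dport, r.proto)] = (r.src, r.sport)
    return table


def nat_stitch(records):
    """Group every exporter's copy of a flow under its original (pre-NAT) source.

    Copies seen beyond the NAT boundary carry the translated address; the NSEL record
    links that address back to the inside host, so all copies collapse into one entry
    that records both addresses and which exporters reported the flow.
    """
    xlate = translation_table(records)          # first pass: learn the translations
    stitched = {}
    for r in records:                           # second pass: fold records together
        post_nat_key = (r.src, r.sport, r.dst, r.dport, r.proto)
        if post_nat_key in xlate:               # outside copy: map back to the originator
            src, sport = xlate[post_nat_key]
            translated = r.src
        else:                                   # inside copy, NSEL record, or untranslated flow
            src, sport, translated = r.src, r.sport, r.xlate_src
        key = (src, sport, r.dst, r.dport, r.proto)
        entry = stitched.setdefault(key, {"src": src, "sport": sport, "dst": r.dst, "dport": r.dport,
                                          "proto": r.proto, "translated_src": None,
                                          "exporters": [], "bytes": 0})
        entry["exporters"].append(r.exporter)
        entry["bytes"] = max(entry["bytes"], r.bytes)   # same packets counted by each exporter
        if translated is not None:
            entry["translated_src"] = translated
    return list(stitched.values())


SAMPLE = [  # constructed; addresses from the figure, everything else made up
    FlowRecord("inside-router", "10.20.30.101", 51234, "98.17.17.17", 443, "TCP", 4210),
    FlowRecord("asa-nsel", "10.20.30.101", 51234, "98.17.17.17", 443, "TCP", 4210,
               xlate_src="85.85.85.44", xlate_sport=1025),
    FlowRecord("internet-router", "85.85.85.44", 1025, "98.17.17.17", 443, "TCP", 4210),
    FlowRecord("internet-router", "85.85.85.44", 1026, "203.0.113.9", 80, "TCP", 900),  # no NSEL record
]

if __name__ == "__main__":
    for entry in nat_stitch(SAMPLE):
        print(entry)
```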
NetFlow Security Event Logs (NSEL)
Sample PCI Environment
[Figure: same Edge topology (ASA, ISR-G2, Site-to-Site VPN, Remote Access)]

ASA(config)# access-list NaaS-PCI_Zone-Flows permit ip any 10.10.5.0 255.255.255.0
ASA(config)# class-map NaaS-ClassMap-Flows
ASA(config-cmap)# match access-list NaaS-PCI_Zone-Flows
ASA(config)# policy-map NaaS-PolicyMap-Flows
ASA(config-pmap)# class NaaS-ClassMap-Flows
ASA(config-pmap-c)# flow-export event-type flow-teardown destination 10.10.50.10
ASA(config-pmap)# class class-default
ASA(config-pmap-c)# flow-export event-type all destination 10.10.2.102
ASA(config)# service-policy NaaS-PolicyMap-Flows global

• NSEL event types: Flow-creation, Flow-denied, Flow-teardown
• Flow-teardown also implies creation
• All events not matching the ACL will be forwarded to another collector
The Value of NetFlow
The Network as a Scalable Source of Truth
[Figure: Interweb, Internal Network and Flow Collector; NetFlow Data flows from the network devices to the Flow Collector]

NetFlow Fields
• Usage: Packet count, Byte count
• Time: Start sysUpTime, End sysUpTime
• Where: Input ifIndex, Output ifIndex
• QoS: Type of Service, TCP flags, Protocol
• From/To: Source IP address, Destination IP address
• Application: Packet count, Byte count
• Routing and Peering: Next hop address, Source AS number, Dest. AS number, Source prefix mask, Dest. prefix mask
NetFlow – The Heart of Network as a Sensor
Example: NetFlow Alerts With Cisco Stealthwatch
• Network Scanning: TCP, UDP, Port Scanning Across Multiple Hosts
• Botnet Detection: When Inside Host Talks to Outside C&C Server for an Extended Period of Time
• Denial of Service: SYN Half Open; ICMP/UDP/Port Flood
• Policy Violations: Hosts that are baselined, exceeding predetermined thresholds.
• Host Reputation Change: Inside Host Potentially Compromised or Received Abnormal Scans or Other Malicious Attacks
• Worm Propagation: Worm Infected Host Scans and Connects to the Same Port Across Multiple Subnets, Other Hosts Imitate the Same Above Behaviors
• Data Exfiltration: Large Outbound File Transfer VS. Baseline
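The alert types above expressed as simple detection rules over conversational flow records, as an added Python example (written for this page; it is not Stealthwatch's detection engine and its thresholds are illustrative). It covers scanning, long-lived outbound sessions, outbound volume against a per-host baseline, and same-port connections across multiple subnets. The inside address space, the baseline table and all flow records are constructed; outside addresses come from documentation ranges.

```python
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass
class Conv:
    """One stitched conversational flow record (constructed sample data)."""
    start: float        # seconds, constructed
    duration: float     # seconds
    client: str
    server: str
    dport: int
    proto: str
    client_bytes: int
    server_bytes: int


INSIDE = ip_network("10.0.0.0/8")   # assumed inside address space for the sample


def is_inside(ip):
    return ip_address(ip) in INSIDE


def detect_scans(convs, min_targets=20, max_bytes=200):
    """Network scanning: one client touching many distinct host:port pairs with tiny flows."""
    targets = defaultdict(set)
    for c in convs:
        if c.client_bytes < max_bytes and c.server_bytes < max_bytes:
            targets[c.client].add((c.server, c.dport))
    return {src: len(t) for src, t in targets.items() if len(t) >= min_targets}


def detect_long_lived_outbound(convs, min_duration=3600):
    """Botnet-style behaviour: an inside host holding a session to an outside server for hours."""
    return [(c.client, c.server, c.dport, c.duration) for c in convs
            if is_inside(c.client) and not is_inside(c.server) and c.duration >= min_duration]


def detect_exfiltration(convs, baseline, factor=10):
    """Data exfiltration: outbound bytes per inside host far above its learned baseline.

    Hosts without a baseline are skipped; in practice they are still being baselined
    rather than known-good, and deserve their own review.
    """
    outbound = defaultdict(int)
    for c in convs:
        if is_inside(c.client) and not is_inside(c.server):
            outbound[c.client] += c.client_bytes
    return {h: b for h, b in outbound.items() if h in baseline and b > factor * baseline[h]}


def detect_worm_propagation(convs, min_subnets=3):
    """Worm propagation: one inside host connecting to the same port across several /24s."""
    subnets = defaultdict(set)
    for c in convs:
        if is_inside(c.client) and is_inside(c.server):
            subnets[(c.client, c.dport)].add(ip_network(f"{c.server}/24", strict=False))
    return {k: len(s) for k, s in subnets.items() if len(s) >= min_subnets}


def run_detections(convs, baseline):
    return {
        "scan": detect_scans(convs),
        "long_lived_outbound": detect_long_lived_outbound(convs),
        "exfiltration": detect_exfiltration(convs, baseline),
        "worm": detect_worm_propagation(convs),
    }


# Constructed sample: a sweep of one subnet, a multi-hour outbound session, a bulk
# upload from the same host, a normal browsing host, and one host opening the same
# service port in three different subnets.
SAMPLE = (
    [Conv(100 + i, 0.1, "10.9.9.5", f"10.2.2.{i}", 445, "TCP", 60, 0) for i in range(1, 26)]
    + [Conv(200, 7200, "10.1.1.50", "198.51.100.7", 443, "TCP", 12_000, 34_000),
       Conv(300, 600, "10.1.1.50", "198.51.100.7", 443, "TCP", 750_000_000, 20_000),
       Conv(310, 30, "10.1.1.51", "203.0.113.20", 80, "TCP", 3_000_000, 8_000_000),
       Conv(400, 2, "10.4.4.9", "10.5.1.3", 445, "TCP", 500, 300),
       Conv(401, 2, "10.4.4.9", "10.6.2.7", 445, "TCP", 500, 300),
       Conv(402, 2, "10.4.4.9", "10.7.3.1", 445, "TCP", 500, 300)]
)
BASELINE = {"10.1.1.50": 50_000_000, "10.1.1.51": 50_000_000}   # learned outbound bytes per host

if __name__ == "__main__":
    for name, hits in run_detections(SAMPLE, BASELINE).items():
        print(f"{name}: {hits}")
```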
Stealthwatch
Architecture and Components
Stealthwatch Architecture

Visibility and Management: Stealthwatch Management Console
• Aggregate up to 25 FlowCollectors
• Access Documents, Perform Queries, and Tune Alarms
• Manage the System

Flow Aggregation, Analysis and Context: Stealthwatch Flow Collector, Stealthwatch Threat Feed, Cisco ISE
• Gain and Store Flow and related data
• Identity, device, reputation, threat and application feeds
• Provide threat context

Flow Exporters: Firewalls, Switches, and Routers; Stealthwatch Flow Sensor; Stealthwatch UDP Director
• NetFlow is generated by:
  • Switches, Routers, Firewalls
  • Flow Sensors in areas without flow support
• Aggregate, replicate, and forward flows to destination(s) with a UDP director
Stealthwatch System Components
• Stealthwatch Management Console (SMC)
  • Maximum 2 (HA Deployment)
• Flow Collector
  • Maximum 25
  • Statistical Analysis
• Flow Sensor
  • Uses Packet Capture to create flow
• UDP Director
  • UDP (NetFlow, Syslog, SNMP) Repeater
  • Used in HA environments
• Additional Context
  • Proxy License, ISE Integration, Threat Feed, Cloud License
[Figure: Cisco ISE (User and Device Information), Web Proxies, NetFlow enabled infrastructure (NetFlow, syslog, SNMP) and www feeds of emerging threat information feeding the Flow Collector, UDP Director, Flow Sensor and SMC]
Required Components
and Licenses
Stealthwatch: Primary Required Components
Flow Collector
• A physical or virtual appliance that aggregates and normalizes NetFlow and application data
collected from exporters such as Cisco routers, switches, and Firewalls

Stealthwatch Management Console (SMC)


• A physical or virtual appliance that aggregates, organizes, and presents analysis from Flow
Collectors, the Cisco Identity Services Engine, and other sources.

Flow Collection License


• Collection, management, and analysis of NetFlow by the Stealthwatch system is licensed on the
basis of flows per second (FPS).
Note about Stealthwatch Appliance Delivery
Each of the Stealthwatch components (SMC, Flow Collector, Flow Sensor, and
UDP Director) can be deployed either as an appliance or as a Virtual Edition.
• The Virtual Edition of each has been tested on VMware ESX version
5.0, and 5.5.

The Stealthwatch appliances are all fixed configuration platforms.


• In the event of failure, the appliance is returned to Cisco Alpharetta. These appliances are not field serviceable.
• The HDD size is fixed and storage is not configurable on any appliance.
Required: Stealthwatch Flow Collector
• Isolates the root cause in seconds for improved security incident response. Policy is monitored and Alarms are generated based on the flows analyzed here.
• Allows organizations and agencies to retain large amounts of data for extended periods of time. Database location of Flow Storage.
• Leverages multiple types of flow data (NetFlow, IPFIX, etc.) to provide cost-effective, behavior based network protection
• Performs deduplication to ensure that any flows that might have traversed more than one router are counted only once, and then stitches the flow information together
• Asymmetric Flows should be sent to the same Flow Collector when possible. Flows are stitched on the collector.

Note: Separate Flow Collectors by Flow Type
• Stealthwatch Flow Collector for NetFlow
• Stealthwatch Flow Collector for sFlow

[Figure: Flow Telemetry from Cisco Switches, Routers, and Firewalls -> Stealthwatch Flow Collector -> (https) -> Stealthwatch Management Console]
Flow Collector Options
Appliances
Model | Maximum Flows Per Second | Maximum Exporters | Flow Storage
FC 1010 | Up to 30,000 fps | 500 | 1 TB (RAID-6 Redundant)
FC 2010 | 60,000 fps | 1,000 | 2 TB (RAID-6 Redundant)
FC 4010 | 120,000 fps | 2,000 | 4 TB (RAID-6 Redundant)
FC 5020 | 240,000 fps | 4,096 | 6 TB (RAID-6 Redundant)

Virtual Editions
FC VE Model | Flows per Second | Exporters | Hosts | Reserved Memory | Reserved CPUs | Max Disk Storage
1000 | Up to 30,000 | Up to 1,000 | Up to 500,000 | 32 GB | 5 | 1 TB
2000 | Up to 60,000 | Up to 1,500 | Up to 750,000 | 64 GB | 6 | 2 TB
4000 | Up to 120,000 | Up to 2,000 | Up to 1,000,000 | 128 GB | 7 | 4 TB

Note: FC 5020 requires professional services
Flow Collector: 1010 & 2010 & 4010
[Figure: Flow Collector front and back views, 1010, 2010, & 4010]

Flow Collector: 5020 Engine & Database
Flow Collector 5020 is a 2 box solution connected via 10G SFP+ Uplink connection.
1. Engine Node: UCSC-C220-M4S (1RU)
2. Database Node: UCSC-C240-M4S2 (2RU)

Note: FC 5000 requires professional services
Flow Collector: Placement in the Network
• It must be able to communicate with the Stealthwatch Management Console

• It must be able to receive flow records from its associated exporters (Routers,
Switches, Firewalls, etc.)

• If more than 1 Flow Collector is deployed, ensure that they are placed in order to best
service the flows from the customer environment:

• Ensure data retention goals are met. Each FC is disk limited. (appliance)

• Ensure the assigned exporters can access/reach the FC.

• Think about the NetFlow traffic associated with transmitting the records to the FC.
Geographically deployed FC is a common approach.

• Think about de-duplication and stitching since this is performed per collector.
Required: Stealthwatch Management Console
• Rapidly detect and prioritize security threats, pinpoint network misuse and suboptimal performance, and manage event response across the enterprise
• Provides graphical representation of the state of the network in a clean, easy to understand format
• Displays multiple alarm categories visibly on the home dashboard, allowing operators to quickly assess the security posture of an organization
• Configures, coordinates and manages the Stealthwatch System appliances
SMC Options
Appliances
SMC Model | Rec Exporter Capacity | Max Exporter Capacity | Max Flow Collectors | Rec Host Capacity | Size | Memory | Max Disk Storage
1010 | 500 | 1000 | 5 | 300,000 | 1U | 8 GB | 1 TB
2010 | 1000 | 2000 | 25 | 600,000 | 2U | 16 GB | 2 TB

Virtual Edition
Flow Collectors | Concurrent Users | Reserved Memory | Reserved CPUs
1 | 2 | 4 GB | 2
3 | 5 | 8 GB | 3
5 | 10 | 16 GB | 4
Stealthwatch Management Console: 1010 & 2010
[Figure: Stealthwatch Management Console 1010 and 2010, front and rear views]
SMC: Placement in the Network
• It must be able to communicate with the Flow Collectors and other appliances

• It must be able to be accessed by the Stealthwatch users (Admin and Analysts)

• It will need to access other integrated solutions such as Cisco ISE

• It will need to send email, syslog, snmp, etc.


Required: Stealthwatch Flow Licenses
Flow Count | Product Number
1,000 FPS License | L-LC-FPS-1K=
10,000 FPS License | L-LC-FPS-10K=
25,000 FPS License | L-LC-FPS-25K=
50,000 FPS License | L-LC-FPS-50K=
100,000 FPS License | L-LC-FPS-100K=

Additional Product Numbers are available for Redundant FPS licenses.


Estimating FPS
• Flows Per Second (FPS) can be estimated based on the number and type of IP hosts active within the customer network
• FPS is not directly related to Bandwidth. An interface showing a current bandwidth of 1Gbps could be related to a single flow or possibly thousands of flows.
  • Long-lived vs. Short-lived network connections
  • New connections per second
• It is strongly recommended to estimate and maintain an FPS license higher than observed
• Use the FPS calculator located at: https://www.lancope.com/fps-estimator
• Request a 30-day free evaluation of the UDP director for more accurate FPS results

Host Type | FPS per Host
Server | 5
Workstation/Laptop | 1.2
Router or Switch | 75
IP Phone | 0.002
Note about Stealthwatch Licensing
Stealthwatch software features a ‘nag’ license. That means that if the FPS license installed is for 10,000 FPS and the installation records flow at an observed level higher than 10,000 FPS, a warning message will appear on the admin console and the solution will continue processing.
In the event that the FPS rate approaches the capacity of the installed hardware, the Flow Collector may stop recording flow from certain exporters.
Optional Components
and Licenses
Optional: Stealthwatch Flow Sensor
• Provides true layer 7 application visibility by gathering application information along with packet-level performance statistics
• Gathers packet-level performance statistics, which the Stealthwatch System analyzes to build a baseline of application and network performance
• Pinpoints any unusual network behavior and immediately sends an alarm with contextual intelligence
• Enhances operational efficiency and reduces costs by identifying and isolating the root cause of an issue/incident within seconds
• Flows generated by a FlowSensor are not counted against your FPS license.
[Figure: a SPAN/TAP feeding a Stealthwatch Flow Sensor, and a HyperVisor running a Stealthwatch Flow Sensor VE alongside its VMs; both send Application Information + Packet-Level Metrics to the Stealthwatch Flow Collector]
Flow Sensor: Application Awareness
[Figure: http (TCP/80) traffic identified by the Flow Sensor Appliance as FACEBOOK, INSTANT MESSENGER, or WEB]
Application Versus Service: layer-7 versus layer-4
• The Flow Sensor Appliance can perform deep-packet inspection using Application Signatures to identify the Application (Layer 7), rather than relying only on the Service Port (Layer 4)
FlowSensor: Extracting URL Data
Added Application Details (meta-data) via Deep Packet Inspection
For HTTP: Host name, path, and response code / error messages
For HTTPS: Common name and organization
Flow Sensor: Performance Statistics
• The Flow Sensor can report response time measurements.
  Example: RTT = 15 ms, SRT = 4500 ms
• RTT = Network Round Trip Time – Network Response
  • Calculated per individual TCP flow
  • Timing based on the TCP 3-way handshake setup, prior to the application layer getting involved
• SRT = Server Response Time – Application (Server) Response
  • Delay in the application server’s response after the client requests data (occurs after the 3-way handshake completes)
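The RTT/SRT split described above, as an added example (not Flow Sensor code): it derives both metrics from per-packet timestamps of a single TCP flow as a sensor on a SPAN/TAP would see them. The packet trace is constructed to reproduce the slide's 15 ms / 4500 ms figures, and the thresholds in classify() are assumptions made here.

```python
# Added example (not Flow Sensor code): derive the two response-time metrics from the deck
# out of per-packet timestamps of one TCP flow, as a sensor on a SPAN/TAP would see them.
#   RTT = client SYN -> client handshake ACK (3-way handshake, before any L7 data)
#   SRT = client's first request payload -> server's first response payload
# Each packet is (time_s, direction, flags, payload_len); direction is "c2s" or "s2c".

def rtt_srt_from_flow(packets):
    """Return (rtt_ms, srt_ms); a metric is None when the flow never reached that stage."""
    syn_t = synack_t = ack_t = request_t = response_t = None
    for t, direction, flags, payload in packets:
        if direction == "c2s" and "SYN" in flags and syn_t is None:
            syn_t = t
        elif direction == "s2c" and {"SYN", "ACK"} <= flags and synack_t is None:
            synack_t = t
        elif (direction == "c2s" and payload == 0 and "ACK" in flags
              and synack_t is not None and ack_t is None):
            ack_t = t                       # handshake complete: network RTT known
        elif direction == "c2s" and payload > 0 and request_t is None:
            request_t = t                   # application layer starts here
        elif direction == "s2c" and payload > 0 and request_t is not None and response_t is None:
            response_t = t                  # first byte of the server's answer
    rtt = round((ack_t - syn_t) * 1000, 3) if syn_t is not None and ack_t is not None else None
    srt = (round((response_t - request_t) * 1000, 3)
           if request_t is not None and response_t is not None else None)
    return rtt, srt


def classify(rtt_ms, srt_ms, rtt_threshold_ms=100.0, srt_threshold_ms=1000.0):
    """Thresholds are assumptions for this example. A slow SRT with a healthy RTT points at
    the application server rather than the network, the distinction the deck draws."""
    if srt_ms is None:
        return "no server response seen"
    if srt_ms > srt_threshold_ms and (rtt_ms is None or rtt_ms <= rtt_threshold_ms):
        return "application delay"
    if rtt_ms is not None and rtt_ms > rtt_threshold_ms:
        return "network delay"
    return "healthy"


# Constructed trace reproducing the slide's figures: RTT = 15 ms, SRT = 4500 ms.
SAMPLE_FLOW = [
    (0.000, "c2s", {"SYN"}, 0),
    (0.010, "s2c", {"SYN", "ACK"}, 0),
    (0.015, "c2s", {"ACK"}, 0),
    (0.016, "c2s", {"ACK", "PSH"}, 120),   # HTTP request
    (4.516, "s2c", {"ACK", "PSH"}, 800),   # HTTP response
]

if __name__ == "__main__":
    rtt, srt = rtt_srt_from_flow(SAMPLE_FLOW)
    print("RTT = %s ms, SRT = %s ms -> %s" % (rtt, srt, classify(rtt, srt)))
```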
Virtual Flow Sensor
• The Flow Sensor VE monitors the following types of VDS network environments:
  • A network with VLAN trunking
  • Discrete VLANs where one or more VLANs are prohibited from attaching packet monitoring devices (for example, due to local policy)
  • Private VLANs
  • ESX hosts rather than VLANs
[Diagram: Flow Sensor VE running next to VMs and the Service Console on the hypervisor, capturing from the virtual switch]
Flow Sensor Options
Appliances
                   FS 1010                      FS 2010                                                                    FS 3010                                                  FS 4010
Communications
Throughput         1.0 Gbps (512 byte packets)  2.5 Gbps (512 byte packets)                                                5.0 Gbps (512 byte packets)                              20 Gbps (512 byte packets)
                   400 Mbps (64 byte packets)   800 Mbps (64 byte packets)                                                 1.2 Gbps (64 byte packets)                               4 Gbps (64 byte packets)
Interfaces
Monitor Port       3 Cu; 10/100/1000            5; 1 GB; 5 copper, or 3 copper and 2 fiber optic (rated to monitor 2.5 Gbps)  2; 10 GB; fiber optic (rated to monitor 5 Gbps total)  4; 10 GB; fiber optic (rated to monitor 20 Gbps total)

Virtual Edition
Minimum Disk Space Requirements   Hypervisors Supported        Minimum Memory Requirements   Minimum CPU Requirements
1.4 GB                            VMware ESXi v4.x or v5.x     4 GB                          Reserved 2 GHz
Flow Sensor: 1010 & 2010
[Images: Flow Sensor 1010 front and back views; Flow Sensor 2010 front and back views]
Flow Sensor: 3010 & 4010
[Images: Flow Sensor 3010 front and back views; Flow Sensor 4010 front and back views]
Flow Sensor: Placement in the Network
• It can be placed anywhere that flow generation or the advanced Flow Sensor capabilities are desired:
  • Internet Edge: Application Identification and HTTP/HTTPS analysis
  • Datacenter Edge: Application Identification and Performance info (RTT/SRT)
  • Any blind spot in the network. Some examples:
    • Local device cannot generate flow (CPU constrained device, sFlow-only location, or otherwise incapable of generating flow)
    • Network team or 3rd party will not provide flow
    • Newly acquired network or site
Optional: UDP Director
• Receives data from any connectionless UDP application, and then retransmits it to multiple destinations, duplicating the data if required
• Directs point log data (NetFlow, sFlow, Syslog, SNMP) to a single destination without the need to reconfigure the infrastructure when new tools are added or removed
• Detailed Flow Statistics feature enables organizations to estimate flows and estimate number of flows per second (fps)
• Simplifies network security and monitoring
[Diagram: a Router, a Server and a Firewall send NetFlow/IPFIX, Syslog and SNMP to the UDP Director, which forwards them to the Stealthwatch Flow Collector, the Stealthwatch Management Console, and SIEM or monitoring tools]
* Note: Only UDPD-VE (via vMotion) and UDPD-2000 support HA
UDP Director Options
Appliances
                                   UDP Director 1010   UDP Director 2010
Packet Replication Rate (input)    25,000 pps          37,500 pps
Packet Replication Rate (output)   50,000 pps          75,000 pps

Virtual Edition
                                   UDP Director VE
Packet Replication Rate (input)    15,000 pps
Packet Replication Rate (output)   30,000 pps
Minimum Requirements               1 Virtual CPU, 3 GHz, 1 GB RAM
UDP Director: 1010 & 2010
[Images: UDP Director 1010 front and back views; UDP Director 2010 front and back views]

UDP Director: Placement in the Network
• Located between the UDP management traffic it will receive, and the management
tools set to receive these connections

• For NetFlow, it would be placed in a logical location between the Flow Exporters and
the various Flow Collectors.
Redundant UDP Director
• Clustered UDP Director model: a maximum of 2 UDP Directors are supported per cluster
• One virtual IP will be used to receive and send flows
• Configuration on the primary UDP Director will be automatically replicated to the secondary UDP Director
Stealthwatch Threat Intelligence License
• Reporting on the specific botnet name responsible for the infection
• Detection of either attempted or successful C&C communications
• Visual tagging of malicious hosts for fast identification
• Correlation of user and device information for the infected hosts to add context
• Utilization of application metadata such as HTTP URLs from Stealthwatch Flow Sensor to increase accuracy of detection
[Diagram: feed sources – Behavioral Anomaly Research, Attack Simulations, Malware Analysis, Incident Investigations, Darknet Analysis, Research Partnerships]
Optional: Proxy License
• Collects and extends visibility by processing proxy server logs.
• Enhance security context for advanced threat detection and investigation
• Improve incident response and forensics
• Reduce enterprise risk
Proxy License
• This is sold as an add-on feature and is licensed to a deployed Flow Collector
• Expanded context with proxy data (URL and user) associated to flow data
Supported Proxy Servers:
• Cisco WSA, Squid, BlueCoat, McAfee
Optional: Identity Services Engine Integration
• Stealthwatch is integrating with ISE through the Cisco Platform Exchange Grid (pxGrid)
• Cisco ISE and TrustSec deliver a wide range of identifying features, including but not limited to:
  • User Identity
  • Network Authorization
  • End Device Identification
  • Operating system and patch level
  • Device security posture
  • Which security group the user belongs to
  • Location from which the user is trying to gain access
  • How the user is trying to obtain access – i.e., wired, wireless, VPN
[Diagram: Stealthwatch Management Console exchanging data with Cisco ISE]
Stealthwatch-ISE Integration
• Flow Attribution: leverage ISE syslog to match a username to an IP address
[Diagram: the Identity Services Engine sends authentication events to the Stealthwatch Management Console via syslog (udp/3514); the Management Console sends quarantine/unquarantine instructions back to ISE via pxGrid]
The Stealthwatch Cloud License Solution
[Diagram: VPC hosts with the agent installed (Cloud VM Host, Cloud Concentrator Agent) report over TLS to a Cloud Concentrator; the Concentrator sends IPFIX/NetFlow over an encrypted tunnel to the Stealthwatch deployment]
Cloud License – How it works
• Lightweight agent deployed to cloud VMs
• Agents report activity to a Cloud Concentrator
• Concentrator sends IPFIX data to Stealthwatch Flow Collector
• Concentrator treated like standard flow exporter by FC/SMC
• Stealthwatch conducts analytics per usual
Fields collected:
• Protocol
• Source IP
• Source Port
• Destination IP
• Destination Port
• Bytes
• Packets
• Flow Start
• Flow Stop
• Direction
Cloud License: Agent Communication
• Each Agent will only communicate with the Concentrator it was created on
• Communication between Agents and Concentrator is encrypted via a certificate stamped into the Agent during the creation process
• The Agent installer is an RPM (MSI/EXE on Windows); tools able to deploy these forms of executable can deploy Cloud License Agents
• Network:
  • To create an Agent, the Concentrator requires public IP access via port 8080/tcp
  • For IPFIX export, the Concentrator requires outbound access to the UDP port used by the Flow Collector
  • For management, the Concentrator requires 22/tcp open for SSH
  • Agents communicate to the Concentrator via port 443/tcp
The Cloud License Solution
Additional Information
• No encryption between Cloud Concentrator and Stealthwatch Flow Collector
  • Recommended deployment should leverage an encrypted tunnel for Concentrator and Flow Collector communication
• 1 Concentrator per ~20k reporting agents
• Cloud License hosts do not count against Stealthwatch FPS licensing
• Works with existing implementations of Stealthwatch
  • Version 6.8
  • Version 6.7 (requires patch to correct FPS licensing)
The Cloud License Solution
Supported Deployment Options
• Host Operating Systems
  • Linux
    • CentOS 5, 6 and 7 (x64 only)
    • RedHat Enterprise Linux 5, 6 and 7 (x64 only)
  • Windows
    • In development
• Cloud Environments
  • Amazon Web Services (AWS)
The Cloud License Solution
Agent Resource Usage
• Resource usage dependent on server activity load
  • 1% CPU typical, 5% maximum
  • 128-200 MB RAM, 0.1% - 0.2% typical, ~1% worst case
  • <1 GB disk space
• Top end usage points of reference:
  • CPU: 8 cores, all at 100% utilization
  • RAM: ~20k connections, mix of active/non-active
The Cloud License Solution
Concentrator Sizing Information
Agents   Equivalent AWS Instance Type   Virtual Appliance CPU Cores   Memory (GB)   Disk (GB)   Rec Network Bandwidth
1000     c4.large                       2                             4             8           250 Mbps
2000     c4.xlarge                      4                             8             16          500 Mbps
4000     c4.2xlarge                     8                             16            32          1 Gbps
10000    c4.4xlarge                     16                            32            64          2 Gbps
20000    c4.8xlarge                     32                            64            64          4 Gbps

Stealthwatch Design Guidance
Design Guidance
• Each appliance chassis will support at least a minimum guaranteed flow volume
• Most significant metrics to consider:
  • Data Rate – The rate of FPS the Flow Collector is receiving from Flow Sensors and other Exporters (network devices)
  • Flow Storage – If historical data is needed, select a larger chassis
  • Host Count – The number of hosts (both inside and outside)
  • Exporter Count – Number of Flow Sensors or router/switch data sources each Flow Collector can accept
Sizing the Solution
• The volume of NetFlow telemetry that can be collected from the network is determined by the aggregate capacity of the Stealthwatch Flow Collector appliances.
  • Each individual appliance’s storage capacity is sized to allow for the retention of approximately 90 days of flow records at the appliance’s maximum rated FPS volume.
• Multiple Flow Collectors can, and should, be deployed to scale the system.
• The Flow Collectors are also where the NetFlow records are stored for later historical analysis.
Single Leg Deployment (Most Common)
• Single Stealthwatch Management Console and Flow Collector
• Single SMC is the most common deployment
• The Flow Collector will send its summary data to the SMC
• The SMC can be configured to receive logs, such as Syslog, from ISE
[Diagram: exporters send flow to the Flow Collector, which communicates with the SMC over HTTPS; ISE sends logs to the SMC]
Stealthwatch High Availability Design
• Stealthwatch is often deployed with no HA or redundancy since the solution is not deployed inline in the network.
• HA can be applied at the SMC layer
• FC redundancy can be accomplished at the Exporter (multiple destinations)
• HA is also available at the UDP Director layer.
Redundant SW Management Console
• The Primary SMC is Read/Write capable (used by Admin); the Secondary is Read Only
• Configuration and Data are synchronized automatically from the Primary to the Secondary
• The Flow Collector(s) will send data to both SMCs.
• ISE integration should be configured on both SMCs.
[Diagram: Primary SMC and Secondary SMC, both receiving flow data from the Flow Collector]
Redundant SMC and Regional Collectors
Requires:
• 2 SMC + SMC Support license
• Multiple FC + FC Support license
• Multiple FPS license
Note:
• The specific FC and SMC used in this scenario depends on the Flows Per Second observed in the environment.
[Diagram: Primary SMC and Secondary SMC above regional Stealthwatch Flow Collectors serving the Americas, EMEA and Asia Pacific regions over Internet/MPLS]
Redundant Flow Collection
• The flows from each flow exporter (switch, router, firewall) should be sent to both FCs.
• A UDP Director could be used instead
• Both Flow Collectors are connected with the SMC
• The Flows Per Second license value will have to be multiplied by two
[Diagram: Primary SMC and Secondary SMC above a pair of Stealthwatch Flow Collectors, each receiving flow from the Americas, EMEA and Asia Pacific regions over Internet/MPLS]
Stealthwatch Install Order
[Diagram: Install Order, labelled First, Last and Add-on, covering Stealthwatch Flow Collector, Stealthwatch Management Console, Stealthwatch Flow Sensor, UDP Director, Stealthwatch Threat Intelligence Feed, Cisco ISE and Licensed Features]
Network Requirements: Communication Ports
From (Client)    To (Server)                         Port       Protocol    Function
Admin PC         All Appliances                      TCP/443    HTTPS       Interface Access
Admin PC         All Appliances                      TCP/22     SSH         Command-Line Access
All Appliances   Network Time Source                 UDP/123    NTP         Time Sync
All Appliances   DNS Server                          UDP/53     DNS         DNS Resolution
SMC              Flow Collector                      TCP/443    HTTPS       Management Channel
SMC              Flow Sensor                         TCP/443    HTTPS       Management Channel
SMC              Flow Exporters                      UDP/161    SNMP        Retrieve Interface Name, Description, Speed
SMC              Cisco ISE                           TCP/443    HTTPS       Management Channel
SMC              Threat Feed                         TCP/443    SSL         Retrieve Threat Feed Data
SMC              Email Gateway                       TCP/25     SMTP        Email Alerts, Email Reports
SMC              3rd Party event management systems  UDP/162    SNMP-trap   SNMP Alerts
                                                     UDP/514    Syslog      Syslog Alerts
Network Requirements: Communication Ports
From (Client)       To (Server)                Port        Protocol    Function
Flow Collector      SMC                        TCP/443     HTTPS       Management Channel
Flow Sensor         SMC                        TCP/443     HTTPS       Management Channel
NetFlow Exporters   Flow Collector – NetFlow   UDP/2055    NetFlow     NetFlow Records
Flow Sensors        UDP Director
sFlow Exporters     Flow Collector – sFlow     UDP/6343    sFlow       sFlow Records
                    UDP Director
UDP Director        Flow Collector – NetFlow   UDP/2055    NetFlow     NetFlow Forwarding
                    Flow Collector – sFlow     UDP/6343    sFlow       sFlow Forwarding
                    Syslog Destination         UDP/514     Syslog      Syslog Forwarding
                    Other                      Other UDP   Other UDP   Other UDP Forwarding
Cisco ISE           SMC                        TCP/443     HTTPS       Management Channel
Cisco ISE           SMC                        UDP/3514    Syslog      Authentication Logging

Stealthwatch Deployment - Gotchas
Appliance
• Stealthwatch appliances were developed to be installed in a data center environment.
• Power outages can result in an FSCK of the base OS and a rebuild of one or both of the onboard databases.
• Conditioned power via a UPS is a good thing.
Virtual Edition
• Stealthwatch VE ships (or rather, is downloaded) as OVF files.
• All Stealthwatch VE components are tested on several builds of VMware.
• VE installation instructions call for VMware resource reservation to be used.