What is StealthWatch: Its Working, Uses and How It Increases Visibility Over the Network Infrastructure

StealthWatch, as the name suggests, is a watching/analysing device that works in stealth, i.e. hidden from the hosts it observes. It sits behind the scenes, is never inline in the traffic path and needs no agent on the endpoints, and it analyses the complete traffic flow passing through the switches, routers and other network devices.

StealthWatch is a network flow analysis and visibility tool used for in-depth analysis of network traffic flows. It is not only IT companies that need this; every industry that runs a network of any real size should implement such a tool, because flow data is the one record of who talked to whom that an attacker on a compromised endpoint cannot switch off.

Because it works from flow data (who talked to whom, on which ports, how much and when), StealthWatch can identify attacks that show up as traffic patterns: DoS attacks, scanning, brute force attempts, unusually large or unexpected data transfers (insecure or unauthorised data movement) and communication with known bad hosts. It is equally useful for detecting an insider doing something malicious, which is nothing but an Insider Threat. One caveat: plain flow records carry no packet payload, so a payload-level attack such as an injection attack is only visible where a Flow Sensor with deep packet inspection (described below) or a separate IDS is in place.


What is StealthWatch
What is Netflow
What is Flow
When is Flow Record Exported
Flow Collection and Deduplication
StealthWatch Components
·         Flow Sensor
·         Flow Collector
·         StealthWatch Management Console
·         UDP Director/ Flow Replicator
·         IDentity
·         SLIC Threat Feed

What is StealthWatch?

StealthWatch is a hardware or virtual appliance from Cisco (originally developed by Lancope, which Cisco acquired) for defense-in-depth network traffic flow analysis. It works by collecting flow records from the network devices, analysing them completely, building patterns and baselines, correlating them, and giving visibility of the complete path of a conversation through the network. It is built on the NetFlow protocol and its standardised successor, IPFIX.

So, what is NetFlow?

NetFlow is a network protocol developed by Cisco for collecting IP traffic information and monitoring network traffic. By analysing flow data, a picture of network traffic flow and volume can be built. Using a NetFlow collector and analyser, you can see where network traffic is coming from and going to and how much traffic is being generated. The IETF later standardised the NetFlow v9 design as IPFIX (IP Flow Information Export, RFC 7011), the vendor-neutral successor of NetFlow, which adds capabilities NetFlow does not have, such as variable-length fields and enterprise-specific information elements.

We have been talking about flow, NetFlow, IPFIX and other things. So, what is a flow?

1) A network flow is a unidirectional sequence of packets that share common characteristics: in NetFlow, the same source and destination IP, source and destination port, IP protocol, type of service and input interface (the flow key).
2) Each flow is held on the exporting router or switch as one cache entry with packet and byte counters; the record, not the packets, is what gets exported, which is why flow data is far cheaper to collect and store than full packet capture.
3) Flow tells you how your network is being used.
4) Flow can provide a 24x7 complete account of all the communications occurring across your organisation's network environment.
5) Flow provides visibility of addresses (src, dst), port numbers, protocol, timestamps and packet and byte counts, but not packet payload.

There are different flow formats: NetFlow, J-Flow (Juniper), cflowd, sFlow, IPFIX and so on. Each vendor has its own name and protocol, though most are variations on the same idea; sFlow differs in that it samples packets rather than counting every one, so its counters are estimates.

There are different versions of NetFlow:

NetFlow v5: a fixed-format record with a standard set of fields such as source and destination IP, port numbers, timestamps, protocol, TCP flags and packet/byte counters. IPv4 only and no templates, so exporter and collector agree on the layout in advance.

NetFlow v9: template-based "next generation" flow format found in most modern NetFlow exporters. The exporter first sends a template describing which fields follow, so a record can carry IPv6, MPLS, multicast, MAC addresses and many other fields. Cisco's Flexible NetFlow feature is built on v9 and lets the administrator choose which fields go in the record.

IPFIX: the IETF standard derived from v9, with the same template mechanism plus variable-length fields and enterprise-specific elements.

Fields in a typical NetFlow record:
·   Source and destination IP
·   Source and destination port
·   IP protocol and TCP flags
·   Start time
·   End time
·   MAC address (v9/IPFIX only)
·   Packet count and byte count, etc.
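Because v5 is a fixed-format record, a collector can parse it with nothing more than the field layout. The following Python is an added example, not code from this post or from StealthWatch: it packs two constructed flow records into a NetFlow v5 export datagram the way an exporter would, then parses that datagram back, with the bounds checks a collector must do before trusting the header's count field. Addresses, ports and counter values are made up.

```python
from __future__ import annotations
import struct
from dataclasses import dataclass
from ipaddress import IPv4Address

# NetFlow v5 wire layout (network byte order): a 24-byte header followed by
# up to 30 fixed 48-byte records. The field order is fixed by the protocol.
V5_HEADER = struct.Struct("!HHIIIIBBH")  # version, count, sys_uptime_ms, unix_secs,
                                         # unix_nsecs, flow_sequence, engine_type,
                                         # engine_id, sampling_interval
V5_RECORD = struct.Struct("!IIIHHIIIIHHBBBBHHBBH")
V5_MAX_RECORDS = 30


@dataclass(frozen=True)
class FlowRecord:
    """The subset of v5 fields an analyst usually works with."""
    src: str
    dst: str
    sport: int
    dport: int
    proto: int        # IP protocol number: 6 = TCP, 17 = UDP
    packets: int
    octets: int
    first_ms: int     # sysUptime (ms) at the first packet of the flow
    last_ms: int      # sysUptime (ms) at the last packet of the flow
    tcp_flags: int    # cumulative OR of the TCP flags seen in the flow


def build_v5(records: list[FlowRecord], sys_uptime_ms: int = 120_000,
             unix_secs: int = 1_700_000_000, flow_seq: int = 0) -> bytes:
    """Construct the datagram an exporter would send (used as test input)."""
    if len(records) > V5_MAX_RECORDS:
        raise ValueError("a v5 datagram carries at most 30 records")
    header = V5_HEADER.pack(5, len(records), sys_uptime_ms, unix_secs, 0,
                            flow_seq, 0, 0, 0)
    body = b"".join(
        V5_RECORD.pack(int(IPv4Address(r.src)), int(IPv4Address(r.dst)),
                       0,                            # next hop
                       1, 2,                         # input / output ifIndex
                       r.packets, r.octets, r.first_ms, r.last_ms,
                       r.sport, r.dport,
                       0, r.tcp_flags, r.proto, 0,   # pad1, flags, proto, tos
                       0, 0, 24, 24, 0)              # src/dst AS, masks, pad2
        for r in records)
    return header + body


def parse_v5(datagram: bytes) -> list[FlowRecord]:
    """Parse a v5 export datagram, refusing anything the header does not cover."""
    if len(datagram) < V5_HEADER.size:
        raise ValueError("datagram shorter than a v5 header")
    version, count, *_ = V5_HEADER.unpack_from(datagram, 0)
    if version != 5:
        raise ValueError(f"not NetFlow v5 (version={version})")
    if count > V5_MAX_RECORDS:
        raise ValueError(f"implausible record count {count}")
    needed = V5_HEADER.size + count * V5_RECORD.size
    if len(datagram) < needed:
        # Truncated datagram: do not parse partial records out of it.
        raise ValueError(f"short datagram: {len(datagram)} < {needed} bytes")
    records = []
    for i in range(count):
        off = V5_HEADER.size + i * V5_RECORD.size
        (srcaddr, dstaddr, _nexthop, _inp, _out, pkts, octets, first, last,
         sport, dport, _pad1, flags, proto, _tos, _sas, _das, _smask, _dmask,
         _pad2) = V5_RECORD.unpack_from(datagram, off)
        records.append(FlowRecord(str(IPv4Address(srcaddr)), str(IPv4Address(dstaddr)),
                                  sport, dport, proto, pkts, octets, first, last, flags))
    return records


# Constructed sample: an SSH session (SYN, ACK, PSH and FIN seen) and one DNS query.
SAMPLE_RECORDS = [
    FlowRecord("10.0.0.5", "10.0.0.9", 51234, 22, 6, 42, 5120, 100_000, 118_000, 0x1B),
    FlowRecord("10.0.0.5", "10.0.0.53", 53001, 53, 17, 1, 70, 119_000, 119_000, 0x00),
]
SAMPLE_DATAGRAM = build_v5(SAMPLE_RECORDS)

if __name__ == "__main__":
    for r in parse_v5(SAMPLE_DATAGRAM):
        print(f"{r.src}:{r.sport} -> {r.dst}:{r.dport} proto={r.proto} "
              f"pkts={r.packets} bytes={r.octets} flags=0x{r.tcp_flags:02x}")
```

The count check matters in practice: the collector listens on UDP, so anyone who can reach that port can send it a datagram, and a parser that trusts the count field without comparing it to the datagram length is the classic way to crash a collector.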

So, explaining briefly:

When two computers on the network begin to communicate, their packets cross one or more switches or routers. Each of those devices keeps a flow cache: the first packet of a new 5-tuple creates an entry, and every further packet matching it only increments the counters. The device does not forward the packets to anyone for analysis; it exports the flow record to an intelligent database on the network called the flow collector, which stores the records in tables for later querying.

A flow record is exported from the cache when one of the following happens:
·  End of flow: a packet carrying the TCP FIN or RST flag terminates the flow.
·  Inactive timeout: the flow has seen no packets for longer than the inactive timeout (15 seconds, which is both the IOS default and the value Cisco recommends for StealthWatch).
·  Active timeout: the flow has been active for longer than the active timeout, so long-lived connections are reported in slices instead of only at the end. Cisco recommends 1 minute for StealthWatch; the IOS default is 30 minutes, which would delay visibility of a long-running transfer by half an hour, so check this setting on every exporter.
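To make the three export triggers concrete, here is an added Python model of an exporter's flow cache (written for this post as an illustration, not Cisco's implementation; the 60 s active and 15 s inactive timeouts are the StealthWatch-recommended values assumed above). It is fed a constructed packet sequence: a short SSH session that ends with FIN, a 130-second download that gets sliced by the active timeout, and a DNS query with no reply that ages out.

```python
from __future__ import annotations
from dataclasses import dataclass

TCP_FIN, TCP_RST, TCP_PSH, TCP_ACK = 0x01, 0x04, 0x08, 0x10
ACTIVE_TIMEOUT_S = 60     # StealthWatch-recommended exporter setting (assumed)
INACTIVE_TIMEOUT_S = 15


@dataclass
class CachedFlow:
    key: tuple            # (src, dst, sport, dport, proto): one direction only
    first: float          # time of the first packet
    last: float           # time of the most recent packet
    packets: int = 0
    octets: int = 0
    flags: int = 0        # cumulative OR of TCP flags


class FlowCache:
    """Minimal model of an exporter's flow cache.

    One entry per unidirectional 5-tuple. An entry is exported (and dropped)
    on TCP FIN/RST, when idle longer than the inactive timeout, or when it
    has existed longer than the active timeout.
    """

    def __init__(self, active=ACTIVE_TIMEOUT_S, inactive=INACTIVE_TIMEOUT_S):
        self.active, self.inactive = active, inactive
        self.cache: dict[tuple, CachedFlow] = {}
        self.exported: list[tuple[str, float, CachedFlow]] = []   # (reason, time, record)

    def packet(self, ts, src, dst, sport, dport, proto, length, flags=0):
        """Account one packet seen at time ts (seconds)."""
        self.expire(ts)            # timeouts are evaluated as time advances
        key = (src, dst, sport, dport, proto)
        flow = self.cache.get(key)
        if flow is None:
            flow = self.cache[key] = CachedFlow(key, ts, ts)
        flow.last = ts
        flow.packets += 1
        flow.octets += length
        flow.flags |= flags
        if proto == 6 and flags & (TCP_FIN | TCP_RST):
            self._export("end-of-flow", ts, key)

    def expire(self, now):
        """Export every entry whose inactive or active timeout has passed."""
        for key, flow in list(self.cache.items()):
            if now - flow.last > self.inactive:
                self._export("inactive-timeout", now, key)
            elif now - flow.first > self.active:
                # Long-lived flow: export what we have; the next packet starts a new record.
                self._export("active-timeout", now, key)

    def _export(self, reason, ts, key):
        self.exported.append((reason, ts, self.cache.pop(key)))


def simulate() -> list[tuple[str, float, CachedFlow]]:
    """Run the constructed packet sequence through the cache."""
    events = []
    # SSH session 10.0.0.5 -> 10.0.0.9: three data packets, then FIN/ACK at t=0.3
    for t in (0.0, 0.1, 0.2):
        events.append((t, "10.0.0.5", "10.0.0.9", 51234, 22, 6, 120, TCP_PSH | TCP_ACK))
    events.append((0.3, "10.0.0.5", "10.0.0.9", 51234, 22, 6, 60, TCP_FIN | TCP_ACK))
    # HTTPS download 10.0.0.7 -> 203.0.113.10: one packet every 5 s for 130 s
    for i in range(27):
        events.append((i * 5.0, "10.0.0.7", "203.0.113.10", 44000, 443, 6, 1400, TCP_ACK))
    # DNS query with no reply at t=1.0
    events.append((1.0, "10.0.0.5", "10.0.0.53", 53001, 53, 17, 70, 0))

    cache = FlowCache()
    for ev in sorted(events, key=lambda e: e[0]):
        cache.packet(*ev)
    cache.expire(200.0)        # time passes with no further traffic
    return cache.exported


if __name__ == "__main__":
    for reason, ts, rec in simulate():
        print(f"t={ts:6.1f} {reason:17s} {rec.key[0]}:{rec.key[2]} -> "
              f"{rec.key[1]}:{rec.key[3]} pkts={rec.packets} bytes={rec.octets}")
```

Running it shows why the active timeout matters for detection: the 130-second download arrives at the collector as three records (at 65 s, 130 s and the final inactive export), so a large transfer is visible within a minute of starting; with the IOS default of 30 minutes the first record would only appear after the transfer had finished.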

Flow Collection and Deduplication:

For example, suppose I send a packet "X". In a network infrastructure a packet on its way from source to destination passes through several network devices, and each of them records the flow that "X" belongs to. If every exporter on the path reports that flow, the collector would count "X" several times and overstate the traffic volume. To avoid this, StealthWatch uses flow collection (stitching) and deduplication.

Flow Collection or Stitching: the process of combining the unidirectional flows reported by one or more network devices into the logical bidirectional conversation (client to server and server back to client) that actually occurred.

Deduplication: many conversations are asymmetric, i.e. the request and the reply take different paths and are seen by different exporters, while other conversations are seen by several exporters on the same path. Deduplication recognises records that describe the same packets and counts them once, so traffic reporting is accurate regardless of the number of devices the flow traverses.
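The following Python is an added illustration of those two steps (written for this post; it is not the algorithm StealthWatch ships, whose heuristics are not public). It takes constructed unidirectional records from two exporters, "core-sw" and "edge-rtr", deduplicates them by taking the maximum rather than the sum of the counters for the same unidirectional key, then stitches the two directions into one conversation. The client/server decision rests on the assumption that the lower port number is the service side.

```python
from __future__ import annotations
from dataclasses import dataclass, field


@dataclass
class UniFlow:
    """One unidirectional record as an exporter reports it."""
    exporter: str
    src: str
    dst: str
    sport: int
    dport: int
    proto: int
    packets: int
    octets: int
    first: float
    last: float

    @property
    def key(self):
        return (self.src, self.dst, self.sport, self.dport, self.proto)


@dataclass
class Conversation:
    """A stitched bidirectional conversation."""
    client: str
    server: str
    server_port: int
    proto: int
    client_packets: int = 0
    client_octets: int = 0
    server_packets: int = 0
    server_octets: int = 0
    exporters: set[str] = field(default_factory=set)


# Constructed input. Conversation 1 (SSH) passes through both exporters, so
# both report both directions. Conversation 2 (HTTPS) is asymmetric: the
# request path crosses both devices, the reply path only the core switch.
RECORDS = [
    UniFlow("core-sw",  "10.0.0.5", "10.0.0.9", 51234, 22, 6, 10, 1200, 0.0, 2.0),
    UniFlow("core-sw",  "10.0.0.9", "10.0.0.5", 22, 51234, 6,  8,  900, 0.0, 2.0),
    UniFlow("edge-rtr", "10.0.0.5", "10.0.0.9", 51234, 22, 6, 10, 1200, 0.1, 2.1),
    UniFlow("edge-rtr", "10.0.0.9", "10.0.0.5", 22, 51234, 6,  8,  900, 0.1, 2.1),
    UniFlow("core-sw",  "10.0.0.7", "203.0.113.10", 44000, 443, 6, 5, 600, 5.0, 6.0),
    UniFlow("edge-rtr", "10.0.0.7", "203.0.113.10", 44000, 443, 6, 5, 600, 5.0, 6.0),
    UniFlow("core-sw",  "203.0.113.10", "10.0.0.7", 443, 44000, 6, 4, 3000, 5.1, 6.1),
]


def naive_packet_total(records: list[UniFlow]) -> int:
    """What a collector reports if it simply sums every record it receives."""
    return sum(r.packets for r in records)


def deduplicate(records: list[UniFlow], window: float = 1.0) -> list[UniFlow]:
    """Collapse records that describe the same packets seen at different hops.

    Two records are duplicates when they share the unidirectional key and their
    start times lie within `window` seconds (the hops see the same packets a
    few milliseconds apart). Counters are merged with max(), never sum().
    """
    merged: dict[tuple, UniFlow] = {}
    for r in sorted(records, key=lambda r: r.first):
        m = merged.get(r.key)
        if m is not None and abs(r.first - m.first) <= window:
            m.packets = max(m.packets, r.packets)
            m.octets = max(m.octets, r.octets)
            m.last = max(m.last, r.last)
            m.exporter = m.exporter + "," + r.exporter
        else:
            merged[r.key] = UniFlow(**vars(r))
    return list(merged.values())


def stitch(records: list[UniFlow]) -> list[Conversation]:
    """Join the two directions of each conversation into one record."""
    convs: dict[tuple, Conversation] = {}
    for r in records:
        # Assumption: the lower port number is the service side.
        if r.dport < r.sport:
            client, server, srv_port, from_client = r.src, r.dst, r.dport, True
        else:
            client, server, srv_port, from_client = r.dst, r.src, r.sport, False
        key = (client, server, srv_port, r.proto)
        c = convs.setdefault(key, Conversation(client, server, srv_port, r.proto))
        if from_client:
            c.client_packets += r.packets
            c.client_octets += r.octets
        else:
            c.server_packets += r.packets
            c.server_octets += r.octets
        c.exporters.update(r.exporter.split(","))
    return list(convs.values())


if __name__ == "__main__":
    print("naive packet total:", naive_packet_total(RECORDS))
    for c in stitch(deduplicate(RECORDS)):
        print(f"{c.client} -> {c.server}:{c.server_port}  "
              f"client {c.client_packets} pkts / {c.client_octets} B, "
              f"server {c.server_packets} pkts / {c.server_octets} B, "
              f"seen by {sorted(c.exporters)}")
```

The naive sum reports 50 packets for traffic that was really 27; a data-exfiltration alarm based on such inflated counters would fire at the wrong threshold, and a host reported as "seen by" only one exporter tells the analyst the reply path bypasses the other device.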

Finally, let's go to the important components of StealthWatch. Some of them are optional and not mandatory to implement; those are deployed according to the usage and the network infrastructure in your company.

StealthWatch Components:

There are a total of 6 major components in StealthWatch.
·         Flow Sensor
·         Flow Collector
·         StealthWatch Management Console
·         UDP Director/ Flow Replicator (optional)
·         IDentity (optional)
·         StealthWatch Labs Intelligence Center (SLIC) Threat Feed (optional)

  1)  Flow Sensor in StealthWatch:
It is a hardware appliance or virtual appliance that creates flow data in environments where NetFlow is not available, for example on switches that cannot export NetFlow or inside a hypervisor. Because it sees the actual packets rather than only the counters, the Flow Sensor also delivers performance analysis and deep packet inspection. All the flow data produced by the Flow Sensors is sent to the Flow Collector.

Note: environments in which the network devices already export NetFlow need not implement Flow Sensors.

A Flow Sensor connects to the existing infrastructure via one of the following:
          1) Switch Port Analyzer (SPAN) session
          2) Mirror port
          3) Ethernet Test Access Port (TAP)

Points to note:

·  The Flow Sensor VE (virtual edition) generates flow records for traffic between virtual hosts inside a VMware server, i.e. east-west traffic that never reaches a physical switch and would otherwise be invisible. It scales dynamically based on the resources allocated.

·  The Flow Sensor gathers application-level information along with packet-level visibility:
§  Deep Packet Inspection (DPI)
§  Behaviour analysis
§  True Layer 7 application visibility
§  Performance metrics like RTT, SRT and packet loss for TCP sessions

·   Identifies applications and protocols even when the traffic is:
                   plain text
                   encrypted
                   using obfuscation techniques (e.g. a known application on a non-standard port)

·  Application details:
                   Server Response Time (SRT)
                   Round Trip Time (RTT)
                   Mean Time To Know (MTTK)

·  Packet-level metrics:
                   header data
                   packet payload (the Flow Sensor is the only component that sees payload; NetFlow exported by a switch does not)

  2)  Flow Collector in StealthWatch:
·  Aggregates flow data from multiple networks or network segments; it is the destination the exporters and Flow Sensors send their records to.
·  Stitches and deduplicates the records, stores them for later retrieval and analyses them.
·  Sends its results (flow tables, statistics, alarms) to the StealthWatch Management Console and takes its configuration and policies from the SMC.
·  Raises an alarm if any unusual activity is detected, e.g. a host's Concern Index crossing its threshold.
·  Can be either a virtual appliance or a hardware device.

  3)  StealthWatch Management Console (SMC):
·  Centralised location for summary data, alarms, policy, management and data collection
·  Translates raw data into reports and graphical representations
·  Manages, coordinates, configures and organises the data from all Flow Collectors
·  Identifies applications and protocols and displays the information
·  It is the main dashboard of StealthWatch and the component an analyst normally logs in to

  4)  UDP Director/ Flow Replicator (optional):
·  Simplifies the management of UDP data streams such as NetFlow, sFlow, syslog and SNMP traps
·  Receives them from multiple network and security devices at a single address and forwards copies to every consumer that needs them, including the Flow Collector, a SIEM or a second collector
·  Aggregates and provides a single destination for UDP data and allows distribution of it across the organisation: every switch exports to one address, so adding, replacing or moving a collector no longer means reconfiguring every exporter
·  High-speed, high-performance appliance that simplifies the collection of network and security data across your network
·  Reduces points of failure: a change to one consumer cannot break collection for the others. Note that the director itself then sits in the path of all your telemetry, so deploy it redundantly
·  Provides a single destination for all UDP formats on the network, including NetFlow, SNMP and syslog
·  Reduces network congestion, since each exporter sends one copy instead of one copy per consumer

  5)  IDentity in StealthWatch (optional):
·  Requires no agent on the endpoints and no service running on the identity or authentication server
·  Correlates user names with IP addresses using information obtained from DHCP and Active Directory sources (DHCP lease events tie an address to a machine, AD logon events tie the machine to a user)
·  Multiple administrators can access this data simultaneously, so both the network team and the security response team can work from it
·  Identity data can be obtained from the StealthWatch IDentity appliance or through Cisco Identity Services Engine (ISE)
·  IDentity is a hardware (physical) appliance only
·  Supports VPN address pools, DHCP addressing within network segments and large dynamic pools of remote access devices, where the same IP address is used by different people over the course of a day. The correlation therefore has to be time-aware: a flow is attributed to whoever held the address at the time of the flow, not whoever holds it now
·  Provides a direct link between individual users and specific network events
·  Integrates user information with the network traffic statistics produced by NetFlow and sFlow enabled switches
·  Automatically connects any network event with the user or users who caused it, so an analyst can:
·         search by username or IP address
·         run flow queries
·         generate reports
·         obtain a user snapshot of network activity
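As an added illustration of the DHCP plus Active Directory correlation (my own example, not the IDentity appliance's logic or log formats), the Python below parses constructed DHCP lease events and AD logon events (EventID 4624) for one address that is leased first to alice's machine and later to bob's, and resolves a flow's source IP to a user as of the flow's own timestamp. The log line format is invented for the example.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime

# Constructed logs (format invented for this example).
DHCP_LOG = """\
2024-03-01T08:00:00 DHCPACK ip=10.0.0.5 mac=aa:aa:aa:aa:aa:01
2024-03-01T12:00:00 DHCPRELEASE ip=10.0.0.5 mac=aa:aa:aa:aa:aa:01
2024-03-01T12:30:00 DHCPACK ip=10.0.0.5 mac=bb:bb:bb:bb:bb:02
"""
AD_LOG = """\
2024-03-01T08:00:10 EventID=4624 user=alice ip=10.0.0.5
2024-03-01T12:31:00 EventID=4624 user=bob ip=10.0.0.5
"""


def _kv(s: str) -> dict[str, str]:
    """Parse 'a=b c=d' into a dict."""
    return dict(pair.split("=", 1) for pair in s.split())


@dataclass
class Lease:
    ip: str
    mac: str
    start: datetime
    end: datetime | None = None   # None = still active


@dataclass
class Logon:
    ip: str
    user: str
    at: datetime


def parse_dhcp(text: str) -> list[Lease]:
    """Turn DHCPACK/DHCPRELEASE lines into lease intervals per IP."""
    leases: list[Lease] = []
    for line in text.splitlines():
        ts, event, rest = line.split(" ", 2)
        at, kv = datetime.fromisoformat(ts), _kv(rest)
        current = next((ls for ls in leases if ls.ip == kv["ip"] and ls.end is None), None)
        if event == "DHCPACK":
            if current is not None and current.mac != kv["mac"]:
                current.end = at       # address moved to another machine without a release
                current = None
            if current is None:
                leases.append(Lease(kv["ip"], kv["mac"], at))
        elif event == "DHCPRELEASE" and current is not None:
            current.end = at
    return leases


def parse_ad(text: str) -> list[Logon]:
    """Keep successful logons (EventID 4624) with the client address."""
    logons = []
    for line in text.splitlines():
        ts, rest = line.split(" ", 1)
        kv = _kv(rest)
        if kv.get("EventID") == "4624":
            logons.append(Logon(kv["ip"], kv["user"], datetime.fromisoformat(ts)))
    return logons


def resolve_user(ip: str, at: datetime, leases: list[Lease], logons: list[Logon]) -> str | None:
    """Who held `ip` at time `at`? None if nobody provably did."""
    lease = next((ls for ls in leases
                  if ls.ip == ip and ls.start <= at and (ls.end is None or at < ls.end)), None)
    if lease is None:
        return None
    # Only logons inside the same lease count: an earlier user of the address
    # must not be blamed for traffic after the address changed hands.
    candidates = [lg for lg in logons if lg.ip == ip and lease.start <= lg.at <= at]
    return max(candidates, key=lambda lg: lg.at).user if candidates else None


LEASES, LOGONS = parse_dhcp(DHCP_LOG), parse_ad(AD_LOG)


def attribute_flow(src_ip: str, ts: str) -> str | None:
    """Attribute a flow's source address to a user as of the flow timestamp."""
    return resolve_user(src_ip, datetime.fromisoformat(ts), LEASES, LOGONS)


if __name__ == "__main__":
    for ts in ("2024-03-01T09:00:00", "2024-03-01T12:15:00", "2024-03-01T13:00:00"):
        print(ts, "10.0.0.5 ->", attribute_flow("10.0.0.5", ts))
```

The 12:15 flow resolves to nobody, not to alice: her lease was released at 12:00. A naive "last logon seen from this IP" lookup would pin her to traffic from a machine she no longer had, which is exactly the mistake an investigation must avoid.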

  6)  StealthWatch Labs Intelligence Center (SLIC) Threat Feed (optional):
·  Uses global threat intelligence and correlates it with data from the StealthWatch system to provide network and security context for detecting new and emerging malware threats
·  Aggregates emerging threat information from around the world
·  Adds an additional layer of protection against botnet command and control (C&C) servers and other attacks
·  Detects:
o   attempted or successful botnet communication (an internal host contacting a feed-listed C&C address)
o   Internet scanning activity against your address space
o   backscatter from DDoS attacks (replies to spoofed packets that used your addresses as their source)
·  Working:
o   correlates flow data with the global threat feed
o   monitors customer networks for communication with C&C servers
o   adds new botnets to its radar as they are identified
o   pinpoints the specific port, protocol and URL used
o   generates alarms and Concern Index events (the Concern Index is the per-host score StealthWatch accumulates from suspicious events; an alarm fires when it crosses the host's threshold)
·  Requires the SMC to reach the SLIC feed over HTTP/HTTPS in order to download updates
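The following Python is an added example of the correlation described above, written for this post (it is not SLIC's feed format or StealthWatch's scoring, which are proprietary; the point values and threshold are assumptions). It runs constructed flow records against a constructed feed of C&C addresses from the TEST-NET ranges, adds a simple scan heuristic (many distinct destination ports from one source, each as a single SYN-only packet), accumulates a per-host Concern Index and raises an alarm when a host crosses the threshold.

```python
from __future__ import annotations
from collections import defaultdict
from dataclasses import dataclass

TCP_SYN = 0x02
TCP_ACK = 0x10


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    proto: int
    packets: int
    octets: int
    tcp_flags: int


# Constructed threat feed: addresses playing the role of known C&C servers.
CC_FEED = {"203.0.113.66", "198.51.100.23"}

# Constructed flows for one five-minute window.
FLOWS = [
    # normal web browsing from .5
    Flow("10.0.0.5", "198.51.100.200", 443, 6, 40, 18000, TCP_SYN | TCP_ACK),
    # .5 beacons to a feed-listed C&C address, twice
    Flow("10.0.0.5", "203.0.113.66", 8443, 6, 6, 900, TCP_SYN | TCP_ACK),
    Flow("10.0.0.5", "203.0.113.66", 8443, 6, 6, 880, TCP_SYN | TCP_ACK),
    # .7 talks SSH to the server .9; nothing wrong here
    Flow("10.0.0.7", "10.0.0.9", 22, 6, 30, 4000, TCP_SYN | TCP_ACK),
] + [
    # .12 sweeps ports 1..25 on .9 with single SYN packets
    Flow("10.0.0.12", "10.0.0.9", p, 6, 1, 60, TCP_SYN) for p in range(1, 26)
]

# Assumed scoring (StealthWatch's real weights are not public).
POINTS_CC_CONTACT = 50
POINTS_PORT_SCAN = 60
SCAN_MIN_PORTS = 20
ALARM_THRESHOLD = 100


def score(flows: list[Flow], feed: set[str]) -> tuple[dict[str, int], list[str]]:
    """Return (Concern Index per source host, list of CI event descriptions)."""
    ci: dict[str, int] = defaultdict(int)
    events: list[str] = []
    syn_only_ports: dict[tuple[str, str], set[int]] = defaultdict(set)

    for f in flows:
        if f.dst in feed:
            ci[f.src] += POINTS_CC_CONTACT
            events.append(f"{f.src} contacted C&C {f.dst}:{f.dport}")
        # SYN without ACK in a one-packet flow is a probe, not a conversation
        if f.proto == 6 and f.tcp_flags & TCP_SYN and not f.tcp_flags & TCP_ACK and f.packets == 1:
            syn_only_ports[(f.src, f.dst)].add(f.dport)

    for (src, dst), ports in syn_only_ports.items():
        if len(ports) >= SCAN_MIN_PORTS:
            ci[src] += POINTS_PORT_SCAN
            events.append(f"{src} scanned {len(ports)} ports on {dst}")
    return dict(ci), events


def alarms(flows: list[Flow], feed: set[str], threshold: int = ALARM_THRESHOLD) -> list[str]:
    """Hosts whose Concern Index reached the alarm threshold."""
    ci, _ = score(flows, feed)
    return sorted(host for host, points in ci.items() if points >= threshold)


if __name__ == "__main__":
    ci, events = score(FLOWS, CC_FEED)
    for e in events:
        print("CI event:", e)
    print("concern index:", ci)
    print("alarms:", alarms(FLOWS, CC_FEED))
```

With the assumed weights only 10.0.0.5 alarms: two C&C contacts reach the threshold, while the single port sweep by 10.0.0.12 stays below it and only raises its index. Tuning the threshold per host group (servers, user subnets, scanners you own) is what keeps this kind of scoring from drowning the analyst in alarms.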


StealthWatch provides visibility over all the network devices present in your infrastructure. It should be implemented as part of a defense-in-depth strategy: it does not block anything by itself, but it identifies malicious activity by users and hosts early enough for the security team to respond and limit the damage to the organisation. I do not recommend it for small-scale organisations because it is not cost-effective at that size. Medium and large organisations should implement StealthWatch in their infrastructure to protect their network from external attackers as well as insider threats.


Bhanu Namikaze

Bhanu Namikaze is an Ethical Hacker, Security Analyst, Blogger, Web Developer and a Mechanical Engineer. He Enjoys writing articles, Blogging, Debugging Errors and Capture the Flags. Enjoy Learning; There is Nothing Like Absolute Defeat - Try and try until you Succeed.
