Collect and Analyze NetFlow, IPFIX and sFlow with the StealthWatch FlowCollector
Lancope's StealthWatch FlowCollector appliance leverages NetFlow (from Cisco, Juniper), IPFIX, or sFlow (from HP ProCurve, Brocade) to provide cost-effective, behavior-based network protection and high performance levels for distributed enterprise environments.
The FlowCollector appliance aggregates high-speed network behavior data from multiple networks or network segments to deliver end-to-end protection and improve performance across geographically dispersed networks. It provides a cost-effective solution for organizations seeking to protect internal resources while delivering an optimal user experience and safely maintaining trusted relationships with customers, partners and other third-party networks. The FlowCollector is available as a physical or virtual appliance.
Read the StealthWatch FlowCollector datasheet.
The StealthWatch FlowCollector provides the following features to cost-effectively optimize security, network and application performance across the enterprise:
Leverages existing investment in NetFlow, IPFIX and sFlow technology
StealthWatch gathers traffic information from NetFlow-, IPFIX- or sFlow-enabled routers and switches. Most layer 3 enabled network devices are already equipped to export NetFlow, IPFIX or sFlow traffic; the network engineer need only enable and utilize this powerful technology. No additional hardware, sensor technology, inline device or software agent is required. In addition to leveraging existing infrastructure to provide in-depth visibility into the internal network, the FlowCollector can also conduct behavioral analytics on data from perimeter-based technologies such as firewalls. Integrating internal and external monitoring provides greater contextual awareness for improved network and security operations.
Stops threats that are visible only at the enterprise level
The StealthWatch FlowCollector monitors traffic across hundreds of network segments simultaneously, providing the ability to spot suspicious network behavior that only becomes apparent at the enterprise level. For example, the FlowCollector employs a sophisticated correlation technology called "Worm Tracker," which visually graphs the spread of a worm or virus throughout the network from node to node, providing instant visibility into the scope and impact of a worm outbreak. StealthWatch can also detect sophisticated threats including advanced malware, DDoS attacks, APTs and insider threats.
Provides real-time traffic analysis for billing, bandwidth accounting, and network performance troubleshooting
NetFlow analysis allows for extremely fine-grained traffic reporting and accounting. Where SNMP polling falls short, NetFlow excels. StealthWatch utilizes NetFlow (or other flow data) to its fullest extent, providing top talkers, services and conversations on both a real-time and historical basis for each NetFlow-, IPFIX- or sFlow-enabled router and switch interface active on the network. The StealthWatch FlowCollector enables traffic accounting, historical trending and troubleshooting capabilities not found in any other flow-based technology available today.
Works in extremely high-speed environments
Since StealthWatch FlowCollectors rely on NetFlow-, IPFIX- or sFlow-capable network devices as well as StealthWatch FlowSensors to generate traffic flow information, they do not have to perform both traffic generation and behavioral analysis at the same time. The result is extremely rapid detection and response for networks operating at speeds exceeding 10Gb per second.
| Features | Network | Security |
|---|---|---|
| Automatic baselining of all IP traffic | X | X |
| Automatic anomaly detection in traffic/host behavior | X | X |
| Layer 7 anomaly detection* | X | X |
| Massive scalability | X | X |
| Flexible deployment options, including virtual | X | X |
| NAT stitching | X | X |
| Peer-to-Peer (P2P) file sharing detection | X | X |
| Host and service profiling | X | X |
| Index-based prioritization technology | X | X |
| OS fingerprinting** | X | X |
| Support for application-aware flows such as NBAR* | X | X |
| Support for custom applications | X | X |
| Closest interface determination and tracking | X | X |
| Deduplication of flows | X | X |
| Virtual environment monitoring* | X | X |
| Host Group tracking and reporting | X | X |
| Router interface tracking and reporting | X | |
| Bandwidth accounting and reporting | X | |
| Packet-level performance metrics* | X | |
| QoS (DSCP) monitoring | X | |
| Interface utilization alarming | X | |
| Unauthorized host access detection* | X | X |
| Unauthorized Web server detection | X | X |
| Misconfigured firewalls detection* | X | X |
| Combined internal and external monitoring | X | X |
| Full flow logging | X | |
| Worm detection | X | |
| Botnet detection* | X | |
| DoS/DDoS detection (SYN, ICMP, or UDP flood) | X | |
| Fragmentation attack detection** | X | |
| Network scanning and reconnaissance detection | X | |
| Large file transfer detection | X | |
| Rogue server detection | X | |
*Limited functionality with sFlow
**Limited functionality with NetFlow
StealthWatch FlowCollector for NetFlow Benefits
- Seamlessly integrates NetFlow or IPFIX from routers and switches into the StealthWatch System
- Extends enterprise protection across distributed networks operating at up to and beyond 10GB per second
- Provides detailed insight into network traffic patterns, link utilization and overall network performance.
The StealthWatch for NetFlow collector appliance is available in a number of different configurations, each designed to balance a specific combination of value and performance. Model numbers reflect the sustained flow rate and hardware redundancy options installed. Models capable of monitoring higher flow rates also support a larger number of devices.
| Model | Flows Per Second | Routers | Description |
|---|---|---|---|
| StealthWatch FC 1000 | Up to 30,000 | Up to 500 | This StealthWatch FlowCollector appliance provides redundant power, storage, and extra interfaces for flow collection on multiple interfaces while providing enough horsepower for mid- to large-sized networks. |
| StealthWatch FC 2000 | Up to 60,000 | Up to 1000 | The FC 2000 for NetFlow is a powerhouse NetFlow collector, providing full hardware redundancy and enough flow-processing horsepower for extremely large NetFlow or IPFIX environments. |
| StealthWatch FC 4000 | Up to 120,000 | Up to 2000 | The FC 4000 is massively scalable to process very high volumes of flow data. It also features extensible storage capabilities of up to 4 TB. |
Note: The maximum number of devices that may be connected to a StealthWatch FlowCollector for NetFlow appliance is dependent on multiple factors including flows per second, physical location of NetFlow-enabled routers and quantity of NetFlow-enabled devices connected.
Lancope's StealthWatch for sFlow collector appliance leverages sFlow traffic samples from Brocade, Extreme, HP ProCurve and other leading network infrastructure vendors to provide cost-effective, behavior-based network protection for distributed enterprise environments. FlowCollector for sFlow supports versions 2, 4, and 5 of sFlow.
StealthWatch for sFlow aggregates high-speed network behavior data from multiple networks or network segments to extend StealthWatch protection across geographically dispersed enterprise networks. It provides a cost-effective solution for organizations seeking to protect internal resources while safely maintaining trusted relationships with customers, partners and other third-party networks.
StealthWatch FlowCollector for sFlow Benefits
- Seamlessly integrates sFlow from routers and switches into the StealthWatch System
- Extends enterprise protection across distributed networks operating at up to and beyond 10GB
- Provides detailed insight into network traffic patterns, link utilization and overall network performance.
The StealthWatch for sFlow collector appliance is available in a number of different configurations, each designed to balance a specific combination of value and performance. Model numbers reflect the sustained flow sample rate and hardware redundancy options installed. Models capable of monitoring higher sample rates also support a larger number of devices.
| Model | Flows Per Second | Description |
|---|---|---|
| StealthWatch FC 1000 for sFlow | Up to 30,000 | This StealthWatch FlowCollector appliance provides redundant power, storage, and extra interfaces for flow collection on multiple interfaces while providing enough horsepower for mid- to large-sized networks. |
| StealthWatch FC 2000 for sFlow | Up to 60,000 | The FC 2000 for sFlow is a powerhouse sFlow collector, providing full hardware redundancy and enough flow-processing horsepower for extremely large sFlow environments. |
| StealthWatch FC 4000 for sFlow | Up to 120,000 | The FC 4000 for sFlow is massively scalable to process very high volumes of flow data. It also features extensible storage capabilities of up to 4 TB. |
Note: The maximum number of devices that may be connected to a StealthWatch FlowCollector for sFlow appliance is dependent on multiple factors including samples per second, physical locations of sFlow-enabled devices and quantity of flow-enabled devices connected.
| | FC 1000 | FC 2000 | FC 4000 |
|---|---|---|---|
| Maximum | Up to 30,000* fps | Up to 60,000* fps | Up to 120,000* fps |
| Maximum Exporters | 500 | 1,000 | 2,000 |
| Network | Management Port: | Management Port: | Management Port: 1 - 10/100/1000 Copper Monitoring/Listening Ports: 3 |
| Flow Storage | 1 TB | 2 TB | 4 TB (RAID 6-Redundant) |
| Rack Units (Mountable) | 1U | 1U | 2U |
| Power | Redundant 750W | Redundant 750W | Redundant 750W AC, 50/60 Hz Auto Ranging (100V to 240V) |
| Heat Dissipation | 2,891 BTU per hour maximum | 2,891 BTU per hour maximum | 2,891 BTU per hour maximum |
| Dimensions | Height: Width: Depth: | Height: Width: 27.25 in. (69.2 cm) | Height: Width: Depth: |
| Weight | 41 lb (18.6 kg) | 41 lb (18.6 kg) | 64.3 lb (29.2 kg) |
| Rails | Sliding Ready Rails with Cable Management Arm | | |
| Regulatory | Please call for a complete list. | | |
*The maximum fps can change depending on varying network conditions. Please contact a Lancope representative for details.
the resources allocated to it. Therefore, for the FlowCollector VE to operate effectively, be sure to allocate resources so that they are reserved for the FlowCollector VE and not shared with any other virtual machine.
Read the StealthWatch FlowCollector VE datasheet.
| Flows Per Second | Exporters | Hosts | Reserved Memory | Reserved CPUs |
|---|---|---|---|---|
| Up to 4,500 | Up to 250 | Up to 125,000 | 4 GB | 2 |
| Up to 15,000 | Up to 500 | Up to 250,000 | 8 GB | 3 |
| Up to 22,500 | Up to 1,000 | Up to 500,000 | 16 GB | 4 |
| Up to 30,000 | Up to 1,000 | Up to 500,000 | 32 GB | 5 |
Note: More details can be found in the StealthWatch System Capacities & Sizing Guidelines. Contact Sales or a Lancope partner for the document.









