StealthWatch FlowCollector

Collect and Analyze NetFlow, IPFIX and sFlow with the StealthWatch FlowCollector

Lancope's StealthWatch FlowCollector appliance leverages NetFlow (from Cisco, Juniper), IPFIX, or sFlow (from HP ProCurve, Brocade) to provide cost-effective, behavior-based network protection and high performance levels for distributed enterprise environments.

The FlowCollector appliance aggregates high-speed network behavior data from multiple networks or network segments to deliver end-to-end protection and improve performance across geographically dispersed networks. It provides a cost-effective solution for organizations seeking to protect internal resources while delivering an optimal user experience and safely maintaining trusted relationships with customers, partners and other third-party networks. The FlowCollector is available as a physical or virtual appliance.

Read the StealthWatch FlowCollector datasheet.

The StealthWatch FlowCollector provides the following features to cost-effectively optimize security, network and application performance across the enterprise:

Leverages existing investment in NetFlow, IPFIX and sFlow technology

StealthWatch gathers traffic information from NetFlow-, IPFIX- or sFlow-enabled routers and switches. Most layer 3 enabled network devices are already equipped to export NetFlow, IPFIX or sFlow traffic; the network engineer need only enable and utilize this powerful technology. No additional hardware, sensor technology, inline device or software agent is required. In addition to leveraging existing infrastructure to provide in-depth visibility into the internal network, the FlowCollector can also conduct behavioral analytics on data from perimeter-based technologies such as firewalls. Integrating internal and external monitoring provides greater contextual awareness for improved network and security operations.

Stops threats that are visible only at the enterprise level

The StealthWatch FlowCollector monitors traffic across hundreds of network segments simultaneously, providing the ability to spot suspicious network behavior that only becomes apparent at the enterprise level. For example, the FlowCollector employs a sophisticated correlation technology called "Worm Tracker," which visually graphs the spread of a worm or virus throughout the network from node to node, providing instant visibility into the scope and impact of a worm outbreak. StealthWatch can also detect sophisticated threats including advanced malware, DDoS attacks, APTs and insider threats.

Provides real-time traffic analysis for billing, bandwidth accounting, and network performance troubleshooting

NetFlow analysis allows for extremely fine-grained traffic reporting and accounting. Where SNMP polling falls short, NetFlow excels. StealthWatch utilizes NetFlow (or other flow data) to its fullest extent, providing top talkers, services and conversations on both a real-time and historical basis for each NetFlow-, IPFIX- or sFlow-enabled router and switch interface active on the network. The StealthWatch FlowCollector enables traffic accounting, historical trending and troubleshooting capabilities not found in any other flow-based technology available today.

Works in extremely high-speed environments

Since StealthWatch FlowCollectors rely on NetFlow-, IPFIX- or sFlow-capable network devices as well as StealthWatch FlowSensors to generate traffic flow information, they do not have to perform both traffic generation and behavioral analysis at the same time. The result is extremely rapid detection and response for networks operating at speeds exceeding 10Gb per second.

| Features | Network | Security |
|---|---|---|
| Automatic baselining of all IP traffic | X | X |
| Automatic anomaly detection in traffic/host behavior | X | X |
| Layer 7 anomaly detection* | X | X |
| Massive scalability | X | X |
| Flexible deployment options, including virtual | X | X |
| NAT stitching | X | X |
| Peer-to-Peer (P2P) file sharing detection | X | X |
| Host and service profiling | X | X |
| Index-based prioritization technology | X | X |
| OS fingerprinting** | X | X |
| Support for application-aware flows such as NBAR* | X | X |
| Support for custom applications | X | X |
| Closest interface determination and tracking | X | X |
| Deduplication of flows | X | X |
| Virtual environment monitoring* | X | X |
| Host Group tracking and reporting | X | X |
| Router interface tracking and reporting | X | |
| Bandwidth accounting and reporting | X | |
| Packet-level performance metrics* | X | |
| QoS (DSCP) monitoring | X | |
| Interface utilization alarming | X | |
| Unauthorized host access detection* | X | X |
| Unauthorized Web server detection | X | X |
| Misconfigured firewalls detection* | X | X |
| Combined internal and external monitoring | X | X |
| Full flow logging | | X |
| Worm detection | | X |
| Botnet detection* | | X |
| DoS/DDoS detection (SYN, ICMP, or UDP flood) | | X |
| Fragmentation attack detection** | | X |
| Network scanning and reconnaissance detection | | X |
| Large file transfer detection | | X |
| Rogue server detection | | X |

*Limited functionality with sFlow
**Limited functionality with NetFlow

StealthWatch FlowCollector for NetFlow Benefits

  • Seamlessly integrates NetFlow or IPFIX from routers and switches into the StealthWatch System
  • Extends enterprise protection across distributed networks operating at up to and beyond 10GB per second
  • Provides detailed insight into network traffic patterns, link utilization and overall network performance.

The StealthWatch for NetFlow collector appliance is available in a number of different configurations, each designed to balance a specific combination of value and performance. Model numbers reflect the sustained flow rate and hardware redundancy options installed. Models capable of monitoring higher flow rates also support a larger number of devices.

| Model | Flows Per Second | Routers | Description |
|---|---|---|---|
| StealthWatch FC 1000 | Up to 30,000 | Up to 500 | This StealthWatch FlowCollector appliance provides redundant power, storage, and extra interfaces for flow collection on multiple interfaces while providing enough horsepower for mid- to large-sized networks. |
| StealthWatch FC 2000 | Up to 60,000 | Up to 1000 | The FC 2000 for NetFlow is a powerhouse NetFlow collector, providing full hardware redundancy and enough flow-processing horsepower for extremely large NetFlow or IPFIX environments. |
| StealthWatch FC 4000 | Up to 120,000 | Up to 2000 | The FC 4000 is massively scalable to process very high volumes of flow data. It also features extensible storage capabilities of up to 4 TB. |

Note: The maximum number of devices that may be connected to a StealthWatch FlowCollector for NetFlow appliance is dependent on multiple factors including flows per second, physical location of NetFlow-enabled routers and quantity of NetFlow-enabled devices connected.

Lancope's StealthWatch for sFlow collector appliance leverages sFlow traffic samples from Brocade, Extreme, HP ProCurve and other leading network infrastructure vendors to provide cost-effective, behavior-based network protection for distributed enterprise environments. FlowCollector for sFlow supports versions 2, 4, and 5 of sFlow.

StealthWatch for sFlow aggregates high-speed network behavior data from multiple networks or network segments to extend StealthWatch protection across geographically dispersed enterprise networks. It provides a cost-effective solution for organizations seeking to protect internal resources while safely maintaining trusted relationships with customers, partners and other third-party networks.

StealthWatch FlowCollector for sFlow Benefits

  • Seamlessly integrates sFlow from routers and switches into the StealthWatch System
  • Extends enterprise protection across distributed networks operating at up to and beyond 10GB
  • Provides detailed insight into network traffic patterns, link utilization and overall network performance.

The StealthWatch for sFlow collector appliance is available in a number of different configurations, each designed to balance a specific combination of value and performance. Model numbers reflect the sustained flow sample rate and hardware redundancy options installed. Models capable of monitoring higher sample rates also support a larger number of devices.

| Model | Flows Per Second | Description |
|---|---|---|
| StealthWatch FC 1000 for sFlow | Up to 30,000 | This StealthWatch FlowCollector appliance provides redundant power, storage, and extra interfaces for flow collection on multiple interfaces while providing enough horsepower for mid- to large-sized networks. |
| StealthWatch FC 2000 for sFlow | Up to 60,000 | The FC 2000 for sFlow is a powerhouse sFlow collector, providing full hardware redundancy and enough flow-processing horsepower for extremely large sFlow environments. |
| StealthWatch FC 4000 for sFlow | Up to 120,000 | The FC 4000 for sFlow is massively scalable to process very high volumes of flow data. It also features extensible storage capabilities of up to 4 TB. |

Note: The maximum number of devices that may be connected to a StealthWatch FlowCollector for sFlow appliance is dependent on multiple factors including samples per second, physical locations of sFlow-enabled devices and quantity of flow-enabled devices connected.

 

| | FC 1000* | FC 2000* | FC 4000* |
|---|---|---|---|
| Maximum Flows Per Second | Up to 30,000** fps | Up to 60,000** fps | Up to 120,000** fps |
| Maximum Exporters | 500 | 1,000 | 2,000 |
| Network | Management Port: 1 – 10/100/1000 Copper; Monitoring/Listening Ports: 3 | Management Port: 1 – 10/100/1000 Copper; Monitoring/Listening Ports: 3 | Management Port: 1 – 10/100/1000 Copper; Monitoring/Listening Ports: 3 |
| Flow Storage | 1 TB (RAID-6 Redundant) | 2 TB (RAID-6 Redundant) | 4 TB (RAID-6 Redundant) |
| Hardware Platform | R620 | R620 | R720 |
| Hardware Generation | 12G | 12G | 12G |
| Rack Units (Mountable) | 1U | 1U | 2U |
| Power | Redundant 750W AC, 50/60 Hz, Auto Ranging (100V to 240V) | Redundant 750W AC, 50/60 Hz, Auto Ranging (100V to 240V) | Redundant 750W AC, 50/60 Hz, Auto Ranging (100V to 240V) |
| Heat Dissipation | 2,891 BTU per hour maximum | 2,891 BTU per hour maximum | 2,891 BTU per hour maximum |
| Dimensions | Height: 1.68 in. (4.3 cm); Width: 17.08 in. (43.4 cm); Depth: 27.25 in. (69.2 cm) | Height: 1.68 in. (4.3 cm); Width: 17.08 in. (43.4 cm); Depth: 27.25 in. (69.2 cm) | Height: 3.4 in. (8.7 cm); Width: 17.5 in. (44.4 cm); Depth: 29.2 in. (74.1 cm) |
| Weight | 41 lb (18.6 kg) | 41 lb (18.6 kg) | 64.3 lb (29.2 kg) |
| Rails | Sliding Ready Rails with Cable Management Arm | Sliding Ready Rails with Cable Management Arm | Sliding Ready Rails with Cable Management Arm |

Regulatory

  • FCC (U.S. only) Class A
  • DOC (Canada) Class A
  • CE Mark (EN55022 Class A, EN55024, EN61000-3-2, EN 61000-3-3, EN60950)
  • VCCI Class A
  • UL 1950
  • CSA 950

Please call for a complete list.

* Specs for StealthWatch v6.5

**The maximum fps can change depending on varying network conditions. Please contact a Lancope representative for details.

The FlowCollector Virtual Edition (VE) is designed to perform the same function as the appliance editions, but in a VMware environment. The following table shows the minimum resource requirements for the FlowCollector VE to operate based on the flows per second you need to monitor. However, the FlowCollector VE scales dynamically according to the resources allocated to it. Therefore, for the FlowCollector VE to operate effectively, be sure to allocate resources so that they are reserved for the FlowCollector VE and not shared with any other virtual machine.

Read the StealthWatch FlowCollector VE datasheet.

| Flows Per Second | Exporters | Hosts | Reserved Memory | Reserved CPUs |
|---|---|---|---|---|
| Up to 4,500 | Up to 250 | Up to 125,000 | 4 GB | 2 |
| Up to 15,000 | Up to 500 | Up to 250,000 | 8 GB | 3 |
| Up to 22,500 | Up to 1,000 | Up to 500,000 | 16 GB | 4 |
| Up to 30,000 | Up to 1,000 | Up to 500,000 | 32 GB | 5 |

Note: More details can be found in the StealthWatch System Capacities & Sizing Guidelines. Contact Sales or a Lancope partner for the document.