Comments on TaoSecurity Blog: First Impressions of Lancope StealthWatch
Blog author: Richard Bejtlich (http://www.blogger.com/profile/13512184196416665417)
Feed updated 2023-10-16T06:06:25-04:00

Richard Bejtlich, 2005-03-15 19:30 -05:00

Jon, you said

"Any security product that requires the user to go look at the packets to figure out what's going on seems to me to be a waste of time."

I picked a "long flow" event to show what sort of data could be analyzed to learn more about the event. Not every alarm raised by the StealthWatch requires that investigative process.

I chose to experiment with this device because there are limitations to signature-based intrusion detection. There are obviously limits to the anomaly detection approach, but the two techniques complement each other. Simply from a passive network profiling standpoint, systems like StealthWatch are very valuable.

Regarding flows -- the StealthWatch I used is an "independent" system which collects traffic and formulates its own flows. Another model can operate strictly using NetFlow data collected by routers and other NetFlow probes.

Anonymous, 2005-03-15 18:14 -05:00

Hard to say... an increase in IKE traffic could mean key exchange failures and intermittent VPN connectivity, so it could be very handy if it was baselined at a certain amount and then later you see an increase. IKE traffic should be pretty consistent with most hosts, as there are fixed SA lifetimes (gw-to-gw at least, not client VPN). This looks pretty cool; my interest has been piqued since seeing it mentioned on the IDS mailing list using NetFlow output. A holistic approach to network health, I dig it.

Anonymous, 2005-03-15 12:36 -05:00

This doesn't look useful - flagging your IKE traffic as suspicious seems to be a waste of your time to look at. Did you find anything more compelling in the product that might be useful?

Any security product that requires the user to go look at the packets to figure out what's going on seems to me to be a huge waste of time. How many IKE and AIM sessions will you end up staring at hex dumps for, before you realize the product you bought is a time sink?

Then again, my IDS systems aren't necessarily any better. But I don't know which is worse, a product that cries "wolf" all the time, or a product that cries "Hello"!

Anonymous, 2005-03-15 12:32 -05:00

This doesn't look useful - flagging your IKE traffic as suspicious seems to be a waste of your time to look at. Did you find anything more compelling in the product that might be useful?

Any security product that requires the user to go look at the packets to figure out what's going on seems to me to be a waste of time. How many IKE and AIM sessions will you end up staring at hex dumps for, before you realize the product you bought is a time sink?

Then again, my IDSs aren't necessarily any better. But I don't know which is worse, a product that cries "wolf" all the time, or a product that cries "hello!"