Lancope this week is set to announce an updated version of its flagship product suite that it says can now more deeply inspect application and Cisco router traffic for potential worms, viruses and malicious behavior on internal networks.
The company's StealthWatch suite of traffic analysis appliances has been upgraded to manage more security devices, to process NetFlow data from Cisco routers, and to inspect traffic for application-specific policies such as port usage. By monitoring traffic flows and inspecting packets across a network, network-anomaly behavior detection tools of this type, from Lancope, Arbor Networks and Q1 Labs, attempt to give network and security managers an early warning of trouble.
Burton Group analyst Trent Henry says Lancope's product provides additional insight into security issues that could have sneaked by perimeter tools such as firewalls and intrusion-detection systems (IDS) or intrusion-prevention systems (IPS). According to a Forrester Research survey of 190 IT shops, 58% of companies this year will invest in network firewalls, 43% will invest in gateway anti-virus, and 35% will invest in network-based IDS or IPS. The same survey also found IT managers more concerned over internal security problems.
Henry says Lancope and its competitors could gain traction among enterprise network and security managers looking to more quickly lock down internal threats.
"Network-anomaly detection is used to some extent by IDS and IPS systems for known vulnerabilities, but Lancope goes a bit further by providing visualization across the entire network," he says. "Anomaly-detection tools monitor normal vs. potential bad behavior, but they are also like [security information management] products in that they provide event management and correlation to other systems to more quickly pinpoint the problem."
Lancope packages its StealthWatch 5 software on appliances that are distributed across a network, near a core switch or data center router. Upon installation, it performs a benchmark of normal traffic behavior and continuously monitors for changes. The product does not sit in line of network traffic, but passively monitors conversations between hosts and clients. Administrators can tap into the appliances via a Web-based interface or use the management console to configure, monitor and generate reports from multiple distributed appliances.
If a relatively unused host begins to send many requests, it could be falling victim to a worm. Or if enterprise application traffic deemed content-sensitive starts to use Port 80, the port left open on firewalls for Internet traffic, compliance policies could be in the process of being breached.
According to Lancope, StealthWatch can be configured to alert IT security staff to abnormal network traffic and provide an audit trail to the origin of the problem. The product can determine which server was the first host infected with a virus by analyzing traffic between servers. With that information, IT managers can determine the vulnerability on the server and lock it down.
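The three behaviors the article describes (baselining each host's normal fan-out and flagging sudden deviations, checking an application-specific port policy, and tracing back through the flow records to the first host that turned anomalous) can be shown on a handful of NetFlow-like records. The following is an added example written for this page, not Lancope's code or StealthWatch logic; the flow records, host names, training window and thresholds (`TRAIN_END`, `factor`, `floor`) are all constructed assumptions.

```python
"""Toy flow-based anomaly detection (constructed example, not Lancope's code):
baseline per-host fan-out, flag sudden deviations, check a port policy, and
trace the earliest anomalous host through the flow records."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    ts: int        # seconds since capture start (constructed)
    src: str
    dst: str
    dport: int


TRAIN_END = 600    # assumption: the first 10 minutes establish "normal" behavior


def build_sample_flows():
    """Constructed NetFlow-like records: steady background traffic plus an injected outbreak."""
    flows = []
    for t in range(0, 900, 60):   # background: each host talks to 2-3 destinations per minute
        flows += [Flow(t, "ws1", "srv1", 445), Flow(t + 5, "ws1", "app1", 8443),
                  Flow(t + 10, "ws1", "dns", 53), Flow(t + 15, "ws2", "srv1", 445),
                  Flow(t + 20, "ws2", "dns", 53), Flow(t + 25, "srv1", "db1", 1433),
                  Flow(t + 30, "srv1", "dns", 53), Flow(t + 35, "app1", "db1", 1433),
                  Flow(t + 40, "app1", "dns", 53)]
    # srv1 suddenly sweeps 20 new destinations on 445 starting at t=600 (first hit is ws1)
    for i in range(20):
        flows.append(Flow(600 + i, "srv1", "ws1" if i == 0 else f"host{i:02d}", 445))
    # ws1, contacted by srv1 at t=600, starts its own sweep two minutes later
    for i in range(12):
        flows.append(Flow(720 + i, "ws1", f"host{20 + i:02d}", 445))
    # app1 is policy-tagged content-sensitive and must never use port 80; it does at t=660
    flows.append(Flow(660, "app1", "ext-proxy", 80))
    return sorted(flows, key=lambda f: f.ts)


def baseline_fanout(flows, train_end=TRAIN_END):
    """Distinct destinations per source host observed during the training window."""
    seen = defaultdict(set)
    for f in flows:
        if f.ts < train_end:
            seen[f.src].add(f.dst)
    return {host: len(dsts) for host, dsts in seen.items()}


def detect_fanout_anomalies(flows, baseline, train_end=TRAIN_END, window=60, factor=3, floor=5):
    """Per host and per window after training, count distinct destinations and flag any
    count above max(floor, factor * baseline). A host with no baseline (quiet during
    training) gets only the floor, so a previously silent host is flagged quickly.
    Returns (window_start, host, distinct_destinations) tuples in time order."""
    buckets = defaultdict(set)
    for f in flows:
        if f.ts >= train_end:
            buckets[((f.ts // window) * window, f.src)].add(f.dst)
    alerts = []
    for (w, host), dsts in buckets.items():
        threshold = max(floor, factor * baseline.get(host, 0))
        if len(dsts) > threshold:
            alerts.append((w, host, len(dsts)))
    return sorted(alerts)


def policy_violations(flows, sensitive_hosts, forbidden_ports=frozenset({80})):
    """Application-specific port policy: sensitive hosts must not use the listed ports."""
    return [f for f in flows if f.src in sensitive_hosts and f.dport in forbidden_ports]


def first_alert_time(alerts):
    first = {}
    for w, host, _ in alerts:          # alerts are sorted, so the first seen is the earliest
        first.setdefault(host, w)
    return first


def trace_origin(flows, alerts):
    """Audit trail: for each alerting host, the earlier-alerting host that contacted it
    before its own first alert window (None when nobody did)."""
    first = first_alert_time(alerts)
    infector = {}
    for host, w in first.items():
        contacts = [f for f in flows
                    if f.dst == host and f.ts < w and f.src in first and first[f.src] < w]
        infector[host] = min(contacts, key=lambda f: f.ts).src if contacts else None
    return infector


def first_infected(flows, alerts):
    """The earliest-alerting host that no earlier anomalous host contacted."""
    first = first_alert_time(alerts)
    roots = [h for h, src in trace_origin(flows, alerts).items() if src is None]
    return min(roots, key=lambda h: first[h]) if roots else None


if __name__ == "__main__":
    flows = build_sample_flows()
    base = baseline_fanout(flows)
    alerts = detect_fanout_anomalies(flows, base)
    for w, host, n in alerts:
        print(f"t={w}: {host} reached {n} distinct destinations (baseline {base.get(host, 0)})")
    for f in policy_violations(flows, {"app1"}):
        print(f"t={f.ts}: policy violation, {f.src} -> {f.dst}:{f.dport}")
    print("likely first infected host:", first_infected(flows, alerts))
```

The fan-out check is deliberately crude (distinct destinations per minute against a fixed multiple of the training baseline); a production tool would use longer baselines and per-protocol models, but the shape of the logic, and why a passive tap on a core switch sees enough to run it, is the same.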