Understanding Secure Network Analytics with Cisco DNA Center (formerly Stealthwatch)

  • Marco
  • May 11, 2022
  • 3 min read

When ordering Catalyst 9000 series switches you can choose between three license tiers.

A lot of my customers have chosen the Premier tier because of the included ISE licenses.

After looking into the Smart Licensing Portal, they noticed some Secure Network Analytics licenses and wanted to know what this technology is good for and what the advantages of using it in conjunction with DNA Center are. I will use the abbreviation SNA throughout the rest of this article.


SNA collects metadata about all traffic in the network using NetFlow. With this data SNA can observe the behavior of the devices in the network. The NetFlow export should be configured on all network devices along the data path, otherwise flows are missed.

Threat detection is done in two ways.

First, SNA searches for patterns of unwanted behavior, like a client replying to DHCP requests or doing port scans.

Because every network has servers that are supposed to reply to DHCP requests (a DHCP server) or to ping the whole network (a network management system), it is very important to assign those addresses to their proper role.

This is done in the host groups, and it is very important to do it right at the beginning.


As I explained this one time to a customer of mine, he instantly challenged it with nmap in gentle mode. SNA won ;-)


The other detection method is to build a baseline over time. SNA learns on a daily basis, and more heavily on a weekly basis, whether a client is behaving as usual or doing something weird and abnormal.

At the beginning of an implementation this carries a high risk of false positives. One example was a machine in a manufacturing area that collected data for a whole week and pushed the bulk data once a week. This behavior raised an alarm.
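As an added illustration (not code from the original post or from Cisco), here is a small Python sketch of the two detection styles described above: pattern matching against declared host-group roles, and a volume baseline that shows why the weekly bulk push trips a young daily baseline but not an established weekly one. The flow records, host groups and daily byte counts are constructed, and the group names are hypothetical.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed flow records (not real traffic), shaped like the tuples SNA would
# derive from the flow record on this page: (src, dst, proto, sport, dport, bytes).
FLOWS = [
    ("10.1.1.20", "10.1.1.7", "udp", 67, 68, 300),  # unknown host answering DHCP
    ("10.0.0.5", "10.1.1.8", "udp", 67, 68, 300),   # the real DHCP server
    # one host touches 40 TCP ports on a neighbour; the NMS does the same legitimately
    *[("10.1.1.30", "10.1.1.40", "tcp", 50000 + p, p, 60) for p in range(1, 41)],
    *[("10.0.0.10", "10.1.1.40", "tcp", 50000 + p, p, 60) for p in range(1, 41)],
]
# Host groups: roles declared up front, as the post recommends (hypothetical group names).
HOST_GROUPS = {"dhcp_servers": {"10.0.0.5"}, "scanners": {"10.0.0.10"}}
# Daily byte counts of the manufacturing machine: quiet all week, one bulk push (constructed).
MACHINE_DAILY = ([1_000] * 6 + [5_000_000]) * 4


def rogue_dhcp_servers(flows, groups):
    """Hosts sending from UDP port 67 (DHCP server replies) outside the DHCP host group."""
    return sorted({f[0] for f in flows
                   if f[2] == "udp" and f[3] == 67 and f[0] not in groups["dhcp_servers"]})


def port_scanners(flows, groups, threshold=20):
    """Sources hitting more distinct (dst, port) pairs than threshold, unless declared scanners."""
    targets = defaultdict(set)
    for src, dst, proto, _sport, dport, _bytes in flows:
        if proto == "tcp":
            targets[src].add((dst, dport))
    return sorted(src for src, t in targets.items()
                  if len(t) > threshold and src not in groups["scanners"])


def volume_anomaly(daily_bytes, window_days, k=3.0):
    """Baseline check: is the newest window_days bucket above mean + k*stddev of earlier buckets?"""
    buckets = [sum(daily_bytes[i:i + window_days])
               for i in range(0, len(daily_bytes), window_days)]
    history, latest = buckets[:-1], buckets[-1]
    if len(history) < 2:  # too little history to call anything abnormal
        return False
    return latest > mean(history) + k * pstdev(history)


if __name__ == "__main__":
    print("rogue DHCP:", rogue_dhcp_servers(FLOWS, HOST_GROUPS))    # ['10.1.1.20']
    print("port scanners:", port_scanners(FLOWS, HOST_GROUPS))      # ['10.1.1.30']
    # First week, daily baseline: the bulk push looks abnormal (the false positive).
    print("week 1 alarm:", volume_anomaly(MACHINE_DAILY[:7], 1))   # True
    # After four weeks with a weekly baseline the same push is normal behaviour.
    print("week 4 alarm:", volume_anomaly(MACHINE_DAILY, 7))       # False
```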




So what are the benefits of using it together with an SDA campus?


The configuration in a legacy environment is pretty long, and in a multi-site topology it has to be adapted at every site to point at the local Flow Collector.


flow record Stealthwatch_FlowRecord
 description Flow Record for Export to Stealthwatch (optional)
 match ipv4 source address
 match ipv4 destination address
 match ipv4 protocol
 match ipv4 tos
 match transport source-port
 match transport destination-port
 match interface input
 match flow direction
 match flow cts source group-tag
 match flow cts destination group-tag
 collect routing next-hop address ipv4
 collect ipv4 dscp
 collect ipv4 ttl minimum
 collect ipv4 ttl maximum
 collect transport tcp flags
 collect interface output
 collect counter bytes
 collect counter packets
 collect timestamp sys-uptime first
 collect timestamp sys-uptime last
 ! application name requires NBAR on the switch
 collect application name

flow exporter Stealthwatch_Exporter
 description Stealthwatch Export to Flow Collector
 destination [Collector_IP_Address of the local Flow Collector]
 source [Physical_Interface | Logical_Interface]
 transport udp 2055
 ! interface-table is needed so the collector can show interface names
 option interface-table
 option application-table

flow monitor Stealthwatch_Monitor
 description Stealthwatch Flow Monitor
 exporter Stealthwatch_Exporter
 cache timeout active 60
 record Stealthwatch_FlowRecord

interface [Interface_ID]
 ip flow monitor Stealthwatch_Monitor input

vlan configuration <VID>
 flow monitor <flow monitor> export
 et-analytics enable


In an SDA campus this whole configuration is pushed by DNA Center, which also checks the prerequisites, the IOS-XE version for instance.


The configuration steps are:


Register the Stealthwatch Management Center (SMC) under:

System -> Settings -> Stealthwatch


DNA Center will then retrieve all Flow Collectors. These Flow Collectors are now tied to the corresponding fabric site in:

Design -> Network Settings -> Network




After this step go to:

Provision -> Stealthwatch Secure Analytics


From there it is possible to activate all Edge Nodes on all sites at once or site by site. Just follow the wizard.


In my case, traffic from a fabric-enabled wireless SSID was not seen in SNA (DNA-C version 2.2.3.5). To solve this, figure out the VLAN ID of the desired IP pool (done on an Edge Node). After that, take the VIDs and configure them manually or with the Template Editor:

vlan configuration <#, #, #>
  flow monitor <flow monitor> export
  et-analytics enable


Another cool feature I want to mention is ANC (Adaptive Network Control) in conjunction with SNA. This is not exclusive to an SDA fabric, but because in most cases an SDA campus is built with ISE, I want to cover it in this post as well.


After connecting the SMC with ISE, it is possible to use the ANC rules of ISE from within SNA.


There are two ways of using it.

One is automated: an ANC rule can be triggered as an action for a host alarm. I do not recommend doing this in the early stage of an implementation because of the false positives mentioned above.





The second way is manual. While investigating an alarm that appears suspicious, activate the desired ANC rule in the same GUI view, for instance shutting down the port or quarantining the host. It is not necessary to look up the device's IP address, find out where it is located (Europe or North America? Wired or wireless?) and shut down the port by hand. In case of a malware outbreak a fast reaction is crucial.
