The following provides an introduction to installing the Cisco Stealthwatch Learning Network License (Learning Network License) platform, installing a controller on an ESXi host, and deploying an agent as a virtual service.
If your Network Element supports installing an agent on a UCS E-Series blade server, see the Cisco Stealthwatch Learning Network License UCS E-Series Blade Server Installation Guide.
Learning Network License Introduction
The Learning Network License system is a hyper-distributed analytics
architecture that inspects your network traffic and applies machine learning algorithms
to perform a behavioral analysis. As a result, the system can identify anomalous
behavior, such as malware, distributed botnets, data exfiltration, and more.
You deploy multiple agents to your network edge to inspect traffic. These agents report the anomalies in real-time to the controller for additional system and user analysis. Based on the anomalies, you can provide relevance feedback, which the system incorporates into internal traffic models. This allows the system to better identify and report anomalies of interest.
You can also configure mitigations based on
anomaly properties, such as hosts involved and application traffic transferred. These
mitigations reduce or eliminate the impact of detected anomalies now and in the future.
The combination of behavioral analysis, user feedback, and traffic mitigation customizes
the system to address the threats specific to your network and better protect your
Figure 1 illustrates an example security deployment within an enterprise network.
Figure 1. Example Security Deployment
To install the Cisco Stealthwatch Learning Network License system, the organization deploys:
an ESXi host running a controller in the network core
a Cisco ISR running an agent in each branch, between the hosts and the internet
The organization also deploys an optional Cisco SNS-3415 to collect ISE user identity data. Though not required for Learning Network License, the user identity data provides additional context to anomalies.
Though a Learning Network License
controller can manage up to 1000 agents, the diagram only shows a controller managing two agents.
Example Learning Network License Deployment
Figure 1 illustrates the Learning Network License system, focusing on the interaction among Learning Network License components.
Figure 2. Example Learning Network License Deployment
Both agents transfer management traffic, including anomaly
data, over a TCP connection to the controller. The controller transfers management traffic, including
mitigations, back to the agents over the same connection.
The controller integrates with other systems. It consumes
threat intelligence from Talos to better identify traffic anomalies and malicious
behavior, as well as user identity information from ISE to provide details about hosts
involved in anomalies.
The controller implements a northbound RESTful API for
mitigations. Other authorized security appliances
can use this API to take mitigation actions on
traffic in the network.
It is not possible to
accurately predict throughput and processing capacity for controller and agent virtual appliances. A number of factors heavily
influence performance, such as the:
amount of memory and CPU capacity of the
ESXi host and router running the
number of total virtual machines running on
the ESXi host and router
number of sensing interfaces, network performance, and interface
amount of resources assigned to each virtual machine
level of activity of other virtual
appliances sharing the ESXi host and router
complexity of mitigation policies applied to an agent
VMware provides a number of performance measurement and resource
allocation tools. Use these tools on the ESXi host while you run your virtual
appliance to monitor traffic and determine throughput. If the throughput is not
satisfactory, adjust the resources assigned to the virtual appliances that
share the ESXi host.
You can enable VMware tools to improve the
performance and management of your virtual appliances. Alternatively, you can
install tools (such as esxtop or VMware/third-part add-ons) on the host or in the
virtualization management layer (not the guest layer) on the ESXi host to examine
Security and Internet Access
Management traffic sent from the agent to the controller includes health checks and anomaly data. The bandwidth required varies based on multiple factors, including the nature of your network traffic and how the system learns and prioritizes detected anomalies. However, the system rate-limits the total amount of anomaly data sent by an agent per day, ensuring that they do not overwhelm your network by sending extraneous anomalies. The agent only reports anomalies of interest, based on user feedback and the machine learning algorithms.
Encrypted management traffic sent from the controller to the agent includes:
Each mitigation is relatively small, measured in kilobytes.
Installing the Learning Network License System
provides a high-level overview to installing the
Learning Network License
What to Do Next
configuration, inspect anomalies, and mitigate anomalous traffic, as
described in Next Steps.
Optionally, enable audit and event logging on the controller. See Logging Configuration Overview for more information.
Optionally, integrate your deployment with ISE by configuring pxGrid. See
Integrating pxGrid for more information.
Optionally, configure a pxGrid
integration demo to populate anomalies with sample user identity data. You
do not need to have ISE deployed to your environment for the pxGrid
integration demo. See ISE pxGrid Demo for more information.