Stealthwatch Cloud Limitations

Daniel Lucas
Level 1

Does anyone know the limitations Stealthwatch Cloud has versus the on-premise enterprise solution? I am thinking ISE and Active Directory integration isn't available, but can't find any documentation explicitly saying this. Also curious what other benefits would be to going with the on-premise solution.

 

-Thanks

1 Accepted Solution


I agree with you here, I see no identity integration on SW Cloud like Stealthwatch Enterprise has with ISE via pxGrid. It is a major shortcoming of the cloud-based platform right now. Stealthwatch Cloud might share the same name as Stealthwatch Enterprise, but they are certainly two different products. It is not straightforward for customers/clients or partners as there is no outline around feature parity.

If a customer wants to monitor AWS, Azure, or Google Cloud, then Stealthwatch Cloud needs to be looked at. It picks up the flow data already generated by the cloud providers. SW Cloud can also monitor the LAN through the use of a private network monitor virtual server; think of it as a flow sensor and flow collector in one. The PNM device then sends the flow data up to the cloud for analysis. Cisco just acquired Observable and the offering was renamed to SW Cloud. So while similar in many ways and functions, it is not really Stealthwatch as we know it. At least for me right now, it is a complement to SW Enterprise.

In contrast, SW Enterprise (previously just Stealthwatch, and Lancope pre-acquisition) is the SW we know. It's built for the enterprise network and as far as I can see still has its place. Identity integration with ISE is a huge selling point, and it also supports ingestion and filtering on TrustSec tags, which is often why I'm looking at it.

I feel the common misconception is that you spin up SW Cloud, point your enterprise network devices to send NetFlow to this cloud-hosted IP, and you replace SW Enterprise. I am hopeful that one day we will get to a point of feature parity between the two platforms. I suspect you knew most of this though prior to asking the question. Cisco should really publish a quick comparison slide.


7 Replies

balaji.bandi
Hall of Fame

I do not see any limitation here on both cloud and on-premises.

Again, if your ISE and AD are on-premises and you have all the network devices you want to collect flows from in the network, I prefer to have on-site equipment rather than cloud.

Here is the deployment guide with AD and ISE.

 

https://www.network-node.com/blog/2016/5/30/stealthwatch-installation-and-setup

https://www.cisco.com/c/dam/en/us/td/docs/security/stealthwatch/ISE/SW_7_0_ISE_Configuration_Guide_DV_1_0.pdf

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

I am sure there are some limitations using the cloud version vs. the on-premise appliances. I do not see anywhere in the cloud portal for configuring AD or ISE integration, and the deployment guides do not mention it at all.

Stealthwatch can be integrated with ISE, and ISE in turn connects to AD if you are looking for any user credential / other checks.

What exactly are you looking to achieve, so we can understand better and suggest the right guide for you?

BB


Just want to understand the benefits and limitations of using cloud-based vs. on-premise to provide customers with the right solution to fit their requirements.

Thanks for the response and information.
I am running a trial of Stealthwatch Cloud w/ the virtual sensor deployed right now, and so far I am liking it. Certainly not as many tuning knobs and advanced features as the Enterprise solution seems to have, but I could see the cloud version having its place with some customers.
-Thanks

Niladri Datta
Level 4