Page 1: Introduction - Cisco...Installing the Learning Network License System

Introduction

The following provides an introduction to installing the Cisco Stealthwatch Learning Network License (Learning Network License) platform, installing a controller on an ESXi host, and deploying an agent as a virtual service.

If your Network Element supports installing an agent on a UCS E-Series blade server, see the Cisco Stealthwatch Learning Network License UCS E-Series Blade Server Installation Guide.

• Learning Network License Introduction, page 1

• Example Deployment, page 2

• Example Learning Network License Deployment, page 3

• System Performance, page 4

• Security and Internet Access, page 4

• Installing the Learning Network License System, page 5

Learning Network License Introduction

The Learning Network License system is a hyper-distributed analytics architecture that inspects your network traffic and applies machine learning algorithms to perform a behavioral analysis. As a result, the system can identify anomalous behavior, such as malware, distributed botnets, data exfiltration, and more.

You deploy multiple agents to your network edge to inspect traffic. These agents report the anomalies in real-time to the controller for additional system and user analysis. Based on the anomalies, you can provide relevance feedback, which the system incorporates into internal traffic models. This allows the system to better identify and report anomalies of interest.

You can also configure mitigations based on anomaly properties, such as hosts involved and application traffic transferred. These mitigations reduce or eliminate the impact of detected anomalies now and in the future. The combination of behavioral analysis, user feedback, and traffic mitigation customizes the system to address the threats specific to your network and better protect your users.

Cisco Stealthwatch Learning Network License Virtual Service Installation Guide, Version 1.1 1

Example Deployment

Figure 1: Example Security Deployment, on page 2 illustrates an example security deployment within an enterprise network.

Figure 1: Example Security Deployment

To install the Cisco Stealthwatch Learning Network License system, the organization deploys:

• an ESXi host running a controller in the network core

• a Cisco ISR running an agent in each branch, between the hosts and the internet

The organization also deploys an optional Cisco SNS-3415 to collect ISE user identity data. Though not required for Learning Network License, the user identity data provides additional context to anomalies.

Though a Learning Network License controller can manage up to 1000 agents, the diagram only shows a controller managing two agents.


Example Learning Network License Deployment

Figure 2: Example Learning Network License Deployment, on page 3 illustrates the Learning Network License system, focusing on the interaction among Learning Network License components.

Figure 2: Example Learning Network License Deployment

Both agents transfer management traffic, including anomaly data, over a TCP connection to the controller. The controller transfers management traffic, including mitigations, back to the agents over the same connection.

The controller integrates with other systems. It consumes threat intelligence from Talos to better identify traffic anomalies and malicious behavior, as well as user identity information from ISE to provide details about hosts involved in anomalies.

The controller implements a northbound RESTful API for mitigations. Other authorized security appliances can use this API to take mitigation actions on traffic in the network.


System Performance

It is not possible to accurately predict throughput and processing capacity for controller and agent virtual appliances. A number of factors heavily influence performance, such as the:

• amount of memory and CPU capacity of the ESXi host and router running the virtual service

• number of total virtual machines running on the ESXi host and router

• number of sensing interfaces, network performance, and interface speed

• amount of resources assigned to each virtual machine

• level of activity of other virtual appliances sharing the ESXi host and router

• complexity of mitigation policies applied to an agent

VMware provides a number of performance measurement and resource allocation tools. Use these tools on the ESXi host while you run your virtual appliance to monitor traffic and determine throughput. If the throughput is not satisfactory, adjust the resources assigned to the virtual appliances that share the ESXi host.

Note: You can enable VMware Tools to improve the performance and management of your virtual appliances. Alternatively, you can install tools (such as esxtop or VMware/third-party add-ons) on the host or in the virtualization management layer (not the guest layer) on the ESXi host to examine virtual performance.

Security and Internet Access

Management traffic sent from the agent to the controller includes health checks and anomaly data. The bandwidth required varies based on multiple factors, including the nature of your network traffic and how the system learns and prioritizes detected anomalies. However, the system rate-limits the total amount of anomaly data sent by an agent per day, ensuring that they do not overwhelm your network by sending extraneous anomalies. The agent only reports anomalies of interest, based on user feedback and the machine learning algorithms.

Encrypted management traffic sent from the controller to the agent includes:

• health check requests

• mitigations

• requests for anomaly-related PCAP files if packet buffer capture (PBC) is enabled

• startup files when managed agents restart and do not have certain local files

Each mitigation is relatively small, measured in kilobytes.


Installing the Learning Network License System

The following provides a high-level overview to installing the Learning Network License system.

Step 1 Ensure your Network Elements support installing the Learning Network License system, and have the proper licenses and hardware. See Installation Prerequisites for more information.

Step 2 Deploy a separate ESXi host to run the controller. See Controller Host Requirements for more information.

Step 3 Download the agent and controller OVA files at http://www.cisco.com/c/en/us/support/security/stealthwatch-learning-network-license/tsd-products-support-series-home.html. See Downloading the OVA Files from Cisco for more information.

Step 4 Deploy the controller to the ESXi host. Log into the controller VM console. Run the setup script to configure the network connection, NTP servers, and generate public key certificates. See Installing the Controller for more information.

Step 5 Update the controller configuration file to configure public key certificate management settings, then log into the controller web UI to update administrator credentials. See Controller and Agent Communications Overview for more information.

Step 6 Configure NTP servers on your Network Element. See NTP Configuration for more information.

Step 7 Deploy the agent as a virtual service to a Network Element. See Deploying Agents Using the Install Script for more information.

Step 8 Log into the controller web UI, then enable and configure your agents with the controller as described in Enabling Agents on the Controller.

Step 9 Allow the system an initial learning phase to create a baseline model of your network traffic. See Initial Learning Phase Overview for more information.

What to Do Next

• Fine-tune your configuration, inspect anomalies, and mitigate anomalous traffic, as described in Next Steps.

• Optionally, enable audit and event logging on the controller. See Logging Configuration Overview for more information.

• Optionally, integrate your deployment with ISE by configuring pxGrid. See Integrating pxGrid for more information.

• Optionally, configure a pxGrid integration demo to populate anomalies with sample user identity data. You do not need to have ISE deployed to your environment for the pxGrid integration demo. See ISE pxGrid Demo for more information.
