
BDS Competitive Analysis Fortideceptor

Hillstone Networks
Fortideceptor/Fortinet
How to Win Fortideceptor/Fortinet– Hardware
Hardware
❑ Interfaces and Ports - Fewer interfaces/ports and expandable port cards.
❑ Expansion Module - No bypass ports nor expandable bypass card.
❑ Capacity - High-end devices have lower connection rate and concurrent connections.

3 www.hillstonenet.com
How to Win Fortideceptor/Fortinet– Performance
Performance
❑ Number of Users - Has a limit on the number of users it can support. Hillstone can support a much larger number of users for PC and server network analysis.
❑ Extra Licenses - Hillstone offers many types of licenses (APP/IPS/AV/Intelligence licenses, ABD+ATD).
❑ Resistance to Evasion Techniques - Evasion techniques are a means of disguising and modifying attacks at the point of delivery in order to avoid detection by security products.
❑ Deep Content Inspection - Does not have Deep Content Inspection, a unique isolation and inspection environment that simulates an entire host (including the CPU, system memory, and all devices) to analyze malware.
❑ Threat Correlation Analytics - Correlation among unknown threats, abnormal behavior and application behavior to discover potential threats or attacks.
❑ Multi-dimension correlation rules - Automatic daily update from the cloud.

How to Win Fortideceptor/Fortinet– Software
| Category | Detail | FORTIDECEPTOR 1000F | Hillstone I-Series Server Breach Detection System (sBDS) |
| Deploy Deceptive VM's and Setup Decoys | to lure hackers to engage with deception VMs. | Yes | No |
| Monitor activities | such as login and logout, windows share access, intrusions activities, web page access. | Yes | Yes |
| Correlate Events and Create Incidents | with information about logins to hosts, website visits to download payloads, and logouts per Deception VM. | Yes | Yes |
| Eliminate Attacks | to/from Decoys by identifying and stopping intrusions, websites visits and malware scanning on all files planted during attack | Yes | Yes |
| Generate Custom and Comprehensive Reports | from incident tables from the GUI in PDF format. | Yes | Yes |
| Configure Alerts and send Alert Notifications | via email, SNMP or syslog server. | Yes | Yes |
| Complete Indicator of Compromises and Cyber kill chain | IOCs events are threat events detected during the post breach attack. They are identified among large numbers of the threat attacks in the network that are directly associated with the protected server or host | No | Yes |
| Forensic Information | conducts threat mitigation, analyze and validate threat alerts, they can add threat elements such as IP addresses, type of threats | No | Yes |
| Preemptive Mitigation | prevents future attacks from spreading to broader network territories. | No | Yes |

How to Win Fortideceptor/Fortinet– Software
| Category | Detail | FORTIDECEPTOR 1000F | Hillstone I-Series Server Breach Detection System (sBDS) |
| Advanced Threat Detection | Behavior-based advanced malware detection | No | Yes |
| Abnormal Behavior Detection | Behavior modeling based on L3-L7 baseline traffic to reveal anomalous network behavior, such as HTTP scanning, Spider, SPAM, SSH/FTP weak password. Detection of DDoS including Flood, Sockstress, zip of death, reflect, DNS query, SSL and application DDoS. Supports inspection of encrypted tunneling traffic for unknown applications | No | Yes |
| Attack Detection | Abnormal protocol attack detection. DoS/DDoS detection, including SYN Flood, DNS Query Flood | No | Yes |
| Threat Mitigation | One-click cleanup of server/computer threat and reevaluation of host security. Threat events whitelist, including threat name, source/destination IP, hit count | No | Yes |
| Threat Mitigation | Sysmon endpoint service integration | No | Yes |
| Threat Mitigation | Threat hunting | No | Yes |

How to Win Fortideceptor/Fortinet– Business and What to Avoid
Business and Others
❑ Security Effectiveness - Very weak at security.
❑ Malware Detection - Spend hours researching false alarms. Highest rated detection technology identifies threats others miss and eliminates the need.
❑ Complete Indicator of Compromises - IOC events are threat events detected during the post-breach attack. They are identified among large numbers of the threat attacks in the network that are directly associated with the protected server or host.
❑ Subscription - Price is higher than Hillstone. 3Y to 5Y renewal subscription price is higher. Total TCO is high.

What to Avoid
❑ FortiDeceptor deploys Deception VMs and Decoys, which inspect the behavior of the attacker and validate the malicious intent.

Fortinet Product Overview

FORTIDECEPTOR VM

Capacity
Deception VM OS: Windows and Ubuntu
VM Instance support (Maximum): 16 Win / Linux / Mix
VLANs support (maximum): 32
Deception VMs Shipped: 0, upgradable to max. 256

Virtual Machine
Hypervisor Support: VMWare vSphere ESXi 5.1, 5.5 or 6.0 and later, KVM
Virtual CPUs (min / max): 4 / Unlimited*; Intel Virtualization Technology (VT-x/EPT) or AMD Virtualization (AMD-V/RVI).
Virtual Network Interfaces: 6
Virtual Memory (min / max): 4GB / Unlimited**
Virtual Storage (min / max): 200GB / 16TB***

Fortinet Product Overview
| Specification | FORTIDECEPTOR 1000F | I-2850 | I-3850 |
Capacity and Performance
| Size RAM | DDR4-2400 48GB ECC RDIMM (16GB*3) | 16G | 32G |
| On Board Flash | 2 GB USB | n/a | n/a |
| Deception VM OS | Windows and Ubuntu | N/A | N/A |
| VM Instance support (Maximum) * | 16 Win / 16 Linux / Mix | N/A | N/A |
| VLANs support (Maximum) | 32 | 1000 | 1000 |
| Deception VMs Shipped * | 2 Win (1 x Win7 & 1 x Win10) and 8 Linux | 5 service type (FTP, HTTP, MySQL, SSH, Telnet) | 5 service type (FTP, HTTP, MySQL, SSH, Telnet) |
Hardware Specifications
| Form Factor | 1 RU Rackmount | 1U | 2U |
| Total Interfaces | 4 x GbE (RJ45), 4 x GbE (SFP) | 4 x GbE; IOC-S-4GE-B, IOC-S-4SFP, IOC-S-8GE-B, IOC-S-8SFP, IOC-S-4GE-4SFP, IOC-S-2SFP+, IOC-S-4SFP+ | 6 x GbE; IOC-S-4GE-B, IOC-S-4SFP, IOC-S-8GE-B, IOC-S-8SFP, IOC-S-4GE-4SFP, IOC-S-2SFP+, IOC-S-4SFP+ |
| Storage Capacity | 2TB (2 x 1TB HDD) | 1T HDD | 1T HDD |
| Usable Storage (After RAID) | 1 TB | 1T HDD | 1T HDD |
| Removable Hard Drives | No | N/A | N/A |
| RAID Levels Supported | RAID 0/1 | 1 HDD, no Raid | 1 HDD, no Raid |
| Default RAID Level | 1 | 1 HDD, no Raid | 1 HDD, no Raid |
| Redundant Hot Swap Power Supplies | No | AC 100-240V 50/60Hz | AC 100-240V 50/60Hz |
Compliance
| Safety Certifications | FCC Part 15 Class A, C-Tick, VCCI, CE, UL/cUL, CB | no certification | FCC 15 A, UL/cUL, CB, CE |
BDS Competitive Analysis Darktrace

Hillstone Networks
Enterprise Immune System
Gartner Definition
Market Guide for Network Traffic Analysis Published 28 February 2019 - ID G00381265
❑ Network traffic analysis (NTA) uses a combination of machine learning, advanced analytics and rule-based detection to detect suspicious activities on enterprise networks. NTA tools continuously analyze raw traffic and/or flow records (for example, NetFlow) to build models that reflect normal network behavior. When the NTA tools detect abnormal traffic patterns, they raise alerts. In addition to monitoring north/south traffic that crosses the enterprise perimeter, NTA solutions can also monitor east/west communications by analyzing network traffic or flow records that it receives from strategically placed network sensors.

Inclusion Criteria
Vendor must:
❑ Analyze raw network packet traffic or traffic flows (for example, NetFlow records) in real time or near real time
❑ Have the ability to monitor and analyze north/south traffic (as it crosses the perimeter), as well as east/west traffic (as it moves laterally throughout the network)
❑ Be able to model normal network traffic and highlight anomalous traffic
❑ Offer behavioral techniques (non-signature-based detection), such as machine learning or advanced analytics, that detect network anomalies
❑ Be able to emphasize the threat detection phase, rather than the forensics — for example, packet capture (PCAP) analysis — phase of an attack.

Exclusion Criteria
We exclude solutions that:
❑ Require a prerequisite component — for example, those that require a security information and event (SIEM) or firewall platform
❑ Work primarily on log analysis
❑ Primarily use rules, signatures or reputation for detection capabilities
❑ Are based primarily on analytics of user session activity — for example, user and entity behavior analytics (UEBA) technology
❑ Focus primarily on analyzing traffic in Internet of Things (IoT) or operational technology (OT) environments
How to Win Enterprise Immune System– Not Have….
Data Sources Investigation Capabilities
❑ Anomaly Correlation
❑ Wire Data ❑ Transaction Indexing
❑ Protocol Decoders ❑ Forensics
❑ Automated Campaign Analysis ❑ Emulating the answer of a web server

Analytics Deployment Options


❑ Machine Learning
❑ Decryption ❑ Cloud (Maximum 6GB)
❑ Critical Asset Prioritization
❑ Threat Intelligence Integration

How to Win Enterprise Immune System– Not Have….
Deployment: Multiple Options, Not All in One
❑ Darktrace appliances.
❑ Software sensors and Connectors that are installed passively in the customer’s
network or cloud.
❑ Master appliance correlates behavior across the organization’s infrastructure.
❑ Darktrace Antigena, an optional product that provides autonomous response
capabilities.

❑ Darktrace primarily uses unsupervised learning to ascertain a device’s “pattern of life”. This approach, while an improvement on traditional detection approaches, still suffers from a challenge of being noisy since “patterns of life” change often for very legitimate business purposes (e.g. new software deployments, employee work habits, etc.). In addition, this approach also fails when devices are already compromised before the “pattern of life” is learned.

How to Win Enterprise Immune System– Software
| Category | Detail | Darktrace - Enterprise Immune System | Hillstone I-Series Server Breach Detection System (sBDS) |
| Analysis | Multiple techniques (e.g., TCP Reset, applying Active Lists via firewall integrations) to automatically mitigate threats to the customer’s environment. | No | Yes |
| Subscription | Subscription service based on the size of the company and the distribution of the deployment. | Yes | Yes |
| Functionalities | Threat Intelligence Reports, which analyze the most significant threats detected. | Yes | Yes |
|  | Extracts Layer 7 metadata and applies clustering, an unsupervised learning algorithm. | Yes | Yes |
|  | Identify deviation from normal activity. | Yes | Yes |
|  | Embeds a management and monitoring interface | No | Yes |
|  | Centralized cloud monitoring is also available. | No | Yes |
|  | Primarily targets the data center as a dashboards focused | No | Yes |

How to Win Enterprise Immune System– Software
| Category | Detail | Darktrace - Enterprise Immune System | Hillstone I-Series Server Breach Detection System (sBDS) |
| Monitor activities | such as login and logout, windows share access, intrusions activities, web page access. | No | Yes |
| Correlate Events and Create Incidents | with information about logins to hosts, website visits to download payloads, and logouts per Deception VM. | Yes | Yes |
| Eliminate Attacks | to/from Decoys by identifying and stopping intrusions, websites visits and malware scanning on all files planted during attack | No | Yes |
| Generate Custom and Comprehensive Reports | from incident tables from the GUI in PDF format. | Yes | Yes |
| Configure Alerts and send Alert Notifications | via email, SNMP or syslog server. | Yes | Yes |
| Complete Indicator of Compromises and Cyber kill chain | IOCs events are threat events detected during the post breach attack. They are identified among large numbers of the threat attacks in the network that are directly associated with the protected server or host | No | Yes |
| Forensic Information | conducts threat mitigation, analyze and validate threat alerts, they can add threat elements such as IP addresses, type of threats | No | Yes |
| Preemptive Mitigation | prevents future attacks from spreading to broader network territories. | No | Yes |

How to Win Enterprise Immune System– Software
| Category | Detail | Darktrace - Enterprise Immune System | Hillstone I-Series Server Breach Detection System (sBDS) |
| Advanced Threat Detection | Behavior-based advanced malware detection | Yes | Yes |
| Abnormal Behavior Detection | Behavior modeling based on L3-L7 baseline traffic to reveal anomalous network behavior, such as HTTP scanning, Spider, SPAM, SSH/FTP weak password. Detection of DDoS including Flood, Sockstress, zip of death, reflect, DNS query, SSL and application DDoS. Supports inspection of encrypted tunneling traffic for unknown applications | No | Yes |
| Attack Detection | Abnormal protocol attack detection. DoS/DDoS detection, including SYN Flood, DNS Query Flood | No | Yes |
| Threat Mitigation | One-click cleanup of server/computer threat and reevaluation of host security. Threat events whitelist, including threat name, source/destination IP, hit count | Yes | Yes |
| Threat Mitigation | Sysmon endpoint service integration | No | Yes |
| Threat Mitigation | Threat hunting | No | Yes |
| Enterprise Immune System | Flagship AI cyber defense solution. It combines real-time threat detection, network visualization, and advanced investigation capabilities in a single unified system | Yes | Yes |
| Darktrace Mobile App | Available for iOS and Android | Yes | Yes |
| Threat Visualizer | Easy-to-use graphical interface, threat visualization and investigations are simplified. The Threat Visualizer provides real-time visibility of your entire environment | Yes | Yes |

Business and What to Avoid
Business and Others
❑ Malware Detection - Spend too much time researching false alarms. Highest rated detection technology identifies threats others miss and eliminates the need.
❑ Complete Indicator of Compromises - IOC events are threat events detected during the post-breach attack. They are identified among large numbers of the threat attacks in the network that are directly associated with the protected server or host.
❑ Subscription - Price is higher than Hillstone. Renewal subscription price is higher. Total TCO is high.

What to Avoid
❑ Deploys Deception VMs and Decoys, which inspect the behavior of the attacker and validate the malicious intent.

Firewall Competitive Analysis - FireEye

Hillstone Networks September, 2019


About Companies
Brief introduction
Hillstone vs FireEye (as companies)
• Hillstone:
• Founded in 2006
• Gartner Enterprise and SMB firewall
• Gartner Guide NTA and NIPS
• Focus on layer security
• NSS Labs mentioned as best TCO
• Some products have AI
• Hardware and Software
• Experienced in all security layers
• In the perimeter also having AI
• In the internal also having AI

• FireEye:
• Founded in 2004
• Gartner EndPoint Protection Platform
• Gartner SIEM Report
• Focus on vulnerability analysis and prevention.
• NSS Labs mentioned
• Based on Software
• Experience in EndPoint Security, threat intelligence and cloud

What they do?
And what we do?
All products
Products of FireEye

The solutions are focused on detection and prevention of advanced threats:
✓ FireEye Expertise
✓ FireEye and Third party apps
✓ FireEye Market
✓ FireEye Helix Security OP
✓ FireEye Network security and forensics
✓ FireEye email security
✓ FireEye EndPoint Security
✓ Third party solutions

Products of Hillstone Networks

• The concept is to build a Security that Works! That means in all layers of the Network
✓ NGFW
✓ iNGFW
✓ Data Center Firewall
✓ sBDS
✓ nIPS
✓ CloudEdge and CloudHive
✓ vHSM and vHSA
✓ Cloudview

SmartVision vs
sBDS
Network Security
FireEye SmartVision

• Detects and classifies lateral movements on internal network:


• Detects formerly undetectable suspicious lateral movements
• Delivers visibility into suspicious network traffic within the network
• Employs an advanced network event correlation and analytics engine, machine-learning
technology and more than 120 intrusion detection rules
• Supports a variety of deployments as part of FireEye Network Security
• Supports 8 phases of the lateral attack life cycle.

sBDS
• Hillstone uses sBDS to apply AI in the internal network (we have the T-Series applying AI at the perimeter). The main functions are:
• Advanced Threat Detection
• Abnormal Behavior Detection
• IDS
• Virus Scan
• Botnet Detection
• Application Identification
• Deception Detection

Hillstone vs FireEye (as features)
| Main features | sBDS | FireEye SmartVision |
| AI engine | Yes | Yes |
| Analysis of Internal Network | Yes | Yes |
| Behavior detection | Yes | Yes |
| Signatures detection | Yes | Yes |
| Virus Scan | Yes | No |
| IDS | Yes | Yes |
| Deception detection (honeypots, used for proactive detection) | Yes | No |
| Network mapping | Only about threat traffic | Yes |
| Monitoring from end devices | Yes (CloudView) | No |

Hillstone vs FireEye (as features)
| Main features | sBDS | FireEye SmartVision |
| Protection against advanced threats | Yes (joint solution with E-Series) | Yes |
| Acting as a SIEM | Partially | Partially |
| Centralized management | Yes (vHSM) | No |
| Easy Deployment | Yes (using a port mirror) | Yes (TAP mode and inline mode) |
| Host and service enumeration | Yes | Yes |
| App identification / Botnet detection | Yes | No |
| Reporting tool | Yes | No info, but SmartVision has integration with FireEye Network Security Platform |
| Correlation of threats | Yes | Yes |
| Rich forensic information | Yes | Yes |
So, are we better?
Security that works!
Security that Works!

• We can manage not just one sBDS but several sBDS devices from one HSM/vHSM
• We can also do monitoring via mobile application using CloudView
• In our case, we can do microsegmentation without NSX, using CloudHive
• We have a High Speed Auditing device to send logs with high performance, using HSA/vHSA

THANK YOU!
Keep in touch with us

Address: 5201 Great America Pkwy, #420, Santa Clara, CA 95054
Website: www.hillstonenet.com
E-mail: amanssur@hillstonenet.com
Phone: +1-800-889-9860

Thanks
NTA Competitive Analysis - Cisco
Vendor Profiles – by Gartner

Cisco
Headquartered in San Jose, California, Cisco plays in the NTA market with Cisco Stealthwatch. Stealthwatch’s data source is primarily NetFlow records and is deployed as a physical appliance, a virtual appliance or a SaaS solution. Through its Flow Sensors, Stealthwatch provides Layer 7 application visibility by gathering application information, along with on-demand PCAP. Stealthwatch can also ingest data from cloud platforms, such as AWS, Azure and GCP, as well as from Kubernetes environments. It also has the option to run on-demand PCAP. Full PCAP is not natively supported. Stealthwatch leverages various techniques for analytics, including signature-based detection, statistical analysis, and both supervised and unsupervised machine learning. Cisco integrates with Cisco Talos Intelligence Group for threat intelligence feeds.
Stealthwatch is sold as a term-based subscription based on the necessary flows per second, network device count or total monthly flows, depending on the product and deployment infrastructure. The subscription includes virtual flow collectors and the management console; however, additional fees are required for the appliance-based version of the product. The cloud version of Stealthwatch uses a combination of sensors for customer premises and API connectivity to flow sources in public clouds. Stealthwatch is integrated with the Cisco Identity Services Engine, which allows it to quarantine hosts. Stealthwatch does not decrypt traffic, but uses Encrypted Traffic Analytics (ETA) to detect malware and ensure cryptographic compliance. The product’s core market is midsize-to-large enterprises.

Hillstone Networks
Hillstone Networks is a network security vendor, with a regional headquarters in Santa Clara, CA. The vendor introduced its NTA product, named Server Breach Detection System (sBDS), with two appliances in 2017. Hillstone’s NTA product extracts Layer 7 metadata and applies clustering, an unsupervised learning algorithm, to identify deviation from normal activity. sBDS also includes an IPS and an antivirus engine. It also implements some limited deception features (for example, emulating the answer of a web server). Each appliance embeds a management and monitoring interface, and centralized cloud monitoring is also available (Hillstone CloudView). sBDS integrates with Hillstone firewall to add blocking capabilities. Hillstone sBDS does not decrypt SSL/TLS traffic.
Hillstone NTA primarily targets the data center, with many dashboards focused on this use case. The vendor prices its NTA solution using the traditional appliance model, with upfront cost for the hardware, and subscription and support as yearly fees. It also offers NTA as a service, where the cost of the devices is included in the yearly subscription.

How to Win Cisco Stealthwatch – Hardware
Hardware
❑ System Components - At the core of Stealthwatch Enterprise are the required components:
the Flow Rate License, Flow Collector, and Management Console
❑ Expansion Module - No expansion slots available for IOC card at Cisco Stealthwatch.
❑ Deployment - The Cisco Stealthwatch system installation is complex and not easy to manage.

How to Win Cisco Stealthwatch – Functions
Performance
❑ Critical Assets - Cisco Stealthwatch doesn’t have server-based detection and analysis.
❑ Extra Functions - Hillstone offers many types of functions (IPS/AV/Sandbox/Anti-spam/Honeypot, etc.)
❑ GUI - The Cisco Stealthwatch system GUI is not user friendly and not easy to use and understand.

How to Win Cisco Stealthwatch – Software
| Category | Detail | Cisco Stealthwatch | Hillstone sBDS |
| Encrypted traffic analytics (ETA) | It helps illuminate the dark corners in encrypted traffic without any decryption by using new types of data elements or telemetry that are independent of protocol details. | Yes | No |
| Subscription | Subscription service based on the size of the company and the distribution of the deployment. | Yes | Yes |
| Functionalities | Threat Intelligence Reports, which analyze the most significant threats detected. | Yes | Yes |
|  | Extracts Layer 7 metadata and applies clustering, an unsupervised learning algorithm, to identify deviation from normal activity. | Yes | Yes |
|  | Embeds a management and monitoring interface | Yes | Yes |
|  | Centralized cloud monitoring | No | Yes |
|  | Deception features (for example, emulating the answer of a web server). | No | Yes |
|  | Application Identification | Yes | Yes |
|  | IPS and an antivirus engine | No | Yes |
|  | Anti-Spam | No | Yes |
|  | Cloud-Sandbox | No | Yes |
|  | Botnet C&C Detection | Yes | Yes |

How to Win Cisco Stealthwatch – Software
| Category | Detail | Cisco Stealthwatch | Hillstone sBDS |
| Monitoring | Visual details of threat status for critical assets and other risky host, including risk level, risk certainty, attack geo-location, kill chain mapping and other statistical information | No | Yes |
|  | Visual details of network threat events, including threat analysis, knowledge base, history and topology | No | Yes |
|  | Real-time Threat Monitoring for Critical Servers | No | Yes |
| Generate Custom and Comprehensive Reports | Reports can be exported in PDF, Word and HTML format | Yes | Yes |
| Configure Alerts and send Alert Notifications | via email, SNMP or syslog server. | Yes | Yes |
| Complete Indicator of Compromises and Cyber kill chain | IOCs events are threat events detected during the post breach attack. They are identified among large numbers of the threat attacks in the network that are directly associated with the protected server or host | No | Yes |
| Threat Correlation Analytics | Correlation among unknown threats, abnormal behavior and application behavior to discover potential threat or attacks | Yes | Yes |
| Forensic Information | Threat forensic including threat analysis, knowledge base, history and PCAP | Yes | Yes |
| Preemptive Mitigation | threat mitigation with conjunction of protection device (such as NGFW) to block the threat IP by policy, this prevents future attacks from spreading to broader network territories. | Yes | Yes |

How to Win Cisco Stealthwatch – Software
| Category | Detail | Cisco Stealthwatch | Hillstone sBDS |
| Advanced Threat Detection | Behavior-based advanced malware detection. Detect known and unknown malware families including Virus, Worm, Trojan, Overflow etc. Detect major ransomware and cryptomining malware. | Yes | Yes |
| Abnormal Behavior Detection | Behavior modeling based on L3-L7 baseline traffic to reveal anomalous network behavior, such as HTTP scanning, Spider, SPAM, SSH/FTP weak password. Detection of DDoS including Flood, Sockstress, zip of death, reflect, DNS query, SSL and application DDoS. Supports inspection of encrypted tunneling traffic for unknown applications | Yes | Yes |
| Attack Detection | Abnormal protocol attack detection. DoS/DDoS detection, including SYN Flood, DNS Query Flood, ARP attack detection | Yes | Yes |
| Threat Mitigation | One-click cleanup of server/computer threat and reevaluation of host security. Threat events whitelist, including threat name, source/destination IP, hit count | No | Yes |
|  | Sysmon endpoint service integration | No | Yes |
|  | Threat hunting | No | Yes |
| Hot Threat Intelligence | Real-time push of the most serious threat information found in the industry to device from the cloud. Provide detailed information of threat and suggestion of solution | No | Yes |
| Threat Visualization | Easy-to-use graphical interface, threat visualization and investigations are simplified. The Threat Visualization provides real-time visibility of the entire environment | No | Yes |

Business and What to Avoid
Business and Others
❑ Business Focus – Cisco Stealthwatch Enterprise targets midsize-to-large enterprises; it has no dashboards focused on servers and is not a solution for data centers.
❑ Subscription - Cisco Stealthwatch Enterprise requires multiple components to work together, and its price is higher than Hillstone sBDS. Renewal subscription price is higher. Total TCO is high.

What to Avoid
❑ Encrypted traffic analytics (ETA)
❑ Public cloud and private cloud monitoring. Cisco Stealthwatch Cloud Public Cloud Monitoring provides
visibility and threat detection in Amazon Web Services (AWS), Google Cloud Platform, and Microsoft Azure
infrastructures. It is a cloud-delivered, SaaS-based solution that can be deployed easily and quickly.

Product Specs – Hillstone sBDS

Product Specs – Required components of Cisco Stealthwatch System
Flow Rate License
The Flow Rate License is required for the collection, management, and analysis of flow telemetry and aggregates flows
at the Management Console. The Flow Rate License also defines the volume of flows that may be collected and is
licensed on the basis of flows per second (fps). Licenses may be combined in any permutation to achieve the desired
level of flow capacity.
Flow Collector
The Flow Collector leverages enterprise telemetry such as NetFlow, IPFIX (Internet Protocol Flow Information Export),
and other types of flow data from existing infrastructure such as routers, switches, firewalls, endpoints, and other
network infrastructure devices. The Flow Collector can also receive and collect telemetry from proxy data sources, which
can be analyzed by the cloud-based, multilayered machine learning engine, Cognitive Intelligence, for deep visibility into
both web and network traffic.
Management Console
The Stealthwatch Management Console aggregates, organizes, and presents analysis from up to 25 Flow Collectors, the
Cisco Identity Services Engine, and other sources. It uses graphical representations of network traffic, identity
information, customized summary reports, and integrated security and network intelligence for comprehensive analysis.

Product Specs – Optional components of Cisco Stealthwatch System
Flow Sensor
The Flow Sensor is an optional component of Stealthwatch Enterprise and produces telemetry for segments of the
switching and routing infrastructure that can’t generate NetFlow natively. It also provides visibility into the application
layer data. In addition to all the telemetry collected by Stealthwatch, the Flow Sensor provides additional security context
to enhance the Stealthwatch security analytics. And starting with Stealthwatch Software Release 7.1, Flow Sensor is
also able to generate enhanced ETA telemetry to be able to analyze encrypted traffic.
UDP Director
The UDP Director simplifies the collection and distribution of network and security data across the enterprise. It helps
reduce the processing power on network routers and switches by receiving essential network and security information
from multiple locations and then forwarding it to a single data stream to one or more destinations.

Product Specs – Cisco Stealthwatch Flow Collector
Flow Collector 4210 Flow Collector 5210

Engine
Maximum Flows per 200,000 fps* Maximum Flows per 300,000 fps*
Second (fps) Second (fps)
Network/NIC CIMC management port: 1-100Mbps/1Gbps Network/NIC CIMC management port: 1-100Mbps/1Gbps
copper copper
Flow Collector management port: 1 Flow Collector management port: 1
100Mbps/1Gbps/10Gbps copper 100Mbps/1Gbps/10Gbps copper
Additional collection port: 1 - Additional collection port: 1 -
100Mbps/1Gbps/10Gbps copper 100Mbps/1Gbps/10Gbps copper
Reserved ports: 2 Reserved ports: 1
Cross Connect port: 1 - 10Gbps SFP
Processor 2 @ 2.1 GHz 6130/125W 16C/22MB Cache/DDR4
2666MHz Processor 2 @ 2.1 GHz 6130/125W 16C/22MB Cache/DDR4
2666MHz
Memory 32 GB DDR4 (16x) - 512GB total
Memory 16 GB DDR4 (16x) - 256 GB total
Flow Storage 4 TB, RAID 6, Redundant
Storage 600 GB HDD (6x) - 2.4 TB total RAID 6
Addressable Storage 7.2TB
RAID Cache 2 GB
RAID Cache 4 GB
Rack Units 1U
Rack Units 1U
Power Redundant 770W AC 50/60
Power Redundant 770W AC 50/60
Auto Ranging (100v to 240V) Database: 2U, Memory 32 GB DDR4 (16x) - 512GB total, Storage 9.6 TB

Product Specs – Cisco Stealthwatch Management Console
Stealthwatch Management Console 2210

Network/NIC: CIMC management port: 1-100Mbps/1Gbps copper; Stealthwatch management port: 1 100Mbps/1Gbps/10Gbps copper; Reserved ports: 3
Processor: 2 @ 2.1 GHz 6130/125W 16C/22MB Cache/DDR4 2666MHz
Memory: 32 GB DDR4 (16x) - 512GB total
Data Storage: 4 TB, RAID 6, Redundant
Addressable Storage: 7.2TB
RAID Cache: 4 GB
Rack Units: 1U
Power: Redundant 770W AC 50/60, Auto Ranging (100v to 240V)

Product Specs – Cisco Stealthwatch Flow Sensor
Flow Sensor 1210 Flow Sensor 3210 Flow Sensor 4210

Network/NIC CIMC management port: 1- Network/NIC CIMC management port: 1- Network/NIC CIMC management port: 1-
100Mbps/1Gbps copper 100Mbps/1Gbps copper 100Mbps/1Gbps copper
Flow Sensor management port: 1 Flow Sensor management port: 1 Flow Sensor management port: 1
100Mbps/1Gbps/10Gbps copper 100Mbps/1Gbps/10Gbps copper 100Mbps/1Gbps/10Gbps copper
Monitoring ports: 5 total Monitoring ports: 7 total Monitoring ports: 4 total
• eth1 (port label "2") - • eth1 (port label "2") - • te0-3 - 10Gbps SFP Fiber (SFP-
100Mbps/1Gbps/10Gbps copper 100Mbps/1Gbps/10Gbps copper 10G-SR-S or SFP-10G-LR-S)
• eth2-5 - 100Mbps/1Gbps copper • eth2-5 - 100Mbps/1Gbps copper
Default Profile https
• eth6-7 - Either 1GB Base-SX SFP or
Default Profile https
10GB SFP. GLC-SX-MMD, SFP- Rated to Monitor 30 Gbps - 4x10G SFP*
Rated to Monitor 3 Gbps* 10G-SR-S or SFP-10G-LR-S are
Processor 2 @ 2.3 GHz 5118/105W
supported.
Processor 1 @ 1.7 GHz 3106/85W 8C/11MB 12C/16.50MB Cache/DDR4 2400MHz
Cache/DDR4 2133MHz Default Profile https
Memory 16 GB DDR4 (16x) - 256 GB total
Memory 16 GB DDR4 Rated to Monitor • 6 Gbps - 2x10G SFP*
Storage 600 GB HDD (6x) - 2.4 TB total RAID 6
• 4.5Gbps - 5x1G copper*
Storage 600 GB HDD (2x) - 600 GB total RAID
Rack Units 1U
1 Processor 2 @ 2.3 5118/105W 12C/16.50MB
Cache/DDR4 2400MHz Power Redundant 770W AC 50/60
Rack Units 1U
Auto Ranging (100v to 240V)
Memory 16 GB DDR4 (16x) - 256 GB total
Power Redundant 770W AC 50/60
Auto Ranging (100v to 240V) Storage 600 GB HDD (6x) - 2.4 TB total RAID 6
Rack Units 1U

Power Redundant 770W AC 50/60


Auto Ranging (100v to 240V)
Product Specs – Cisco Stealthwatch UDP Director
Stealthwatch UDP Director 2210

Network/NIC CIMC management port: 1-100Mbps/1Gbps copper


UDP Director management port: 1 100Mbps/1Gbps/10Gbps copper
HA Cross Connect ports: 2 total
• eth2-3 - 100Mbps/1Gbps copper
Monitoring ports: 3 total
• eth1 (port label “2”) – 100Mbps/1Gbps/10Gbps copper
• eth4-5 – 100Mbps/1000Gbps copper
Processor 2 @ 2.3 GHz 5118/105W 12C/16.50MB Cache/DDR4 2400MHz
Memory 16 GB DDR4 (16x) - 256 GB total
Storage 600 GB HDD (6x) - 2.4 TB total RAID 6
Packet Replication Using the management port @ 1Gbps for ingress/egress:
Rate • Input: 37,500 pps
• Output: 75,000 pps
Using the management port @ 10Gbps for ingress/egress:
• Input: 75,000 pps
• Output: 150,000 pps
RAID Cache 2 GB
Rack Units 1U
Power Redundant 770W AC 50/60
Auto Ranging (100v to 240V)
Thanks