Host Groups in StealthWatch:
--> By default, StealthWatch does not know the purpose of a host in the network. It treats every host simply as a device that sends and receives traffic.
--> Placing hosts into host groups gives StealthWatch the context it needs to detect anomalies in the network.
--> For example, we can place the NTP server into an NTP Servers host group so that StealthWatch understands that this host is an NTP server.
--> StealthWatch then examines all the traffic generated by the NTP server and builds a behavioural baseline for it.
--> StealthWatch generates an alarm if it sees traffic that deviates from that baseline (for example, the NTP server starting to initiate connections to hosts or ports it has never used before).
--> It is recommended to create host groups in StealthWatch based on:
i) Same functionality (e.g. all the web servers placed in a Web Servers host group)
ii) Same subnet (e.g. User subnet / Wireless subnet / Internet subnet)
iii) Behaviour (e.g. NAT device / Proxy / Anti-Virus server / Email server)
iv) Location
--> By default, all hosts with private (RFC 1918) IP addresses fall into the Catch All host group under Inside Hosts, and hosts with public IP addresses fall into the Outside Hosts group.
--> It is recommended to add the enterprise's own public subnets to the Inside Hosts group. Otherwise StealthWatch treats those addresses as outside hosts, and attacks against them such as DoS and DDoS are not detected as attacks against the inside network.
--> We can also create a policy between two host groups (in StealthWatch this is done with a custom security event or a host group relationship policy) that generates an alarm when a host in one host group sends traffic to a host in another group.
--> Such a policy gives visibility when someone is trying to access disallowed applications or destinations.
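As an added illustration (written for this post, not StealthWatch's own code or API), the following Python models the behaviour described above: longest-prefix matching of hosts into host groups with the Catch All / Outside Hosts defaults, a host-group-to-host-group rule like the policy in the last two points, and why an enterprise public subnet left in Outside Hosts is invisible to a DDoS-target check. The group names, addresses and flows are constructed; 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges standing in for the enterprise's public space and for outside sources.

```python
import ipaddress
from collections import defaultdict
from dataclasses import dataclass

# Constructed, simplified model of how host groups give StealthWatch context.
# Illustrative code for this post, not StealthWatch's own logic or API.

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass(frozen=True)
class HostGroup:
    name: str
    location: str  # "inside" or "outside"


CATCH_ALL = HostGroup("Catch All", "inside")
OUTSIDE = HostGroup("Outside Hosts", "outside")


class HostGroupTable:
    """User-defined host groups matched by longest prefix, with the defaults as a
    fallback: RFC 1918 space lands in Inside/Catch All, everything else in Outside Hosts."""

    def __init__(self):
        self._entries = []  # (ip_network, HostGroup)

    def add(self, name, location, *cidrs):
        group = HostGroup(name, location)
        for cidr in cidrs:
            self._entries.append((ipaddress.ip_network(cidr), group))
        return group

    def classify(self, ip):
        addr = ipaddress.ip_address(ip)
        matches = [(net.prefixlen, grp) for net, grp in self._entries if addr in net]
        if matches:
            return max(matches, key=lambda m: m[0])[1]
        return CATCH_ALL if any(addr in n for n in RFC1918) else OUTSIDE


def relationship_alarms(flows, table, rules):
    """rules: (src_group, dst_group, dst_port or None) combinations that are NOT allowed.
    Returns one alarm string per flow that violates a rule (the group-to-group policy)."""
    alarms = []
    for f in flows:
        src, dst = table.classify(f["src"]), table.classify(f["dst"])
        for s_name, d_name, port in rules:
            if src.name == s_name and dst.name == d_name and port in (None, f["dport"]):
                alarms.append(f"{src.name} host {f['src']} -> {dst.name} host {f['dst']}:{f['dport']}")
    return alarms


def ddos_targets(flows, table, min_sources):
    """Inside hosts contacted by at least min_sources distinct outside hosts. A target
    classified as outside is never reported, which is why enterprise public subnets
    belong in Inside Hosts."""
    sources = defaultdict(set)
    for f in flows:
        if table.classify(f["src"]).location == "outside" and table.classify(f["dst"]).location == "inside":
            sources[f["dst"]].add(f["src"])
    return sorted(ip for ip, s in sources.items() if len(s) >= min_sources)


# Constructed sample flows: two user hosts, one NTP server, a public web server in the
# enterprise's own (documentation) range 203.0.113.0/24, and a burst of outside sources.
FLOWS = [
    {"src": "10.1.1.20", "dst": "10.2.2.5", "dport": 123},   # user -> NTP server, expected
    {"src": "10.2.2.5", "dst": "10.1.1.20", "dport": 445},   # NTP server -> user on SMB, not expected
    {"src": "10.1.1.21", "dst": "10.2.2.5", "dport": 123},
] + [{"src": f"198.51.100.{i}", "dst": "203.0.113.10", "dport": 443} for i in range(1, 21)]

RULES = [("NTP Servers", "Users", None)]  # an NTP server should never initiate traffic to users


def build_table(include_public_subnet):
    table = HostGroupTable()
    table.add("Users", "inside", "10.1.0.0/16")
    table.add("NTP Servers", "inside", "10.2.2.5/32")
    if include_public_subnet:
        table.add("Enterprise Public", "inside", "203.0.113.0/24")
    return table


if __name__ == "__main__":
    for flag in (False, True):
        t = build_table(flag)
        print("enterprise public subnet in Inside Hosts:", flag)
        print("  relationship alarms:", relationship_alarms(FLOWS, t, RULES))
        print("  DDoS targets:", ddos_targets(FLOWS, t, min_sources=10))
```

Run it twice as shown: with the public subnet left in Outside Hosts the 20-source burst against 203.0.113.10 is outside-to-outside traffic and produces nothing, while after adding the subnet to Inside Hosts the same flows surface 203.0.113.10 as a DDoS target. The NTP-server-to-user alarm fires in both cases because both groups are already inside.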
Best Regards,
Md.Kareem
Question: which host group should I add my enterprise public IP to?
You can create a different group for that.