July 21, 2005
Vendor: Mantech International Corp.
Product: NetWitness
Powerful network forensics tool.
No answer to encrypted traffic, no remote/web GUI.
Superb tool for capturing and analyzing network behavior.
NetWitness is a network forensics and analysis package available in both software and appliance (really just a preconfigured server) formats.
We tested the appliance. It was easy enough to set up, but we were surprised to have to connect a keyboard and screen in this day of ubiquitous web front ends. You could use Terminal Services or VNC, but we would have liked a web front end, too.
NetWitness captures all traffic in promiscuous mode, regularly indexing and writing the packets to disk. The traffic is decoded at every level of the stack up to layer seven, and can then be analyzed using a browser tool, which is where most of the real work with the product is done. Obviously, this sort of full packet capture is intensive work, but with a Gigabit interface it should be happy enough on a SPAN port at a choke point such as your internet gateway or some strategic internal location. You can easily manage multiple systems, and integrate them into your IDS environment.
The NetWitness Browser consists of a left-hand menu with viewing options for the types of disassembly on offer. These drill down into the captured data by protocol, service (HTTP, IM), time, and so on. Particularly powerful are options to drill down by identified user names (from any service – web mail, IM, NetBIOS) and by file (email attachments, FTP transfers and others). This enables quick and easy correlation across multiple services. Within each category, a list of specific options is available, and many have further levels of detail.
The right-hand side shows a brief overview of the transaction at the top, and a lower pane holds the raw data – which can be displayed in many ways, from the standard hex/text/packet views to more powerful reassembly.
NetWitness can reassemble web pages, email, file attachments, images and even VoIP calls.
Unfortunately, the stumbling block is network encryption. The device cannot see inside SSL sessions, of course, and as more products offer built-in crypto, this blind spot is likely to become more of a problem.
Additional services such as a geographical location tool help pinpoint where connections originate, and powerful query tools round it all out. A comprehensive, but primitive, command line provides access to the internal database.
For traffic analysis, we rate NetWitness highly. It is polished and thorough, and a valuable tool.