NetIQ Sentinel v7.3
Strengths: The scalability and integration with other hardware to correlate data.
Weaknesses: None found.
Verdict: The extensive feature set and enterprise-level implementation make this a great product.
NetIQ Sentinel may be one of the best SIEM solutions for your network. The vast functionality and comprehensive analysis that this product offers are exceptional, measured against how easily it can be integrated into your network. The scalability and wide range of deployment options make NetIQ's product stand out, so long as you have the hardware to support a large data pool.
Sentinel was simple to set up and integrate with our network with no downtime at all. The product was shipped to us as a preconfigured virtual machine on a USB stick. Once we unzipped the OVF server template, we deployed it to our hypervisor to begin testing. The installation took place on the virtual machine and all setup and network configuration was done using the provided Sentinel server GUI. There was a minor hiccup during installation, where DHCP was assigning an IP that was already in use for the Sentinel server machine, so we switched to static IP allocation and the issue was resolved.
Once installation was complete and the OVF template was properly deployed and configured, we accessed the Sentinel Server through a web GUI. The GUI has an intuitive design that allows for ease of access to all functionality that the product offers. The data collection capabilities are extremely scalable, allowing for a variety of deployment strategies: all-in-one, one-, two- or three-tier distributed deployment, and one-tier distributed deployment with high availability. The all-in-one deployment designates one system to handle all the log data. The one-, two- or three-tier distributed deployment options allow data handling to be scaled out by placing software components, such as the collector manager, NetFlow collector manager and correlation engine, on other machines in order to offload processing from the central Sentinel Server. Once events are collected, they are securely transmitted to the Sentinel Server, parsed, normalized, "tagged" and then routed for correlation and archiving. The log archive is efficient because event files are compressed in file-based storage. An interesting feature of Sentinel is its ability to route information to other Sentinel systems, and to correlate data from IPS or IDS systems against known vulnerabilities on the network so that analysts see an alert in the context of the target's exposure.
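To make the parse, normalize, tag and correlate pipeline described above concrete, here is an added example that is not NetIQ's code and does not reflect Sentinel's internal formats. The syslog-style event lines, the field names (sig, class, src, dst), the tag names and the per-asset vulnerability inventory are all constructed for the illustration; the only idea taken from the review is raising the priority of an IDS alert when the weakness it targets is already known to exist on the destination host.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Constructed sample events (hypothetical IDS and firewall syslog-style lines).
SAMPLE_EVENTS = [
    "2024-01-01T10:00:01Z ids01 ALERT sig=SIG-WEB-001 class=web-injection src=203.0.113.5 dst=10.0.0.10",
    "2024-01-01T10:00:02Z fw01 DENY proto=tcp src=203.0.113.5 dst=10.0.0.10 dport=22",
    "2024-01-01T10:00:03Z ids01 ALERT sig=SIG-SSH-004 class=ssh-weak-auth src=198.51.100.7 dst=10.0.0.20",
    "2024-01-01T10:00:04Z ids01 ALERT sig=SIG-WEB-001 class=web-injection src=203.0.113.9 dst=10.0.0.20",
]

# Constructed vulnerability inventory: weakness classes a scanner has reported per asset.
KNOWN_VULNS: Dict[str, Set[str]] = {
    "10.0.0.10": {"web-injection"},
    "10.0.0.20": {"ssh-weak-auth"},
}

# Hypothetical line layout: "<timestamp> <sensor> <action> key=value key=value ..."
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<sensor>\S+) (?P<action>\S+)(?P<kv>.*)$")
KV_RE = re.compile(r"(\w+)=(\S+)")


@dataclass
class Event:
    """Normalized event: fixed header fields plus a dict of key=value attributes."""
    ts: str
    sensor: str
    action: str
    fields: Dict[str, str]
    tags: List[str] = field(default_factory=list)


def parse(line: str) -> Optional[Event]:
    """Parse one raw line into an Event; lines that do not match the layout yield None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return Event(m.group("ts"), m.group("sensor"), m.group("action"),
                 dict(KV_RE.findall(m.group("kv"))))


def tag(ev: Event) -> Event:
    """Attach routing tags derived from the sensor type and the action (the 'tagged' step)."""
    if ev.sensor.startswith("ids"):
        ev.tags.append("ids")
    if ev.sensor.startswith("fw"):
        ev.tags.append("firewall")
    if ev.action == "ALERT":
        ev.tags.append("alert")
    return ev


def correlate(events: List[Event], vulns: Dict[str, Set[str]]) -> List[dict]:
    """Return IDS alerts, marked high priority when the targeted weakness is known on the destination."""
    findings = []
    for ev in events:
        if "ids" not in ev.tags or "alert" not in ev.tags:
            continue  # only IDS alerts are correlated against the vulnerability inventory
        dst = ev.fields.get("dst", "")
        cls = ev.fields.get("class", "")
        matched = cls in vulns.get(dst, set())
        findings.append({
            "ts": ev.ts,
            "dst": dst,
            "sig": ev.fields.get("sig"),
            "class": cls,
            "priority": "high" if matched else "low",
        })
    return findings


def run_pipeline(lines: List[str], vulns: Dict[str, Set[str]]) -> List[dict]:
    """Collect -> parse -> tag -> correlate, in the order the review describes."""
    events = [tag(ev) for ev in (parse(line) for line in lines) if ev is not None]
    return correlate(events, vulns)


if __name__ == "__main__":
    for finding in run_pipeline(SAMPLE_EVENTS, KNOWN_VULNS):
        print(finding)
```

With the constructed input, the two alerts whose weakness class is present on the destination host come out as high priority, while the injection alert against a host with no such finding stays low; the firewall deny never reaches the correlation step because it carries no "ids" tag. The archiving and cross-Sentinel routing the review mentions are left out of this illustration.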
NetIQ provides its customers with either a basic no-cost or a fee-based support option when purchasing the product. The basic option offers access to the product knowledge base and support forums on a 24/7 basis.
Overall, NetIQ provides more than enough functionality to quickly identify and respond to threats and to simplify management and compliance reporting. This product is a huge step forward for any security team seeking to strengthen security on their network. - JV