RSA NetWitness is a network-monitoring system designed to handle a wide range of information. NetWitness comes in three parts: a Concentrator (a Linux-based network appliance), a Decoder (a configurable network-recording appliance) and an Investigator (an interactive threat analysis application). All three elements are critical to ensure that the product works properly. Initially, we only had the Concentrator and Decoder activated; the Investigator was lost in the mail. Upon receiving all portions of NetWitness and getting them to work together, we were finally able to dive into the product.
NetWitness proved to be a difficult product to set up. The installation directions for the software and hardware are minimal, which resulted in our making several mistakes during system configuration. Obtaining solutions was also difficult; for instance, we received an incorrect key because the clock times differed between the NetWitness Investigator and Decoder.
Once the product was up and running, however, we found the tool to be compelling. Not only did it capture every packet traveling through the network, but it organized the report in a way that users can quickly reference. Certain functions allow users to use the captured packets for risk assessment by analyzing all traffic on the network. Furthermore, packet capture is not restricted to LANs, but extends to wireless traffic. The Decoder and Concentrator took some time to grow familiar with, but eventually became fairly easy to navigate. The tool tips were helpful in navigating our way through the application. The Investigator was another matter, however. It was slightly confusing to navigate, and the amount of information it provided was overwhelming on occasion. But after getting used to the immense reports, this tool began to shine.
User documentation, excluding the installation directions, was helpful, presenting solid instructions. The user guide was straightforward and attempted to walk the admin through most of the process, but some sections left us in the dark for certain functions.
Support for RSA NetWitness is also spotty. When users navigate through the company's automated phone system, they are placed on hold for quite some time until tech support makes contact. Once we did get through, though, the service representatives were very accommodating. Not only were they patient with our own network issues, but they continuously offered advice and answers where needed. They were even willing to use immediate means of contact, such as WebEx and remote desktop, for additional assistance.
Overall, NetWitness is a solid product with many useful applications. However, setting it up, and the lack of coordination between the user and the company, left something to be desired. Setup time and system cooperation took up a good majority of testing time, consequently leaving little room to resolve some troubleshooting issues. The setup problem is not new: previous evaluations have experienced similar challenges in recent years.