Imagine Harrison Ford doing traffic analysis on your network.
Hmm – there’s a thought.
The US-based company – Netwitness has been making a lot of noise lately about their “next generation” capability to perform full session reassembly and threat analysis from packet capture. This is a great feature to have for traffic analysis that has been available from other open source tools like Snort, Sguil and NetworkMiner for years. I was doing full session traffic analysis with Snort over 5 years ago – when we had problems in a UDP-based physical security control network that opened and closed doors in a 40 story office building…

NetWitness Investigator is the award-winning interactive threat analysis application of the NextGen product suite. Our patented methods of viewing network session and application data have helped our clients fill in the visibility gaps that exist in their firewall, intrusion detection, SEIM and other security infrastructures. Now, the entire community of security practitioners will have the capability to obtain faster and clearer insight into today’s advanced threats.
Download Investigator and see for yourself using your own data why top government agencies, banks, and Fortune 1000 companies have turned to NetWitness.

Netwitness is exactly what they say it is – a very good network traffic analyzer. However – beware of vendor marketing overshoot – network traffic analyzers are not data loss prevention systems like Fidelis Security Systems XPS or Vontu  (now Symantec) or Websense (formerly Port Authority).

• Recording all the traffic is not the same is producing potential data loss events with a high level of precision and recall
• Netwitness performs session reassembly and extracts meta-data such as hostname and filename BUT – Netwitness doesn’t perform file format independent content analysis. A regex for a keyword might work for a plain-text string an a simple SMTP email but it is totally worthless for URL-encoded text in Webmail, Microsoft Office, PDF, Open Office etc.
• It records all the traffic.  On a 1GB network – that is 100MByte/second.  Do the math regarding disk space, network performance and computing capacity. Recording all the traffic also means that Netwitness users are in 100% violation of EU Privacy laws that specifically prohibit recording of personal information. BTW – the last time I  benchmarked pcap – it maxed out at about 100MB/s,
• Netwitness doesn’t provide rule-based policy capability
• Netwitness doesn’t provide event management,  event analytics database,  central console management, or distributed sensors provisioning andmanagement
• Netwitness doesn’t provide extrusion prevention/ data loss prevention