Educause Security Discussion mailing list archives

Re: Sniffer notification


From: Doug Sandford <dsandfor () SEEBECK UA EDU>
Date: Tue, 23 Mar 2004 11:05:23 -0600

Cal,

So are you saying that the decision to begin the sniffer process was
validated due to network load concerns rather than something else?
I'm not saying that that is bad form, mind you. Any action is better
than none at all.  I am however curious about the circumstances that
have led organizations to bite the proverbial bullet and begin
sniffing.

Additionally, do any of you by policy differentiate between sniffing,
monitoring and scanning? They are sometimes lumped in together, often,
I suspect, to justify any or all of these processes.

Forwarded by:           dsandfor () seebeck ua edu
Forwarded to:           doug () bama ua edu
Date forwarded:         Tue, 23 Mar 2004 10:29:00 -0500
Date sent:              Tue, 23 Mar 2004 11:28:27 -0500
Send reply to:          The EDUCAUSE Security Discussion Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU>
From:                   Cal Frye <cjf () CALFRYE COM>
Organization:           Oberlin College
Subject:                Re: [SECURITY] Sniffer notification
To:                     SECURITY () LISTSERV EDUCAUSE EDU

At the moment, we have several dorms complaining of general network
congestion or sluggishness, including the inability to maintain
connections with some of our own servers. We've checked wiring, switch
configuration, errors on the ports, much statistical and aggregate
analysis. We're searching for signs of specific troubles in
client-server connections, which pretty much means we need to sniff
traces and see what's going on. Could be virus-related activity that is
blocked from campus upstream, might be within-dorm P2P activity we're
also not seeing.

We want to work with some of the squeakiest wheels and see what's
interrupting their attempts to contact our servers.

--Cal Frye, Network Administrator, Oberlin College
  www.ouuf.org, www.calfrye.com

   "What a school thinks about libraries is a measure of what it thinks
about education"

Doug Sandford wrote:
I would be interested to know what circumstances led you and others
to move forward with the Sniffer project. Several factions here have
resisted the process because of perceived privacy issues, thus the
delay/hesitancy. Was your decision driven by the recent spate of
virus and 'compromised host' issues?

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at 
http://www.educause.edu/cg/.
Doug Sandford
Information Security Officer
University of Alabama
Seebeck Computer Center
doug () ua edu

This email is intended only for the person to whom it is
addressed.  Any review or other use of this information by
persons or entities other than the intended recipient or any
retransmission without the consent of the sender is prohibited.
