Educause Security Discussion mailing list archives

Re: Sniffer notification

From: "David L. Wasley" <david.wasley () UCOP EDU>
Date: Tue, 23 Mar 2004 09:25:08 -0800

An important corollary question is "how do you define 'monitor'?"  I
have heard that some schools record traffic (complete packets) but
don't look at it in any way unless something untoward happens.  They
feel they need to be able to diagnose problems in retrospect.

In general terms, I believe we should consider our networks "common
carriers" (even if the courts may or may not agree) since that starts
with the assumption that we don't and should not eavesdrop on what is
sent over them.  We only examine content under specific circumstances
as defined by policy and confirmed by an authorized individual.  The
parallel is a wiretap order from a court.

WRT troubleshooting a client/server problem, in most all cases the
parties concerned are involved in the problem resolution process and
therefore could give (tacit?) permission to examine the packets they
send and receive.  The network staff also can look at aggregate
behavior of the network without examining the data content of
packets, as Oberlin describes.  Only if a case can be made that the
data content of other network packets, while not congesting or
affecting the proper operation of the network or being received by
either platform in the client/server situation, are somehow causing
the problem would the relevant campus authority give permission for
broader examination of traffic.

I fear that venturing over this strict line could open up a huge
number of ugly problems.

       David
-----
At 11:11 AM -0500 on 3/23/04, Tracy Mitrano wrote:

Just curious on this thread about a related question:

      How many schools have IT policies that state something to the
effect of:

      "[Name of Institution] does not as a practice monitor its
network for content"

Please note that such a statement does not prevent whatever
technical measures are necessary for security and maintenance, as is
explained by additional policy language.

Thanks!

Tracy


**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at 
http://www.educause.edu/cg/.

Current thread:

Re: Sniffer notification, (continued)
- Re: Sniffer notification Doug Sandford (Mar 23)
- Re: Sniffer notification Matthew Keller (Mar 23)
- Re: Sniffer notification Richard Gadsden (Mar 23)
- Re: Sniffer notification Tracy Mitrano (Mar 23)
- Re: Sniffer notification Brian Reilly (Mar 23)
- Re: Sniffer notification Neil_Sachnoff (Mar 23)
- Re: Sniffer notification Cal Frye (Mar 23)
- Re: Sniffer notification Dan Schneider (Network Administrator) (Mar 23)
- Re: Sniffer notification Doug Sandford (Mar 23)
- Re: Sniffer notification Cal Frye (Mar 23)
- Re: Sniffer notification David L. Wasley (Mar 23)
- Re: Sniffer notification Cal Frye (Mar 23)
- Re: Sniffer notification Carol Myers (Mar 23)
- Re: Sniffer notification Brian Reilly (Mar 23)
- Re: Sniffer notification Brian Kaye (Mar 24)
- Re: Sniffer notification Brian Eckman (Mar 24)
- Re: Sniffer notification Bruggeman, John (Mar 24)