Interesting People mailing list archives
Re: MIT monitoring campus network traffic
From: David Farber <dave () farber net>
Date: Sat, 18 Apr 2009 08:40:01 -0400
Begin forwarded message:
From: Michael Collins <mcollins () aleae com>
Date: April 17, 2009 10:23:22 PM EDT
To: dave () farber net
Subject: Re: [IP] Re: MIT monitoring campus network traffic

Dave,

If it is netflow, then the MIT article is about 10 years too late, since NetFlow has been used for upwards of a decade for monitoring traffic on college campuses. Fullmer and Romig wrote their first paper on using flow-tools for security analysis at OSU in LISA 2000. LISA, FloCon and other conferences regularly include papers that boil down to "we studied netflows on this college campus". QRadar, if I remember correctly, started as a monitoring system for the University of New Brunswick and has strong installations in a lot of college campuses.
One of the major advantages of NetFlow in this case is that it doesn't include payload --- flow records in v5 format don't have a payload field, and while it's theoretically possible to include it in v9 (or anything else), flow is generally collected at routers and is a low-priority process (as opposed to, say, routing). Because of that, it's obnoxiously difficult to collect payload and of dubious value - a network MIT's size is probably getting 10-20 Gig of SQLSlammer traffic alone daily. In my personal experience, it's been Buckley-Amendment friendly as long as the addresses are anonymized.
On Apr 17, 2009, at 7:36 PM, David Farber wrote:
Begin forwarded message:
From:
Date: April 17, 2009 6:05:06 PM EDT
To: dave () farber net
Subject: *please anonymize* Re: [IP] MIT monitoring campus network traffic

Dave, *please anonymize*

My day job is as a network architect for a mid-sized Canadian ISP. I'm the top technical person in the company, and I fall between technical staff and management, often working in both worlds. This article reminds me of a tactic once used on me, by an unnamed vendor who was having little success selling us a commercial product which does what was described in the article. We use an open-source version, and though it does not have pretty graphs and Crystal Reports, we like it. The sales person in question inquired about our data retention policies (which I would not disclose to him) and later escalated to senior management, using an argument that they felt bordered on scare tactics. Everyone agreed that we've seen more aggressive sales pitches lately, with the economy the way it is, but that definitely is one of the more memorable ones.

I can't help thinking the same of this situation. Perhaps someone is taking a page from the anti-virus vendor's books?

Also, for those that are interested, the underlying protocol which I suspect is being used is likely NetFlow, originally developed by Cisco, or a variation.

http://www.cisco.com/go/netflow

The protocol is configured on key network routers, and traffic is sampled at a configured rate, with the results sent to a collection server. The data can then be analyzed for a wide variety of information, including virus infections, DoS attacks, routing analysis and trending, etc. We typically use it for determining traffic patterns, and on occasion, for denial of service attacks. The information is stored in an off-net, hardened server, with an encrypted file system.
That's sufficient for us.

-------------------------------------------
Archives: https://www.listbox.com/member/archive/247/=now
RSS Feed: https://www.listbox.com/member/archive/rss/247/
Powered by Listbox: http://www.listbox.com
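As an added illustration of Michael Collins's point (this is not code from either correspondent), here is a decoder for the fixed NetFlow v5 export format: the 48-byte record carries addresses, ports, counters and flags but no payload field, so a check such as flagging a Slammer-shaped flow works on metadata alone, and addresses can be truncated before anything is retained. The /16 truncation policy and the sample packet are constructed assumptions for the example.

```python
import struct
import ipaddress

# NetFlow v5 export packet: a 24-byte header followed by up to 30 fixed 48-byte records.
HDR = struct.Struct(">HHIIIIBBH")                  # version, count, uptime, secs, nsecs, seq, engine type/id, sampling
REC = struct.Struct(">4s4s4sHHIIIIHHBBBBHHBBH")    # one flow record; note that no field carries payload
FIELDS = ("src", "dst", "nexthop", "in_if", "out_if", "pkts", "octets", "first", "last",
          "sport", "dport", "pad1", "tcp_flags", "proto", "tos", "src_as", "dst_as",
          "src_mask", "dst_mask", "pad2")

def anonymize(addr_bytes, keep_bits=16):
    """Zero the host bits so only the /keep_bits network is retained (assumed retention policy)."""
    mask = (0xFFFFFFFF << (32 - keep_bits)) & 0xFFFFFFFF
    return str(ipaddress.IPv4Address(int.from_bytes(addr_bytes, "big") & mask))

def parse_v5(packet, keep_bits=16):
    """Decode the header and every record; addresses are anonymized before anything is kept."""
    version, count = HDR.unpack_from(packet, 0)[:2]
    if version != 5:
        raise ValueError(f"not a NetFlow v5 packet (version={version})")
    if len(packet) < HDR.size + count * REC.size:
        raise ValueError("packet shorter than its record count claims")
    flows = []
    for i in range(count):
        rec = dict(zip(FIELDS, REC.unpack_from(packet, HDR.size + i * REC.size)))
        rec["src"] = anonymize(rec["src"], keep_bits)
        rec["dst"] = anonymize(rec["dst"], keep_bits)
        flows.append(rec)
    return flows

def looks_like_slammer(flow):
    """SQL Slammer is a single 404-byte UDP datagram to 1434/udp: visible from flow metadata alone."""
    return flow["proto"] == 17 and flow["dport"] == 1434 and flow["pkts"] == 1 and flow["octets"] == 404

def slammer_flows(packet):
    return [f for f in parse_v5(packet) if looks_like_slammer(f)]

def _record(src, dst, proto, sport, dport, pkts, octets):
    """Build one constructed record (interfaces, timestamps, AS numbers and masks are filler)."""
    return REC.pack(ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed,
                    b"\0" * 4, 1, 2, pkts, octets, 1000, 1000, sport, dport, 0, 0, proto, 0,
                    0, 0, 24, 24, 0)

# Constructed sample export (not captured traffic): one ordinary web flow, one Slammer-shaped probe.
SAMPLE = (HDR.pack(5, 2, 123456, 1240000000, 0, 1, 0, 0, 0)
          + _record("18.9.22.69", "203.0.113.7", 6, 80, 52133, 12, 9600)
          + _record("198.51.100.42", "18.31.0.9", 17, 1434, 1434, 1, 404))
```

Feeding a real collector's UDP payload to `parse_v5` works the same way, since the v5 layout is fixed; only the truncation width is a local policy choice.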