Educause Security Discussion mailing list archives
Re: Network IPS Information Security Policy
From: Gary Dobbins <dobbins () ND EDU>
Date: Fri, 13 Nov 2009 15:09:34 -0500
Our Responsible Use Policy reminds all users of the Institution's right to inspect its equipment and networks for purposes of maintaining their proper function, investigate issues, etc. Since it's not a human reading the stream, privacy is not necessarily automatically at-risk - no one is there to interpret what Alice is saying to Bob, unless it includes an attack script. All personnel authorized to operate the IPS gear (who could theoretically view content), just as those who operate enterprise storage, have signed an explicit document indicating they will not use that access to view anything other than as assigned.
-----Original Message----- From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of randy marchany Sent: Friday, November 13, 2009 2:54 PM To: SECURITY () LISTSERV EDUCAUSE EDU Subject: Re: [SECURITY] Network IPS Information Security Policy This is an interesting thread and I have another question to ask. Given the nature of IPS and it's ability to basically read any email, chat, or any data sent through the wire, how are institutions dealing with the potential public relations nightmare of explaining to your constituents that this device and its keepers have that ability? Does anyone have a stock answer of "balancing security of the infrastructure with the ability for transmissions to be monitored"? Has anyone run into this situation? I can see spinning the answer to say that "encryption" is the best way to go but then that will start to limit the ability of the IPS to detect attack payloads. Just wondering. -Randy Marchany VA Tech IT Security Office & Lab
Current thread:
- Network IPS Information Security Policy Kris Monroe (Nov 13)
- <Possible follow-ups>
- Re: Network IPS Information Security Policy Gary Dobbins (Nov 13)
- Re: Network IPS Information Security Policy randy marchany (Nov 13)
- Re: Network IPS Information Security Policy Gary Dobbins (Nov 13)
- Re: Network IPS Information Security Policy Joel Rosenblatt (Nov 13)
- Re: Network IPS Information Security Policy Basgen, Brian (Nov 13)
- Re: Network IPS Information Security Policy Alex (Nov 13)
- Re: Network IPS Information Security Policy Gary Dobbins (Nov 13)
- Re: Network IPS Information Security Policy randy marchany (Nov 13)
- Re: Network IPS Information Security Policy randy marchany (Nov 13)
- Re: Network IPS Information Security Policy Basgen, Brian (Nov 13)
- Re: Network IPS Information Security Policy Willis Marti (Nov 14)
- Re: Network IPS Information Security Policy Pete Hickey (Nov 14)
- Re: Network IPS Information Security Policy Thomas R. Davis (Nov 18)