Re: Network IPS Information Security Policy

[Gary Dobbins <dobbins () ND EDU>]

Our Responsible Use Policy reminds all users of the Institution's right to inspect its equipment and networks for 
purposes of maintaining their proper function, investigate issues, etc.

Since it's not a human reading the stream, privacy is not necessarily automatically at-risk - no one is there to 
interpret what Alice is saying to Bob, unless it includes an attack script.

All personnel authorized to operate the IPS gear (who could theoretically view content), just as those who operate 
enterprise storage, have signed an explicit document indicating they will not use that access to view anything other 
than as assigned.


> -----Original Message-----
> From: The EDUCAUSE Security Constituent Group Listserv
> [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of randy marchany
> Sent: Friday, November 13, 2009 2:54 PM
> To: SECURITY () LISTSERV EDUCAUSE EDU
> Subject: Re: [SECURITY] Network IPS Information Security Policy
>
> This is an interesting thread and I have another question to ask.
> Given the nature of IPS and it's ability to basically read any
> email,
> chat, or any data sent through the wire, how are institutions
> dealing
> with the potential public relations nightmare of explaining to your
> constituents that this device and its keepers have that ability?
> Does
> anyone have a stock answer of "balancing security of the
> infrastructure with the ability for transmissions to be monitored"?
> Has anyone run into this situation? I can see spinning the answer
> to
> say that "encryption" is the best way to go but then that will
> start
> to limit the ability of the IPS to detect attack payloads.
>
> Just wondering.
>
> -Randy Marchany
> VA Tech IT Security Office & Lab