Interesting People mailing list archives

Re: MIT monitoring campus network traffic


From: David Farber <dave () farber net>
Date: Sat, 18 Apr 2009 08:40:01 -0400



Begin forwarded message:

From: Michael Collins <mcollins () aleae com>
Date: April 17, 2009 10:23:22 PM EDT
To: dave () farber net
Subject: Re: [IP] Re:   MIT monitoring campus network traffic

Dave,

If it is netflow, then the MIT article is about 10 years too late, since NetFlow has been used for upwards of a decade for monitoring traffic on college campuses. Fullmer and Romig wrote their first paper on using flow-tools for security analysis at OSU in LISA 2000. LISA, FloCon and other conferences regularly include papers that boil down to "we studied netflows on this college campus". QRadar, if I remember correctly, started as a monitoring system for the University of New Brunswick and has strong installations in a lot of college campuses.

One of the major advantages of NetFlow in this case is that it doesn't include payload --- flow records in v5 format don't have a payload field, and while it's theoretically possible to include it in v9 (or anything else), flow is generally collected at routers and is a low-priority process (as opposed to, say, routing). Because of that, it's obnoxiously difficult to collect payload and of dubious value - a network MIT's size is probably getting 10-20 Gig of SQLSlammer traffic alone daily. In my personal experience, it's been Buckley-Amendment friendly as long as the addresses are anonymized.

On Apr 17, 2009, at 7:36 PM, David Farber wrote:



Begin forwarded message:

From:
Date: April 17, 2009 6:05:06 PM EDT
To: dave () farber net
Subject: *please anonymize* Re: [IP] MIT monitoring campus network traffic

Dave,

*please anonymize*

My day job is as a network architect for a mid-sized Canadian ISP. I'm the top technical person in the company, and I fall between technical staff and management, often working in both worlds. This article reminds me of a tactic once used on me, by an unnamed vendor who was having little success selling us a commercial product which does what was described in the article. We use an open-source version, and though it does not have pretty graphs and Crystal Reports, we like it. The sales person in question inquired about our data retention policies (which I would not disclose to him) and later escalated to senior management, using an argument that they felt bordered on scare tactics. Everyone agreed that we've seen more aggressive sales pitches lately, with the economy the way it is, but that definitely is one of the more memorable ones.

I can't help thinking the same of this situation. Perhaps someone is taking a page from the anti-virus vendor's books?

Also, for those that are interested, the underlying protocol which I suspect is being used is likely NetFlow, originally developed by Cisco, or a variation.

http://www.cisco.com/go/netflow

The protocol is configured on key network routers, and traffic is sampled at a configured rate, with the results sent to a collection server. The data can then be analyzed for a wide variety of information, including virus infections, DoS attacks, routing analysis and trending, etc. We typically use it for determining traffic patterns, and on occasion, for denial of service attacks. The information is stored in an off-net, hardened server, with an encrypted file system. That's sufficient for us.





-------------------------------------------
Archives: https://www.listbox.com/member/archive/247/=now
RSS Feed: https://www.listbox.com/member/archive/rss/247/
Powered by Listbox: http://www.listbox.com
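Both messages above describe the same mechanism: routers export sampled flow records, which carry no payload, to a collection server, and the records are useful for spotting worm or DoS activity once the addresses are anonymized. The following is an added Python example, not code from either correspondent, from MIT or from Cisco: it decodes a constructed NetFlow v5 export packet, pseudonymizes the endpoint addresses with a keyed hash so that per-host aggregation still works, and runs a simple fan-out heuristic over the records. The field layout is the published v5 header and record format; the packet contents, the key, the port and the threshold are constructed for illustration.

```python
"""Decode a NetFlow v5 export packet, pseudonymize addresses, and run a
fan-out heuristic over the flow records. Added example; packet data,
key and threshold are constructed."""
import hashlib
import hmac
import socket
import struct
from collections import defaultdict

# NetFlow v5 header: version, count, sys_uptime, unix_secs, unix_nsecs,
# flow_sequence, engine_type, engine_id, sampling (mode:2 bits | interval:14 bits)
HEADER_FMT = "!HHIIIIBBH"                  # 24 bytes
# NetFlow v5 record: 48 bytes, note there is no payload field anywhere
RECORD_FMT = "!4s4s4sHHIIIIHHBBBBHHBBH"
RECORD_FIELDS = ("srcaddr", "dstaddr", "nexthop", "input", "output",
                 "dPkts", "dOctets", "first", "last", "srcport", "dstport",
                 "pad1", "tcp_flags", "prot", "tos", "src_as", "dst_as",
                 "src_mask", "dst_mask", "pad2")
HEADER_LEN = struct.calcsize(HEADER_FMT)
RECORD_LEN = struct.calcsize(RECORD_FMT)


def parse_v5(packet: bytes) -> dict:
    """Parse one v5 export datagram into a header dict plus a list of records."""
    if len(packet) < HEADER_LEN:
        raise ValueError("packet shorter than v5 header")
    (version, count, sys_uptime, unix_secs, unix_nsecs, flow_seq,
     engine_type, engine_id, sampling) = struct.unpack_from(HEADER_FMT, packet, 0)
    if version != 5:
        raise ValueError(f"not NetFlow v5 (version={version})")
    if len(packet) != HEADER_LEN + count * RECORD_LEN:
        raise ValueError("record count does not match datagram length")
    records = []
    for i in range(count):
        fields = struct.unpack_from(RECORD_FMT, packet, HEADER_LEN + i * RECORD_LEN)
        rec = dict(zip(RECORD_FIELDS, fields))
        for key in ("srcaddr", "dstaddr", "nexthop"):
            rec[key] = socket.inet_ntoa(rec[key])
        records.append(rec)
    return {"version": version, "count": count, "sys_uptime": sys_uptime,
            "unix_secs": unix_secs, "unix_nsecs": unix_nsecs,
            "flow_sequence": flow_seq, "engine_type": engine_type,
            "engine_id": engine_id, "sampling_mode": sampling >> 14,
            "sampling_interval": sampling & 0x3FFF, "records": records}


def pseudonymize(addr: str, key: bytes) -> str:
    """Keyed, deterministic pseudonym: same host maps to the same token,
    but the token cannot be reversed without the key."""
    digest = hmac.new(key, socket.inet_aton(addr), hashlib.sha256).digest()
    return "host-" + digest[:6].hex()


def fan_out(records, key: bytes, dstport: int, proto: int = 6, threshold: int = 3) -> dict:
    """Sources that reached at least `threshold` distinct destinations on one
    port: the fan-out pattern typical of scanning worms. Keys are pseudonyms."""
    targets = defaultdict(set)
    for rec in records:
        if rec["prot"] == proto and rec["dstport"] == dstport:
            targets[pseudonymize(rec["srcaddr"], key)].add(pseudonymize(rec["dstaddr"], key))
    return {src: len(dsts) for src, dsts in targets.items() if len(dsts) >= threshold}


# --- constructed sample export (what a router would send to the collector) ---
def build_record(src, dst, sport, dport, prot, pkts, octets, flags=0) -> bytes:
    return struct.pack(RECORD_FMT, socket.inet_aton(src), socket.inet_aton(dst),
                       socket.inet_aton("0.0.0.0"), 1, 2, pkts, octets, 1000, 1100,
                       sport, dport, 0, flags, prot, 0, 0, 0, 24, 24, 0)


def build_packet(records, sampling_interval: int = 100) -> bytes:
    # sampling mode 1 in the top two bits, 1-in-N interval in the low 14 bits
    header = struct.pack(HEADER_FMT, 5, len(records), 123456, 1240000000, 0, 1,
                         0, 0, (1 << 14) | sampling_interval)
    return header + b"".join(records)


KEY = b"constructed-demo-key"
SAMPLE_PACKET = build_packet(
    # one host (constructed) touching five neighbours on TCP/445 with SYN-only flows
    [build_record("10.1.1.7", f"10.2.0.{n}", 40000 + n, 445, 6, 1, 48, flags=0x02)
     for n in range(1, 6)]
    # plus one ordinary HTTP flow from another constructed host
    + [build_record("10.1.1.8", "10.3.0.9", 51000, 80, 6, 12, 9000, flags=0x1b)]
)

if __name__ == "__main__":
    export = parse_v5(SAMPLE_PACKET)
    print(f"{export['count']} records, sampled 1:{export['sampling_interval']}")
    print("fields per record:", RECORD_FIELDS)  # no payload field present
    for src, n in fan_out(export["records"], KEY, 445).items():
        print(f"{src} reached {n} distinct hosts on tcp/445")
```

Because the pseudonym is an HMAC over the address, the same host yields the same token across exports, so the fan-out count is computed without ever keeping the real addresses; the key is what the collector operator protects.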