Interesting People mailing list archives

Re: MIT monitoring campus network traffic


From: David Farber <dave () farber net>
Date: Sat, 18 Apr 2009 08:39:20 -0400



Begin forwarded message:

From: Michael Sinatra <michael () rancid berkeley edu>
Date: April 17, 2009 8:47:54 PM EDT
To: dave () farber net
Subject: Re: [IP] Re:   MIT monitoring campus network traffic

If it is indeed netflow (and I agree that it certainly sounds like it),
then it's also being used all over the Internet for billing purposes,
and for estimating aggregate bandwidth usage.  The fact that MIT is
retaining it for three days seems like relatively non-invasive use of
netflow, to be quite honest.

It may be of concern that there is no policy governing the use of the
data, but that would seem to be more of a campus- or university-wide
issue.  Some universities have privacy policies that actually allow such
transactional data (source/dest IP address, length of flow, number of
bytes, but no content) to be retained for a certain amount of time.
Notifying users that this is happening is important; the fact that some
of them are surprised at such retention is a bit scary considering that
this sort of thing is done all over the Internet.

Frankly, it doesn't seem like a big issue.  More information is kept in
the average web server log (and I am just talking about apache logs, not
more substantial stuff like Google Analytics) than in netflow.

michael

On 04/17/09 16:36, David Farber wrote:


Begin forwarded message:

From:
Date: April 17, 2009 6:05:06 PM EDT
To: dave () farber net
Subject: *please anonymize* Re: [IP] MIT monitoring campus network traffic

Dave,

*please anonymize*

My day job is as a network architect for a mid-sized Canadian ISP. I'm
the top technical person in the company, and I fall between technical
staff and management, often working in both worlds.  This article
reminds me of a tactic once used on me, by an unnamed vendor who was
having little success selling us a commercial product which does what
was described in the article. We use an open-source version, and though
it does not have pretty graphs and Crystal Reports, we like it.  The
sales person in question inquired about our data retention policies
(which I would not disclose to him) and later escalated to senior
management, using an argument that they felt bordered on scare tactics.
Everyone agreed that we've seen more aggressive sales pitches lately,
with the economy the way it is, but that definitely is one of the more
memorable ones.

I can't help thinking the same of this situation.  Perhaps someone is
taking a page from the anti-virus vendor's books?

Also, for those that are interested, the underlying protocol which I
suspect is being used is likely NetFlow, originally developed by Cisco,
or a variation.

http://www.cisco.com/go/netflow

The protocol is configured on key network routers, and traffic is
sampled at a configured rate, with the results sent to a collection
server.  The data can then be analyzed for a wide variety of
information, including virus infections, DoS attacks, routing analysis
and trending, etc.  We typically use it for determining traffic
patterns, and on occasion, for denial of service attacks. The
information is stored in an off-net, hardened server, with an encrypted
file system.  That's sufficient for us.





-------------------------------------------
Archives: https://www.listbox.com/member/archive/247/=now
RSS Feed: https://www.listbox.com/member/archive/rss/247/
Powered by Listbox: http://www.listbox.com
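
Added example, not part of the thread: a minimal parser for the fixed-format NetFlow v5 export datagram, showing the transactional fields a collector receives (addresses, ports, packet and byte counts, timing, no payload) and a three-day retention purge like the one discussed above. The thread only suspects NetFlow, so the v5 format is an assumption here; the function names and the sample datagram (documentation-range addresses) are constructed for illustration.

```python
import ipaddress
import struct

# NetFlow v5 export layout: fixed-size header and records, network byte order.
HEADER = struct.Struct("!HHIIIIBBH")                 # 24 bytes
RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")   # 48 bytes
RETENTION_SECONDS = 3 * 24 * 3600  # three-day window mentioned in the thread

def parse_v5(datagram):
    """Return the flow records in one NetFlow v5 export datagram as dicts."""
    if len(datagram) < HEADER.size:
        raise ValueError("truncated header")
    version, count, uptime_ms, unix_secs, *_ = HEADER.unpack_from(datagram)
    if version != 5:
        raise ValueError("not NetFlow v5")
    if len(datagram) != HEADER.size + count * RECORD.size:
        raise ValueError("length does not match record count")
    flows = []
    for i in range(count):
        f = RECORD.unpack_from(datagram, HEADER.size + i * RECORD.size)
        flows.append({
            "src": str(ipaddress.IPv4Address(f[0])),
            "dst": str(ipaddress.IPv4Address(f[1])),
            "packets": f[5], "bytes": f[6],
            "duration_ms": f[8] - f[7],          # last - first (router uptime)
            "src_port": f[9], "dst_port": f[10], "proto": f[13],
            # Flow end as wall-clock time: export time minus time since 'last'.
            "ended": unix_secs - (uptime_ms - f[8]) // 1000,
        })
    return flows

def purge_expired(flows, now):
    """Keep only flows that ended inside the retention window."""
    return [f for f in flows if now - f["ended"] <= RETENTION_SECONDS]

def build_sample(unix_secs):
    """Constructed sample datagram holding one TCP flow to port 443."""
    header = HEADER.pack(5, 1, 600_000, unix_secs, 0, 1, 0, 0, 0)
    record = RECORD.pack(
        ipaddress.IPv4Address("192.0.2.10").packed,
        ipaddress.IPv4Address("198.51.100.7").packed,
        ipaddress.IPv4Address("192.0.2.1").packed,
        1, 2, 12, 9000, 590_000, 595_000, 51515, 443,
        0, 0x1B, 6, 0, 0, 0, 24, 24, 0)
    return header + record
```

A collector would run purge_expired on a schedule against its stored records; the length check in parse_v5 rejects truncated or padded datagrams rather than guessing at their contents.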




