Technical Details of IS&T Monitoring
IS&T is collecting two data feeds that contain information about network traffic. Pages on IS&T’s web site show that one data feed comes from external-rtr-2, one of four routers responsible for handling network traffic entering or leaving the campus. The device uses a SPAN (Switched Port Analyzer) port, Cisco’s mechanism for mirroring a copy of all traffic passing through the device to a monitoring port.
McGovern said that the raw packet data is sent to a Snort Intrusion Detection System that matches it against “signatures” that check for compromised machines. Signatures that match the data cause log entries to be generated, but no raw data is ever stored.
Halsall, Information and Network Security Analyst, described for The Tech what the IDS was set up to look for. He said that the signatures are designed to look for “the most indicative telltale signs of compromise,” and they fall into these general categories:
• “Illegitimate bot communication signatures
• Malware threats of significant impact
• Scanning preprocessors
• Malicious Command and Control hosts”
The other data feed, about all TCP/IP connections that cross subnet boundaries, is collected by Cisco’s NetFlow network traffic monitoring system. NetFlow data contains information about the source and destination of each connection, the amount of data exchanged, and routing information. It is primarily used internally by the router to optimize routing, but a copy of the data is sent to the I/T Security Support Team for logging.
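To make concrete what a NetFlow record actually carries (source and destination, byte and packet counts, next hop, interfaces and AS numbers), here is an added example, not from the article or from IS&T, that parses a NetFlow v5 export datagram. The datagram is constructed inline from documentation-range addresses; the field layout follows the published v5 format, and the truncation check shows the kind of malformed export a collector has to reject.

```python
import struct
import ipaddress

# NetFlow v5 wire layout (network byte order): 24-byte header, then 48-byte flow records.
HEADER_FMT = "!HHIIIIBBH"
RECORD_FMT = "!4s4s4sHHIIIIHHBBBBHHBBH"
HEADER_LEN = struct.calcsize(HEADER_FMT)   # 24
RECORD_LEN = struct.calcsize(RECORD_FMT)   # 48

def parse_netflow_v5(datagram):
    """Parse one NetFlow v5 export datagram into a list of flow dicts."""
    if len(datagram) < HEADER_LEN:
        raise ValueError("datagram shorter than NetFlow v5 header")
    version, count, *_ = struct.unpack(HEADER_FMT, datagram[:HEADER_LEN])
    if version != 5:
        raise ValueError("unsupported NetFlow version %d" % version)
    if len(datagram) < HEADER_LEN + count * RECORD_LEN:
        raise ValueError("datagram truncated: header promises more records than present")
    flows = []
    for i in range(count):
        off = HEADER_LEN + i * RECORD_LEN
        f = struct.unpack(RECORD_FMT, datagram[off:off + RECORD_LEN])
        flows.append({
            "src": str(ipaddress.IPv4Address(f[0])), "dst": str(ipaddress.IPv4Address(f[1])),
            "nexthop": str(ipaddress.IPv4Address(f[2])),      # routing information
            "in_if": f[3], "out_if": f[4],                      # SNMP interface indexes
            "packets": f[5], "bytes": f[6],                     # amount of data exchanged
            "src_port": f[9], "dst_port": f[10],
            "tcp_flags": f[12], "proto": f[13],
            "src_as": f[15], "dst_as": f[16],                   # routing information
        })
    return flows

def build_record(src, dst, nexthop, pkts, octets, sport, dport, proto, src_as, dst_as):
    """Helper used only to construct sample records for the demo below (not part of any collector)."""
    return struct.pack(RECORD_FMT, ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed,
                       ipaddress.IPv4Address(nexthop).packed, 1, 2, pkts, octets, 1000, 2000,
                       sport, dport, 0, 0x18, proto, 0, src_as, dst_as, 24, 24, 0)

# Constructed sample datagram: one v5 header announcing two records (RFC 5737 documentation addresses).
SAMPLE_DATAGRAM = (
    struct.pack(HEADER_FMT, 5, 2, 123456, 1700000000, 0, 42, 0, 0, 0)
    + build_record("192.0.2.10", "198.51.100.25", "203.0.113.1", 12, 2048, 50123, 443, 6, 64512, 64513)
    + build_record("198.51.100.25", "192.0.2.10", "203.0.113.2", 10, 9216, 443, 50123, 6, 64513, 64512)
)

if __name__ == "__main__":
    for flow in parse_netflow_v5(SAMPLE_DATAGRAM):
        print(flow)
```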