Network Backbone Monitoring and Logging

Network Backbone Monitoring and Logging Best Practices

May 5, 2000

Currently at the University of Utah, network backbone routers at the Eccles Broadcast Center, Merrill Engineering Building, and INSCC building are exporting network traffic flow information from their Core 2 interfaces to the flow collector. As the Network Backbone Strategic Plan is deployed, flows will be collected from all routers on the Network Backbone. The flow data includes source address, destination address, source and destination port, time, length, and associated AS numbers.

The information is collected by the flow collector and stored in a raw data format. This data is used for performance, historical, and utilization graphs. It is also used for intrusion detection: locating Denial of Service (DoS) signatures and detecting other signatures of compromise and attack.
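To make the two uses above concrete, here is an added example (not code from the University of Utah collector or its vendors) of how a defender would turn raw flow records into a utilization summary and a simple DoS signature check. The record layout (whitespace-separated fields: source, destination, source port, destination port, start time, length in bytes, source AS, destination AS) and the sample flows are constructed assumptions for illustration; the signature flagged is the one described on this page, many distinct sources hitting one destination and port in a short window.

```python
"""Toy analysis of raw flow records: per-AS utilization plus a fan-in DoS check.
The record format and every sample flow below are constructed for this example."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str        # source address
    dst: str        # destination address
    sport: int      # source port
    dport: int      # destination port
    start: int      # flow start time, seconds since epoch (constructed)
    length: int     # bytes carried by the flow
    src_as: int     # source AS number
    dst_as: int     # destination AS number


def parse_flow(line: str) -> Flow:
    """Parse one record: src dst sport dport start bytes src_as dst_as (assumed layout)."""
    f = line.split()
    if len(f) != 8:
        raise ValueError(f"malformed flow record: {line!r}")
    return Flow(f[0], f[1], int(f[2]), int(f[3]), int(f[4]), int(f[5]), int(f[6]), int(f[7]))


def load_flows(text: str) -> list:
    """Parse a block of records, skipping blank lines."""
    return [parse_flow(ln) for ln in text.splitlines() if ln.strip()]


def bytes_by_dst_as(flows) -> dict:
    """Utilization view: total bytes delivered into each destination AS."""
    totals = defaultdict(int)
    for fl in flows:
        totals[fl.dst_as] += fl.length
    return dict(totals)


def fan_in_alerts(flows, window_start: int, window_seconds: int, min_sources: int) -> list:
    """DoS signature: within one time window, flag any (dst, dport) that is reached
    by at least `min_sources` distinct source addresses. Returns a sorted list of
    (dst, dport, distinct_sources, average_bytes_per_flow); a low average alongside
    a high source count is the classic flood pattern worth a closer look."""
    window_end = window_start + window_seconds
    sources = defaultdict(set)
    byte_total = defaultdict(int)
    flow_count = defaultdict(int)
    for fl in flows:
        if not (window_start <= fl.start < window_end):
            continue
        key = (fl.dst, fl.dport)
        sources[key].add(fl.src)
        byte_total[key] += fl.length
        flow_count[key] += 1
    alerts = []
    for key, srcs in sources.items():
        if len(srcs) >= min_sources:
            avg = byte_total[key] // flow_count[key]
            alerts.append((key[0], key[1], len(srcs), avg))
    return sorted(alerts)


# Constructed sample: six tiny flows from six sources to one web server in ten
# seconds (a flood-like pattern), plus two ordinary HTTPS flows to another host.
SAMPLE_RECORDS = """\
10.1.0.1 10.9.9.9 40001 80 1000 60 64512 64513
10.1.0.2 10.9.9.9 40002 80 1001 60 64512 64513
10.2.0.3 10.9.9.9 40003 80 1002 60 64514 64513
10.3.0.4 10.9.9.9 40004 80 1003 60 64515 64513
10.4.0.5 10.9.9.9 40005 80 1004 60 64516 64513
10.5.0.6 10.9.9.9 40006 80 1005 60 64517 64513
10.1.0.1 10.9.9.10 40007 443 1000 52000 64512 64513
10.1.0.2 10.9.9.10 40008 443 1200 48000 64512 64513
"""

FLOWS = load_flows(SAMPLE_RECORDS)

if __name__ == "__main__":
    print("bytes per destination AS:", bytes_by_dst_as(FLOWS))
    for dst, dport, n, avg in fan_in_alerts(FLOWS, 1000, 10, 5):
        print(f"ALERT {dst}:{dport} reached by {n} sources, avg {avg} bytes/flow")
```

The threshold and window are deliberately parameters: a real collector would tune them per service, since a popular web server legitimately sees many distinct sources, so the average bytes per flow (and, with richer records, TCP flag counts) is what separates a flood from normal load.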

The data will be encrypted and archived for a period of 30 days. There are no backups generated of the data, and after 30 days, the data is deleted and unrecoverable. Outside of the uses described above, the data is not needed for or by any other process. The data will not customarily be used to track individual users, but may be used to identify networked devices that are generating anomalous traffic or thought to be compromised.

Access to the flow collection machine will be limited to authorized Telecommunications personnel and ISO members only. Local security will be provided by standard UNIX services and internal firewalls. Network security will be provided by Cisco access lists allowing a set of known machines to access the data; these machines will require a user name and password and be DSO/ISO certified. Security of systems and networks in the NetFlow monitoring and logging process will be implemented at the Department of Defense Class B2 Structured Protection level. Further security information will be forthcoming.

At any time that either entity (DSO or ISO) believes the data integrity is in jeopardy, the data can be deemed invalid and will be destroyed and unrecoverable. If the data is deemed invalid, a written record will be filed with the Data Steward, signed by both the DSO and ISO, indicating the time period and reason for destruction.

For resolution of a security issue (e.g., a network Denial of Service, ongoing threatening activity on the campus, or use of campus resources to attack other entities), a minimum of one ISO member and one authorized Telecommunications member must agree that the log data is needed.

External requests for access to a subset of the data require a Form ___ (to be determined) to be completed, signed, and filed with the Data Steward (Director of Telecommunications). Form ___ will be completed by the Telecommunications DSO and the cognizant Vice President as detailed in the Network Monitoring policy.

Requests relating to personnel issues and employee monitoring (see PPM 1-15) will be processed through the Data Steward.