IDS vs. Privacy

E. Larry Lidz
Mon Feb 2 20:33:10 GMT 2004


I was asked, as moderator, to pose this question to the group from
someone at an institution who wished to remain anonymous. They fear that
if this message was public their institution might be the target of
unwanted attention from the underground.

The institution has about 25,000 machines on their network, and had been
running an IDS system which received a copy of all traffic across the
network's gateway to the Internet/I2. The IDS system had a track record
of being successful -- it detected most of the viruses, worms, port
scans, spam relays, proxies, rogue FTP sites, rogue IRC bots, and so

IT management then changed. The IDS system was shut off with no advance
notice over the concern that it might lead to a compromise of privacy
policies. The new management believes that people having access to raw
packets is an unacceptable risk. They felt that technologies that
summarize information about the traffic (Cisco Flows from a
router/switch, mirroring traffic to an IDS system that has no ability to
sniff, etc.) are acceptable, however.

They would like to know: has anyone been in a similar situation? If so,
were you able to bring back your IDS? What arguments were compelling to
management? Are other institutions similarly concerned about the privacy
issues involved? Why or why not?

Any other advice?
