[unisog] IDS vs. Privacy

John Kristoff jtk at northwestern.edu
Wed Feb 4 17:23:47 GMT 2004

On Mon, 02 Feb 2004 14:33:10 -0600
"E. Larry Lidz" <ellidz at uchicago.edu> wrote:

> The institution has about 25,000 machines on their network, and had been
> running an IDS system which received a copy of all traffic across the
> network's gateway to the Internet/I2. The IDS system had a track record
> of being successful -- it detected most of the viruses, worms, port
> scans, spam relays, proxies, rogue FTP sites, rogue IRC bots, and so
> forth.

Someone most of us know at least by name once described the problem
to me in a very simple way.  Watching all traffic is in effect a wiretap.
The law may or may not allow the institution to perform these functions,
but this institution obviously argued that it did not want to be in the
business of administering a 24x7 all-network-traffic wiretap.  I think
this is a decision to be commended assuming that they are making up for
the loss of visibility in other ways in the area of information security.

> IT management then changed. The IDS system was shut off with no advance
> notice over the concern that it might lead to a compromise of privacy
> policies. The new management believes that people having access raw
> packets is an unacceptable risk. They felt that technologies that
> summarize information (Cisco Flows from a router/switch, mirroring
> traffic to an IDS system that has no ability to sniff, etc.) about the
> traffic is acceptable, however.

In general I think so too.  From an infrastructure perspective you can
often see most of what you need to see by using more aggregate-based
detection methods as well as monitoring specific networks (e.g. bogons
and sinkholes), hosts (remote access to switches, routers) and central
application services (web server logs, tripwire/aide monitoring).
Certainly in some cases you need to do the equivalent of a wiretap on
specific traffic, but generally not for everything all the time and even
then only after there is evidence to do so.  When something slips by
the aggregate-based views that is often a call for stronger security
solutions at the edge (e.g. authentication, system logs).  It is a
trade-off.  What the institution gains in a big IDS it may lose in
edge security expertise and vice versa.

> They would like to know: has anyone been in a similar situation? If so,
> were you able to bring back your IDS? What arguments were compelling to
> management? Are other institutions similarly concerned about the privacy
> issues involved? Why or why not?

I'd like to know the opposite.  How were people able to get rid of it?
That seems like an equally interesting challenge.
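The post above argues that aggregate views such as flow records can reveal much of what a full-packet IDS would, without anyone handling payloads. The following is an added example, not code from the original post or from either institution, showing one such check: scan-like behaviour flagged purely from flow metadata (source, destination, port, packet count). The simplified flow-record layout, the CSV line format, the sample flows and the two thresholds are all constructed assumptions for this example.

```python
"""Scan detection from flow summaries alone (no packet payloads).

Added example, not part of the original unisog post.  It assumes flow
records reduced to (src, dst, dport, proto, packets, octets), roughly the
fields a NetFlow-style export carries, and flags sources that touch many
distinct destination:port pairs with near-empty flows.  The CSV layout,
sample data and thresholds are constructed for this example.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    proto: str
    packets: int
    octets: int


def parse_flow_line(line):
    """Parse one constructed CSV line: src,dst,dport,proto,packets,octets."""
    src, dst, dport, proto, packets, octets = line.strip().split(",")
    return Flow(src, dst, int(dport), proto, int(packets), int(octets))


# Constructed sample: 10.0.5.7 sweeps TCP/445 across 40 hosts with
# single-packet flows (SYN-only behaviour); 10.0.9.2 is ordinary browsing.
SAMPLE_LINES = (
    [f"10.0.5.7,192.0.2.{i},445,tcp,1,48" for i in range(1, 41)]
    + ["10.0.9.2,198.51.100.10,443,tcp,120,84000",
       "10.0.9.2,198.51.100.11,443,tcp,90,62000",
       "10.0.9.2,198.51.100.12,80,tcp,15,9000"]
)
SAMPLE_FLOWS = [parse_flow_line(l) for l in SAMPLE_LINES]


def scan_candidates(flows, min_targets=20, max_avg_pkts=2.0):
    """Return {src: (distinct_dst_port_pairs, avg_packets_per_flow)} for
    sources exceeding min_targets distinct targets while averaging at most
    max_avg_pkts packets per flow.  Both thresholds are assumptions here;
    a site would tune them against its own baseline traffic."""
    targets = defaultdict(set)
    packets = defaultdict(int)
    flow_count = defaultdict(int)
    for f in flows:
        targets[f.src].add((f.dst, f.dport))
        packets[f.src] += f.packets
        flow_count[f.src] += 1

    flagged = {}
    for src, pairs in targets.items():
        avg = packets[src] / flow_count[src]
        if len(pairs) >= min_targets and avg <= max_avg_pkts:
            flagged[src] = (len(pairs), avg)
    return flagged


if __name__ == "__main__":
    for src, (n, avg) in scan_candidates(SAMPLE_FLOWS).items():
        print(f"{src}: {n} distinct dst:port pairs, {avg:.1f} packets/flow")
```

The point the post makes is visible in what the code never touches: it has no access to packet contents, only per-flow counters, yet the sweep stands out because of its fan-out and its tiny flows. What such a view cannot do is tell an operator what a single flagged flow carried, which is exactly the case where the post says a targeted capture, justified by this kind of evidence, is the appropriate next step.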

