[unisog] IDS vs. Privacy

E. Larry Lidz ellidz at uchicago.edu
Thu Feb 5 17:17:59 GMT 2004


Well, this thread seems to have brought a significant number of
responses, both publically and privately. I've summarized the private
responses (those that I could) below in order to keep them anonymous as
well.

Two schools admitted to being in the same or a very similar situation.

                       Other Things Done by Institutions

One school doesn't look at packets, only at flows. They currently have
an unclear privacy policy so it isn't clear if they can look at
packets. They're hoping to change it so that authorized employees can
access information as their jobs require. 

One school has privacy policies in place which state that the
institution trusts people with access to the network traffic. Anyone
who violates it is subject to disciplinary action.

One institution relies on everyone signing confidentiality agreements and
then audits usage thoroughly. They have found this extremely useful in
tracking things like Mydoom. 

One institution was working on rewriting their AUP in order to allow
for an automated, signature-based IDS. 

                                General Comments

How is this different than people having root on mail servers?
Handcuffing technical staff does not seem like a wise idea. If you
don't trust your security folk, what type of signal does that send to
people at large? 

State institutions should look at state laws -- some state laws either
require or prohibit this sort of thing. 

Issues become trickier when things are decentralized -- what if there
isn't any central department to handle looking at "all traffic." Do
departments have access to the traffic? Are policies different for
departments than they are for the central IT/security group?

Preach a holistic approach to security. If this is done, perhaps management
will understand the issues better and reconsider.

Policies are important, but not the only thing that comes into play here
-- make sure that there are written codes of conduct and procedures for
access the data. 

You might try explaining to management that the bad guys all have this
information already -- sniffers are easy to install, etc.

Have you tried comparing the detection time for a compromise: how long
does it take to find a compromise now? How about before?

Do dorms result in similar problems? If it is their place of residence,
shouldn't they be able to do what they want?

One state's Attorney General had advised that a full packet capture
might qualify as a wiretap -- capturing headers probably wouldn't. They
didn't know of any case law as a precedent. They recommended having
policy and banners in place notifying users of the possibility. Also
they recommend that full captures should only be done as part of
maintenance or when necessary as a technical troubleshooting tool.

The whole "academic freedom" thing probably contributes a great deal to
management's misunderstanding of the situation. They need to be taught
how a good IDS is tuned only to pick up threats and not Joe Schmoe's
e-mail or web browsing history.

There are three issues that management needs to address: Policy, trust,
and accountability.

Not having an IDS is naive and hopefully the people who made the
decision are the same as those with whom the buck stops when things go
awry.

-Larry



More information about the unisog mailing list