TST Implementation of the Network Inspection Policy

  1. Network traffic collection may be done via a mirror port on our main network switch, or using other methods to intercept the data. The data collection is done on the research side of the research firewalls.
  2. We collect:
    1. the source and destination address and ports, duration of connection and number of bytes transferred
    2. URL contents and header information passed to and from servers
    3. envelope information of mail relayed in the clear using SMTP
    4. contents of IRC messages sent in the clear to servers
    5. DNS lookups, zone transfer attempts
    6. ICMP traffic
    7. POP3 command exchanges in the clear
    8. passwords sent in the clear (SMTP, HTTP, POP3, etc.)
    9. out of spec/suspicious traffic which may be attempts to evade the intrusion detection system
    10. from time to time we may log all the content of a connection or all the traffic going to and from a computer for analysis. This may occur, for example, in response to a request from a law enforcement agency such as the RCMP. Any such complete logging for analysis must first be approved by the Department Chair.
  3. We will use an application to analyze the collected packets to:
    1. detect anomalous network traffic which could indicate a potential security problem with a computer or a violation of the department's Conditions of Use,
    2. detect attacks against our web servers and potentially malicious attacks from our clients against remote servers (indicating compromise),
    3. detect spam bots,
    4. detect botnet command and control,
    5. detect attacks and signature-based matching of suspicious lookups (known command and control servers for botnets, servers containing malware, etc.),
    6. detect port scans and back channel communications,
    7. detect password brute force attacks,
    8. In addition, the applications may take lower level bits of data and construct a profile of other suspicious behaviour such as stepping attacks (ssh-ing into our hosts and then ssh-ing back out in quick succession).
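The stepping-attack profile in item 3.8 can be built from nothing more than the per-connection records item 2.1 says are collected. The following is an added example, not TST's analysis application, showing how such a profile is derived: it pairs an inbound SSH connection to one of our hosts with an outbound SSH connection that the same host opens shortly afterwards while the inbound session is still alive. The `Conn` record layout, the `OUR_NETS` address ranges, the 60-second window and the sample records are all assumptions constructed for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Iterable, List, Tuple

SSH_PORT = 22


@dataclass(frozen=True)
class Conn:
    """One connection record (hypothetical layout of the item 2.1 fields)."""
    start: float     # connection start, epoch seconds
    src: str
    sport: int
    dst: str
    dport: int
    duration: float  # seconds the connection stayed open
    nbytes: int      # bytes transferred in both directions


def _is_ours(addr: str, nets) -> bool:
    a = ip_address(addr)
    return any(a in n for n in nets)


def find_stepping_stones(conns: Iterable[Conn], our_nets: Iterable[str],
                         window: float = 60.0) -> List[Tuple[Conn, Conn]]:
    """Return (inbound, outbound) pairs where an external host sshes into one of
    our hosts and that host opens an outbound ssh session within `window`
    seconds, while the inbound session is still open. Only SSH (port 22) is
    considered; everything else in the record stream is ignored."""
    nets = [ip_network(n) for n in our_nets]
    inbound = [c for c in conns
               if c.dport == SSH_PORT and _is_ours(c.dst, nets) and not _is_ours(c.src, nets)]
    outbound = [c for c in conns
                if c.dport == SSH_PORT and _is_ours(c.src, nets)]
    hits = []
    for i in inbound:
        for o in outbound:
            same_hop = o.src == i.dst and o.dst != i.src
            in_window = i.start <= o.start <= i.start + window
            still_open = o.start <= i.start + i.duration
            if same_hop and in_window and still_open:
                hits.append((i, o))
    return sorted(hits, key=lambda pair: pair[1].start)


def summarize(pairs: List[Tuple[Conn, Conn]]) -> List[str]:
    """One line per hit: origin -> our hop host -> next destination (+delay)."""
    return [f"{i.src} -> {i.dst} -> {o.dst} (+{o.start - i.start:.0f}s)"
            for i, o in pairs]


# Constructed sample records (documentation address ranges, not real traffic).
OUR_NETS = ["192.0.2.0/24"]
SAMPLE = [
    Conn(1000.0, "203.0.113.5", 51234, "192.0.2.10", 22, 900.0, 48000),   # inbound ssh to our host
    Conn(1012.0, "192.0.2.10", 40001, "198.51.100.7", 22, 850.0, 30000),  # same host sshes out 12s later: hit
    Conn(1300.0, "192.0.2.11", 40002, "198.51.100.9", 22, 100.0, 2000),   # outbound with no matching inbound
    Conn(2000.0, "203.0.113.8", 51300, "192.0.2.12", 22, 30.0, 5000),     # short inbound session
    Conn(2500.0, "192.0.2.12", 40003, "198.51.100.3", 22, 60.0, 1000),    # outbound long after it closed: no hit
    Conn(3000.0, "192.0.2.10", 40004, "192.0.2.20", 80, 1.0, 500),        # HTTP, ignored
]

if __name__ == "__main__":
    for line in summarize(find_stepping_stones(SAMPLE, OUR_NETS)):
        print("stepping stone:", line)
```

The window and the "still open" test are what keep this from flagging ordinary administrators who log in and, minutes later, happen to ssh elsewhere; tuning both against a month of the retained data (item 4) before the analysis is agreed with DOEC (item 7) is the practical step.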
  4. The network data is retained for 1 month and then deleted from the system, unless there is an ongoing investigation. In the event of an investigation, once the investigation is complete the data will be deleted from the system. Network traffic collected for troubleshooting is not retained.
  5. Data will only be accessible to the security team in TST. Only the security team will have login access to the machines collecting and storing the data.
  6. The security team in TST will advise our customers of any security issues (like unencrypted passwords) which the team finds while detecting anomalous network traffic that indicates a potential security problem.
  7. Reporting of all network monitoring activity:
    1. TST will receive daily reports of any anomalous behaviour found by the analysis application. The analysis used to produce these reports will be previously agreed to by DOEC.
    2. DOEC will be informed through bi-weekly reports of how much data was collected and any activity which the analysis application found to be anomalous. The analysis used to produce these reports will be previously agreed to by DOEC.
    3. Results of investigations will only be sent to the Department Chair and to the investigator from the law enforcement agency, and only those TST personnel involved in the investigation will be informed of them.
    4. All information and reports, if sent in electronic form, will be encrypted.
  8. This implementation of the network traffic inspection policy will be reviewed each year by DOEC to ensure the security of the data, the content and security of all reports produced and that FOIPP guidelines and University guidelines for data protection are followed.

Created January 7, 2011.