Policy on Port Monitoring
This policy applies to network and server administrators who provide support for large server clusters.
Practical use of an Intrusion Detection System (IDS) requires that a switch echo traffic from some number of ports to the port where the IDS is attached. Because of the security implications of passing data to a user-accessible port, Data Network Operations will consider requests to do so only if the head of IT for the Division or School has approved the petition in writing. IT Services will allow port monitoring only if the monitored and monitoring ports reside on a single switch.
IT Security must approve the concept and implementation of the IDS placement and use. It is their prerogative to reject a request if the anticipated benefits are inadequate; for example, if there are too few servers, the servers monitored are not widely used, or the monitoring would be superfluous with other monitoring already in place. A monitored port will be re-evaluated bi-monthly to guarantee that the port is still in use for its intended purpose.
Output of the monitoring port shall be made available to IT Security if requested. Output of the monitoring port shall not be shared in whole or in part with any entity other than IT Security, nor used for any purpose other than Intrusion Detection as described in the approved design. Information derived from output of the monitoring port is subject to the same restrictions. The output shall be retained for only so long a period as required to meet the design objectives.
The allowance of an IDS on the campus network does not alter privileges or the department’s responsibilities with regard to the network and networked hosts. Specifically, IT Services retains the right, as with any network port, to disable the monitoring port without notice should we determine that the monitoring device interferes in any way with the network. The department is still obliged to manage networked hosts in accordance with proper and secure practices. Requests for assistance with network problems (such as blocking an attacking host, resolving IP conflicts or similar) are granted no higher priority than those of any network citizen.