Security Focus
The Super Powers of Layer 7 Traffic Analysis at Wayne State
9/26/2008
By Dian Schaffhauser
The six-person information security office at Wayne State University faces the same challenge common to most institutions of higher education: limited resources and unlimited problems--especially when it comes to identifying problematic network traffic.
"We had so many different systems reporting so many different events, no one could really keep up with it," said Graydon Huffman, senior systems security specialist. "You'd have to have a dedicated security force with people reviewing these logs all the time."
With 33,000 students and 5,800 faculty and staff, 50,000 to 60,000 concurrent hosts with inbound connections to the campus, and an estimated 10,000 concurrent internal hosts hitting the network at any given moment, the firewalls themselves were generating between 600 and 700 events per second--each possibly a signal that something malicious was going on. "That sheer volume is humanly impossible to go through and correlate," said Huffman.
So, as IT Director Morris Reynolds explained, the university set about looking for a security information and event management tool that would act as the "eyes" of the security team "to help us make quick and informed decisions on the various traffic that was moving throughout the institution's network."
The evaluation process was managed by somebody no longer with the school, but Huffman said he believes products from ArcSight, Cisco, and Q1 Labs were under consideration. Attracted by the ability of Q1's QRadar to perform layer 7 application analysis and event correlation, the university purchased and deployed the system in June 2007. The purchase included hardware, software licensing, a maintenance contract, and support services. The applications run on Linux-based appliances. Although Wayne State declined to say what it paid, Huffman estimated the total in the six figures.
How QRadar Works
That original installation, done before Huffman joined the university, was deployed as a stand-alone model, which consisted of a console and a QFlow Collector. The console is a 2U server that provides the main interface for users. The collector is a 1U device that performs layer 7 network data flow analysis by collecting traffic via a tap or mirror port on customer-specified segments of the network. QFlow is Q1's flow format, akin to Cisco's NetFlow and Juniper's J-Flow.
Soon after he started, in November 2007, Huffman moved the school to QRadar 6.1 and reinstalled the system from scratch with the same basic setup. "Within the first half hour of being online with version 6.1," said Huffman, "we were able to detect upwards of 10 bot-controlled hosts. They're very difficult to detect because it looks like bona fide traffic, and the control hosts rapidly change."
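The article does not describe the correlation logic QRadar applied to the flow data, so the script below is an added illustration, not Q1's code or Wayne State's configuration. It shows the kind of rule a flow collector makes possible: the two traits Huffman names, traffic that looks legitimate per flow and control hosts that keep changing, are exactly what a per-flow signature misses and what correlation across a host's flows can catch. The flow records are constructed, the 10.0.0.0/8 internal range and the thresholds are assumptions, and the detection rule is a deliberately simple one (periodic, similar-sized outbound flows to many distinct external hosts), not a substitute for layer 7 application classification.

```python
"""Beacon detection over NetFlow-style records: added example, not QRadar logic.

Each record is (start_seconds, src_ip, dst_ip, dst_port, bytes); in practice these
would come from a QFlow/NetFlow exporter fed by a tap or mirror port.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network
from statistics import mean, pstdev

INTERNAL = ip_network("10.0.0.0/8")   # assumed campus range, not taken from the article


def build_sample_flows():
    """Constructed sample flows (not captured data) for two internal hosts."""
    flows = []
    # Bot host: about every 60 s a ~300-byte check-in, each to a different
    # external host (the "rapidly changing" control hosts Huffman describes).
    for i in range(12):
        jitter = (i % 3) - 1                      # -1, 0, +1 s of timing noise
        flows.append((100 + i * 60 + jitter, "10.1.2.3",
                      f"198.51.100.{i + 10}", 80, 300 + (i % 2) * 8))
    # Browsing host: bursty timing, wildly varying sizes, a few repeated servers.
    starts = [5, 9, 11, 12, 300, 305, 306, 610, 900, 901, 905, 1400]
    sizes = [2400, 55000, 1200, 840000, 3300, 120000, 500, 9800, 45000, 700, 31000, 2100]
    for t, b in zip(starts, sizes):
        flows.append((t, "10.4.5.6", f"203.0.113.{(t % 4) + 1}", 443, b))
    return flows


def cv(values):
    """Coefficient of variation (stdev / mean); small means regular, inf if undefined."""
    if len(values) < 2 or mean(values) == 0:
        return float("inf")
    return pstdev(values) / mean(values)


def flow_stats(flows):
    """Per internal source host: outbound flow count, distinct external
    destinations, and how regular the inter-flow gaps and flow sizes are."""
    by_src = defaultdict(list)
    for start, src, dst, _dport, nbytes in flows:
        # Only internal -> external traffic matters for this rule.
        if ip_address(src) in INTERNAL and ip_address(dst) not in INTERNAL:
            by_src[src].append((start, dst, nbytes))
    stats = {}
    for src, recs in by_src.items():
        recs.sort()
        starts = [r[0] for r in recs]
        gaps = [b - a for a, b in zip(starts, starts[1:])]
        stats[src] = {
            "flows": len(recs),
            "distinct_dsts": len({r[1] for r in recs}),
            "gap_cv": cv(gaps),
            "size_cv": cv([r[2] for r in recs]),
        }
    return stats


def find_beaconing_hosts(flows, min_flows=8, min_dsts=6, max_gap_cv=0.2, max_size_cv=0.3):
    """Correlation rule: enough outbound flows, to many distinct external hosts,
    at a steady cadence, with similar sizes. Thresholds are assumed values."""
    suspects = {}
    for src, s in flow_stats(flows).items():
        if (s["flows"] >= min_flows and s["distinct_dsts"] >= min_dsts
                and s["gap_cv"] <= max_gap_cv and s["size_cv"] <= max_size_cv):
            suspects[src] = s
    return suspects


if __name__ == "__main__":
    for host, s in flow_stats(build_sample_flows()).items():
        print(host, s)
    print("suspected beaconing hosts:", list(find_beaconing_hosts(build_sample_flows())))
```

The browsing host is excluded not by any single flow but by the shape of its whole set: irregular gaps and sizes and only four servers. The bot host passes on every count even though each of its flows, seen alone, is an unremarkable 300-byte HTTP request. Real deployments would add the layer 7 application label to each record and tune the thresholds against a baseline of known-good hosts before alerting.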