Network Monitoring

1.0 Overview

It is frequently necessary to monitor network traffic to ensure the continued safety and proper operation of hosts on the Clarkson network.  Part of the monitoring may include capturing and analyzing traffic.

2.0 Purpose

This policy is designed to provide specific guidelines to be used in monitoring the network.

3.0 Scope

This policy impacts any individual who passes traffic on the Clarkson University computer network.

4.0 Policy

a. External Threat Detection

To assist in the detection and remediation of intrusions from outside sources, a system may be used to monitor network traffic originating from and destined for the Clarkson University network.  This system may store full content data, full session data and statistical data for appropriate periods of time.  This data shall be used only for troubleshooting network issues and/or remediating a network intrusion.  Other uses are explicitly forbidden unless approved by the CIO and/or the President of the University, or as otherwise provided by law.

Given the potentially sensitive nature of this data, it will only be intentionally released after approval by the CIO and/or the President of the University, or as otherwise provided by law.  The system itself will be protected by all of the guidelines set forth in the Server Security Policy.  When any data collected has reached the end of its useful life, or it is impractical to continue retaining it, the data shall be removed from the system disks.  Following the data's removal from the system disks, it will be expired from the backup system after a period of two weeks, so that no copy is retained beyond that point.

b.  Bandwidth Utilization

A system shall be used to monitor the percentage utilization of critical network links.  These links should include all inter-building links, core-to-closet links, and WAN links.  The system used to monitor these links should be configured to generate alarms based on appropriate warning and critical utilization thresholds.  For ease of use, the data collected by this monitoring system should be displayed graphically over appropriate time intervals.  This data shall be used to adjust network settings to optimize performance.
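The following is an added example, not part of the policy or of any Clarkson monitoring system, showing how a poller turns two successive interface octet-counter readings into a percent-utilization figure and classifies it against warning and critical thresholds. The link speed, poll interval, thresholds and counter samples are all assumed values constructed for illustration; the counter-wrap handling assumes 64-bit counters in the style of SNMP ifHCInOctets/ifHCOutOctets, and alarms are raised only on state transitions so a link that stays saturated produces one alarm rather than one per poll.

```python
"""Link utilization from interface octet counters, with threshold alarms.

Added example (not part of the policy). Link speed, thresholds and the
sample readings below are assumed values chosen for illustration.
"""
from dataclasses import dataclass

COUNTER_64 = 2 ** 64          # modulus of a 64-bit SNMP counter (assumed)
WARNING_PCT = 70.0            # assumed thresholds; tune per link
CRITICAL_PCT = 90.0
LINK_SPEED_BPS = 1_000_000_000  # assumed 1 Gbit/s link


@dataclass(frozen=True)
class Sample:
    t: float          # poll time, seconds
    in_octets: int    # cumulative octets received (ifHCInOctets-style)
    out_octets: int   # cumulative octets transmitted (ifHCOutOctets-style)


def counter_delta(old: int, new: int, modulus: int = COUNTER_64) -> int:
    """Octets counted between two readings, tolerating a single wrap."""
    return (new - old) % modulus


def utilization_pct(prev: Sample, cur: Sample, speed_bps: int) -> float:
    """Percent utilization of the busier direction over [prev.t, cur.t]."""
    dt = cur.t - prev.t
    if dt <= 0:
        raise ValueError("samples must be strictly increasing in time")
    in_bps = counter_delta(prev.in_octets, cur.in_octets) * 8 / dt
    out_bps = counter_delta(prev.out_octets, cur.out_octets) * 8 / dt
    return 100.0 * max(in_bps, out_bps) / speed_bps


def classify(pct: float, warning: float = WARNING_PCT,
             critical: float = CRITICAL_PCT) -> str:
    """Map a utilization percentage to OK / WARNING / CRITICAL."""
    if pct >= critical:
        return "CRITICAL"
    if pct >= warning:
        return "WARNING"
    return "OK"


def evaluate_link(samples, speed_bps):
    """Return (end_time, pct, state) for each consecutive pair of samples."""
    out = []
    for prev, cur in zip(samples, samples[1:]):
        pct = utilization_pct(prev, cur, speed_bps)
        out.append((cur.t, round(pct, 2), classify(pct)))
    return out


def alarms(evaluations):
    """Emit (time, new_state, pct) only when the state changes."""
    result = []
    state = "OK"
    for t, pct, new_state in evaluations:
        if new_state != state:
            result.append((t, new_state, pct))
            state = new_state
    return result


# Constructed 5-minute polls. The first in_octets value sits just below
# 2**64 so the second reading exercises the counter-wrap path.
SAMPLES = [
    Sample(0.0,    COUNTER_64 - 5_000_000_000, 0),
    Sample(300.0,  2_500_000_000,              3_750_000_000),   # 20%
    Sample(600.0,  32_500_000_000,             4_750_000_000),   # 80%
    Sample(900.0,  68_500_000_000,             5_750_000_000),   # 96%
    Sample(1200.0, 72_250_000_000,             6_750_000_000),   # 10%
]

if __name__ == "__main__":
    evs = evaluate_link(SAMPLES, LINK_SPEED_BPS)
    for t, pct, state in evs:
        print(f"t={t:6.0f}s  util={pct:6.2f}%  {state}")
    for t, state, pct in alarms(evs):
        print(f"ALARM at t={t:.0f}s: link is {state} ({pct:.2f}%)")
```

Taking the larger of the two directions is deliberate: a half-duplex average would hide a link that is saturated in one direction only. The threshold values and the 5-minute poll interval are placeholders; the policy leaves both to the operator.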

c.  Communications Equipment Monitoring

A system shall be used to monitor the operational status of all network communications equipment attached to the Clarkson network.  The system used to monitor this equipment should be configured to generate alarms based on appropriate warning and critical thresholds.  A record of all alarms generated should also be kept.

d.  Network/System Auditing

The Network Engineer may periodically perform network security audits to ensure the security of all network devices on 128.153.0.0/17 (non-dorm network).  These audits may include, but are not limited to, scans for known vulnerabilities, scans for weak passwords, and scans for incorrectly configured devices.  Should a problem be detected as a result of a network security audit, the owner of the device in question will be contacted by both email and phone as soon as practicable.  Resolution of the problem will follow the standard HelpDesk metric.

e.  VoIP Equipment Monitoring

A system shall be used to monitor the operational status of all voice communications equipment attached to the Clarkson network.  This data shall be used for billing purposes and to adjust settings to optimize performance.  This system may be used to intercept voice communications only if approved by the CIO and/or the President of the University, or as otherwise provided by law.

5.0 Enforcement

Failure to follow this policy will result in the offender(s) being subject to disciplinary action up to and including a formal written letter of corrective action.  Individuals who gain access to the data collected by the network monitoring system by means other than those outlined in this document will be considered in violation of this policy and will be referred to Human Resources, the Dean of Students or local law enforcement as appropriate.

6.0 Definitions

Full Content Data – a record of packet headers and payload data (e.g., a libpcap capture)

Full Session Data – a summary of flows between hosts

Statistical Data – a long-term summary of session data
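The three data types defined above form a chain, each derived from the one before it and each retaining less of the original traffic. The following is an added example, not part of the policy, that makes the distinction concrete: constructed packet records standing in for decoded full content data (with the payload already dropped) are aggregated into bidirectional sessions, and the sessions are then reduced to per-hour, per-service totals that keep no addresses at all. The idle timeout, the hourly bucket and the sample packets are assumptions made for illustration.

```python
"""Full content -> full session -> statistical data.

Added example (not part of the policy). The packet records are constructed
to resemble what a libpcap capture yields after decoding the IP/transport
headers: timestamp, protocol, 5-tuple and frame length.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:               # full content data, minus the payload bytes
    ts: float
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    length: int


@dataclass
class Session:              # full session data: one bidirectional flow
    proto: str
    client: str             # initiator, taken from the first packet seen
    cport: int
    server: str
    sport: int
    first: float
    last: float
    pkts: list              # [to_server, to_client]
    octets: list            # [to_server, to_client]


def flow_key(p: Packet):
    """Canonical key so both directions of a flow map to one session."""
    a, b = (p.src, p.sport), (p.dst, p.dport)
    return (p.proto,) + (a + b if a <= b else b + a)


def sessionize(packets, idle_timeout=120.0):
    """Aggregate packets into sessions; a gap longer than idle_timeout
    on the same 5-tuple starts a new session (assumed timeout)."""
    active, done = {}, []
    for p in sorted(packets, key=lambda p: p.ts):
        k = flow_key(p)
        s = active.get(k)
        if s is not None and p.ts - s.last > idle_timeout:
            done.append(active.pop(k))
            s = None
        if s is None:
            s = Session(p.proto, p.src, p.sport, p.dst, p.dport,
                        p.ts, p.ts, [0, 0], [0, 0])
            active[k] = s
        d = 0 if (p.src, p.sport) == (s.client, s.cport) else 1
        s.pkts[d] += 1
        s.octets[d] += p.length
        s.last = p.ts
    done.extend(active.values())
    return sorted(done, key=lambda s: s.first)


def statistics(sessions, bucket_seconds=3600):
    """Statistical data: session and byte totals per time bucket and
    server port. No host addresses survive this step."""
    stats = defaultdict(lambda: {"sessions": 0, "bytes": 0})
    for s in sessions:
        bucket = int(s.first // bucket_seconds) * bucket_seconds
        e = stats[(bucket, s.proto, s.sport)]
        e["sessions"] += 1
        e["bytes"] += sum(s.octets)
    return dict(stats)


# Constructed capture: one TLS handshake start and two DNS lookups from
# the same source port, the second far enough apart to be a new session.
PACKETS = [
    Packet(10.00, "tcp", "10.0.0.5", 51000, "10.0.1.20", 443, 74),
    Packet(10.01, "tcp", "10.0.1.20", 443, "10.0.0.5", 51000, 74),
    Packet(10.02, "tcp", "10.0.0.5", 51000, "10.0.1.20", 443, 66),
    Packet(10.05, "tcp", "10.0.0.5", 51000, "10.0.1.20", 443, 583),
    Packet(10.10, "tcp", "10.0.1.20", 443, "10.0.0.5", 51000, 1514),
    Packet(10.11, "tcp", "10.0.1.20", 443, "10.0.0.5", 51000, 1000),
    Packet(12.00, "udp", "10.0.0.5", 40000, "10.0.1.1", 53, 70),
    Packet(12.02, "udp", "10.0.1.1", 53, "10.0.0.5", 40000, 120),
    Packet(400.00, "udp", "10.0.0.5", 40000, "10.0.1.1", 53, 70),
    Packet(400.01, "udp", "10.0.1.1", 53, "10.0.0.5", 40000, 110),
]

if __name__ == "__main__":
    sessions = sessionize(PACKETS)
    for s in sessions:
        print(f"{s.proto} {s.client}:{s.cport} -> {s.server}:{s.sport} "
              f"pkts={s.pkts} bytes={s.octets} dur={s.last - s.first:.2f}s")
    for k, v in sorted(statistics(sessions).items()):
        print(k, v)
```

The point for retention decisions is visible in the output: the session stage still identifies both endpoints, so it is nearly as sensitive as the capture it came from, while the statistical stage can be kept long-term with far less exposure.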

7.0 Revision History

Draft Policy v0.1 – 19 April 2005 – jfiske

Draft Policy v0.2 – 05 May 2005 – jfiske

Draft Policy v0.3 – 10 February 2006 – jfiske

Approved Policy v1.0 – 4 November 2013 – jfiske