Security Focus
The Super Powers of Layer 7 Traffic Analysis at Wayne State
9/26/2008
By Dian Schaffhauser
The six-person information security office at Wayne State University faces the same challenge common to most institutions of higher education: limited resources and unlimited problems--especially when it comes to identifying problematic network traffic.
"We had so many different systems reporting so many different events, no one could really keep up with it," said Graydon Huffman, senior systems security specialist. "You'd have to have a dedicated security force with people reviewing these logs all the time."
With 33,000 students and 5,800 faculty and staff, 50,000 to 60,000 concurrent hosts with inbound connections to the campus, and an estimated 10,000 concurrent internal hosts hitting the network at any given moment, the firewalls themselves were generating between 600 and 700 events per second--each possibly a signal that something malicious was going on. "That sheer volume is humanly impossible to go through and correlate," said Huffman.
So, as IT Director Morris Reynolds explained, the university set about looking for a security information and event management tool that would act as the "eyes" of the security team "to help us make quick and informed decisions on the various traffic that was moving throughout the institution's network."
The evaluation process was managed by somebody no longer with the school, but Huffman said he believes products from ArcSight, Cisco, and Q1 Labs were under consideration. Attracted by the ability of Q1's QRadar to perform layer 7 application analysis and event correlation, the university purchased and deployed the system in June 2007. The purchase included hardware, software licensing, a maintenance contract, and support services. The applications run on Linux-based appliances. Although Wayne State declined to say what it paid, Huffman estimated the total in the six figures.
How QRadar Works
That original installation, done before Huffman joined the university, was deployed as a stand-alone model, which consisted of a console and a QFlow Collector. The console is a 2U server that provides the main interface for users. The collector is a 1U device that performs layer 7 network data flow analysis by collecting traffic via a tap or mirror port on customer-specified segments of the network. QFlow is Q1's flow format, akin to Cisco's NetFlow and Juniper's JFlow.
Soon after he started, in November 2007, Huffman moved the school to QRadar 6.1 and reinstalled the system from scratch with the same basic setup. "Within the first half hour of being online with version 6.1," said Huffman, "we were able to detect upwards of 10 bot-controlled hosts. They're very difficult to detect because it looks like bona fide traffic, and the control hosts rapidly change."
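The bot-host pattern Huffman describes, outbound traffic that looks legitimate but goes to rapidly changing control hosts at steady intervals, is the kind of thing flow correlation picks out of volume no analyst can read by hand. The following is an added example, not QRadar's logic or Wayne State's configuration: a minimal correlator over constructed NetFlow/QFlow-style records that flags internal sources whose flows hit mostly distinct destinations at near-constant intervals. All addresses, thresholds and records are invented for illustration.

```python
from collections import defaultdict

# Constructed flow records shaped like a NetFlow/QFlow export:
# (timestamp_seconds, src_ip, dst_ip, dst_port, bytes). All values are invented.
SAMPLE_FLOWS = [
    # 10.1.1.5 contacts a different external host every 60 s on 443: beacon-like
    (0,   "10.1.1.5", "203.0.113.10", 443, 512),
    (60,  "10.1.1.5", "203.0.113.22", 443, 498),
    (120, "10.1.1.5", "198.51.100.7", 443, 530),
    (180, "10.1.1.5", "198.51.100.9", 443, 505),
    (240, "10.1.1.5", "203.0.113.41", 443, 511),
    # 10.1.1.9 browses normally: the same few hosts, irregular timing, larger transfers
    (5,   "10.1.1.9", "203.0.113.100", 443, 20480),
    (12,  "10.1.1.9", "203.0.113.100", 443, 15360),
    (90,  "10.1.1.9", "203.0.113.101", 80, 8192),
    (300, "10.1.1.9", "203.0.113.100", 443, 30720),
]


def beacon_candidates(flows, min_flows=4, min_distinct_ratio=0.75, max_jitter=10):
    """Return {src_ip: stats} for sources whose outbound flows go to mostly
    distinct destinations at near-constant intervals. Thresholds are
    illustrative; a real deployment tunes them against its own baseline."""
    by_src = defaultdict(list)
    for ts, src, dst, _dport, _nbytes in flows:
        by_src[src].append((ts, dst))

    hits = {}
    for src, recs in by_src.items():
        if len(recs) < min_flows:          # too little data to judge
            continue
        recs.sort()                         # order by timestamp
        distinct_ratio = len({dst for _, dst in recs}) / len(recs)
        gaps = [later[0] - earlier[0] for earlier, later in zip(recs, recs[1:])]
        jitter = max(gaps) - min(gaps)      # 0 means perfectly periodic
        if distinct_ratio >= min_distinct_ratio and jitter <= max_jitter:
            hits[src] = {"flows": len(recs),
                         "distinct_ratio": distinct_ratio,
                         "jitter": jitter}
    return hits


if __name__ == "__main__":
    for src, stats in beacon_candidates(SAMPLE_FLOWS).items():
        print(f"review {src}: {stats}")
```

Hits are leads for an analyst, not verdicts; the point is that the two hosts are indistinguishable flow by flow and only separate once records are correlated per source over time.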