Network visibility thwarts crime, identifies unwanted traffic

By Andrew R. Hickey, News Writer
22 Aug 2006 | SearchNetworking.com


Daniel Bachrach doesn't roam the courtyards and halls of Vanderbilt University with a badge and handcuffs. He's not a police officer or a security guard. But he has become somewhat of a crime fighter.

Bachrach, Vanderbilt's network design and engineering manager, uses his network and its tools to find illegal traffic and criminal activity. And when he finds it, he alerts the authorities.

For the past few months, the university has used Sniffer InfiniStream from Network General, a tool that monitors and captures network traffic to pinpoint anomalies, performance problems and the occasional crime.

"We have a lot of things that [traverse] our network that are suspicious or questionable behavior," he said.

Security and legal considerations bar Bachrach from discussing specific crimes InfiniStream has helped him uncover, but it does happen, he said. And when it does, he can print out detailed reports to turn over to law enforcement.

Aside from thwarting budding criminal masterminds, Bachrach said, he monitors the network for a host of other troubles and traffic that could degrade performance or that just shouldn't be there. He's found IRC bots installed from the outside, picked up on dropped packets, found out where pieces of hardware have failed, and uncovered several peer-to-peer sessions.

"We were lacking any sort of capability to watch traffic ingress and egress our network and the perimeter and internally," he said.

Vanderbilt has more than 30,000 end users on the network, spread across 10 schools and a medical center. Bachrach said that the network needs high performance and strong security, but a university environment can make that difficult.

"A university environment is much different in that it's an open network," he said, adding that the network pretty much has to be ready for "any device, anytime, anywhere."

Openness is key but can sometimes lead to trouble. Bachrach said he has to be on watch for cyber crimes and mischief makers. Sniffer InfiniStream, coupled with Sniffer Distributed, lets Bachrach and his team address network performance and security issues swiftly and accurately.

"In a lot of cases, when we see anomalies on the network, the user is unaware [the] machine is sending out broadcast traffic," he said.

But with InfiniStream, Bachrach said, he can determine what time the problem occurred, filter through the stored traffic, and use it to track down the specific device or user responsible. From there, he can print detailed reports. In some cases, those reports are evidence enough to have students or researchers blocked from the network.

On one occasion, for example, throughput dropped by 75%. Bachrach was able to use InfiniStream to pinpoint the problem and find the end user, who was improperly using the network. Another recent example, Bachrach said, was an occasion when a group of end users called and said their servers were running slow. InfiniStream helped him discover that the NIC on the server had failed and flooded the network with bad packets.

"Just on a troubleshooting platform, it's been very helpful," he said.
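The two troubleshooting stories above (a user's machine flooding the segment with broadcast traffic, and a failed server NIC spraying bad packets) both come down to the same workflow: take the time the problem was reported, filter the retained capture to that window, and find the source address that dominates the bad traffic. The script below is an added example written for this page, not code from the article or from Network General. It works over a small constructed set of frame records; the record layout, the MAC addresses (from the documentation range) and the 50% share threshold are assumptions for illustration, and a real run would read the frames from a pcap file instead.

```python
"""Triage retained frame records for a broadcast storm or a failing NIC.

Added example, not part of the original article. The Frame record layout,
the sample addresses and the thresholds are assumptions for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass

BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass(frozen=True)
class Frame:
    ts: float        # seconds since capture start
    src: str         # source MAC
    dst: str         # destination MAC
    length: int      # bytes on the wire
    fcs_ok: bool     # False if the frame arrived with a bad checksum


def frames_in_window(frames, start, end):
    """Filter retained frames to the window in which the problem was reported."""
    return [f for f in frames if start <= f.ts < end]


def per_source_stats(frames):
    """Count total, broadcast and bad-FCS frames per source MAC."""
    stats = defaultdict(lambda: {"total": 0, "broadcast": 0, "bad_fcs": 0})
    for f in frames:
        s = stats[f.src]
        s["total"] += 1
        if f.dst == BROADCAST:
            s["broadcast"] += 1
        if not f.fcs_ok:
            s["bad_fcs"] += 1
    return dict(stats)


def find_culprit(frames, start, end, share=0.5):
    """Return (mac, reason) for the host dominating the window, or None.

    A host is flagged if it sends more than `share` of all bad-FCS frames
    in the window (a failing NIC) or more than `share` of all broadcast
    frames (a broadcast storm). The threshold is an assumed value.
    """
    stats = per_source_stats(frames_in_window(frames, start, end))
    total_bcast = sum(s["broadcast"] for s in stats.values())
    total_bad = sum(s["bad_fcs"] for s in stats.values())
    # Check the loudest talkers first; the culprit is almost always on top.
    for mac, s in sorted(stats.items(), key=lambda kv: -kv[1]["total"]):
        if total_bad and s["bad_fcs"] / total_bad > share:
            return mac, "bad_fcs"
        if total_bcast and s["broadcast"] / total_bcast > share:
            return mac, "broadcast_storm"
    return None


def sample_capture():
    """Constructed capture: normal traffic, a broadcast storm from one
    workstation starting at t=100, and a server NIC emitting bad-FCS
    frames starting at t=200."""
    frames = []
    hosts = ["00:00:5e:00:53:01", "00:00:5e:00:53:02", "00:00:5e:00:53:03"]
    gateway = "00:00:5e:00:53:ff"
    # Baseline: each host sends one unicast frame per second to the gateway.
    for t in range(0, 300):
        for h in hosts:
            frames.append(Frame(float(t), h, gateway, 512, True))
    # A misbehaving workstation broadcasts 50 frames per second for 10 s.
    for t in range(100, 110):
        for i in range(50):
            frames.append(Frame(t + i / 50, "00:00:5e:00:53:42", BROADCAST, 64, True))
    # A server with a failing NIC sprays corrupt frames for 20 s.
    for t in range(200, 220):
        for i in range(20):
            frames.append(Frame(t + i / 20, "00:00:5e:00:53:99", gateway, 1518, False))
    return frames


if __name__ == "__main__":
    cap = sample_capture()
    print(find_culprit(cap, 95, 115))   # ('00:00:5e:00:53:42', 'broadcast_storm')
    print(find_culprit(cap, 195, 225))  # ('00:00:5e:00:53:99', 'bad_fcs')
    print(find_culprit(cap, 0, 60))     # None
```

The window is the important part: over a whole day of capture the storm would be diluted by normal traffic, but restricted to the minutes around the complaint the responsible source stands out immediately. The per-source table is also what you would print for the report the article mentions, since it names the device rather than just the symptom.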

In the past, Bachrach and his team would have to navigate through "five, six or seven screens" to drill down deep enough to inspect traffic, he said. With InfiniStream, which stores around four terabytes of captured traffic, customized filters can be launched from one screen.

The university uses two large distributed Sniffers and four of the InfiniStream 1600s. One drawback is having to dive into each separate machine to locate data. Bachrach said that Vanderbilt is now considering deploying a Sniffer Enterprise Visualizer, which will aggregate the information from each tool into one report-generating interface. The university also has plans to deploy Network General's AppIntell, an application monitoring tool that gives a view into an application's performance and alerts administrators to performance problems and their causes.
