Network Security Memo
May 2003
In these times of tight budgets we need to make sure that
we manage our computer network use effectively. We need
assistance from everybody in IAS to ensure that we conserve
our resources and maintain a safe network. I look forward
to hearing from you if you have comments or suggestions.
Things you can do:
· Not host Websites on workstations
· Not use peer-to-peer file sharing programs (such as Kazaa
or Gnutella) to download music and videos for personal use
· Not use on-line radios or games or Internet chat
· Log off your machine when you're not using it
· Turn off your computer when you leave for the weekend, vacation,
or holidays
· Let us know if your machine suddenly begins to run extra
slowly
What we're going to do:
ISS accepts responsibility to make all reasonable efforts
to maintain the security of the networks used by IAS. As
a tool in this process ISS is beginning to receive network
usage information for IAS machines. We will use this information
to identify problems and follow up with users. Please see
Network Monitoring below, for more information.
Summary of the issues
********************************
Network and Information Security
The Dean of IAS and all users are responsible for the security
and proper use of the IAS network. See the Campus Information
Technology Security Policy: http://security.berkeley.edu:2002/IT.sec.policy.html.
Currently there are several major issues regarding the
campus network being discussed by campus IT managers.
These include:
· hacking - potentially disastrous for campus
operations and intellectual property
· misuse - can cause legal and financial problems
· privacy - as a component of free speech
and inquiry, must be protected
· copyright protection - proper use of
copyrighted materials has recently become a hot topic
See BCC article by Jack McCredie on these issues: http://istpub.berkeley.edu:4201/bcc/Winter2003/cio.privacy.html
And UC Regents briefing on copyright protection: http://nac.berkeley.edu/handouts/regent_lansing_briefing.shtml
ISS is a network security contact for all IAS workstations.
The campus network security office directs the effort to
avoid and recover from hacking for the entire campus. They
periodically scan computers to look for known weaknesses and
evidence of hacked machines. They also maintain a network
security contact database for assigning and sharing network
security responsibility with campus departments. See: http://istpub.berkeley.edu:4201/bcc/Spring2003/news.security.html
Network Bandwidth Usage
Cost - We pay a lot of money for the campus Internet
connection. Each year the cost of bandwidth goes down, but
the demand for bandwidth grows at a faster rate. See the
campus Network Advisory Committee report on Bandwidth: http://nac.berkeley.edu/bandwidth/.
However, in these days of shrinking budgets we have to make
sure we are using our bandwidth efficiently before we ask
for increases.
Misuse - In analyzing the network usage of the campus
(NOT including the dorms) we have found very strange patterns.
There is a lot more outgoing traffic than incoming traffic.
OK, maybe we have good websites... However, a lot more
of the traffic is in the middle of the night than in the
day. I don't think our major website clientele is in Asia,
so what can this mean? If you'd like to see an example of
the network usage pattern, see:
http://www.net.berkeley.edu:8885/~cricket/cricket/grapher.cgi?target=%2Frouter-interfaces-highspeed%2Finr-666-interfaces%2Fgigabitethernet6_0_0&ranges=d%3Aw&view=Octets
On inspection it appears that the campus is a major
provider of music and movies to peer-to-peer file sharing
systems. This problem has also been brought to our
attention by complaints from music and media companies that
UC is hosting and providing copyrighted materials illegally.
We don't have a campus policy against the use of file sharing
systems since there are legitimate educational and research
uses for these systems. However, we do have policies against
personal use of campus computers and networks that impacts
campus resources and (as indicated in the UC Regents briefing
above) policies for upholding U.S. copyright law.
Some of this activity may be without the workstation user's
knowledge. Hacked machines are often used to host illegal
content for file sharing systems.
Network Usage Monitoring
The campus network management group, CNS, is beginning
to provide campus system administrators with network usage
information for their local networks. Draft guidelines
for departmental use of this information can be seen at:
http://itpolicy.berkeley.edu:7015/DRAFTS/Gdlns.network.data.htm
IAS ISS receives daily reports on bandwidth usage
for IAS network connections. These reports show the amount
of network traffic to and from each machine through each
computer port. They DO NOT include information on the content
of the information. The only content implication is that
certain ports are traditionally used for specific functions,
e.g. port 80 for web servers, port 1214 for Kazaa. See example
below:
ID  DNS_name  IP          SourcePort  DestPort  TotalFlows  InPkts  InBytes  OutPkts  OutBytes   TotPkts  TotBytes
1   www.IAS   128.32....  80/http     *         12173       0       0        256551   291725844  256551   291725844
IAS Network Troubleshooting
The primary reason for reviewing the network usage data
is to track down virus attacks/hacked machines; the secondary
reason is managing bandwidth usage. Therefore, we will be looking
for large bandwidth usage, large changes in bandwidth usage,
and specific known risk patterns of usage on individual
workstations.
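The checks named above, applied to a report in the format of the example row (an added example, not ISS's own tooling). The thresholds, the ws1/ws2 rows, the server list and the reading of SourcePort as the port on the listed machine are assumptions:

```python
from collections import namedtuple
FIELDS = ("id dns_name ip src_port dst_port flows in_pkts in_bytes "
          "out_pkts out_bytes tot_pkts tot_bytes").split()
Row = namedtuple("Row", FIELDS)
WATCHED_PORTS = {80: "web server", 1214: "Kazaa"}  # ports the memo names
BIG_BYTES = 100_000_000   # assumed threshold: bytes per day in one row
CHANGE_FACTOR = 5         # assumed threshold: growth over the previous day
# Constructed sample; only the www.IAS row is the one shown in the memo.
TODAY = """\
ID DNS_name IP SourcePort DestPort TotalFlows InPkts InBytes OutPkts OutBytes TotPkts TotBytes
1 www.IAS 128.32.... 80/http * 12173 0 0 256551 291725844 256551 291725844
2 ws1.example 192.0.2.10 1214 * 800 1000 50000 90000 120000000 91000 120050000
3 ws2.example 192.0.2.11 * 80/http 40 300 400000 200 30000 500 430000
"""
YESTERDAY = """\
2 ws1.example 192.0.2.10 * 80/http 30 200 300000 150 20000 350 320000
3 ws2.example 192.0.2.11 * 80/http 35 280 390000 190 29000 470 419000
"""

def parse_report(text):
    """Parse whitespace-separated rows; skip the header and malformed lines."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if (len(parts) == len(FIELDS) and parts[0].isdigit()
                and all(p.isdigit() for p in parts[5:])):
            rows.append(Row(int(parts[0]), *parts[1:5], *map(int, parts[5:])))
    return rows

def port_number(field):
    head = field.split("/")[0]            # '80/http' -> 80, '*' -> None
    return int(head) if head.isdigit() else None

def triage(today, yesterday=(), servers=()):
    """Return {dns_name: [reasons]} for machines to follow up with the owner."""
    prev, totals, findings = {}, {}, {}
    for r in yesterday:
        prev[r.dns_name] = prev.get(r.dns_name, 0) + r.tot_bytes
    for r in today:
        totals[r.dns_name] = totals.get(r.dns_name, 0) + r.tot_bytes
        port = port_number(r.src_port)
        reasons = findings.setdefault(r.dns_name, [])
        if port in WATCHED_PORTS and r.dns_name not in servers:
            reasons.append(f"serving on port {port} ({WATCHED_PORTS[port]})")
        if r.tot_bytes >= BIG_BYTES:
            reasons.append(f"large volume: {r.tot_bytes} bytes")
    for host, total in totals.items():
        if host in prev and total >= CHANGE_FACTOR * prev[host]:
            findings[host].append("large change from previous day")
    return {h: rs for h, rs in findings.items() if rs}
```

Calling triage(parse_report(TODAY), parse_report(YESTERDAY), servers={"www.IAS"}) lists ws1.example for all three reasons and www.IAS for volume only; ws2.example, an ordinary web client, is not listed.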
1) When a potential problem is spotted we will discuss
the usage with the owner/user of the machine. We will attempt
to determine if the machine may be hacked or compromised
and what the probable cause of the net usage is. If the
machine may be compromised we will investigate and propose
next steps including possibly rebuilding the machine.
2) Users are requested to make sure that they are not:
· engaging in peer to peer file sharing of copyrighted
materials
· using large amounts of network bandwidth for personal
use
· using real-time services such as radios or games
for extended periods of time
· leaving their computers logged on when they are
not present
3) If workstations appear to be functioning as web servers
or file sharing machines we may also ask the unit manager
if these uses are intended and discuss probable security
risks.
4) Daily usage statistics will be kept for only a few months.
Long-term statistics will not be maintained on individual
machines. General usage summaries for units or subnets may
be maintained. Documentation of past problems will be kept
for future debugging as it is for any other computer problem.
ISS will also continue its general security operations
including:
· Investigating known security risks
· Continually updating system software and virus
checking software
· Working to develop more secure systems and configurations
Privacy and Free Speech
Privacy of computer and network usage is a very high priority
for ISS. We understand that we must be vigilant in supporting
the ability of IAS to encourage dialogue and provide a secure
environment for not only our own staff and faculty but also
our foreign visitors to participate in this discussion.
We therefore hope for your cooperation in making this a
successful system without being intrusive.