Information Technology Strategic Planning

Projects

Project Title:

Network Intrusion Detection and Prevention System

Project Advocate:

Richard Kogut

Project Manager:

Nicholas Hansard

Project Overview:

The current network environment lacks the tools and processes needed to continuously and efficiently monitor, detect and react to intrusive and/or disruptive network traffic.
To address this, the following system is proposed. It will provide tools to accurately and efficiently monitor, detect and react to intrusive and/or disruptive network traffic.

The requirements for this system are:
• monitor edge and internal network traffic
• detect traffic patterns based on known signatures and notify the appropriate staff and/or systems
• make dynamic or manual changes to modify (stop or limit) unwanted traffic for a variable length of time
• deliver real-time notifications of changes
• keep a history of traffic patterns and changes that can easily be used for further analysis, troubleshooting and forensics

The following will meet all of the requirements listed above:
• implementation of Snort open-source IDPS
• integration of Extreme Networks’ existing Sentriant devices to
  o capture traffic
  o feed raw details to other IDS Decision Support Systems (DSS)
  o make dynamic network traffic rules on Extreme hardware
• implementation of an Oracle RDBMS to store traffic data and the history of dynamic and/or manual changes made by the IDS’s DSS (Sentriant and/or a customized application)

Key Stakeholders:

NSPT
ITOC
IT
UCM Campus Community

Benefits:

The ability to automatically monitor traffic on the UCM network edge will allow UCMIT staff to protect services utilizing the network resources. The ability to automatically prevent or limit unwanted (e.g. malicious) incoming network traffic will allow IT (Networking Group) to keep UCM network resources efficiently utilized and secure.

Historical record keeping of network traffic patterns and access control changes will serve forensic analysis needs, capacity planning, network change tracking and trend analysis. An RDBMS will provide an easily accessible repository for high-level reporting of network activity patterns.

These benefits apply to both the edge and the core network. The UCM internal network will be protected from unwanted internal traffic such as that from virus-infected hosts, compromised systems or traffic caused by human error.

Project Deliverables:

1. Installation of Snort IDPS hardware and software
2. Implementation of 2 Sentriant appliances (1 at the edge and 1 on the internal network core)
3. Integration of 2 Sentriant appliances with a DSS and RDBMS
4. Implementation of notification procedures
5. IDPS system documentation

Initiative(s) Supported:

Related Projects:

Milestones:

1. Initial proof-of-concept implementation using 1 unused Sentriant and existing server(s) for the DSS, Snort IDPS and RDBMS: to be completed by end of Spring 2007
2. Production trial testing, limited to a few hours during non-business hours: to be completed by mid-summer 2007
3. Training for the helpdesk: to be completed by mid- to late summer 2007
4. Live production system cut-over: to be completed by end of summer 2007

Costs & Funding (Capital & Operational):

2 servers (1 IDPS & DSS + 1 RDBMS): ~$5,000
Storage for historical data: none initially; after 1 year, unknown. There is no current baseline from which to estimate the amount of data generated; most likely $0 to $10,000 per year.

Project Team:

1. Network Engineer (Dean Lawson): Sentriant implementation & integration; integration with IDPS & DSS
2. UNIX Systems Administrator: installation, configuration and integration of the IDPS (Snort) and DSS with the Sentriants and notification systems
3. Database Administrator (Stan Stavitsky): installation, design and integration of an RDBMS
4. Helpdesk Representative (Bobby Bliatout): will need training on the network change monitoring tool for potential troubleshooting

Issues/Risks:

Risks of not implementing:
1. The UCM network remains exposed to unknown external and internal network threats that cannot be automatically identified, prevented or logged
2. Legal ramifications due to abuse of network resources
Potential difficulties:
1. Sentriant compatibility and integration with open-source systems
2. Lack of equipment similar to production for testing (test network)
3. Lack of funding for servers and storage
4. Keeping downtime and testing on production network to a minimum
