Center for Information Technology Services

Security Upgrades

Recent upgrades to campus security include the following new appliances:

Cisco MARS (Monitoring, Analysis and Response System)

An appliance-based, all-inclusive solution that allows the CITS networking group to monitor, identify, isolate, and counter security threats.  Cisco MARS can monitor security events and information from a wide variety of sources, including third-party devices and hosts. We use it to monitor our core routers, firewalls and all campus building switches that we are responsible for maintaining. With its correlation engine, vector analysis, and hotspot identification, Cisco Security MARS can not only identify anomalous behavior and security threats, but can also recommend precision removal of those elements, leading to rapid threat mitigation.
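To make the "correlation engine" and "hotspot identification" ideas concrete, here is an added example that is not part of this page or of Cisco MARS: it parses a few constructed log lines (the line format and device names are assumptions) and escalates a host only when independent devices report it inside a short window, which is the basic correlation a SIEM performs before raising an alert.

```python
"""Cross-source event correlation: the same source host generating events on
several independent devices inside a short window is escalated to an incident.
Log lines below are constructed for this example; their format is an
assumption, not Cisco MARS or any vendor's real output."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed log lines: "<ISO timestamp> <reporting device> <message with key=value fields>"
SAMPLE_LOG = """\
2009-03-02T10:00:01 fw01 DENY src=10.1.5.77 dst=192.0.2.10 dport=445
2009-03-02T10:00:04 fw01 DENY src=10.1.5.77 dst=192.0.2.11 dport=445
2009-03-02T10:00:09 sw-bldg7 PORT-SECURITY violation src=10.1.5.77 port=Gi1/0/12
2009-03-02T10:00:15 core-rtr ACL-DENY src=10.1.5.77 dst=192.0.2.12 dport=445
2009-03-02T10:02:00 fw01 DENY src=10.1.9.3 dst=192.0.2.5 dport=23
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (.*)$")
KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Return a dict with ts, source (reporting device), text and key=value fields."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, source, text = m.groups()
    return {
        "ts": datetime.fromisoformat(ts),
        "source": source,
        "text": text,
        "fields": dict(KV_RE.findall(text)),
    }


def parse_log(text):
    """Parse every line and keep only events that name a source host."""
    return [e for e in (parse_line(l) for l in text.splitlines())
            if e and "src" in e["fields"]]


def correlate(events, window_s=60, min_sources=2):
    """Slide a window over each host's events; escalate when events from at
    least min_sources distinct devices fall inside window_s seconds.  The
    window with the most distinct devices (then most events) is reported."""
    by_host = defaultdict(list)
    for e in events:
        by_host[e["fields"]["src"]].append(e)
    incidents = []
    for host, evs in by_host.items():
        evs.sort(key=lambda ev: ev["ts"])
        best, window = None, []
        for e in evs:
            window.append(e)
            while (e["ts"] - window[0]["ts"]).total_seconds() > window_s:
                window.pop(0)
            sources = {w["source"] for w in window}
            score = (len(sources), len(window))
            if len(sources) >= min_sources and (best is None or score > best[0]):
                best = (score, {
                    "host": host,
                    "sources": sorted(sources),
                    "events": len(window),
                    "first": window[0]["ts"].isoformat(),
                    "last": window[-1]["ts"].isoformat(),
                })
        if best:
            incidents.append(best[1])
    return incidents


def hotspots(events, n=3):
    """Hosts ranked by how many events name them, regardless of device."""
    counts = defaultdict(int)
    for e in events:
        counts[e["fields"]["src"]] += 1
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))[:n]


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for inc in correlate(evs):
        print(inc)
    print(hotspots(evs))
```

With the sample above, 10.1.5.77 is escalated because the firewall, a building switch and the core router all report it within 15 seconds, while 10.1.9.3 produces a single firewall deny and stays below the threshold; the window length and the number of required devices are the knobs an operator tunes to trade alert volume against sensitivity.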

TippingPoint (Intrusion Prevention System)

This device is similar to an IDS (Intrusion Detection System), but instead of only identifying and notifying us of events, the IPS actively identifies and drops any packets that are known to contain spyware, viruses and Trojan horses. Zero-day attacks can be mitigated by the presence of the IPS. This appliance will detect and drop packets either trying to enter or leave the campus. This device will allow our network staff to be more efficient in handling issues since they won't be reacting to events after the fact. The IPS allows us to be proactive in dealing with security issues and not be tied to a machine monitoring gigabytes of IDS log data.

NFSEN and NFDUMP

We are currently evaluating the open source packages NFSEN and NFDUMP. The traffic data produced by our switches and routers is known as NetFlow; NFSEN is a web-based graphical front-end to NFDUMP, which is a NetFlow collector. NFSEN displays graphs of data collected from NetFlow, and it also allows you to create very precise queries on large amounts of data. This is a great tool for NetFlow-based forensics and for quickly identifying traffic patterns that stand out from the baseline. This will give us another level of detail for monitoring systems and traffic flow on our network and let us respond more quickly to various threats.
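As an added illustration of what "traffic patterns that stand out from the baseline" means in flow data (this is example code, not part of NFSEN or NFDUMP, and the flow records are constructed), the block below sums bytes per host over a baseline window and a recent window, then flags hosts whose recent volume is both far above the baseline population and a multiple of their own prior volume. The `filter_flows` helper only imitates the idea of a flow filter expression; its arguments are an assumption and not nfdump's syntax.

```python
"""NetFlow-style baselining: find hosts whose volume stands out from a prior
baseline window.  Flow records are constructed for this example; they are not
NFSEN/NFDUMP output, and filter_flows is only modelled on the idea of a flow
filter (an assumption, not nfdump's real filter syntax)."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed flow records: (epoch_s, src, dst, proto, dst_port, bytes, packets)
BASELINE = [
    (1000, "10.1.1.10", "10.2.2.20", "tcp", 443, 12000, 40),
    (1010, "10.1.1.11", "10.2.2.20", "tcp", 443, 15000, 50),
    (1020, "10.1.1.12", "10.2.2.21", "udp", 53, 800, 4),
    (1030, "10.1.1.10", "10.2.2.22", "tcp", 80, 9000, 30),
    (1040, "10.1.1.13", "10.2.2.20", "tcp", 443, 11000, 38),
    (1050, "10.1.1.11", "10.2.2.23", "tcp", 22, 3000, 12),
]
RECENT = [
    (2000, "10.1.1.10", "10.2.2.20", "tcp", 443, 13000, 42),
    (2010, "10.1.1.11", "10.2.2.20", "tcp", 443, 14000, 47),
    (2020, "10.1.1.12", "10.2.2.21", "udp", 53, 900, 5),
    (2030, "10.1.1.13", "198.51.100.7", "tcp", 445, 950000, 3100),  # stands out
    (2040, "10.1.1.13", "198.51.100.7", "tcp", 445, 870000, 2900),
]


def bytes_per_host(flows, field="src"):
    """Sum bytes per source (or destination) address."""
    idx = 1 if field == "src" else 2
    totals = defaultdict(int)
    for f in flows:
        totals[f[idx]] += f[5]
    return dict(totals)


def filter_flows(flows, proto=None, dst_port=None, src=None):
    """Keep flows matching every supplied criterion (None means 'any')."""
    return [f for f in flows
            if (proto is None or f[3] == proto)
            and (dst_port is None or f[4] == dst_port)
            and (src is None or f[1] == src)]


def top_talkers(flows, n=3, field="src"):
    """Hosts ranked by total bytes, ties broken by address."""
    totals = bytes_per_host(flows, field)
    return sorted(totals.items(), key=lambda kv: (-kv[1], kv[0]))[:n]


def baseline_outliers(baseline, recent, k=3.0, min_ratio=5.0):
    """Flag hosts whose recent byte total exceeds mean + k*stdev of the
    baseline per-host totals AND is at least min_ratio times their own
    baseline volume (hosts unseen in the baseline pass the ratio test)."""
    base = bytes_per_host(baseline)
    cur = bytes_per_host(recent)
    vals = list(base.values())
    threshold = mean(vals) + k * pstdev(vals)
    flagged = {}
    for host, total in cur.items():
        prior = base.get(host, 0)
        if total > threshold and (prior == 0 or total / prior >= min_ratio):
            flagged[host] = {"bytes": total, "baseline_bytes": prior,
                             "threshold": round(threshold)}
    return flagged


if __name__ == "__main__":
    print("top talkers:", top_talkers(RECENT))
    print("tcp/445 flows:", filter_flows(RECENT, proto="tcp", dst_port=445))
    print("outliers:", baseline_outliers(BASELINE, RECENT))
```

Only 10.1.1.13 is flagged: its recent 1.82 MB is far beyond the baseline population threshold and over a hundred times its own prior 11 kB, while the other hosts vary by a few percent. The two-part test matters in practice: a population threshold alone keeps flagging a legitimately busy server every day, and a per-host ratio alone flags tiny hosts that grew from almost nothing, so requiring both is a cheap way to cut noise before an analyst drills into the flows with a query.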