Network Service, Systems and Data Communications Monitoring Policy

Transcription

1 Network Service, Systems and Data Communications Monitoring Policy Purpose This Policy defines the environment and circumstances under which Network Service, Systems and Data Communications Monitoring activities will be performed, i.e., Informs users of the extent that network activities; interactions, services, systems and communications methods may be monitored Identifies what personnel may be authorised to perform monitoring functions Highlights the ethics, procedures and safeguards authorised personnel must employ prior to, during and after performing monitoring functions Identifies what information the monitoring processes may gather Identifies how long recorded information may be retained Outlines the purposes 'monitored information' may be used for, including any actions that may follow e.g., anti virus measures, anti spam measures, system blocks, protocol blocks etc Monitoring is an essential tool for gathering information, which may be used for a variety of purposes, e.g., Capacity planning for Network expansion and Service upgrades Fault investigations Incident handling Conformance testing against other PWC policies Law enforcement requests Scope The Committee of Poynton Workmens Club has granted the IT Administrator, and other persons in the Management involved in IT infrastructure support, the following authority: To authorise members of (their) staff to perform Network, Systems, Applications and Data Communications monitoring procedures that conform to this Policy and all relevant UK laws and regulations. From a legal perspective the Regulation of Investigatory Powers Act (RIPA) and the companion Telecommunications regulations 2000, covering lawful business practice and interception of communications, requires that all users of Poynton Workmens Club's Information Technology resources be made aware of the following: Users are hereby informed that their use of Poynton Workmens Club's data communications infrastructure, services, systems and applications may be monitored by authorised personnel as permitted by UK legislation. UK legislation allows the monitoring of systems and network traffic without consent for legitimate purposes such as: Recording evidence of transactions Policing regulatory compliance Detecting crime or unauthorised use Safeguarding the integrity of Poynton Workmens Club's Information Technology Infrastructure Policy Authorised personnel may monitor and analyse network services, systems, data (including file systems), applications and data communications facilities pertaining to Poynton Workmens Club's research and administration functions. This policy will also apply to Sponsored or Proxy licensees directly connected to Poynton Workmens Club's networks. Sponsored or proxy licensees will be monitored for compliance with the terms of their license and compliance with our acceptable use policy. Authorised Personnel

2 In accordance with current UK legislation, IT Administrators and persons in the Managment require delegated authority from the Committee before they may authorise personnel to engage in monitoring activities. It is important to note that the Director of the Computing Service (IT Administrator) has the 'delegated' authority' to authorise appropriate personnel to monitor Poynton Workmens Club's network wide data communications infrastructure and all centrally supported systems, services and applications. Other persons of the Management may obtain 'delegated' authority to authorise appropriate personnel to monitor only those service elements for which the Department or Service has complete responsibility. It will be considered a disciplinary offence for anyone to engage in monitoring activities without proper authorisation or monitor areas out with their areas of responsibility. Furthermore it is likely that any individual who violates this policy will be breaking the law. Ethics Authorised personnel including network and system administrators must execute their duties in accordance with Poynton Workmens Club's 'System and Network administrators Guidelines', in particular authorised personnel must: Respect the privacy of others Not use or disclose information realised in the monitoring process for purposes other than those for which the process was approved. Safeguard information collected in the monitoring process Destroy information collected in the monitoring process when it is no longer required Network services and Applications General All networked systems providing network services or applications are monitored where relevant for: CPU utilisation Active processes File store utilisation, anomalies, file types and file sizes Network statistics e.g., peak and average bandwidth utilisation and errors System and security log anomalies Successful access attempts user account, date/time stamp, session duration Unsuccessful access attempts Unusual network traffic This information is used to help determine whether or not Poynton Workmens Club s systems are operating as intended. System logs and other metrics are retained for as short a period as possible. Poynton Workmens Club reserves the right to examine any file residing on any server or workstation owned by Poynton Workmens Club, connected to Poynton Workmens Club's networks or located on Poynton Workmens Club s premises. This Policy includes Poynton Workmens Club s owned machines used at home and personal systems that are connected to Poynton Workmens Club's flexible access networks. Physical monitoring Poynton Workmens Club has installed video surveillance equipment in open access cluster locations. Video recordings of these areas are kept for two weeks, however if an incident is under investigation then recordings will be kept for as long as necessary to help resolve the incident. All Incoming processed via the central mail systems is subject to the following: Virus prevention measures, which include blocks resulting from: Tests for executable file extensions including bat, exe, vbs etc

3 Tests for the initial byte sequence conserved across Microsoft Windows executables Signature based anti-virus scanning Blocking occurs at the SMTP transaction level giving a 'permanent failure' response to the SMTP DATA command. This approach results in: Genuine senders get a meaningfull error report from their message transport agent (MTA) Our servers do not compose and deliver 'bogus virus alert' messages to innocent users who have had their e- mail sender details counterfeited Spam delivery prevention measures. Spam is defined as unsolicited bulk , which can range from the relatively innocuous but annoying receipt of unwanted communications to a denial of service attack through a concerted attempt to flood a network or overload and crash a server. Sites are blocked according to the RBL (Real-time Black hole List), which is a blacklist of networks known to be originators of Spam. RBL is served via 1and1 Internet Services AG and Poynton Workmens Club. Additional measures to help prevent the delivery of spam have been implemented and these are documented on the PWC Intranet Unauthorised mail relaying is not permitted. This prevents external attempts to use Poynton Workmens Club mail systems to relay Spam or other messages. Mail from specific sources may be blocked on receipt of valid complaints Mail logs are used to follow up problems reported to Postmaster. These logs are kept for 1 month then deleted. The length of time that the logs are kept reflects the fact that problems can take some time to come to light if the recipient is absent. Mail logs record the following information: Time stamp; sender address & mail system ip address; recipient address & mail system ip address; message id; message size Certain SMTP protocol information associated with the initial and final SMTP dialogues Note that no content information, not even the mail subject field, is held. Web access All Web access, with very few specific exceptions, is forced through Poynton Workmens Club's Web cache service. At present certain content filtering settings are enforced. These filters have been applied to deny users access to sites deemed innapropriate by Poynton Workmens Club and the Management. It is also possible to apply filters or block access to sites on request, or for security or defensive reasons. For example as part of the measures taken to protect against the NIMDA and CodeRed viruses, content filters were applied on the Caches. Cache logs are used primarily to produce statistics on the service. They are also used to investigate any cases of suspected unauthorised use, or illegal activity that are reported. To support trend analysis, daily logs are aggregated into monthly logs, which in turn are aggregated into annual logs. The daily raw log file records the following information Ip address of requestor; time stamp; time to download page; status code; size, URL; Hardware (MAC) Address; Username The daily raw data is compressed into three separate daily files for ease in producing statistics. In addition the raw data is aggregated into the current monthly log file in an anonymised fashion. Daily files are retained for 240 days; this figure maximises the number of days that log files are stored within the confines of available disc space. Monthly log files: These files are anonymised and retained for 1 year.

4 Yearly log: Aggregated from monthly log files; anonymised; No yearly data has been disposed of to date. System Inspection As a condition of connection to Poynton Workmens Club's network; Staff and Committee users must agree that The Committee and/ or its Authorized Persons may inspect their systems on request and at any reasonable times. Infrastructure records and Associations The data communications infrastructure consists of many components i.e., Fibre optic cabling systems Building premises distribution schemes Backbone and edge routers Ethernet hubs and switches Remote access devices Detailed records and inventories are maintained for all infrastructure components and these are used to support the following: Fault investigations Maintenance contracts Capacity planning Risk analysis A key feature of all centrally supported active components, (Routers, hubs, switches etc) is manageability via native TCP/IP stacks supporting IP applications including SNMP agents. This manageability is used extensively for the following purposes: To monitor active components for failure or error conditions To associate a particular active port with a specific system MAC address, IP address, DNS name and network connection point. To track changes in any associations To assist in fault investigations and incident handling To check compliance with other Poynton Workmens Club Policies Network monitoring Internet Traffic Incoming traffic from our appointed ISP(s) is subject to the following restrictions; implemented at the boundary router connecting Poynton Workmens Club s network to the Wired and Wireless access system: Specific IP ports, which are associated with services that present serious vulnerabilities, are blocked. The actual 'port block' list is derived from local knowledge, experience and national CERT advice. Filters are in place to block sites from which Poynton Workmens Club has previously been attacked. On occasion filters are used to block specific sites in response to a specific request Poynton Workmens Club boundary Router maintains extensive network flow information, which is transferred periodically to flow collectors. The collectors store flow information in log files, which are then processed and used for the following purposes: Fault investigations Incident Handling Traffic profiling Alerts on unusual activity e.g., DoS attacks, potentially malicious traffic

5 Flow logs do not record application data content; they merely record certain IP fields and volume data i.e., Source ip address, destination ip address, port numbers, volume, and time stamp Due to disc space considerations the flow log files are kept for a maximum of 14 days Traffic Monitoring Authorised personnel may monitor Poynton Workmens Club s backbone or specific segments for the following: Protocols and applications in use Sources and Destinations traffic patterns Performance metrics Bytes sent and received per Router and switch interface Errors per Router and switch interface Failure conditions Statistical records are retained for as long as they are deemed useful. Under exceptional circumstances i.e., to help investigate incidents or fault conditions, specific interactions between endpoints maybe monitored and recorded for analysis. Records are retained for as long as the incident or fault is active after which time all records are destroyed. Intrusion Detection Systems Poynton Workmens Club s backbone network incorporates several Intrusion Detection Systems (IDS) that are used to identify malicious activity, including local compromised hosts, and derive additional backbone router security filters. These systems continually look for recognisable signatures of common attack profiles e.g., CodeRed, Nimda etc. When a signature is recognised an event is logged providing details of the signature, e.g., Source IP address, destination IP address, source port, destination port and suspect payload. Intrusion Detection Systems produce extensive logs, which require detailed scrutiny to reliably identify malicious activity. IDS logs are retained for short periods. Active scanning Authorised personnel may perform active scanning of network segments to identify vulnerabilities and or compromised hosts. Authorised personnel must exercise due diligence when performing any scanning activity: in particular authorised personnel must: Inform the network and systems administrators responsible for the systems on a segment of the planned scan activity and provide the following: Schedules including Time and duration of scans Systems performing the scan, (IP addresses) Object of the scan i.e., vulnerabilities to be tested Take reasonable steps to ensure the continued operation or functionality of any system being scanned Identify systems with vulnerabilities to the relevant system administrators Records from active scans will be kept to help identify areas where actions associated with other Poynton Workmens Club Policies may be required. Users of the flexible access facilities should note that active scanning would apply to any personal system connected to those facilities. Any user who considers this condition unacceptable should not connect their system to the flexible access facilities.