UNIVERSITY of GLASGOW

IT Services

IT Services IT monitoring

1. E-Mail

Incoming mail via the central systems is subject to the following:

  • blocking of 'active attachments' as an anti-virus measure. The list of active attachments comprises all those which have been abused in recent attacks and includes bat, exe and vbs. Since July, some 1000 viruses per week have been blocked, and this number is rising in line with virus activity on the Internet.
  • blocking of spam e-mail. Spam is unsolicited e-mail, ranging from the relatively innocuous but annoying receipt of unwanted messages to a denial of service attack in which a concerted attempt is made to flood a network or to overload and crash a server. Sending sites are blocked according to the RBL (Realtime Blackhole List), a blacklist of networks known to originate spam. The RBL is served via JANET, and the service is funded by UKERNA for JANET. Around 1000 spam messages a day are blocked.
  • blocking of unauthorised mail relaying. This prevents external attempts to use University of Glasgow mail systems to relay spam messages.
  • on occasion, mail from specific originators is blocked on receipt of complaints.
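
The first bullet describes an extension-based attachment block. The following is an added example of that check, not code from the University's mail system: it parses a raw message with the standard library, walks the attachments, and reports any whose final extension is in the blocked set. The set holds only the three extensions the page names; the page says the real list was larger. The constructed sample messages and the helper names are assumptions. Note that the check looks at the declared file name only, so `report.txt.exe` is caught (the last extension is what matters) but a renamed executable with a harmless extension is not; that is the limit of this measure and why it sits alongside, not instead of, content scanning.

```python
"""Extension-based attachment block of the kind section 1 describes.
Constructed example, not the University's mail system code."""
from __future__ import annotations

import email
import email.policy
from email.message import EmailMessage
from pathlib import PurePosixPath

# The page names bat, exe and vbs.  The real list was "all those abused in
# recent attacks", so this set is a starting point, not the full list.
BLOCKED_EXTENSIONS = {"bat", "exe", "vbs"}


def attachment_extension(filename: str) -> str:
    """Final extension of a file name, lower-cased, without the dot.

    Only the last suffix counts, so 'report.txt.exe' gives 'exe' and
    'Setup.EXE' gives 'exe'; a name with no suffix gives ''.
    """
    return PurePosixPath(filename.strip()).suffix.lower().lstrip(".")


def blocked_attachments(raw: bytes) -> list[str]:
    """Parse a raw RFC 5322 message and list attachment names that must be blocked."""
    msg = email.message_from_bytes(raw, policy=email.policy.default)
    hits = []
    for part in msg.iter_attachments():
        # get_filename() reads Content-Disposition filename= and falls back
        # to the Content-Type name= parameter.
        name = part.get_filename()
        if name and attachment_extension(name) in BLOCKED_EXTENSIONS:
            hits.append(name)
    return hits


def should_block(raw: bytes) -> bool:
    """Decision for the MTA: reject the whole message if any attachment is active."""
    return bool(blocked_attachments(raw))


def build_sample(filenames: list[str]) -> bytes:
    """Constructed test message: a short text body plus one binary attachment per name."""
    msg = EmailMessage()
    msg["From"] = "sender@example.net"
    msg["To"] = "someone@example.ac.uk"
    msg["Subject"] = "constructed sample"
    msg.set_content("Please see the attached files.")
    for name in filenames:
        msg.add_attachment(b"\x00constructed payload\x00", maintype="application",
                           subtype="octet-stream", filename=name)
    return msg.as_bytes()


if __name__ == "__main__":
    suspicious = build_sample(["invoice.exe", "notes.txt", "photo.jpg.vbs", "Setup.EXE"])
    clean = build_sample(["notes.txt", "agenda.pdf"])
    print(blocked_attachments(suspicious))  # ['invoice.exe', 'photo.jpg.vbs', 'Setup.EXE']
    print(should_block(clean))              # False
```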

Mail logs are used to follow up problems reported to Postmaster. These logs are kept for 1 month and then deleted; the retention period reflects the fact that problems can take some time to come to light if the recipient is absent.

Mail log contents:
Time stamp; sender e-mail address and mail system IP address; recipient e-mail address and mail system IP address; message id; message size
Note that no content information, not even mail subject, is held.

2. Web access

All Web access, with very few specific exceptions for particular reasons associated with the site, is forced through the Web cache service. At present we do not block any site or filter on site or content. We will, however, apply filters or block access to sites on specific request, or for security or defensive reasons. For example, as part of the measures taken to protect Campus against the recent NIMDA worm, a filter was applied at the cache on the advice of UKERNA.

Cache logs are used primarily to produce statistics on the service. They are also used to investigate any cases of suspected unauthorised use, or indeed illegal activity, that are reported. In order that we can view trends, daily logs are aggregated into monthly logs which in turn are aggregated into annual logs.

Daily raw log file contents:
IP address of requestor; time stamp; time to download page; status code; size; URL

As part of the processing of the daily log to produce daily statistics, the raw data file is compressed, three separate daily files are created for ease of producing statistics, and the raw data are aggregated into the current monthly log file in an anonymised fashion. Daily files are retained for 240 days; this figure maximises the number of days for which we can store the data within the confines of available disc space. Initial advice from the police was to retain this information for as long as possible.

Monthly log files:
These files are anonymised and retained for 1 year.

Yearly log:
Aggregated from monthly log files; anonymised; no yearly data has been disposed of to date.
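
The daily-to-monthly processing above is the kind of pipeline that is easy to describe and easy to get subtly wrong (a query string carrying a username survives into the "anonymised" file, or a malformed line aborts the whole run). The following added example, which is not the University's processing script, works through the raw day log in the field order listed above: it parses the lines, produces the daily figures, builds an aggregate that drops the requestor address entirely and reduces each URL to its host, folds such aggregates into the monthly (and yearly) file, and applies the 240-day purge rule to daily file names. The sample log lines, the choice of anonymisation (drop the address rather than hash it, keep host and status only), the `cache-YYYY-MM-DD` file-name pattern and all function names are assumptions.

```python
"""Web cache day-log processing: daily statistics, anonymised monthly
aggregate, 240-day purge.  Constructed example, not the University's code."""
from __future__ import annotations

import re
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import date, datetime
from urllib.parse import urlsplit


@dataclass(frozen=True)
class Request:
    client_ip: str
    when: datetime
    download_ms: int
    status: int
    size: int
    url: str


# Constructed raw daily log in the listed order: IP address of requestor;
# time stamp; time to download; status code; size; URL.  Documentation
# addresses (RFC 5737) stand in for real clients.  The last line is
# deliberately corrupt to show the parser skipping rather than aborting.
RAW_DAILY_LOG = """\
192.0.2.17 2001-10-03T09:12:01 340 200 15234 http://www.example.ac.uk/index.html
192.0.2.17 2001-10-03T09:12:05 120 304 0 http://www.example.ac.uk/logo.gif
192.0.2.99 2001-10-03T09:13:44 2100 200 88120 http://cdn.example.com/paper.pdf?user=jsmith
192.0.2.99 2001-10-03T09:15:02 50 403 312 http://blocked.example.net/
192.0.2.3 2001-10-03T10:01:10 800 200 4400 http://www.example.ac.uk/index.html
this line is corrupt and must be skipped
"""


def parse_line(line: str) -> Request | None:
    """Parse one raw line; return None for a malformed line instead of raising."""
    fields = line.split(maxsplit=5)
    if len(fields) != 6:
        return None
    try:
        return Request(fields[0], datetime.fromisoformat(fields[1]),
                       int(fields[2]), int(fields[3]), int(fields[4]), fields[5])
    except ValueError:
        return None


def parse_log(text: str) -> list[Request]:
    return [r for r in (parse_line(line) for line in text.splitlines()) if r is not None]


def daily_stats(requests: list[Request]) -> dict:
    """Figures of the kind a daily statistics run produces (still identifying: raw data)."""
    return {
        "requests": len(requests),
        "bytes": sum(r.size for r in requests),
        "status": Counter(r.status for r in requests),
        "distinct_clients": len({r.client_ip for r in requests}),
    }


def anonymise(requests: list[Request]) -> dict[tuple[str, str, int], list[int]]:
    """Aggregate for the monthly file: the client address is dropped entirely and
    the URL reduced to its host, so neither who fetched a page nor identifiers in
    a query string (e.g. ?user=...) survive.  Key: (day, host, status)."""
    agg: dict[tuple[str, str, int], list[int]] = defaultdict(lambda: [0, 0])
    for r in requests:
        key = (r.when.date().isoformat(), urlsplit(r.url).hostname or "", r.status)
        agg[key][0] += 1          # request count
        agg[key][1] += r.size     # bytes served
    return dict(agg)


def merge(*aggregates: dict) -> dict:
    """Fold daily aggregates into the monthly file, or monthly into yearly; since the
    inputs are already anonymised nothing is re-identified here."""
    total: dict[tuple[str, str, int], list[int]] = defaultdict(lambda: [0, 0])
    for agg in aggregates:
        for key, (n, size) in agg.items():
            total[key][0] += n
            total[key][1] += size
    return dict(total)


_DATED = re.compile(r"(\d{4}-\d{2}-\d{2})")


def files_to_purge(filenames: list[str], today: str, keep_days: int = 240) -> list[str]:
    """Daily files older than keep_days (240 on the page) are due for deletion.
    The file date is read from the assumed cache-YYYY-MM-DD name; today is ISO."""
    now = date.fromisoformat(today)
    out = []
    for name in filenames:
        m = _DATED.search(name)
        if m and (now - date.fromisoformat(m.group(1))).days > keep_days:
            out.append(name)
    return out


if __name__ == "__main__":
    reqs = parse_log(RAW_DAILY_LOG)
    print(daily_stats(reqs))
    print(anonymise(reqs))
    print(files_to_purge(["cache-2001-10-03.log.gz", "cache-2002-06-01.log.gz"], "2002-06-02"))
```

The anonymised key keeps the URL host rather than the full URL because path and query components routinely carry session tokens and user names; if per-page trends are needed, strip the query and keep the path, but never the client address.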

3. Network monitoring

Incoming traffic from JANET is subject to the following restrictions at the router which connects the University network to JANET:

  • Certain IP ports are blocked because the services that use them are known security loopholes. CERT provides general advice in this area.
  • Filters are in place to block sites from which the University has been attacked previously.
  • On occasion, filters are used to block specific sites in response to a specific request.

Network logs are used for a variety of purposes, including following up JANET access problems, profiling traffic, identifying unusual or malicious activity, and billing. Billing or flow logs do not record the content of communicated data; they record only IP address and volume data.

Log contents:
Source IP address; destination IP address; port number; volume; time stamp

Because of disc space constraints these raw log files are kept for a maximum of 6 days. The raw information is consolidated for billing purposes and the consolidated logs are retained.

Note that under system or network fault conditions within the University network we may need to log all data for the purpose of fault diagnosis and rectification. Such logs are seldom kept for any length of time after the fault has been rectified. Operating a complex and pervasive networked computing environment would be impossible without this ability.

4. Intrusion Detection Systems

We operate Intrusion Detection Systems (IDS) for the purpose of identifying malicious activity. These systems work by looking for recognisable signatures of common attack profiles. An example of such use was the identification of systems on Campus which had been compromised by the CodeRed virus. In certain cases where our internal systems are under attack (e.g. Denial Of Service attacks, Bulk network Scanning), automatic action can be taken to deny the attacking/hostile site access to the University Network. Note that this also means that University systems are also unable to communicate with the hostile site.