
CNS Data Collection and Retention Current Practice

Cliff Frost

April 2004


IST Communication & Network Services (CNS) manages the campus network with the aid of several network-based traffic monitoring and logging systems. These systems automatically monitor, collect, and analyze data that pass through the campus network for various management purposes, some in real time, some for problem detection and resolution, and some for long term planning.

Consistent with University policy, CNS does not routinely monitor or collect the contents of electronic transmissions. Rather, the data collected by the CNS monitoring systems are "transactional" as defined by the University of California Electronic Communication Policy (ECP). These data, however, do include information that can be associated with an individual computer. Because this information may be sensitive or critical as defined by Business and Finance Bulletin IS-3 Electronic Information Security, strategies for protecting these data are required. CNS staff are well versed in the privacy provisions of the ECP. CNS procedures require the approval of the CNS Director for any release of data from CNS to other campus departments.

The purpose of CNS's monitoring and data collection is to manage the campus network activity as a whole, consistent with IS-3 Section VI "Logical Security." IS-3 requires the collection of system logs to assist in monitoring access to electronic information resources and to data retained within such resources.

Analysis of the data collected by these systems alerts CNS staff to patterns of usage between computers, or from specific computers, that require further investigation. If the investigation reveals unusual spikes or anomalies inconsistent with standard campus network traffic, selected logs may be made available to departments so they can investigate the activity locally.

What follows is a list of different types of data that CNS might collect, how the data are used, and the length of retention of the data. There is no guarantee that these data will be kept or collected at all.

Following the list of different data types is a summary of what will be shared with departmental managers and under what circumstances.

Netflow Data

This is the record of the transactional data for every flow that traverses a router.

The main purpose is to understand the volume and characteristics (such as times of day, size of packets, type of applications) of the traffic flowing through various points in the network.

Of particular interest are the netflow data that relate to the campus' usage of the Internet outside the campus network boundaries. Data referring to the Internet are the only netflow data that CNS is regularly collecting. As a result of consultations between the Network Advisory Committee (NAC) members and CNS, the following guidelines govern the retention of netflow data by CNS:

  • CNS shall not store raw Netflow data for more than one month after its collection.
  • CNS may store Netflow data longer than one month if and only if a privacy filter is applied to the data to prevent the detailed characterization of network activities of specific UC Berkeley IP addresses.
    • Within each Netflow record, UC Berkeley IP addresses shall be made anonymous so that only the local network (subnet) of the IP can be identified. In the case of IP addresses configured on small networks, the 6 least significant bits of the IP address shall be discarded.
    • CNS may store anonymous Netflow records indefinitely.
  • CNS shall maintain a high standard of security on all machines that store or process Netflow data and shall maintain appropriate restrictions on the availability of such data.
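The privacy filter described in the guidelines above, as an added illustration that is not CNS's own tooling: campus addresses are truncated to their subnet and never kept more precisely than /26 (the 6 least significant bits discarded), while off-campus addresses pass through unchanged. The campus prefixes, subnet table and flow records are constructed for the example; the page does not list UC Berkeley's actual address plan.

```python
import ipaddress

# Constructed campus address plan (assumption: the page does not list UC Berkeley's
# real prefixes, so RFC 5737 documentation ranges stand in for them here).
CAMPUS_AGGREGATE = ipaddress.ip_network("192.0.2.0/24")
CAMPUS_SUBNETS = [
    ipaddress.ip_network("192.0.2.0/25"),    # an ordinary departmental subnet
    ipaddress.ip_network("192.0.2.128/28"),  # a "small network": longer than /26
]
MAX_PREFIX = 26  # discarding the 6 least significant bits keeps at most 26 bits


def anonymize_ip(addr: str) -> str:
    """Apply the privacy filter to one address.

    Off-campus addresses are returned unchanged. Campus addresses are
    truncated to their subnet, and never kept more precisely than /26, so a
    stored record can identify the subnet but not the individual host.
    """
    ip = ipaddress.ip_address(addr)
    if ip not in CAMPUS_AGGREGATE:
        return addr
    plen = MAX_PREFIX  # campus address with no subnet entry: fall back to /26
    for net in CAMPUS_SUBNETS:
        if ip in net:
            plen = min(net.prefixlen, MAX_PREFIX)
            break
    return str(ipaddress.ip_network(f"{ip}/{plen}", strict=False).network_address)


def anonymize_flow(rec: dict) -> dict:
    """Return a copy of a flow record with both endpoints filtered; other fields stay."""
    out = dict(rec)
    out["src"] = anonymize_ip(rec["src"])
    out["dst"] = anonymize_ip(rec["dst"])
    return out


# Constructed sample flow records, not real Netflow data.
SAMPLE_FLOWS = [
    {"src": "192.0.2.77", "dst": "203.0.113.9", "dport": 80, "bytes": 5120},
    {"src": "198.51.100.4", "dst": "192.0.2.140", "dport": 443, "bytes": 900},
]

if __name__ == "__main__":
    for rec in SAMPLE_FLOWS:
        print(anonymize_flow(rec))
```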


ARP Cache Data

For several years, CNS has collected, and published on the World Wide Web, information about which IP addresses are being used by which Ethernet ("MAC") card addresses. Anyone can query this database at http://nak.berkeley.edu/cgi-bin/getarp/arpquery, and it is an extremely useful tool for system administrators.

Device Specific Logs

Modems, DHCP servers, and Wireless Access Points all record logs that map a registered user to an IP address for the period of time that address is in use. These logs help track down individuals who violate the law and/or policy while using a dynamically assigned IP address. These logs are kept on disk for months or even years depending on the volume of data. These data are shared only with appropriate authorities (such as the campus' System and Network Security group (SNS), or campus disciplinary authorities), only as needed for analysis of specific events.

Other Incident Data

In addition to the above sources of data, there are many other sources, such as third party logs. In the course of investigating an incident, all of these data are collected and turned over to SNS or other appropriate authorities. SNS will save and carefully protect all data pertaining to confirmed security incidents. However, SNS makes an effort to delete all other sensitive data.

Sharing of Data

  1. CNS will provide any data it possesses that relates to a specific incident, or suspected incident, involving a violation of law or policy. CNS will do so only at the request of appropriate campus authorities.
  2. For a department interested in understanding the traffic patterns with respect to equipment that it manages, CNS can provide summary data based upon IP address and port number (a pointer to the protocol or application being used). These summaries are based upon either the local campus IP address or the off-campus IP address, but not both. These summary data are collected only at the border of the campus and the Internet.
  3. CNS currently provides netflow data as follows:
    1. Summary information is provided to other IST departments and the Haas School of Business only with respect to usage of the kazaa port on systems on their networks.
    2. In addition, CNS provides complete netflow data for the Residence Halls to the Housing and Dining network managers.
  4. CNS can produce usage reports for departments, on the condition that the departmental authorizing official agrees to follow appropriate steps with respect to notification of the affected population, confidentiality of the data, and appropriate use of the data. Guidelines for appropriate treatment of these data will be made available to the department with the release of the data.
Last revised: June 15, 2004