Security Focus

The Super Powers of Layer 7 Traffic Analysis at Wayne State

  • By Dian Schaffhauser
  • 09/26/08
The six-person information security office at Wayne State University faces the same challenge common to most institutions of higher education: limited resources and unlimited problems--especially when it comes to identifying problematic network traffic.

"We had so many different systems reporting so many different events, no one could really keep up with it," said Graydon Huffman, senior systems security specialist. "You'd have to have a dedicated security force with people reviewing these logs all the time."

With 33,000 students and 5,800 faculty and staff, 50,000 to 60,000 concurrent hosts with inbound connections to the campus, and an estimated 10,000 concurrent internal hosts hitting the network at any given moment, the firewalls themselves were generating between 600 and 700 events per second--each possibly a signal that something malicious was going on. "That sheer volume is humanly impossible to go through and correlate," said Huffman.

So, as IT Director Morris Reynolds explained, the university set about looking for a security information and event management tool that would act as the "eyes" of the security team "to help us make quick and informed decisions on the various traffic that was moving throughout the institution's network."

The evaluation process was managed by somebody no longer with the school, but Huffman said he believes products from ArcSight, Cisco, and Q1 Labs were under consideration. Attracted by the ability of Q1's QRadar to perform layer 7 application analysis and event correlation, the university purchased and deployed the system in June 2007. The purchase included hardware, software licensing, a maintenance contract, and support services. The applications run on Linux-based appliances. Although Wayne State declined to say what it paid, Huffman estimated the total in the six figures.

How QRadar Works
That original installation, done before Huffman joined the university, was deployed as a stand-alone model, which consisted of a console and a QFlow Collector. The console is a 2U server that provides the main interface for users. The collector is a 1U device that performs layer 7 network data flow analysis by collecting traffic via a tap or mirror port on customer-specified segments of the network. A QFlow is Q1's flow format, akin to Cisco's NetFlow and Juniper's JFlow.
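To make the two ideas in this article concrete, the following is an added toy example (not code from Q1 Labs, QRadar, or Wayne State): it identifies the application of each flow from the first payload bytes rather than from the port, which is what "layer 7" analysis means, and then correlates the flows per source host so an analyst sees one summary per host instead of one line per event. The flow records and the handful of payload signatures are constructed for the example.

```python
from collections import defaultdict

# Constructed sample flows: (src, dst, dst_port, first payload bytes).
SAMPLE_FLOWS = [
    ("10.1.1.5", "203.0.113.10", 80, b"GET /index.html HTTP/1.1\r\nHost: x"),
    ("10.1.1.5", "203.0.113.11", 8443, b"GET /cgi-bin/ HTTP/1.0\r\n"),   # HTTP on an odd port
    ("10.1.1.7", "203.0.113.12", 22, b"SSH-2.0-OpenSSH_7.4\r\n"),
    ("10.1.1.9", "203.0.113.13", 80, b"\x16\x03\x01\x00\xa5\x01\x00"),  # TLS handshake on port 80
    ("10.1.1.9", "203.0.113.14", 443, b"\x16\x03\x03\x00"),
]

# Minimal layer 7 signatures (illustrative, not a full protocol decoder).
SIGNATURES = [
    ("http", lambda p: p.split(b" ", 1)[0] in (b"GET", b"POST", b"HEAD", b"PUT") and b"HTTP/" in p),
    ("ssh", lambda p: p.startswith(b"SSH-")),
    ("tls", lambda p: len(p) >= 3 and p[0] == 0x16 and p[1] == 0x03),  # TLS record, handshake type
]

# What a port-only view would assume; used to spot mismatches.
PORT_HINTS = {80: "http", 443: "tls", 22: "ssh"}

def classify_l7(payload):
    """Application seen in the payload, independent of the port used."""
    for name, match in SIGNATURES:
        if match(payload):
            return name
    return "unknown"

def classify_port(port):
    """Application a port-based (layer 4) view would report."""
    return PORT_HINTS.get(port, "unknown")

def analyze(flows):
    """Per-flow records plus a per-source summary: the correlation step."""
    records = []
    per_src = defaultdict(lambda: {"flows": 0, "mismatches": 0, "apps": set()})
    for src, dst, port, payload in flows:
        app = classify_l7(payload)
        mismatch = app != classify_port(port)       # payload disagrees with the port
        records.append({"src": src, "dst": dst, "port": port, "app": app, "port_mismatch": mismatch})
        summary = per_src[src]
        summary["flows"] += 1
        summary["apps"].add(app)
        if mismatch:
            summary["mismatches"] += 1
    return records, dict(per_src)

if __name__ == "__main__":
    _, by_host = analyze(SAMPLE_FLOWS)
    for host, s in by_host.items():
        print(host, s["flows"], "flows", s["mismatches"], "port/app mismatches", sorted(s["apps"]))
```

The per-host summary is the kind of aggregation that turns hundreds of raw events per second into a short list an analyst can actually review.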
