Overview
The purpose of Intrusion Detection and Prevention (IDP) is to help
protect resources on the UCSB network without interrupting network
service for students, staff, and faculty. Our IDP solutions provide
the UCSB network with a means to secure intellectual property,
minimize the number of cyber attacks originating from our network,
and significantly reduce the number of cyber attacks against our
network. This system allows the University to know when an attack is
taking place, and ensure that appropriate and effective actions are
taken proactively.
Details
We use a combination of various hardware and software solutions in our
IDP infrastructure. The end result is that we reduce malicious
traffic in two different ways.
Null Routing
Null routing involves telling our core routers to
effectively drop all traffic involving a given IP. This causes non-UCSB
null-routed hosts to have their traffic dropped at our border gateway, and
UCSB null-routed hosts to have their traffic isolated to
their subnet. We alert an official UCSB NOC networking contact whenever
we null-route a UCSB host. This type of filtering is in response to a
specific problem, such as a known
compromise, and is intended to halt ongoing malicious activity.
The NOC maintains a current list of null-routed hosts.
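The two cases described above (off-campus hosts dropped at the border gateway, campus hosts isolated to their subnet with a NOC alert) can be modelled as a small planning routine. This is an added example, not UCSB's own tooling; the campus prefix is RFC 5737 documentation space standing in for the real allocation, and the Linux-style `ip route add blackhole` syntax is an assumption, since the page does not name the router platform.

```python
import ipaddress
from dataclasses import dataclass

# Placeholder campus prefix (RFC 5737 documentation space), NOT UCSB's real allocation.
CAMPUS_PREFIXES = [ipaddress.ip_network("192.0.2.0/24")]


@dataclass(frozen=True)
class NullRouteAction:
    host: str            # single address being null-routed
    scope: str           # "border": dropped at the border gateway; "subnet": isolated to its subnet
    route_command: str   # Linux-style blackhole route (assumed syntax; router OS not stated on the page)
    notify_noc: bool     # the NOC networking contact is alerted only for campus hosts


def plan_null_route(host: str, campus_prefixes=CAMPUS_PREFIXES) -> NullRouteAction:
    """Decide how a null route for `host` takes effect, following the two cases in the text."""
    addr = ipaddress.ip_address(host)          # raises ValueError on anything that is not an IP
    on_campus = any(addr in net for net in campus_prefixes)
    prefix_len = 128 if addr.version == 6 else 32
    family = "-6 " if addr.version == 6 else ""
    return NullRouteAction(
        host=str(addr),
        scope="subnet" if on_campus else "border",
        route_command=f"ip {family}route add blackhole {addr}/{prefix_len}",
        notify_noc=on_campus,
    )


def add_null_route(registry: dict, host: str) -> NullRouteAction:
    """Record the action in the current list of null-routed hosts (idempotent)."""
    action = plan_null_route(host)
    registry.setdefault(action.host, action)
    return registry[action.host]


def is_null_routed(registry: dict, host: str) -> bool:
    """Check the list using the normalised address, so '192.0.2.010'-style variants match."""
    return str(ipaddress.ip_address(host)) in registry
```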
Real-time Analysis of Traffic
We conduct real-time analysis of traffic in order to block specific traffic
prior to delivery. The NOC generates a report summary for these blocks at regular intervals. These reports are not available to off-campus users.
If you suspect legitimate traffic may have been blocked, please contact
noc@ucsb.edu and supply the date and time, relevant source and
destination IP addresses, and ports and/or application names.
ETA