Flow Monitoring

JANET(UK) uses flow monitoring on JANET for a range of purposes, from helping to engineer the network for the best performance to detecting attacks and anomalous traffic behaviour. Flow data is gathered from JANET external peering routers and increasingly from the core routers.

There are significant limitations on what can and cannot be done with flow data. On a network the size of JANET there are technical limitations, e.g. due to the number of new flows created per second (>60,000), and legal limitations in the guise of the Regulation of Investigatory Powers Act (RIP) and the Data Protection Act (DPA).

Anyone gathering flow data should be aware of the limitations imposed by these acts, otherwise they may accidentally be committing a criminal offence.

JANET(UK) uses two systems for gathering and processing flow data. Flow-tools is used to archive data and provide a feed of data to JANET CERT, who detect anomalous and intrusion behaviours, and Crannog's Netflow Tracker is used to provide a live view of the network in case of incidents that require immediate visibility into the data.

These systems will be updated during 2008 with a system that should allow JANET(UK) to offer additional services to the community - such as being able to view your own site's traffic in the network if you are an authorized person, or providing summary information such as which protocols and traffic types are most used.

 

For further information please contact Rina Samani.