This paper describes a series of security incidents on a large academic network and the gradual evolution of measures to deal with emerging threats. I describe the various techniques used and give an honest evaluation of them as implemented on a real network with tens of thousands of active users. Because academic computing environments are relatively open, the reader will notice that significant emphasis is given to detection and response capabilities; preventative measures are of course preferable where they are possible. I hope this information will be valuable to system administrators and IT security managers when they are evaluating preventative measures to deploy, and when they are responding to ongoing incidents.

The link to this article at InfoSec Writers is no longer available.