Janet CSIRT use of NetFlow data


Janet processes netflow data collected on various routers within the Janet network. This netflow data is used in planning, network operations, research and security incident response, and is considered necessary to effectively complete some of the tasks involved in these areas.

Netflow describes the sources and destinations of network traffic and some of the IP layer attributes of the data. It can be thought of as similar to an itemized phone bill, and is considered to be communications data. Janet is not able to link an IP address to the person using it. We may be required to disclose this data to law enforcement and other authorities in response to a notice under the Regulation of Investigatory Powers Act 2000.

The netflow data is collected at a number of points on the network: within the core, regional networks, and at external connectivity. With the permission of a connected organization, netflow data may be collected from the edge of their network or Janet-managed router. This coverage may not provide a complete view of all traffic on Janet. In many instances the collection of netflow on a router is resource intensive and the routing of IP traffic takes priority, so the data collected may only be a sample of the actual data. Janet collects large volumes of data, and storage facilities are typically limited to 90 days of netflow data. Due to configuration changes and network and equipment failure, the stored records of netflow may not be complete within that period.

Information is processed in accordance with the Data Protection Act 1998. Under particular circumstances it will be necessary to process this information independently and share this information with third parties. Where possible this will take the form of a statistical analysis or anonymised data, but in some cases (e.g. security incidents) this will not be possible if the information is to be of use to the third party.

If you are exporting netflow data to us from your network, there is a risk that a misconfiguration or error at the point where the netflow is exported may result in netflow data pertaining to traffic not destined for Janet being sent to us. If we become aware of this, we will delete the data as soon as possible.

Further information on the policies on research use of Janet traffic data is available. For any other questions, please contact us.