Educause Security Discussion mailing list archives
Re: PAT address user identification: methods?
From: Graham Toal <gtoal () UTPA EDU>
Date: Tue, 7 Feb 2006 10:49:08 -0600
We also have run into the problem of PAT translation obscuring the original internal IP addresses. We are in the process of installing a Cisco MARS device, which we believe will automatically keep track of PAT translations.
That's great if the complaint comes with an accurate timestamp. Otherwise you're no better off. Stick to 1:1 NAT if you can't use real IPs. And if you're using DHCP, tie the IP to the MAC as an approximation of issuing static IPs. Even long leases don't work if the clients can force a new IP with a DHCP release command. Having the switch learn the IP and not accept a new one is a useful trick too. If your students are deliberately up to no good they will find ways to obfuscate their IP. Changing their NetBIOS name and faking a different MAC address to fool the DHCP logs for example. Stealing someone's IP who is offline. You need to use the switch as well as the DHCP server to be sure. Do you use anything like 802.1x at your site?

G
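The timestamp dependency raised in this message, as an added example that is not part of the original post: a lookup that joins a PAT translation log with a DHCP lease log and returns every host that could match a complaint. The log layouts, addresses, MACs and times are constructed for illustration and do not reflect any particular device's output.

```python
from datetime import datetime, timedelta

def t(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")

# Constructed sample data (hypothetical layout, not from the original post).
# PAT log: (start, end, inside_ip, inside_port, public_ip, public_port)
PAT_LOG = [
    (t("2006-01-10 10:00:00"), t("2006-01-10 10:02:00"), "10.1.1.20", 3345, "192.0.2.1", 40001),
    (t("2006-01-10 10:03:00"), t("2006-01-10 10:05:00"), "10.1.1.57", 1290, "192.0.2.1", 40001),
    (t("2006-01-10 10:04:00"), t("2006-01-10 10:09:00"), "10.1.1.20", 3346, "192.0.2.1", 40002),
]
# DHCP lease log: (start, end, ip, mac). 10.1.1.20 changes hands at 10:02:30.
DHCP_LOG = [
    (t("2006-01-10 08:00:00"), t("2006-01-10 10:02:30"), "10.1.1.20", "00:11:22:33:44:55"),
    (t("2006-01-10 10:02:30"), t("2006-01-10 18:00:00"), "10.1.1.20", "00:aa:bb:cc:dd:ee"),
    (t("2006-01-10 08:00:00"), t("2006-01-10 18:00:00"), "10.1.1.57", "00:de:ad:be:ef:01"),
]

def overlaps(start, end, lo, hi):
    """True if the closed intervals [start, end] and [lo, hi] intersect."""
    return start <= hi and lo <= end

def candidates(public_ip, public_port, when, uncertainty=timedelta(0)):
    """Return every (inside_ip, mac) that could have owned public_ip:public_port
    at `when`, give or take `uncertainty` in the complaint's timestamp."""
    lo, hi = when - uncertainty, when + uncertainty
    found = set()
    for p_start, p_end, in_ip, _in_port, pub_ip, pub_port in PAT_LOG:
        if (pub_ip, pub_port) != (public_ip, public_port):
            continue
        if not overlaps(p_start, p_end, lo, hi):
            continue
        # Only the part of the translation inside the complaint window counts.
        w_lo, w_hi = max(p_start, lo), min(p_end, hi)
        for d_start, d_end, d_ip, mac in DHCP_LOG:
            if d_ip == in_ip and overlaps(d_start, d_end, w_lo, w_hi):
                found.add((in_ip, mac))
    return found

if __name__ == "__main__":
    exact = candidates("192.0.2.1", 40001, t("2006-01-10 10:01:00"))
    vague = candidates("192.0.2.1", 40001, t("2006-01-10 10:01:00"), timedelta(minutes=5))
    print("exact timestamp:", sorted(exact))
    print("+/- 5 minutes:  ", sorted(vague))
```

With an exact timestamp the lookup yields one host; with five minutes of uncertainty the reused public port maps to two different internal hosts. The MAC it returns is only what the DHCP log recorded, so it inherits the spoofing caveats in the message.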