Educause Security Discussion mailing list archives

Re: HEOA Question


From: Dave Inman <dave.inman () VISTAONE COM>
Date: Thu, 3 Feb 2011 09:35:49 -0500

I'm not sure that this would do the trick for the initial scenario as Mr.
Derwostyp (it may depend on where the appliance were to sit relative to
where the NAT takes place), but there are traffic shaping solutions that are
able to integrate with user-agents like Active Directory, RADIUS, and NAC
solutions--which might alleviate the pain of having to track down end-users
by IP and or MAC.

My sense is that if the NAT is being done at the firewall or some other edge
device, then such a solution could be viable--as it would see all of the
internal IP addresses and/or user names before the NAT took place.
_____________________________________________________________

*Dave Inman*
VistaOne Corporation
10001 Patterson Avenue, Suite 101
Richmond, VA 23238
804.972.3622 (phone)
804.497.5889 (fax)
edu.vistaone.com | *internet performance, compliance, & security for edu™*
______________________________________________________________


On Wed, Feb 2, 2011 at 5:03 PM, Harry E Flowers (flowers) <
flowers () memphis edu> wrote:

I think this is the most robust answer; if you have enough public addresses
to do 1:1 NAT, it’s a lot easier to track down versus overloaded addresses
with port mapping (PAT) and chasing ports.  And just because you now get
port info from RIAA doesn’t mean that someone else won’t send you a
“someone.yourplace.edu” was doing x suspicious or nefarious deed on my
network…



Anyway, I was over the networks at the last college where I worked several
years ago, and we used the 1:1 NAT to make it easier to track down the
source of problems.  We had plenty of address space for concurrent access,
though, so it was an easy choice for us to make.  If you’re forced to use
PAT because you have more systems accessing the Internet at a given time
than you have public addresses, then that’s obviously a different story.

--

Harry Flowers



*From:* The EDUCAUSE Security Constituent Group Listserv [mailto:
SECURITY () LISTSERV EDUCAUSE EDU] *On Behalf Of *Bulanda, Dave G
*Sent:* Monday, January 31, 2011 10:40 AM
*To:* SECURITY () LISTSERV EDUCAUSE EDU
*Subject:* Re: [SECURITY] HEOA Question



Works well in the 1:1 NAT… which I am running but yes I have some overflow
into PAT which yes is a problem without the source port in the notice.
Sometimes you have to throw it back and say “Go Fish.” :)



I do use some scripts to break down the logs for the request… Got a little
annoying building a grep and pipe statement to get what was needed, then
forgetting a step and not getting anything or too many logs.





David Bulanda
Network Services Manager
dgbulanda () indianatech edu

Indiana Tech <http://www.indianatech.edu/>



*From:* The EDUCAUSE Security Constituent Group Listserv [mailto:
SECURITY () LISTSERV EDUCAUSE EDU] *On Behalf Of *Gioia, Matthew P.
*Sent:* Monday, January 31, 2011 11:14 AM
*To:* SECURITY () LISTSERV EDUCAUSE EDU
*Subject:* Re: [SECURITY] HEOA Question



This is similar to what we do as well – things get dicey when the
complaint doesn’t include the source port though – usually you can pin it
down throwing in netflow and/or application layer data as well though. So
you’ll be going through logs or reports from the firewall + dhcp server
(which you could also throw at syslog) + netflow + whatever traffic shaping
device in the roughest circumstances. Having some application or scripts to
search through the logs will really speed up the process.





*Matthew Gioia, **CISSP*

*Network Security Analyst*

St. Louis Community College

(314) 539-5075







*From:* The EDUCAUSE Security Constituent Group Listserv [mailto:
SECURITY () LISTSERV EDUCAUSE EDU] *On Behalf Of *Bulanda, Dave G
*Sent:* Monday, January 31, 2011 9:25 AM
*To:* SECURITY () LISTSERV EDUCAUSE EDU
*Subject:* Re: [SECURITY] HEOA Question



Bill,

I have been using NAT on my perimeter for about 10 years…  I logged the
translations to a syslog server. Then match outside to inside addresses for
the time. All my students are registered with PacketFence NAC. Just look up
the inside translation address to the PacketFence logs/interface (sometimes
against DHCP logs to verify). The process can suck… but I can usually
process a notice fairly quickly. I don’t have to handle very many notices
since we lay it on the Freshman about using file-sharing. Plus the small
fine for violation helps a bit.



David Bulanda
Network Services Manager
dgbulanda () indianatech edu

Indiana Tech <http://www.indianatech.edu/>
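One way to script the correlation Dave describes (NAT translation syslog matched to the notice's public address, port and time, then the inside address checked against DHCP), as an added example that is not code from anyone on the list; the log formats, addresses, MACs and times are constructed for the example and do not match any vendor's real syslog layout:

```python
from datetime import datetime, timedelta
# Constructed, simplified log formats for this example (not any vendor's real layout):
#   NAT:  "<iso-time> NAT <inside_ip>:<port> -> <public_ip>:<public_port>"
#   DHCP: "<iso-time> DHCPACK <inside_ip> <mac>"
NAT_LOG = """\
2011-01-28T14:02:11 NAT 10.20.5.17:51234 -> 203.0.113.4:40001
2011-01-28T14:02:40 NAT 10.20.7.88:49152 -> 203.0.113.4:40002
2011-01-28T14:10:05 NAT 10.20.5.17:51235 -> 203.0.113.4:40001
"""
DHCP_LOG = """\
2011-01-28T08:00:00 DHCPACK 10.20.5.17 00:11:22:33:44:55
2011-01-28T09:30:00 DHCPACK 10.20.7.88 66:77:88:99:aa:bb
2011-01-28T13:45:00 DHCPACK 10.20.5.17 cc:dd:ee:ff:00:11
"""

def parse_nat(text):
    """Return (time, inside_ip, public_ip, public_port) for each translation line."""
    rows = []
    for line in text.splitlines():
        ts, _, inside, _, outside = line.split()
        pub_ip, pub_port = outside.rsplit(":", 1)
        rows.append((datetime.fromisoformat(ts), inside.rsplit(":", 1)[0],
                     pub_ip, int(pub_port)))
    return rows

def parse_dhcp(text):
    """Return (time, inside_ip, mac) for each DHCPACK line."""
    return [(datetime.fromisoformat(t), ip, mac)
            for t, _, ip, mac in (line.split() for line in text.splitlines())]

def inside_hosts(nat_rows, public_ip, notice_time, public_port=None,
                 window=timedelta(minutes=15)):
    """Inside IPs translated to public_ip (and port, if given) within `window` before
    notice_time, newest first; with no port every host behind that address is a candidate."""
    hits = sorted(((t, ip) for t, ip, pub, port in nat_rows
                   if pub == public_ip and notice_time - window <= t <= notice_time
                   and (public_port is None or port == public_port)), reverse=True)
    return list(dict.fromkeys(ip for _, ip in hits))

def mac_for(dhcp_rows, inside_ip, at_time):
    """MAC holding inside_ip at at_time: the latest DHCPACK for that IP at or before it."""
    leases = [(t, mac) for t, ip, mac in dhcp_rows if ip == inside_ip and t <= at_time]
    return max(leases)[1] if leases else None

def resolve_notice(public_ip, notice_time, public_port=None):
    """Map a notice to [(inside_ip, mac), ...]; several entries mean the port was missing."""
    t = datetime.fromisoformat(notice_time)
    return [(ip, mac_for(parse_dhcp(DHCP_LOG), ip, t))
            for ip in inside_hosts(parse_nat(NAT_LOG), public_ip, t, public_port)]
```

A notice without the source port (the PAT case) returns every inside host seen behind the public address in the window, which is the point at which the NAC or DHCP records must be checked host by host.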



*From:* The EDUCAUSE Security Constituent Group Listserv [mailto:
SECURITY () LISTSERV EDUCAUSE EDU] *On Behalf Of *William Derwostyp
*Sent:* Monday, January 31, 2011 9:44 AM
*To:* SECURITY () LISTSERV EDUCAUSE EDU
*Subject:* [SECURITY] HEOA Question



I need some input.

Here at USM the students are segregated to a wireless network that is now
behind a single address (NAT). This has caused a problem with responding to
RIAA notices as we cannot tie the notice to a specific user on the network,
which in turn affects compliance with the “Higher Education Opportunity
Act” (HEOA).



I am going to assume that there are other universities that use the NAT
process to control traffic on their perimeter and use non-routable addresses
on the internal network. Is there any tool or application I can use that
will help to tie the notices back to the person without having to go back to
public addressing?



William (Bill) Derwostyp,

*CISSP, G7799, GCIH, GSNA, GSLC, GSPA, GSEC, CCNA, CCSE*

Technology Security Officer University of Southern Mississippi

william.derwostyp () usm edu

Office: 601-266-5416


