Re: Static vs. dynamic dhcp assigned addresses

[Charles Seitz <cseitz () UTM EDU>]

If you have a SIEM of any flavor, it should also be able to accept DHCP
syslog and provide you an easy way to search through them. Makes life easy
around here.
UTISO


________________________________________
Charles A. Seitz
Senior Security Analyst
University of Tennessee Information Security Office
Martin Campus
cseitz () tennessee edu
(731) 881-7966
Mobile (615) 948-3641



On 12/12/11 2:59 PM, "Steven Tardy" <sjt5 () ITS MSSTATE EDU> wrote:

> On 12/12/11 10:08, Jim Mayne wrote:
> > TCU has always provided user's with static ip addresses using dhcp
> > reservations. However with the flood of new mobile devices it is
> > straining our ability to efficiently assign these types of ip addresses.
> > In discussing a movement to dynamic addresses the issue of incident
> > response and troubleshooting comes up.
> >
> > Would others using dynamic addresses share their tactics and any
> > estimate of added effort involved when tracking down issues identified
> > by ip addresses, whether they be from external complaints, IDS logs,
> > firewall logs etc.
>
>
> DHCP server syslog to a file.
> write a hundred line perl script to parse entries to insert into a
> database.
> (perl File::Tail for near realtime parsing.)
> write web page for security officer to query database.
>
> ... should be an afternoons work.
> producing:
>    DHCP logs. (dynamic ip + time stamp -=> mac address)
>
> data collection can also be done with:
>    NAT logs. (outside ip:port -=> inside ip)
>    routers ARP tables. (ip -=> mac address)
>    switch CAM tables. (mac address -=> switchport/AP)
>
> guess a pile of awesome coworkers had setup most of this years ago...
> (hard to imaging people NOT have this kind of easy
> visibility/tracking/history.)
>
>
>
> -- 
> Steven Tardy
> Systems Analyst
> Information Technology Infrastructure
> Information Technology Services
> Mississippi State University
> sjt5 () its msstate edu