nanog mailing list archives
Re: Dynamic IP log retention = 0?
From: Mike Lewinski <mike () rockynet com>
Date: Thu, 12 Mar 2009 10:52:48 -0600
Valdis.Kletnieks () vt edu wrote:
You *do* realize that "has a public address" does not actually mean that the machine is reachable from random addresses, right? There *are* these nice utilities called iptables and ipf - even Windows and Macs can be configured to say "bugger off" to unwanted traffic. And you can put a firewall appliance inline without using NAT as well.
The other big benefit to using real public IPs is abuse related. There's a scenario we encounter on a semi-regular basis where we forward a report of an apparently infected host to a customer who responds back: "How can I tell which one of our hosts is infected? We've got 200 workstations inside our NAT and this abuse report only has our single public address."
So I recommend a packet sniffer inside their LAN or accounting on their firewall. But sometimes the source is a salesperson's laptop, and they've gone on a business trip. So no new reports come in and everyone decides it must have been a false alarm. Now imagine that salesperson only stops back in the office once a month, at random undocumented intervals to make backups. How do we ever track him down? The abuse report cycle just doesn't turn around fast enough - often we don't even get reports for a day or two.
So I find myself advising customers in this situation to give every user a public IP. Even if they still do 1:1 NAT, the problem is mostly resolved provided they faithfully document MAC addresses and keep DHCP logs for a suitable length of time.
Mike
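
The lookup described above (abuse report with one public IP and a timestamp, resolved to a machine through retained DHCP logs and a MAC inventory), as an added example that is not part of the original message. The log lines, inventory, dhcpd-style line format with ISO timestamps, and 8-hour lease length are all constructed assumptions; with 1:1 NAT, translate the public address to its inside address first.

```python
import re
from datetime import datetime, timedelta

# Constructed sample data: dhcpd-style DHCPACK syslog lines with ISO timestamps.
# Addresses are from the 198.51.100.0/24 documentation range.
DHCP_LOG = """\
2009-03-09T08:01:12+00:00 gw dhcpd: DHCPACK on 198.51.100.23 to 00:16:cb:aa:01:02 (sales-laptop) via eth1
2009-03-09T12:01:12+00:00 gw dhcpd: DHCPACK on 198.51.100.23 to 00:16:cb:aa:01:02 (sales-laptop) via eth1
2009-03-10T09:15:40+00:00 gw dhcpd: DHCPACK on 198.51.100.23 to 00:1e:c2:bb:03:04 (frontdesk) via eth1
2009-03-10T09:20:05+00:00 gw dhcpd: DHCPACK on 198.51.100.40 to 00:1b:63:cc:05:06 via eth1
"""
# Constructed MAC inventory (the "faithfully documented" part).
INVENTORY = {
    "00:16:cb:aa:01:02": "sales laptop (travels)",
    "00:1e:c2:bb:03:04": "front desk workstation",
}
LEASE = timedelta(hours=8)  # assumed lease length configured on the DHCP server

ACK = re.compile(r"^(\S+) \S+ dhcpd: DHCPACK on (\S+) to ([0-9a-f:]{17})\b")

def parse(log):
    """Return sorted (timestamp, ip, mac) tuples for every DHCPACK line."""
    events = []
    for line in log.splitlines():
        m = ACK.match(line)
        if m:
            events.append((datetime.fromisoformat(m[1]), m[2], m[3]))
    return sorted(events)

def attribute(events, ip, when):
    """Map an abuse report (ip, time) to (mac, owner), or explain why not."""
    if not events or when < events[0][0]:
        return None, "report predates retained DHCP logs"
    acks = [(ts, mac) for ts, addr, mac in events if addr == ip and ts <= when]
    if not acks or when - acks[-1][0] > LEASE:
        return None, "no active lease for that address at that time"
    mac = acks[-1][1]
    return mac, INVENTORY.get(mac, "MAC not in inventory")

if __name__ == "__main__":
    events = parse(DHCP_LOG)
    for stamp in ("2009-03-09T14:30:00+00:00", "2009-03-10T10:00:00+00:00"):
        print(stamp, attribute(events, "198.51.100.23", datetime.fromisoformat(stamp)))
```

The same address resolves to two different machines a day apart, which is why the report's timestamp and the log retention period matter as much as the address itself.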