Educause Security Discussion mailing list archives
Re: PAT address user identification: methods?
From: Tristan RHODES <TristanRhodes () WEBER EDU>
Date: Fri, 27 Jan 2006 14:07:10 -0700
Greetings,

We have also run into the problem of PAT translation obscuring the original internal IP addresses. We are in the process of installing a Cisco MARS device, which we believe will automatically keep track of PAT translations.

Has anyone else deployed MARS (formerly Protego Networks)?

Tristan Rhodes
Weber State University

bcotter () POP UKY EDU 01/26/06 12:34 PM >>>
Here at the University of Kentucky we are slowly moving towards PAT'ing more and more of our class-B addresses, in an effort to ease the continuous expansion of our network. One of the problems that comes with this architectural direction is the loss of positive identification of interior users (private address) on the PAT'ed addresses, as viewed from outside (public address).

With one-to-one addressing (i.e., 128.163.x.x = 128.163.x.x) or NAT'ing (128.163.x.x = 10.10.x.x and 1hr lease), our network security team is able to identify a user from an external complaint where the 128.x.x.x address and timestamp are supplied. On the other hand, when we receive a complaint from an external source referencing one of our PAT addresses, unless the complaint is received while the activity persists (i.e., spamming, scanning, etc.), the identity is lost.

For example: A DMCA complaint is received for a user at 128.163.x.x at 10:37am (no source address given) for sharing a copyrighted file. The address 128.163.x.x is the PAT address for 6,000 resnet users on a private range of 10.x.x.x. A syslog server that records PAT transactions lists 235 possible private addresses that had that translation for 10:37am. With no source address given, who is the bad guy?

For those of you who use PAT'ing extensively and log transactions, what methods/technologies have you employed to track user identity, AND provide accurate results?

Thanks,
Bill Cotter
UK IT Security
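
The ambiguity described in the quoted message, as an added example that is not part of either post: a lookup over PAT session records showing how a public address plus timestamp yields several private candidates, while adding the translated source port (or the destination) narrows the set. The record layout, all addresses and timestamps, and the function names `parse_log` and `candidates` are constructed for illustration and do not reflect any particular device's log format.

```python
from datetime import datetime, timedelta

# Constructed PAT session records (illustrative layout, not a real device's format):
# start,end,private_ip,private_port,public_ip,public_port,dest_ip,dest_port
SAMPLE_LOG = """\
2006-01-26T10:35:02,2006-01-26T10:39:41,10.1.4.17,3012,192.0.2.10,41001,198.51.100.7,6881
2006-01-26T10:36:30,2006-01-26T10:37:05,10.1.9.201,1188,192.0.2.10,41002,203.0.113.25,80
2006-01-26T10:36:58,2006-01-26T10:41:12,10.2.0.44,4410,192.0.2.10,41003,198.51.100.7,6881
2006-01-26T10:20:00,2006-01-26T10:30:00,10.3.3.3,2222,192.0.2.10,41001,203.0.113.25,80
2006-01-26T10:36:00,2006-01-26T10:38:00,10.4.4.4,5555,192.0.2.11,41001,198.51.100.7,6881
"""

FIELDS = ("start", "end", "private_ip", "private_port",
          "public_ip", "public_port", "dest_ip", "dest_port")

def parse_log(text):
    """Parse the constructed CSV records into dicts with typed time/port fields."""
    sessions = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = dict(zip(FIELDS, line.split(",")))
        rec["start"] = datetime.fromisoformat(rec["start"])
        rec["end"] = datetime.fromisoformat(rec["end"])
        rec["public_port"] = int(rec["public_port"])
        sessions.append(rec)
    return sessions

def candidates(sessions, public_ip, when, public_port=None, dest_ip=None, skew_s=0):
    """Private IPs whose translation on public_ip was active at `when`.
    skew_s widens the window for clock drift between complainant and logger."""
    skew = timedelta(seconds=skew_s)
    hits = set()
    for s in sessions:
        if s["public_ip"] != public_ip:
            continue
        if not (s["start"] - skew <= when <= s["end"] + skew):
            continue
        if public_port is not None and s["public_port"] != public_port:
            continue  # the same public port is reused over time, so time still matters
        if dest_ip is not None and s["dest_ip"] != dest_ip:
            continue
        hits.add(s["private_ip"])
    return sorted(hits)
```

In this sample, a complaint carrying only the public address and 10:37 matches three private hosts; the same complaint with the translated source port matches one.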