Educause Security Discussion mailing list archives

Re: "many to one NAT" or PAT and RIAA


From: "Schoenefeld, Keith" <schoenk () UTULSA EDU>
Date: Tue, 2 Sep 2008 12:44:03 -0500

I don't believe that the RIAA has any say in how you monitor your
networks.  If you're determining routing of your users to three
different ISPs, CALEA may be quite a different story.  If you don't know
what your University's official response to CALEA is/was, I'd talk to
legal and find out.  If you are not CALEA exempt (and I'd be interested
in hearing your argument as to why you are CALEA exempt if you are
routing to three different ISPs), then I'd review the requirements in
CALEA:

Pursuant to a court order or other lawful authorization, carriers must
be able to: (1) expeditiously isolate all wire and electronic
communications of a target transmitted by the carrier within its service
area; (2) expeditiously isolate call-identifying information of a
target; (3) provide intercepted communications and call-identifying
information to law enforcement; and (4) carry out intercepts
unobtrusively, so targets are not made aware of the electronic
surveillance, and in a manner that does not compromise the privacy and
security of other communications.

(from http://www.askcalea.net/capability.html)

A "target" could either be an IP address or an individual, a VoIP phone
number, or some other identifying information, which makes it seem like
you might need to refine your processes.

-- KS

 

From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of John LaPrad
Sent: Tuesday, September 02, 2008 12:18 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] "many to one NAT" or PAT and RIAA

 

We have put in place a system to load balance our ISP connections.
It uses a dynamic "many to one NAT" to do this. It's very effective at
load balancing, but I am having a hard time getting enough log
information to uniquely identify internal users. There are typically
thousands of users on a given IP address at one time, and to make it
worse a single user's Internet session may bounce between three different
ISP connections.

I can, and do, keep netflow data, so I can look up an internal
IP and see their Internet traffic. But if I get a communication saying
that such an IP at such a time did something wrong, I have no idea who
that was. If they give me a destination address, sometimes I can find
one user that was there at that time, but sometimes there are more than
one, and because of the PAT, I do not know which one they are referring
to.

What I am wondering is, regarding the RIAA and perhaps homeland
security, what are our obligations as far as logging our users' Internet
activity? Do we have to be able to unambiguously connect an inside user
to an outside IP? Are the Netflow logs (showing the inside address, but
not the public address, which would be logged at the other site)
sufficient for this?

______________________________________________________________________
John LaPrad 

CISSP, CNE, CCNA, CCDA
Manager of Network Services
Saginaw Valley State University
Phone: 989-964-7134
Fax: 989-964-7446 