Educause Security Discussion mailing list archives
Re: "many to one NAT" or PAT and RIAA
From: "Schoenefeld, Keith" <schoenk () UTULSA EDU>
Date: Tue, 2 Sep 2008 12:44:03 -0500
I don't believe that the RIAA has any say in how you monitor your networks. If you're determining routing of your users to three different ISPs, CALEA may be quite a different story. If you don't know what your University's official response to CALEA is/was, I'd talk to legal and find out. If you are not CALEA exempt (and I'd be interested in hearing your argument as to why you are CALEA exempt if you are routing to three different ISPs), then I'd review the requirements in CALEA:

Pursuant to a court order or other lawful authorization, carriers must be able to:
(1) expeditiously isolate all wire and electronic communications of a target transmitted by the carrier within its service area;
(2) expeditiously isolate call-identifying information of a target;
(3) provide intercepted communications and call-identifying information to law enforcement; and
(4) carry out intercepts unobtrusively, so targets are not made aware of the electronic surveillance, and in a manner that does not compromise the privacy and security of other communications.
(from http://www.askcalea.net/capability.html)

A "target" could either be an IP address or an individual, a VoIP phone number, or some other identifying information, which makes it seem like you might need to refine your processes.

-- KS

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of John LaPrad
Sent: Tuesday, September 02, 2008 12:18 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] "many to one NAT" or PAT and RIAA

We have put in place a system to load balance our ISP connections. It uses a dynamic "many to one NAT" to do this. It's very effective at load balancing, but I am having a hard time getting enough log information to uniquely identify internal users. There are typically thousands of users on a given IP address at one time, and to make it worse a single user's Internet session may bounce between three different ISP connections.

I can, and do, keep netflow data, so I can look up an internal IP and see their Internet traffic. But if I get a communication saying that such an IP at such a time did something wrong, I have no idea who that was. If they give me a destination address, sometimes I can find one user that was there at that time, but sometimes there are more than one, and because of the PAT, I do not know which one they are referring to.

What I am wondering is, regarding the RIAA and perhaps homeland security, what are our obligations as far as logging our users' Internet activity? Do we have to be able to unambiguously connect an inside user to an outside IP? Are the Netflow logs (showing the inside address--but not the public address which would be logged at the other site) sufficient for this?

______________________________________________________________________
John LaPrad CISSP, CNE, CCNA, CCDA
Manager of Network Services
Saginaw Valley State University
Phone: 989-964-7134
Fax: 989-964-7446
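The gap John describes (netflow keeps the inside address, but a complaint names the translated public address, and many inside hosts share it) is closed in practice by logging each PAT translation with its translated source port and session times, then correlating the complaint's public address, port, destination and timestamp against those records. The script below is an added example, not code from this thread or from any NAT vendor: the syslog-like translation format, the addresses, the tolerance window and the function names are all constructed for illustration, and the parser is the part you would adapt to your device's actual log format. It also shows why a complaint that omits the translated port leaves several candidate users, which is exactly the ambiguity the original message runs into.

```python
"""Correlate an abuse complaint with PAT (many-to-one NAT) translation records.

The translation log format is constructed for this example; real NAT devices
emit their own syslog formats, so LINE_RE is what you would adapt.
"""
import re
from datetime import datetime, timedelta, timezone

# Constructed translation log: a "build" line when a translation is created and a
# "teardown" line when it is released. Timestamps are UTC; keeping NAT logs in a
# single timezone is what makes later correlation with outside complaints possible.
NAT_LOG = """\
2008-09-02T12:00:01Z NAT build inside=10.20.30.40:51234 public=203.0.113.7:40001 dest=198.51.100.9:6881
2008-09-02T12:00:05Z NAT build inside=10.20.30.41:43210 public=203.0.113.7:40002 dest=198.51.100.9:6881
2008-09-02T12:00:07Z NAT build inside=10.20.30.42:50001 public=203.0.113.8:40001 dest=198.51.100.9:6881
2008-09-02T12:09:00Z NAT teardown inside=10.20.30.40:51234 public=203.0.113.7:40001 dest=198.51.100.9:6881
2008-09-02T12:15:00Z NAT teardown inside=10.20.30.41:43210 public=203.0.113.7:40002 dest=198.51.100.9:6881
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) NAT (?P<event>build|teardown) "
    r"inside=(?P<in_ip>[\d.]+):(?P<in_port>\d+) "
    r"public=(?P<pub_ip>[\d.]+):(?P<pub_port>\d+) "
    r"dest=(?P<dst_ip>[\d.]+):(?P<dst_port>\d+)$"
)

UTC_FAR_FUTURE = datetime.max.replace(tzinfo=timezone.utc)


def parse_ts(text):
    """Parse the constructed ISO-8601 UTC timestamp into an aware datetime."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_nat_log(text):
    """Turn build/teardown lines into session records with start and end times.

    A teardown closes the most recent still-open session with the same
    translation tuple, so a reused public port does not clobber an older session.
    """
    sessions = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # ignore lines the parser does not understand
        f = m.groupdict()
        key = (f["in_ip"], int(f["in_port"]), f["pub_ip"], int(f["pub_port"]),
               f["dst_ip"], int(f["dst_port"]))
        ts = parse_ts(f["ts"])
        if f["event"] == "build":
            sessions.append({"key": key, "inside": (key[0], key[1]),
                             "public": (key[2], key[3]), "dest": (key[4], key[5]),
                             "start": ts, "end": None})
        else:
            for s in reversed(sessions):
                if s["key"] == key and s["end"] is None:
                    s["end"] = ts
                    break
    return sessions


def find_inside_hosts(sessions, public_ip, at, public_port=None, dest_ip=None,
                      tolerance=timedelta(minutes=2)):
    """Return the set of inside addresses that could be behind a complaint.

    A session matches when its translated address (plus port and destination,
    if the complaint supplies them) agrees and the complaint time falls inside
    the session, widened by `tolerance` to absorb clock skew between the
    complainant and the NAT device. More than one result means the complaint
    did not carry enough detail (typically the translated source port) to name
    a single user.
    """
    lo, hi = at - tolerance, at + tolerance
    hits = set()
    for s in sessions:
        if s["public"][0] != public_ip:
            continue
        if public_port is not None and s["public"][1] != public_port:
            continue
        if dest_ip is not None and s["dest"][0] != dest_ip:
            continue
        end = s["end"] if s["end"] is not None else UTC_FAR_FUTURE  # still open
        if s["start"] <= hi and end >= lo:
            hits.add(s["inside"][0])
    return hits


if __name__ == "__main__":
    sessions = parse_nat_log(NAT_LOG)
    when = parse_ts("2008-09-02T12:05:00Z")
    # Complaint with public IP, translated port and destination: one user.
    print(find_inside_hosts(sessions, "203.0.113.7", when, public_port=40001,
                            dest_ip="198.51.100.9"))
    # Same complaint without the translated port: two candidates, i.e. ambiguous.
    print(find_inside_hosts(sessions, "203.0.113.7", when, dest_ip="198.51.100.9"))
```

The practical takeaway is that the netflow export alone is not enough: the record that resolves a complaint is the one the NAT device itself emits, with inside address, translated address, translated source port and session start/end, retained for as long as complaints are expected to arrive.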
Current thread:
- "many to one NAT" or PAT and RIAA John LaPrad (Sep 02)
- <Possible follow-ups>
- Re: "many to one NAT" or PAT and RIAA Schoenefeld, Keith (Sep 02)