Re: HEOA Question

["Bulanda, Dave G" <DGBulanda () INDIANATECH EDU>]

Works well in the 1:1 Nat... which I am running but yes I have some overflow into PAT which yes is a problem without 
the source port in the notice. Sometimes you have to throw it back and say "Go Fish." :)

I do use some scripts to breakdown the logs for the request... Got a little annoying building a grep and pipe statement 
to get what was needed, then forgetting a step and not getting anything or too much logs.


David Bulanda
Network Services Manager
dgbulanda () indianatech edu<mailto:dgbulanda () indianatech edu>
Indiana Tech<http://www.indianatech.edu/>


From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Gioia, 
Matthew P.
Sent: Monday, January 31, 2011 11:14 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] HEOA Question

This is similar to what we do as well - things get dicey and when the complaint doesn't include the source port though 
- usually you can pin it down throwing in netflow and/or application layer data as well though. So you'll be going 
through logs or reports from the firewall + dhcp server (which you could also throw at syslog) + netflow + whatever 
traffic shaping device in the roughest circumstances. Having some application or scripts to search through the logs 
will really speed up the process.


Matthew Gioia, CISSP
Network Security Analyst
St. Louis Community College
(314) 539-5075



From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Bulanda, 
Dave G
Sent: Monday, January 31, 2011 9:25 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] HEOA Question

Bill,

I have been using NAT on my perimeter for about 10 years...  I logged the translations to a syslog server. Then match 
outside to inside addresses for the time. All my students are registered with PacketFence NAC. Just look up the inside 
translation address to the Packetfence logs/interface (sometime against DHCP logs to verify). The process can suck... 
but I can usually process a notice fairly quickly. I don't have to handle very many notices since we lay it on the 
Freshman about using file-sharing. Plus the small fine for violation helps a bit.

David Bulanda
Network Services Manager
dgbulanda () indianatech edu<mailto:dgbulanda () indianatech edu>
Indiana Tech<http://www.indianatech.edu/>

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of William 
Derwostyp
Sent: Monday, January 31, 2011 9:44 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] HEOA Question

I need some input.
Here at USM the students are segregated to a wireless network that is now behind a single address(NAT). This has caused 
a problem with responding to RIAA notices as we cannot tie the notice to a specific user on the network which in turn 
affect the compliance to the "Higher Education Opportunity Act" (HEOA).

I am going to assume that there are other universities that use the NAT process to control traffic on their perimeter 
and use non-routable addresses on the internal network. Is there any tool or application I can use that will help to 
tie the notices back to the person without having to go back to public addressing?

William (Bill) Derwostyp,
CISSP, G7799, GCIH, GSNA, GSLC, GSPA, GSEC, CCNA, CCSE
Technology Security Officer University of Southern Mississippi
william.derwostyp () usm edu<mailto:william.derwostyp () usm edu>
Office: 601-266-5416

[cid:image001.jpg@01CBC13B.6392AFE0][cid:image002.jpg@01CBC13B.6392AFE0]
Confidentiality Note: The information contained in this e-mail and/or document(s) attached is for the exclusive use of 
the individual named above and may contain confidential, privileged, and non- disclosable information. If you are not 
the intended recipient, you are hereby notified that you are strictly prohibited from reading, photocopying, 
distributing or otherwise using this e-mail or contents in any way. If you have received this transmission in error, 
please notify me immediately.