Educause Security Discussion mailing list archives

Re: HEOA Question


From: "William C. Moore" <wcmoore () VALDOSTA EDU>
Date: Tue, 1 Feb 2011 19:32:32 +0000

Bill,

If your network is like our network once was, I never found a viable solution beyond netflows.  The main hurdle for me 
was the single NAT'ed address and a few hundred users authenticated and active (using the same single IP) at the time 
the RIAA noted the alleged infringement (from that single IP).  We moved away from that architecture, which allowed our 
guys to pinpoint users reported by the RIAA/MPAA but, more importantly, to track reports from REN-ISAC.  The issue we had 
with netflows was the volume of log data over periods of time, and at the time RIAA notices were not as quick.

We did not choose this option, but one that I think is possible is to set aside a range of addresses and do a one-to-one 
translation.  This will most likely require you to determine what your highest number of "online" users is at peak 
times and set your range a little beyond that.  Of course, you will also need to determine your address lease times and 
negotiate what is acceptable.  The trick here, though, is to log the authentication / address / (I also suggest MAC 
addresses) date / time stamps so that when you receive an abuse report you can tell which private IP was associated with the 
public IP at a given time, and then which user was authenticated and provided the associated public/private IP pair (MAC 
to determine if it was the user's desktop or laptop).


Best of luck.


Bill




William C. Moore II, CISSP, MEd, MLIS
Chief Information Security Officer
Division of Information Technology
Valdosta State University
Valdosta, GA 31698
Phone:(229)333-5974
Fax:  (229)245-4349
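The correlation step the reply describes (public IP plus report timestamp, through the one-to-one NAT log to the private IP, then through the authentication/lease log to the user and MAC) as an added, self-contained example; this is not code from either poster, and the log layouts and sample records are constructed assumptions:

```python
"""Correlate an abuse report (public IP + UTC timestamp) to an authenticated user
via a one-to-one NAT translation log and an authentication/lease log.
All records below are constructed; the field layouts are assumptions, not a vendor format."""
from datetime import datetime, timezone


def ts(s):
    """Parse 'YYYY-MM-DD HH:MM:SS' as a UTC datetime (assumed log timestamp format)."""
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)


# Constructed NAT log: (public IP, private IP, mapping start, mapping end).
# The same public address is reused later for a different private address,
# which is exactly why the timestamp, not just the IP, must drive the lookup.
NAT_LOG = [
    ("203.0.113.10", "10.20.5.77", ts("2011-01-31 08:00:00"), ts("2011-01-31 12:00:00")),
    ("203.0.113.10", "10.20.9.14", ts("2011-01-31 12:05:00"), ts("2011-01-31 18:00:00")),
    ("203.0.113.11", "10.20.5.78", ts("2011-01-31 08:30:00"), ts("2011-01-31 20:00:00")),
]

# Constructed authentication/lease log: (user, private IP, MAC, lease start, lease end).
# The MAC lets you tell which of a user's devices held the lease.
AUTH_LOG = [
    ("jdoe", "10.20.5.77", "00:11:22:33:44:55", ts("2011-01-31 07:58:00"), ts("2011-01-31 12:00:00")),
    ("asmith", "10.20.9.14", "66:77:88:99:aa:bb", ts("2011-01-31 12:04:00"), ts("2011-01-31 18:00:00")),
    ("jdoe", "10.20.5.78", "cc:dd:ee:ff:00:11", ts("2011-01-31 08:29:00"), ts("2011-01-31 20:00:00")),
]


def active(start, end, when):
    """True when the record's interval covers the reported instant."""
    return start <= when <= end


def attribute(public_ip, when):
    """Return (user, private_ip, mac) for public_ip at time `when`, or None when
    no record covers that instant or more than one does (an ambiguous log is
    not evidence, so it is reported as a miss rather than a guess)."""
    nat = [r for r in NAT_LOG if r[0] == public_ip and active(r[2], r[3], when)]
    if len(nat) != 1:
        return None
    private_ip = nat[0][1]
    auth = [r for r in AUTH_LOG if r[1] == private_ip and active(r[3], r[4], when)]
    if len(auth) != 1:
        return None
    user, _, mac, _, _ = auth[0]
    return (user, private_ip, mac)


if __name__ == "__main__":
    print(attribute("203.0.113.10", ts("2011-01-31 09:15:00")))  # jdoe, first mapping
    print(attribute("203.0.113.10", ts("2011-01-31 14:00:00")))  # asmith, reused public IP
    print(attribute("203.0.113.10", ts("2011-01-31 12:02:00")))  # gap between mappings: None
```

Keeping both logs in UTC with synchronized clocks is what makes the interval checks meaningful; a notice timestamped in a different zone must be converted before the lookup.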




From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of William Derwostyp
Sent: Monday, January 31, 2011 9:44 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] HEOA Question

I need some input.
Here at USM the students are segregated to a wireless network that is now behind a single address (NAT). This has caused 
a problem with responding to RIAA notices, as we cannot tie the notice to a specific user on the network, which in turn 
affects compliance with the "Higher Education Opportunity Act" (HEOA).

I am going to assume that there are other universities that use the NAT process to control traffic on their perimeter 
and use non-routable addresses on the internal network. Is there any tool or application I can use that will help to 
tie the notices back to the person without having to go back to public addressing?

William (Bill) Derwostyp,
CISSP, G7799, GCIH, GSNA, GSLC, GSPA, GSEC, CCNA, CCSE
Technology Security Officer University of Southern Mississippi
william.derwostyp () usm edu
Office: 601-266-5416


