Educause Security Discussion mailing list archives

Re: Static vs. dynamic dhcp assigned addresses


From: Steven Tardy <sjt5 () ITS MSSTATE EDU>
Date: Mon, 12 Dec 2011 14:59:22 -0600

On 12/12/11 10:08, Jim Mayne wrote:
TCU has always provided users with static ip addresses using dhcp reservations. However, with the flood of new mobile 
devices it is straining our ability to efficiently assign these types of ip addresses. In discussing a movement to dynamic 
addresses the issue of incident response and troubleshooting comes up.

Would others using dynamic addresses share their tactics and any estimate of added effort involved when tracking down 
issues identified by ip addresses, whether they be from external complaints, IDS logs, firewall logs etc.


DHCP server syslog to a file.
write a hundred line perl script to parse entries to insert into a database.
(perl File::Tail for near realtime parsing.)
write web page for security officer to query database.

... should be an afternoon's work.
producing:
   DHCP logs. (dynamic ip + time stamp -=> mac address)

data collection can also be done with:
   NAT logs. (outside ip:port -=> inside ip)
   routers ARP tables. (ip -=> mac address)
   switch CAM tables. (mac address -=> switchport/AP)

guess a pile of awesome coworkers had setup most of this years ago...
(hard to imagine people NOT having this kind of easy visibility/tracking/history.)



--
Steven Tardy
Systems Analyst
Information Technology Infrastructure
Information Technology Services
Mississippi State University
sjt5 () its msstate edu
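
The log-to-database lookup described in the reply above, as an added example that is not part of the original post (written in Python rather than the Perl the post mentions). It assumes ISC dhcpd-style syslog lines; the sample log, table name, function names and the 4-hour lease window are hypothetical.

```python
import re
import sqlite3
from datetime import datetime, timedelta

# Constructed sample lines; the ISC dhcpd syslog layout is an assumption.
SAMPLE_LOG = """\
Dec 12 09:58:02 dhcp1 dhcpd: DHCPACK on 10.20.30.44 to 02:00:00:aa:bb:01 (tablet) via eth0
Dec 12 10:03:40 dhcp1 dhcpd: DHCPDISCOVER from 02:00:00:aa:bb:03 via eth0
Dec 12 11:58:05 dhcp1 dhcpd: DHCPACK on 10.20.30.44 to 02:00:00:aa:bb:01 (tablet) via eth0
Dec 12 13:15:27 dhcp1 dhcpd: DHCPACK on 10.20.30.44 to 02:00:00:cc:dd:02 (laptop) via eth0
"""

ACK = re.compile(
    r"^(\w{3}\s+\d+ [\d:]{8}) \S+ dhcpd(?:\[\d+\])?: "
    r"DHCPACK on (\d+\.\d+\.\d+\.\d+) to ([0-9a-f:]{17})", re.I)

def load(lines, year, db):
    """Insert every DHCPACK as (timestamp, ip, mac); syslog omits the year."""
    db.execute("CREATE TABLE IF NOT EXISTS ack (ts TEXT, ip TEXT, mac TEXT)")
    for line in lines:
        m = ACK.match(line)
        if m is None:
            continue  # DISCOVER/REQUEST/etc. do not bind an address
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        db.execute("INSERT INTO ack VALUES (?, ?, ?)",
                   (ts.isoformat(sep=" "), m.group(2), m.group(3).lower()))

def who_had(db, ip, when, lease=timedelta(hours=4)):
    """Return (mac, ack_time) for the last ACK at or before `when`.

    Returns None when that ACK is older than one lease period (hypothetical
    4 h default), since the binding may have expired by then.
    """
    t = datetime.fromisoformat(when)
    row = db.execute(
        "SELECT mac, ts FROM ack WHERE ip = ? AND ts <= ? "
        "ORDER BY ts DESC LIMIT 1", (ip, t.isoformat(sep=" "))).fetchone()
    if row is None or t - datetime.fromisoformat(row[1]) > lease:
        return None
    return row

def build_demo_db():
    db = sqlite3.connect(":memory:")
    load(SAMPLE_LOG.splitlines(), 2011, db)
    return db

if __name__ == "__main__":
    print(who_had(build_demo_db(), "10.20.30.44", "2011-12-12 10:30:00"))
```

The same address resolves to different MACs at 10:30 and 13:20 in the sample, which is why the complaint's timestamp (and its time zone) has to be part of every lookup.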

