Educause Security Discussion mailing list archives
Re: Retention of NAT translations and Connections
From: John Ladwig <John.Ladwig () SO MNSCU EDU>
Date: Fri, 6 Jan 2012 18:52:44 +0000
I like how University of Iowa's published their guidelines, and they match up well with about a decade and a half of incident-handling work by and around me. Most incidents hit your radar within 30 days, and better than 95% will hit within 180 days. At the moment, I can't recall any time when I've seen a reasonable request for log data that stretched back more than one year. That said, US-DoJ keeps asking for 2 years, and I believe a couple of the EU nations have 2 year retention mandates for ISPs, at least.

-jml

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Jane E Drews
Sent: Friday, January 06, 2012 8:13 AM
To: The EDUCAUSE Security Constituent Group Listserv; John Ladwig
Subject: Re: [SECURITY] Retention of NAT translations and Connections

Andy,

A group of security officers in Iowa developed a guideline a few years ago to assist with log retention decision making for three general categories of logs. We suggest minimum retention of 30 days for NAT logs, with maximum retention of one year. See http://itsecurity.uiowa.edu/bestprac/borlogguide.shtml for the full guideline.

I would echo that keeping logs no longer than for what their intended purpose is, is a best practice.

Jane Drews
University of Iowa

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY@LISTSERV.EDUCAUSE.EDU] On Behalf Of HOGGATT, ANDY F.
Sent: Thursday, January 05, 2012 4:12 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Retention of NAT translations and Connections

Greetings all,

We have been reviewing our current process for logging Internet use of students/faculty/staff. One aspect we've been debating is how long to store the firewall logs for Internet use of our users. This includes building and teardown of connections, as well as NAT translation records.

Our perimeter firewall generates a copious amount of logs per day and we are trying to determine how long "long enough" is. Would anyone be willing to share their input as to how long they store this type of information? Any and all input is greatly appreciated.

Thank You,

Andy Hoggatt
Ozarks Technical Community College
Network Security Systems Administrator
hoggatta () otc edu
417.447.7535