Educause Security Discussion mailing list archives

Re: Retention of NAT translations and Connections


From: "HOGGATT, ANDY F." <hoggatta () OTC EDU>
Date: Tue, 10 Jan 2012 09:58:55 -0600



Thanks to everyone who put their two cents in on log retention.  Your input has been very helpful.

Regards,

Andy

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of John 
Ladwig
Sent: Friday, January 06, 2012 12:53 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Retention of NAT translations and Connections

I like how University of Iowa's published their guidelines, and they match up well with about a decade and a half of 
incident-handling work by and around me.  Most incidents hit your radar within 30 days, and better than 95% will hit 
within 180 days.  At the moment, I can't recall any time when I've seen a reasonable request for log data that 
stretched back more than one year.

That said, US-DoJ keeps asking for 2 years, and I believe a couple of the EU nations have 2 year retention mandates 
for ISPs, at least.

   -jml

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Jane E 
Drews
Sent: Friday, January 06, 2012 8:13 AM
To: The EDUCAUSE Security Constituent Group Listserv; John Ladwig
Subject: Re: [SECURITY] Retention of NAT translations and Connections

Andy,
A group of security officers in Iowa developed a guideline a few years ago to assist with log retention decision making 
for three general categories of logs. We suggest minimum retention of 30 days for NAT logs, with maximum retention of 
one year.  See 
http://itsecurity.uiowa.edu/bestprac/borlogguide.shtml for the 
full guideline.  I would echo that keeping logs no longer than their intended purpose requires is a best practice.

Jane Drews
University of Iowa


From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of HOGGATT, 
ANDY F.
Sent: Thursday, January 05, 2012 4:12 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Retention of NAT translations and Connections

Greetings all,

We have been reviewing our current process for logging Internet use of students/faculty/staff.  One aspect we've been 
debating is how long to store the firewall logs for Internet use of our users.  This includes building and teardown of 
connections, as well as NAT translation records.  Our perimeter firewall generates a copious amount of logs per day and 
we are trying to determine how long "long enough" is.

Would anyone be willing to share their input as to how long they store this type of information?  Any and all input is 
greatly appreciated.

Thank You,

Andy Hoggatt
Ozarks Technical Community College
Network Security Systems Administrator
hoggatta () otc edu<mailto:hoggatta () otc edu>
417.447.7535
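The question of how long to keep NAT translation and connection build/teardown records is easier to reason about once you see what those records are used for. The following is an added example, not part of the thread above and not code from any of the posters or their institutions. It pairs constructed "built"/"teardown" NAT log lines (the line format is an assumption made for this example, not a real vendor's syntax) into translation intervals, then answers the typical abuse-report question: which internal host was behind a given public IP and port at a given time? It also shows why the retention window matters: a query older than the window is reported as unanswerable rather than as "no match", since the absence of a record outside the retained period proves nothing.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample log: syslog-like NAT build/teardown records. The format is
# an assumption made for this example, not any particular vendor's message syntax.
# Note that outside port 40000 is reused by a second internal host a few seconds
# after the first translation is torn down, so the timestamp is essential.
SAMPLE_LOG = """\
2012-01-03T14:02:11Z fw1 NAT built tcp inside:10.20.30.40/51515 outside:203.0.113.5/40000
2012-01-03T14:02:15Z fw1 NAT built tcp inside:10.20.30.41/52020 outside:203.0.113.5/40001
2012-01-03T14:09:58Z fw1 NAT teardown tcp inside:10.20.30.40/51515 outside:203.0.113.5/40000
2012-01-03T14:10:03Z fw1 NAT built tcp inside:10.20.30.42/60100 outside:203.0.113.5/40000
2012-01-03T14:30:00Z fw1 NAT teardown tcp inside:10.20.30.42/60100 outside:203.0.113.5/40000
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ NAT (?P<event>built|teardown) (?P<proto>\w+) "
    r"inside:(?P<iip>[\d.]+)/(?P<iport>\d+) outside:(?P<oip>[\d.]+)/(?P<oport>\d+)$"
)


def parse_ts(s):
    """Parse the ISO-8601 UTC timestamp used in the constructed log lines."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_translations(text):
    """Pair each 'built' record with its matching 'teardown' into an interval.

    Returns a list of tuples
    (start, end, proto, outside_ip, outside_port, inside_ip, inside_port);
    end is None for translations still open when the log ends.
    """
    open_xlates = {}
    intervals = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unrelated log line; ignored
        ts = parse_ts(m["ts"])
        key = (m["proto"], m["oip"], int(m["oport"]))
        inside = (m["iip"], int(m["iport"]))
        if m["event"] == "built":
            open_xlates[key] = (ts, inside)
        elif key in open_xlates:
            start, inside = open_xlates.pop(key)
            intervals.append((start, ts) + key + inside)
    for key, (start, inside) in open_xlates.items():
        intervals.append((start, None) + key + inside)
    return intervals


def attribute(log_text, proto, outside_ip, outside_port, when, now, retention_days=30):
    """Answer: which internal host held outside_ip/outside_port at time `when`?

    `now` is the time the question is asked; if `when` is older than the
    retention window the records are gone and the answer is 'outside-retention',
    not 'not-found'. Times are ISO-8601 UTC strings as in SAMPLE_LOG.
    """
    when_ts = parse_ts(when)
    cutoff = parse_ts(now) - timedelta(days=retention_days)
    if when_ts < cutoff:
        return {"status": "outside-retention", "inside": None}
    for start, end, p, oip, oport, iip, iport in parse_translations(log_text):
        if (p, oip, oport) != (proto, outside_ip, outside_port):
            continue
        if start <= when_ts and (end is None or when_ts < end):
            return {"status": "attributed", "inside": f"{iip}/{iport}"}
    return {"status": "not-found", "inside": None}


if __name__ == "__main__":
    for t in ("2012-01-03T14:05:00Z", "2012-01-03T14:10:00Z", "2012-01-03T14:15:00Z"):
        print(t, attribute(SAMPLE_LOG, "tcp", "203.0.113.5", 40000, t, "2012-01-20T00:00:00Z"))
    # Same question asked after the 30-day window has passed:
    print(attribute(SAMPLE_LOG, "tcp", "203.0.113.5", 40000, "2012-01-03T14:05:00Z", "2012-03-01T00:00:00Z"))
```

The lookup needs the outside port and a precise time, not just the public IP: in the constructed data the same public IP/port is held by two different internal hosts five seconds apart, which is exactly the situation that makes per-translation logging (rather than a summary of who had the public address that day) necessary for attribution.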

