[112653] in North American Network Operators' Group

Re: Dynamic IP log retention = 0?

daemon@ATHENA.MIT.EDU (Mike Lewinski)
Thu Mar 12 12:53:34 2009

Date: Thu, 12 Mar 2009 10:52:48 -0600
From: Mike Lewinski <mike@rockynet.com>
To: nanog@nanog.org
In-Reply-To: <50821.1236875463@turing-police.cc.vt.edu>
Errors-To: nanog-bounces@nanog.org

Valdis.Kletnieks@vt.edu wrote:

> You *do* realize that "has a public address" does not actually mean that
> the machine is reachable from random addresses, right?  There *are* these
> nice utilities called iptables and ipf - even Windows and Macs can be configured
> to say "bugger off" to unwanted traffic.  And you can put a firewall appliance
> inline without using NAT as well.

The other big benefit to using real public IPs is abuse related. There's 
a scenario we encounter on a semi-regular basis where we forward a 
report of an apparently infected host to a customer who responds back: 
"How can I tell which one of our hosts is infected? We've got 200 
workstations inside our NAT and this abuse report only has our single 
public address."

So I recommend a packet sniffer inside their LAN or accounting on their 
firewall. But sometimes the source is a salesperson's laptop, and 
they've gone on a business trip. So no new reports come in and everyone 
decides it must have been a false alarm. Now imagine that salesperson 
only stops back in the office once a month, at random undocumented 
intervals to make backups. How do we ever track him down? The abuse 
report cycle just doesn't turn around fast enough - often we don't even 
get reports for a day or two.

So I find myself advising customers in this situation to give every user 
a public IP. Even if they still do 1:1 NAT, the problem is mostly 
resolved provided they faithfully document MAC addresses and keep DHCP 
logs for a suitable length of time.

Mike
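The kind of lookup Mike describes, as an added example that is not part of the original post: given an abuse report that names a public IP and a time, walk the site's 1:1 NAT table to the private address and then the DHCP lease log to the MAC and hostname that held it at that moment. The NAT table, the lease-log line format (ISO timestamp, event, IP, MAC, hostname) and the 12-hour lease length are all constructed assumptions for this example, not anything from the thread; real dhcpd logs need their own parser. It also shows the failure mode from the post: when the laptop has released its lease and left, the lookup returns nothing rather than a wrong host.

```python
"""Map an abuse report (public IP + timestamp) back to a LAN host.

Constructed example: 1:1 NAT table and lease log are sample data, and the
lease-log format is an assumption, not a real dhcpd format.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple

# Constructed 1:1 NAT mapping: public address -> private address.
NAT_1TO1: Dict[str, str] = {
    "192.0.2.17": "10.0.5.41",
    "192.0.2.18": "10.0.5.42",
}

# Constructed DHCP lease log (assumed format: time, event, IP, MAC, hostname).
DHCP_LOG = """\
2009-03-10T08:02:11Z DHCPACK     10.0.5.41 00:16:3e:aa:bb:01 sales-laptop
2009-03-10T17:30:05Z DHCPRELEASE 10.0.5.41 00:16:3e:aa:bb:01 sales-laptop
2009-03-11T09:15:40Z DHCPACK     10.0.5.41 00:16:3e:cc:dd:02 reception-pc
2009-03-11T09:20:00Z DHCPACK     10.0.5.42 00:16:3e:ee:ff:03 engineering-ws
"""

# Assumed lease length, used when a client never sends a DHCPRELEASE.
LEASE_SECONDS = 12 * 3600


@dataclass
class Lease:
    ip: str
    mac: str
    hostname: str
    start: datetime
    end: datetime


def parse_time(text: str) -> datetime:
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def build_leases(log_text: str, lease_seconds: int = LEASE_SECONDS) -> List[Lease]:
    """Turn ACK/RELEASE events into [start, end) intervals per private IP."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, event, ip, mac, host = line.split()
        events.append((parse_time(ts), event, ip, mac, host))
    events.sort(key=lambda e: e[0])

    lease_len = timedelta(seconds=lease_seconds)
    open_leases: Dict[str, Lease] = {}   # private IP -> lease still in progress
    closed: List[Lease] = []
    for ts, event, ip, mac, host in events:
        cur = open_leases.get(ip)
        if event == "DHCPACK":
            if cur is not None and cur.mac == mac:
                cur.end = ts + lease_len     # renewal by the same client: extend
                continue
            if cur is not None:
                # A different client got the address: the old lease ends here.
                cur.end = min(cur.end, ts)
                closed.append(cur)
            open_leases[ip] = Lease(ip, mac, host, ts, ts + lease_len)
        elif event == "DHCPRELEASE":
            if cur is not None and cur.mac == mac:
                cur.end = ts                 # explicit release: lease ends now
                closed.append(cur)
                del open_leases[ip]
    closed.extend(open_leases.values())
    return closed


def find_host(public_ip: str, report_time: datetime, leases: List[Lease],
              nat: Dict[str, str] = NAT_1TO1) -> Optional[Tuple[str, str, str]]:
    """Return (private_ip, mac, hostname) for the report, or None if unknown."""
    private_ip = nat.get(public_ip)
    if private_ip is None:
        return None
    for lease in leases:
        if lease.ip == private_ip and lease.start <= report_time < lease.end:
            return (private_ip, lease.mac, lease.hostname)
    return None   # no lease covered that time: the host was not on the LAN


if __name__ == "__main__":
    leases = build_leases(DHCP_LOG)
    for when in ("2009-03-10T12:00:00Z", "2009-03-10T20:00:00Z", "2009-03-11T10:00:00Z"):
        print(when, "192.0.2.17 ->", find_host("192.0.2.17", parse_time(when), leases))
```

The answer is only as good as the retention: a report for 10 March that arrives two days later still resolves here because the lease log still covers that day, which is the point of keeping DHCP logs for "a suitable length of time".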


home help back first fref pref prev next nref lref last post