NAT tracking/accountability
daemon@ATHENA.MIT.EDU (Curtis Kline)
Wed Feb 6 19:41:17 2002
content-class: urn:content-classes:message
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 8bit
Message-ID: <EF6375215231544B87FD58A965410B8A96561F@exchange.housing.ucsb.edu>
Date: Wed, 6 Feb 2002 16:31:05 -0800
Reply-To: Resnet Forum <RESNET-L@listserv.nd.edu>
From: Curtis Kline <ckline@HOUSING.UCSB.EDU>
To: RESNET-L@listserv.nd.edu
I've read the archived messages from early in 2001 regarding network address translation (NAT), but I'm looking for a bit more info on just one specific part of that discussion: tracking.
We are considering putting a Microsoft ISA Server in front of our administrative network. Not in front of our students, just our staff. ISA is the successor to MS Proxy Server 2.0 and does network address translation tracking based on source port (I believe). It maps all the internal IP addresses to a single, valid external IP (I am certain about this). Please no general Microsoft-bashing... the ISA was not my choice.
Since some of our administrative computers are in areas that are sometimes accessible to our student residents, I am concerned about being able to respond to DMCA violations, hacking complaints, or other types of network abuse (our staff would never do anything like that, of course!). Right now that would be easy. We get the IP address of the abusive host, and we shut it down. Case closed pending further investigation.
Here's my question:
How would a person go about tracking down a machine that has been creating problems, when the complaint would typically contain only our one external IP address, an application port, and a timestamp?
I've looked at the ISA logs, and they look something like this:
10.10.0.3 2002-02-03 00:26:39 myPC http GET http://www.yahoo.com/r/m1 Inet 200
There could be many, many users hitting yahoo.com at any given time, so how could we possibly differentiate between them? There has been mention of translation logs, but I can't see that ISA has anything like this. If other products do, can someone explain what that log looks like, and how they use it to track down problem users?
No need to warn me against all the other dangers of NAT in general, I am well aware of them. I am just looking for information about tracking down problems right now.
Thanks in advance for any info,
Curtis Kline
______________________________________
Curtis Kline
Residential Network Coordinator
UC Santa Barbara
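As an added illustration of what a per-connection translation log looks like and how it answers the question above (example code, not from the original post and not an ISA Server feature): each line records when a NAT session started and ended, the internal host:port, and the external address:port it was mapped to. The log format, addresses, ports and timestamps below are constructed.

```python
from datetime import datetime, timedelta

# Constructed translation log (hypothetical format). Fields:
# start_date start_time end_date end_time internal ext proto destination
# Note that external port 40001 is reused by a second host after the
# first session closes, which is why the complaint's timestamp matters.
SAMPLE_LOG = """\
2002-02-03 00:26:30 2002-02-03 00:27:10 10.10.0.3:1034 203.0.113.10:40001 tcp 198.51.100.20:80
2002-02-03 00:26:35 2002-02-03 00:29:02 10.10.0.7:1550 203.0.113.10:40002 tcp 198.51.100.20:80
2002-02-03 00:27:20 2002-02-03 00:28:00 10.10.0.9:3301 203.0.113.10:40001 tcp 192.0.2.5:6699
"""

def parse_log(text):
    """Parse the constructed translation-log lines into session records."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        f = line.split()
        entries.append({
            "start": datetime.strptime(f[0] + " " + f[1], "%Y-%m-%d %H:%M:%S"),
            "end": datetime.strptime(f[2] + " " + f[3], "%Y-%m-%d %H:%M:%S"),
            "internal": f[4], "external": f[5], "proto": f[6], "dest": f[7],
        })
    return entries

def resolve(entries, ext_ip, ext_port, when, skew=timedelta(0)):
    """Return the internal host:port sessions that owned ext_ip:ext_port at `when`.

    A complaint normally gives only the external IP, a port and a timestamp.
    `skew` widens the window to absorb clock differences between the
    complainant and the NAT box. More than one hit means the complaint is
    ambiguous and the destination or protocol is needed to narrow it.
    """
    target = f"{ext_ip}:{ext_port}"
    return [e["internal"] for e in entries
            if e["external"] == target
            and e["start"] - skew <= when <= e["end"] + skew]

if __name__ == "__main__":
    log = parse_log(SAMPLE_LOG)
    complaint_time = datetime(2002, 2, 3, 0, 27, 30)
    print(resolve(log, "203.0.113.10", 40001, complaint_time))
```

Without the start/end times and the mapped external port, the same query against the proxy-style line in the post would only tell you that someone on 10.10.0.3 fetched a page, not which internal host owned the reported external port at the reported time.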