Re: Accountability with NAT

  • From: "Curtis Kline" <ckline@xxxxxxxxxxxxxxxx>
  • To: isalist@xxxxxxxxxxxxx
  • Date: Wed, 6 Feb 2002 12:22:15 -0700

Jim,

Thanks for the good advice. I tend to agree with your statement that using
NAT is more secure. However, I am not so much in agreement that
accountability becomes even stronger.  Let me pose this scenario:

Our university Chancellor receives a threatening email through a Yahoo (or
other free provider) account. The Provider provides our Network Security
folks with a log containing the originating IP of the email, and Network
Security calls us to track down who sent the email.

Now we have an IP, an application port (in this case 80), and a timestamp.
We go to the ISA Server logs, and we see this line that I have mocked up
and edited for brevity:

10.10.0.3 2002-02-03 00:26:39 myPC http GET http://www.yahoo.com/r/m1 Inet 200


The only problem is that with our 250 users behind the ISA Server, we also
see about 30 other users who were in Yahoo Mail at the same time. I'm not
quite sure how we use this information to nail the offender. You say that
ISA logs every packet, but it is my impression that it only logs the above
information for each packet. It does not log packet contents, right? That
would be a bit unwieldy.

If we were using public IP space that wasn't translated, like we are
today, then the info we got from Yahoo would include the originating IP
address, which would not be the external address of our ISA Server but the
actual user's IP address.

I guess I am going over the fundamental argument between NAT and public IP
space. My impression is that using NAT provides generally more security,
but less accountability.  And that the ISA Server _requires_ that you use
NAT.

Checkpoint FW-1, on the other hand, is just a stateful packet-filtering
router. It can't do the Proxy Server application-level stuff as well as
ISA, but it is more flexible in that it allows you to turn off NAT
altogether if you want to.


Am I missing anything here?  

Thanks!
Curtis



> NAT shouldn't affect accountability if you're auditing the logs properly.
> ISA logs every packet that it sees, so accountability becomes even stronger.
> Better that you use private IPs through NAT for two reasons:
>     1. no one can directly access your internal network from the Internet as
> it's not routable.
>     2. no one in the LAN can communicate with the Internet without NAT for
> the same reason
> ..no; you can't place ISA between your LAN and the Internet without using
> NAT.
> Even if you use public IPs internally, ISA will still translate between
> them.
> 
> Jim Harrison
> MCP(NT4, W2K), A+, Network+, PCG
> http://isaserver.org/authors/harrison/
> Read the books!
> 
> ----- Original Message -----
> From: "Curtis Kline" <ckline@xxxxxxxxxxxxxxxx>
> To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
> Sent: Wednesday, February 06, 2002 10:33
> Subject: [isalist] Accountability with NAT
> 
> 
> http://www.ISAserver.org
> 
> 
> Here's my implementation scenario:
> 
> In our higher education environment, network traffic accountability is
> important. We currently do not use Network Address Translation (NAT) for
> that reason... If someone is bad on someone's computer, we can determine
> quickly and easily (by IP address) whose computer it was and shut it down.
> 
> SO, I have two questions:
> 
> 1. Can we run ISA without NAT, and use public IP space inside (the
> internal public space would obviously be in the LAT.) ? If so, then we
> maintain accountability as we do today.
> 
> 2. If we have to use NAT, and someone is bad, how do we match up some
> network traffic out on the Internet that appears to be coming from our
> ISA's external IP with an internal machine? Is there some kind of
> translation log that will help us with this?
> 
> Let me know if these questions aren't clear... I'd be happy to clarify.
> 
> 
> Thanks in advance for any help!
> 
> Curtis Kline
> UC Santa Barbara
> 
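The attribution problem Curtis describes, as an added example that is not part of this thread: a small Python correlation over constructed log lines. The proxy lines imitate the layout of the mocked-up ISA line above but are invented; the NAT translation records, their outside-port column and the REPORT_TIME value are assumptions about what a translation log could carry, not a documented ISA feature. It shows why the proxy log alone yields several candidates, while a record of the translated source port, if the mail provider logged the source port as well, narrows the match to one internal host.

```python
from datetime import datetime, timedelta

# Constructed proxy lines in the layout of the mocked-up ISA line in the thread:
# client-ip date time client-name protocol method url destination status
PROXY_LOG = """\
10.10.0.3 2002-02-03 00:26:39 myPC http GET http://www.yahoo.com/r/m1 Inet 200
10.10.0.17 2002-02-03 00:26:40 labPC http GET http://mail.yahoo.com/ym/Compose Inet 200
10.10.0.9 2002-02-03 00:26:41 deskPC http GET http://mail.yahoo.com/ym/ShowFolder Inet 200
10.10.0.3 2002-02-03 00:26:42 myPC http POST http://mail.yahoo.com/ym/Compose Inet 200
10.10.0.55 2002-02-03 00:31:10 otherPC http GET http://www.google.com/ Inet 200
"""

# Constructed NAT translation records (assumed layout, not an ISA log format):
# date time inside-ip inside-port outside-port
NAT_LOG = """\
2002-02-03 00:26:39 10.10.0.3 1045 61001
2002-02-03 00:26:40 10.10.0.17 1302 61002
2002-02-03 00:26:41 10.10.0.9 3011 61003
2002-02-03 00:26:42 10.10.0.3 1046 61004
"""
REPORT_TIME = datetime(2002, 2, 3, 0, 26, 40)  # timestamp in the (constructed) provider report

def in_window(ts, reported_at, window_s):
    """True when ts lies within +/- window_s of the provider's timestamp
    (the slack covers clock skew between the provider and the gateway)."""
    return abs((ts - reported_at).total_seconds()) <= window_s

def proxy_candidates(log, reported_at, window_s, url_substr):
    """Internal clients that fetched a matching URL near the reported time.
    The proxy log holds no request body, so every match is only a candidate."""
    hits = set()
    for line in log.splitlines():
        client, date, time, _name, _proto, _method, url, _dest, _status = line.split()
        ts = datetime.fromisoformat(f"{date} {time}")
        if in_window(ts, reported_at, window_s) and url_substr in url:
            hits.add(client)
    return sorted(hits)

def nat_match(log, reported_at, window_s, outside_port):
    """Inside addresses mapped to the given translated source port near the
    reported time; unique when the provider recorded the source port too."""
    hits = set()
    for line in log.splitlines():
        date, time, inside_ip, _inside_port, out_port = line.split()
        ts = datetime.fromisoformat(f"{date} {time}")
        if in_window(ts, reported_at, window_s) and int(out_port) == outside_port:
            hits.add(inside_ip)
    return sorted(hits)
```

With the sample data, `proxy_candidates(PROXY_LOG, REPORT_TIME, 5, "yahoo.com")` returns three internal addresses, whereas `nat_match(NAT_LOG, REPORT_TIME, 5, 61002)` returns exactly one; the port and a synchronised clock are what make the translation log usable as an accountability record.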
