Re: Accountability with NAT

  • From: "Jim Harrison" <jim@xxxxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Wed, 6 Feb 2002 14:31:14 -0800

OK, for the sake of argument, let's say that Joe Schmuckatelli does send a
threatening email to the Chancellor.
The timestamp of the mail and the Yahoo logs can be compared to the ISA
traffic logs to say who made what connection to yahoo at what time and what
pages and the dynamic data that was passed to the "send it" forms Yahoo
provides.  If you have user authentication in effect, you not only know the
originating IP, you also know the user account that was used.  This is
something the FW-1 can't do: associate an event with a person's account.
As far as packet contents, yes; ISA can log that, but as you stated, that
would require an incredible amount of storage and FW-1 isn't doing that
either, anyway.
You haven't stated what you use other than an IP to nab the offender.  An IP
only identifies the machine, not the person and unless you're
statically-assigning IPs (and the users can't change them), this is
questionable as evidence.
With ISA forcing user auth for outside access, you have one more nail on
Joe's coffin; either he was the culprit, or worse yet, he allowed someone to
use his credentials to send the mail.  Either way, he's violated the College
Internet usage policy.  Now you have two folks to look into (and maybe drop
into the waiting arms of the cold, cruel world) and the ISA logging made it
all possible.

<thank you, thank you; no applause, just throw money>

Jim Harrison
MCP(NT4, W2K), A+, Network+, PCG
http://isaserver.org/authors/harrison/
Read the books!
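
One way to carry out the correlation Jim describes, written as an added example for this thread and not code from ISA Server, from the list, or from either poster. The field layout is an assumption modeled on the log line Curtis mocks up in his message (client IP, date, time, client name, protocol, method, URL, destination, status), extended by an optional trailing user field for the case where outbound access requires authentication; the sample log lines, timestamps, hostnames and account names are all constructed. It shows what the thread argues in prose: the provider's timestamp plus the destination gives a list of machines, the method that submits the "send it" form narrows it, and the user column is what turns a machine into an account.

```python
# Added example (not from the thread or from ISA Server): correlate an external
# report (destination + timestamp) against proxy access-log lines to build a
# candidate list, and show how an authenticated-user column narrows it.
# ASSUMED field layout, modeled on the mocked-up line in the thread:
#   client_ip date time client_name proto method url dest status [user]
# Real ISA Server W3C logs carry more fields, so a production parser should
# read the "#Fields:" header rather than hard-code positions as this one does.
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional
from urllib.parse import urlparse


@dataclass
class ProxyEntry:
    client_ip: str
    when: datetime
    client_name: str
    method: str
    url: str
    status: int
    user: Optional[str]  # populated only when the proxy enforces user auth


def parse_line(line: str) -> Optional[ProxyEntry]:
    """Parse one whitespace-separated access-log line; skip blanks and '#' headers."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    parts = line.split()
    if len(parts) < 9:
        raise ValueError(f"unexpected log line: {line!r}")
    when = datetime.strptime(f"{parts[1]} {parts[2]}", "%Y-%m-%d %H:%M:%S")
    user = parts[9] if len(parts) > 9 and parts[9] != "-" else None
    return ProxyEntry(parts[0], when, parts[3], parts[5], parts[6], int(parts[8]), user)


def candidates(entries: List[ProxyEntry], dest_host: str, at: datetime,
               window: timedelta, method: Optional[str] = None) -> List[ProxyEntry]:
    """Entries to dest_host (or a subdomain of it) within +/- window of `at`,
    optionally restricted to one HTTP method (e.g. the POST that submits a form)."""
    lo, hi = at - window, at + window
    hits = []
    for e in entries:
        host = urlparse(e.url).hostname or ""
        if host != dest_host and not host.endswith("." + dest_host):
            continue
        if not (lo <= e.when <= hi):
            continue
        if method and e.method != method.upper():
            continue
        hits.append(e)
    return hits


def triage(log_text: str, dest_host: str, at: datetime, window: timedelta,
           method: Optional[str] = None) -> Dict[str, List[str]]:
    """Distinct client IPs (machines) and, where logged, accounts (people)."""
    entries = [e for e in map(parse_line, log_text.splitlines()) if e]
    hits = candidates(entries, dest_host, at, window, method)
    return {
        "ips": sorted({e.client_ip for e in hits}),
        "users": sorted({e.user for e in hits if e.user}),
    }


# Constructed sample data (not real logs): the same traffic once without and once
# with the user column that appears when outbound access requires authentication.
LOG_NO_AUTH = """\
#Fields: c-ip date time c-name proto cs-method cs-uri dest sc-status
10.10.0.3 2002-02-03 00:26:39 myPC http GET http://www.yahoo.com/r/m1 Inet 200
10.10.0.7 2002-02-03 00:26:41 labPC2 http POST http://mail.yahoo.com/ym/Compose Inet 200
10.10.0.12 2002-02-03 00:27:05 dormPC http GET http://mail.yahoo.com/ym/ShowFolder Inet 200
10.10.0.20 2002-02-03 00:27:10 libPC http GET http://www.google.com/search Inet 200
10.10.0.3 2002-02-03 01:15:00 myPC http GET http://www.yahoo.com/ Inet 200
"""
LOG_WITH_AUTH = """\
10.10.0.3 2002-02-03 00:26:39 myPC http GET http://www.yahoo.com/r/m1 Inet 200 alice
10.10.0.7 2002-02-03 00:26:41 labPC2 http POST http://mail.yahoo.com/ym/Compose Inet 200 bob
10.10.0.12 2002-02-03 00:27:05 dormPC http GET http://mail.yahoo.com/ym/ShowFolder Inet 200 carol
10.10.0.20 2002-02-03 00:27:10 libPC http GET http://www.google.com/search Inet 200 dave
10.10.0.3 2002-02-03 01:15:00 myPC http GET http://www.yahoo.com/ Inet 200 alice
"""

# Constructed report: the provider says the message left at 00:26:50 from the
# firewall's external address, which by itself identifies no internal host.
REPORTED_SEND_TIME = datetime(2002, 2, 3, 0, 26, 50)
SEARCH_WINDOW = timedelta(minutes=1)

if __name__ == "__main__":
    print(triage(LOG_NO_AUTH, "yahoo.com", REPORTED_SEND_TIME, SEARCH_WINDOW))
    print(triage(LOG_NO_AUTH, "yahoo.com", REPORTED_SEND_TIME, SEARCH_WINDOW, method="POST"))
    print(triage(LOG_WITH_AUTH, "yahoo.com", REPORTED_SEND_TIME, SEARCH_WINDOW, method="POST"))
```

The window has to absorb the clock difference between the provider's mail servers and the proxy, so before trusting a narrow match, establish how far the proxy clock was from a reliable time source on the day in question and widen the window accordingly; a list of three machines with one POST to the compose form is a lead for the investigators, and the user column is what makes it a lead about a person rather than a desk.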

----- Original Message -----
From: "Curtis Kline" <ckline@xxxxxxxxxxxxxxxx>
To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
Sent: Wednesday, February 06, 2002 11:22
Subject: [isalist] Re: Accountability with NAT


http://www.ISAserver.org


Jim,

Thanks for the good advice. I tend to agree with your statement that using
NAT is more secure. However, I am not so much in agreement that
accountability becomes even stronger.  Let me pose this scenario:

Our university Chancellor receives a threatening email through a Yahoo (or
other free provider) account. The Provider provides our Network Security
folks with a log containing the originating IP of the email, and Network
Security calls us to track down who sent the email.

Now we have an IP, an application port (in this case 80), and a timestamp.
We go to the ISA Server logs, and we see this line that I have mocked up
and edited for brevity:

10.10.0.3 2002-02-03 00:26:39 myPC http GET http://www.yahoo.com/r/m1 Inet 200


The only problem is that with our 250 users behind the ISA Server, we also
see about 30 other users who were in Yahoo Mail at the same time. I'm not
quite sure how we use this information to nail the offender. You say that
ISA logs every packet, but it is my impression that it only logs the above
information for each packet. It does not log packet contents, right? That
would be a bit unwieldy.

If we were using public IP space that wasn't translated, like we are
today, then the info we got from Yahoo would include the originating IP
address, which would not be the external address of our ISA Server but the
actual user's IP address.

I guess I am going over the fundamental argument between NAT and public IP
space. My impression is that using NAT provides generally more security,
but less accountability.  And that the ISA Server _requires_ that you use
NAT.

Checkpoint FW-1, on the other hand, is just a stateful packet-filtering
router. It can't do the Proxy Server application-level stuff as well as
ISA, but it is more flexible in that it allows you to turn off NAT
altogether if you want to.


Am I missing anything here?

Thanks!
Curtis



> NAT shouldn't affect accountability if you're auditing the logs properly.
> ISA logs every packet that it sees, so accountability becomes even
> stronger.
> Better that you use private IPs through NAT for two reasons:
>     1. no one can directly access your internal network from the Internet
> as
> it's not routable.
>     2. no one in the LAN can communicate with the Internet without NAT for
> the same reason
> ..no; you can't place ISA between your LAN and the Internet without using
> NAT.
> Even if you use public IPs internally, ISA will still translate between
> them.
>
> Jim Harrison
> MCP(NT4, W2K), A+, Network+, PCG
> http://isaserver.org/authors/harrison/
> Read the books!
>
> ----- Original Message -----
> From: "Curtis Kline" <ckline@xxxxxxxxxxxxxxxx>
> To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
> Sent: Wednesday, February 06, 2002 10:33
> Subject: [isalist] Accountability with NAT
>
>
>
>
> Here's my implementation scenario:
>
> In our higher education environment, network traffic accountability is
> important. We currently do not use Network Address Translation (NAT) for
> that reason... If someone is bad on someone's computer, we can determine
> quickly and easily (by IP address) whose computer it was and shut it down.
>
> SO, I have two questions:
>
> 1. Can we run ISA without NAT, and use public IP space inside (the
> internal public space would obviously be in the LAT)? If so, then we
> maintain accountability as we do today.
>
> 2. If we have to use NAT, and someone is bad, how do we match up some
> network traffic out on the Internet that appears to be coming from our
> ISA's external IP with an internal machine? Is there some kind of
> translation log that will help us with this?
>
> Let me know if these questions aren't clear.. I'd be happy to clarify.
>
>
> Thanks in advance for any help!
>
> Curtis Kline
> UC Santa Barbara
>
> ------------------------------------------------------
> You are currently subscribed to this ISAserver.org Discussion List as:
> jim@xxxxxxxxxxxx
> To unsubscribe send a blank email to $subst('Email.Unsub')
