Re: Accountability with NAT

  • From: "Jim Harrison" <jim@xxxxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Wed, 6 Feb 2002 11:11:14 -0800

NAT shouldn't affect accountability if you're auditing the logs properly.
ISA logs every packet that it sees, so accountability becomes even stronger.
Better that you use private IPs through NAT for two reasons:
    1. No one can directly access your internal network from the Internet, as
       it's not routable.
    2. No one in the LAN can communicate with the Internet without NAT, for
       the same reason.
...no; you can't place ISA between your LAN and the Internet without using
NAT.
Even if you use public IPs internally, ISA will still translate between them.

Jim Harrison
MCP(NT4, W2K), A+, Network+, PCG
http://isaserver.org/authors/harrison/
Read the books!

----- Original Message -----
From: "Curtis Kline" <ckline@xxxxxxxxxxxxxxxx>
To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
Sent: Wednesday, February 06, 2002 10:33
Subject: [isalist] Accountability with NAT


Here's my implementation scenario:

In our higher education environment, network traffic accountability is
important. We currently do not use Network Address Translation (NAT) for
that reason... If someone is bad on someone's computer, we can determine
quickly and easily (by IP address) whose computer it was and shut it down.

So, I have two questions:

1. Can we run ISA without NAT, and use public IP space inside (the
internal public space would obviously be in the LAT)? If so, then we
maintain accountability as we do today.

2. If we have to use NAT, and someone is bad, how do we match up some
network traffic out on the Internet that appears to be coming from our
ISA's external IP with an internal machine? Is there some kind of
translation log that will help us with this?

Let me know if these questions aren't clear. I'd be happy to clarify.


Thanks in advance for any help!

Curtis Kline
UC Santa Barbara
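
Added example (not part of the original thread, and not ISA Server's own tooling): one way to answer question 2 from the firewall logs, by matching an outside complaint (time, remote IP, remote port) against log records to recover the internal client address. It assumes the logs are kept in W3C extended format with a "#Fields:" header; the field names and the log lines below are constructed for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample in W3C extended log format (not taken from a real server).
# Field names are assumptions; use the ones in your own "#Fields:" header.
SAMPLE_LOG = """\
#Software: constructed sample
#Fields: date time c-ip cs-username r-ip r-port
2002-02-06 18:31:02 10.1.4.23 alice 198.51.100.7 80
2002-02-06 18:33:40 10.1.9.88 - 203.0.113.50 6667
2002-02-06 18:33:58 10.1.4.23 alice 203.0.113.50 80
2002-02-06 18:34:05 10.1.7.12 bob 203.0.113.50 6667
#Fields: date time c-ip r-ip r-port
2002-02-06 19:02:11 10.1.9.88 203.0.113.50 6667
"""

def parse_w3c(text):
    """Yield one dict per record, honouring every #Fields directive."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]          # the layout may change mid-file
        elif line and not line.startswith("#") and fields:
            values = line.split("\t") if "\t" in line else line.split()
            if len(values) == len(fields):     # skip truncated records
                yield dict(zip(fields, values))

def internal_sources(text, seen_at, dest_ip, dest_port, skew_seconds=60):
    """Return sorted (time, client IP, user) for sessions matching a report.

    seen_at must be in the same time zone as the log; skew_seconds allows
    for clock drift between the reporter and the firewall.
    """
    skew = timedelta(seconds=skew_seconds)
    hits = []
    for rec in parse_w3c(text):
        when = datetime.strptime(rec["date"] + " " + rec["time"], "%Y-%m-%d %H:%M:%S")
        if (abs(when - seen_at) <= skew and rec.get("r-ip") == dest_ip
                and rec.get("r-port") == str(dest_port)):
            hits.append((when, rec["c-ip"], rec.get("cs-username", "-")))
    return sorted(hits)

if __name__ == "__main__":
    # Constructed complaint: remote host saw our external IP at 18:34:00, port 6667.
    report_time = datetime(2002, 2, 6, 18, 34, 0)
    for when, client, user in internal_sources(SAMPLE_LOG, report_time, "203.0.113.50", 6667):
        print(when, client, user)
```

With the default 60-second window the sample returns two candidate hosts, which is the usual situation behind NAT; tightening skew_seconds once the clocks are known to agree narrows it to one.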
