Dynamic IP log retention = 0?
Mike Lewinski
mike at rockynet.com
Thu Mar 12 16:52:48 UTC 2009
Valdis.Kletnieks at vt.edu wrote:
> You *do* realize that "has a public address" does not actually mean that
> the machine is reachable from random addresses, right? There *are* these
> nice utilities called iptables and ipf - even Windows and Macs can be configured
> to say "bugger off" to unwanted traffic. And you can put a firewall appliance
> inline without using NAT as well.
The other big benefit to using real public IPs is abuse-related. There's
a scenario we encounter on a semi-regular basis where we forward a
report of an apparently infected host to a customer who responds back:
"How can I tell which one of our hosts is infected? We've got 200
workstations inside our NAT and this abuse report only has our single
public address."
So I recommend a packet sniffer inside their LAN or accounting on their
firewall. But sometimes the source is a salesperson's laptop, and
they've gone on a business trip. So no new reports come in and everyone
decides it must have been a false alarm. Now imagine that salesperson
only stops back in the office once a month, at random undocumented
intervals to make backups. How do we ever track him down? The abuse
report cycle just doesn't turn around fast enough - often we don't even
get reports for a day or two.
So I find myself advising customers in this situation to give every user
a public IP. Even if they still do 1:1 NAT, the problem is mostly
resolved provided they faithfully document MAC addresses and keep DHCP
logs for a suitable length of time.
Mike
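The attribution chain Mike describes (abuse report naming a public address and a time, walked back through a 1:1 NAT table to a private address, through DHCP logs to a MAC, and through a MAC inventory to a documented host) as an added example. This is not code from the post or its author; the NAT table, MAC inventory and DHCP log lines are constructed for the example, the log lines are only modelled on ISC dhcpd DHCPACK syslog output, and the eight-hour lease time is an assumption because the ACK line does not carry it. The point of the example is that each place the chain can break (no NAT entry, no lease covering the reported time, undocumented MAC) is reported explicitly instead of being read as a false alarm.

```python
"""Walk an abuse report back to a documented host via 1:1 NAT, DHCP and a MAC inventory.

Added example, not code from the NANOG post. All data here is constructed.
"""
import re
from datetime import datetime, timedelta
from typing import Optional

# Constructed 1:1 NAT table (public -> private); in practice taken from the firewall config.
NAT_TABLE = {
    "203.0.113.10": "10.0.0.10",
    "203.0.113.11": "10.0.0.11",
}

# Constructed MAC inventory: the "faithfully documented MAC addresses" from the post.
MAC_INVENTORY = {
    "00:11:22:33:44:55": "sales-laptop-07 (J. Doe, travelling sales)",
    "00:11:22:33:44:66": "desktop-accounting-02",
}

# Assumed lease time: ISC dhcpd does not log it on the ACK line, so use your server's setting.
LEASE_TIME = timedelta(hours=8)

# Constructed DHCP server log, modelled on ISC dhcpd DHCPACK syslog lines.
DHCP_LOG = """\
Mar 12 08:01:10 dhcp dhcpd: DHCPACK on 10.0.0.11 to 00:11:22:33:44:66 (desktop-accounting-02) via eth0
Mar 12 09:15:42 dhcp dhcpd: DHCPACK on 10.0.0.10 to 00:11:22:33:44:55 (sales-laptop-07) via eth0
Mar 12 18:30:05 dhcp dhcpd: DHCPACK on 10.0.0.10 to 00:11:22:33:44:66 (desktop-accounting-02) via eth0
"""

ACK_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ dhcpd: DHCPACK on "
    r"(?P<ip>\d+\.\d+\.\d+\.\d+) to (?P<mac>[0-9a-fA-F:]{17})"
)


def parse_dhcp_log(text: str, year: int) -> list:
    """Return (ack_time, ip, mac) tuples. Syslog lines carry no year, so it is supplied."""
    leases = []
    for line in text.splitlines():
        m = ACK_RE.match(line)
        if not m:
            continue  # DISCOVER/OFFER/REQUEST and unrelated lines are ignored
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        leases.append((ts, m["ip"], m["mac"].lower()))
    return leases


def mac_for_ip_at(leases: list, ip: str, when: datetime) -> Optional[str]:
    """MAC holding `ip` at `when`: the latest ACK for that IP at or before `when`
    whose lease had not yet expired. None when no lease covers that moment."""
    candidates = [(t, mac) for t, lip, mac in leases if lip == ip and t <= when]
    if not candidates:
        return None
    ack_time, mac = max(candidates)
    if when >= ack_time + LEASE_TIME:
        return None  # lease ran out before the reported time (host may have left the LAN)
    return mac


def attribute_report(public_ip: str, when_iso: str, leases: list) -> dict:
    """Resolve an abuse report (public IP, ISO-8601 timestamp) to a documented host,
    naming the exact link that failed when the chain cannot be completed."""
    when = datetime.fromisoformat(when_iso)
    result = {"public_ip": public_ip, "when": when_iso, "private_ip": None, "mac": None, "host": None}
    private_ip = NAT_TABLE.get(public_ip)
    if private_ip is None:
        result["status"] = "no 1:1 NAT entry for public address"
        return result
    result["private_ip"] = private_ip
    mac = mac_for_ip_at(leases, private_ip, when)
    if mac is None:
        result["status"] = "no DHCP lease covered that time (retention gap or host offline)"
        return result
    result["mac"] = mac
    result["host"] = MAC_INVENTORY.get(mac)
    result["status"] = "attributed" if result["host"] else "MAC not in inventory"
    return result


if __name__ == "__main__":
    leases = parse_dhcp_log(DHCP_LOG, year=2009)
    for stamp in ("2009-03-12T14:00:00", "2009-03-12T17:30:00", "2009-03-12T19:00:00"):
        print(attribute_report("203.0.113.10", stamp, leases))
```

Running it shows the three outcomes a helpdesk actually sees: the 14:00 report lands on the sales laptop, the 19:00 report on the accounting desktop that later took the same address, and the 17:30 report falls in a gap where no lease covered the address, which is the case to chase rather than dismiss.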