Dynamic IP log retention = 0?

Mike Lewinski mike at rockynet.com
Thu Mar 12 16:52:48 UTC 2009


Valdis.Kletnieks at vt.edu wrote:

> You *do* realize that "has a public address" does not actually mean that
> the machine is reachable from random addresses, right?  There *are* these
> nice utilities called iptables and ipf - even Windows and Macs can be configured
> to say "bugger off" to unwanted traffic.  And you can put a firewall appliance
> inline without using NAT as well.

The other big benefit to using real public IPs is abuse related. There's 
a scenario we encounter on a semi-regular basis where we forward a 
report of an apparently infected host to a customer who responds back: 
"How can I tell which one of our hosts is infected? We've got 200 
workstations inside our NAT and this abuse report only has our single 
public address."

So I recommend a packet sniffer inside their LAN or accounting on their 
firewall. But sometimes the source is a salesperson's laptop, and 
they've gone on a business trip. So no new reports come in and everyone 
decides it must have been a false alarm. Now imagine that salesperson 
only stops back in the office once a month, at random undocumented 
intervals to make backups. How do we ever track him down? The abuse 
report cycle just doesn't turn around fast enough - often we don't even 
get reports for a day or two.

So I find myself advising customers in this situation to give every user 
a public IP. Even if they still do 1:1 NAT, the problem is mostly 
resolved provided they faithfully document MAC addresses and keep DHCP 
logs for a suitable length of time.

Mike




More information about the NANOG mailing list