Argus on multiple interfaces with NAT
Peter Van Epp
vanepp at sfu.ca
Wed Mar 20 11:38:04 EST 2002
This is what the Vernier does too. An incoming IP/source
gets mapped to an output IP (the Vernier box's) and unique source port. It
then syslogs the result (although we are mostly DHCP with valid addresses
behind the vernier so it is only "odd" addresses that get nated which is why
I had to go back a ways to get an example):
Mar 10 20:14:20 auth1.sfu.ca 69106194 79 00:00:21:2c:f7:b6 tcp 192.168.2.40:1677 63.236.54.31:80 142.58.51.253:1677 63.236.54.31:80 1979 2532 xxxx
This is telling me that user "xxxx" (blanked) using source IP
192.168.2.40 and source port 1677 connected to 63.236.54.32 port 80 and on
the Internet side was sourced from 142.58.51.253 port 1677 (the vernier box's
IP and a unique source port). I'd expect most NAT implementations to be able
to syslog this information (whether you can support the syslog data stream
may be another matter, but disk is cheap these days :-)) for security reasons.
I'd be tempted to explore the NAT box's logging capabilities (as much as I
like argus of course :-) before turning to argus just because it would be
less work if the logging can be done.
Peter Van Epp / Operations and Technical Support
Simon Fraser University, Burnaby, B.C. Canada
>
> Hi Peter,
>
> > On my equivelent (a Vernier box for wireless authentication) I use
> > argus on the output (routable) side and the NAT logs (which associate
> > routable IP / source port with NATed machine behind the box) to solve this
> > problem. If your firewall has such logs (which I would assume it
> > does) they are your best bet.
>
> I wish it was so easy. Our firewall does overloaded (many-to-one) SNAT
> (whereby the source IP / port are rewritten for outgoing packets) and DNAT
> (whereby the destination IP / port are rewritten for incoming packets).
> Essentially, hundreds of hosts share one routeable IP. The firewall stores
> only a transient NAT table; when a connection is closed, the external IP /
> port are freed for another host to use, and the record of the internal host
> to external ip / port mapping is lost. Our network is heavily used, so
> keeping these logs (if it was possible at all) would be a big deal.
>
> Essentially, argus _is_ the tool we use to log NATed connections - I'm just
> trying to tweak it so it shows pre-NATed header information most of the
> time.
>
> Thanks for your suggestion,
>
> Christian
>
> --
> Christian Martin
> IT Department
> Jesus College, Cambridge
> e-mail: c.martin at jesus.cam.ac.uk
> telephone: 01223-(7)64101
>
>
More information about the argus
mailing list