AirWave and Network Management

New Contributor
Posts: 3
Registered: 03-17-2011

Identifying users post src-nat

We periodically receive copyright notifications from the RIAA/MPAA about students on our network bittorrenting illegal stuff. We have our controller set up to src-nat user traffic (via Configuration->IP->Edit the VLAN->Enable source NAT for this VLAN, *not* via a firewall rule). When we get the notice it gives us the src-natted IP/port (i.e., the controller's IP address). Example:

Evidentiary Information:
> Notice ID: abignumber
> Asset: GLEE
> Protocol: BitTorrent
> IP Address: xx.xx.xx.xx
> DNS: aruba-master.domain.com
> Port ID: 3382
> File Name: Glee.S02E02.HDTV.XviD-LOL.avi
> File Size: 366752408
> Timestamp: 2010-11-01 01:14:45.560 GMT
> Last Seen Date: 2010-11-01 01:14:45.560 GMT

where xx.xx.xx.xx is the public IP of aruba-master.domain.com. What we need to be able to do is correlate that natted IP/port to the original user that committed the offense. Does anyone know how to do that? Complicating the issue is that we often receive the notice several days after the actual offense. We have AirWave setup and running if that helps anything.

Thanks for the help.
Aruba
Posts: 349
Registered: 04-14-2009

Re: Identifying users post src-nat

There's no way to tell today who the user was.
Guru Elite
Posts: 20,811
Registered: 03-29-2007

Re: Identifying users post src-nat

If, instead of the "ip nat inside" method of NATting users, you make a firewall policy that NATs user traffic to a pool and logs it, we log the NAT like this:



If you send these logs to a syslog server, it is indeed searchable. You can search the logs for that destination IP address (in this case 209.85.133.190) and it will reveal the time and IP address of the user. You can search AirWave for the IP address and it will tell you which user had the IP address at the time. Cumbersome, possibly, but hopefully you do not have to do it often.


Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

New Contributor
Posts: 3
Registered: 03-17-2011

Re: Identifying users post src-nat

The problem is we don't get a dest-ip with the notice (I assume they want to keep the IPs they use at least somewhat secret). The only usable thing to search for would be the src-port, since NAT will (if at all possible) not change it. The problem is, sometimes that src-port will change if there would otherwise be a conflict, making the process cumbersome and unreliable. Another issue is that the timestamp in syslog would be from the initial connection, while the timestamp in the notice would be from sometime during the transaction. We would need to search for the most recent occurrence of the src-port before the timestamp in the notice (again, doable but cumbersome and hardly reliable).

Maybe a better way to solve this is to block bittorrent as best we can. Anyone have a suggestion on how to do that? In the past when I've tried the clients just start using SSL on port 443 and then I can't do anything about it. Ideas?
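A worked version of the correlation discussed in the two posts above (search the NAT log for the notice's port, take the most recent hit at or before the notice timestamp, then look up who held that inner address at that moment), added here as an example; it is not code from the original posts or from Aruba. Only the `action=src-nat 192.168.254.16/54569` token comes from the thread. The leading timestamp and field layout of the log lines, the AirWave-style user-to-address history, the user names and the six-hour look-back window are assumptions, and all sample data is constructed.

```python
import re
from datetime import datetime, timedelta

# Constructed sample NAT log. Only the "action=src-nat <inner-ip>/<port>"
# token is taken from the thread; the leading timestamp and the exact
# field layout are assumptions for this example.
NAT_LOG = """\
2010-11-01 00:58:12 action=src-nat 192.168.254.16/3382
2010-11-01 01:02:41 action=src-nat 192.168.254.77/3382
2010-11-01 01:05:30 action=src-nat 192.168.254.40/51200
2010-11-01 01:20:05 action=src-nat 192.168.254.16/3382
"""

# Constructed user-to-address history of the kind AirWave keeps:
# (user, inner IP, first seen, last seen). Hypothetical names and times.
ASSOCIATIONS = [
    ("alice", "192.168.254.16", "2010-11-01 00:30:00", "2010-11-01 02:00:00"),
    ("bob",   "192.168.254.77", "2010-11-01 00:45:00", "2010-11-01 01:30:00"),
    ("carol", "192.168.254.40", "2010-11-01 00:00:00", "2010-11-01 03:00:00"),
]

TS_FMT = "%Y-%m-%d %H:%M:%S"
LINE_RE = re.compile(
    r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) action=src-nat "
    r"(\d{1,3}(?:\.\d{1,3}){3})/(\d{1,5})\b"
)


def parse_ts(text):
    """Accept '2010-11-01 01:14:45' as well as the notice's
    '2010-11-01 01:14:45.560 GMT' (fraction and zone dropped; assumes UTC)."""
    text = text.replace(" GMT", "").split(".")[0]
    return datetime.strptime(text, TS_FMT)


def parse_nat_log(text):
    """Return (timestamp, inner_ip, src_port) for every src-nat line."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            entries.append((parse_ts(m.group(1)), m.group(2), int(m.group(3))))
    return entries


def candidate_nat_entries(entries, port, notice_ts, window=timedelta(hours=6)):
    """Entries whose logged source port equals the notice port, logged at or
    before the notice and no older than `window`, most recent first.

    The controller logs the pre-NAT source port, so a match is only a
    candidate: if the port was rewritten to avoid a collision, the real
    session appears under a different port and is not found here."""
    hits = [e for e in entries
            if e[2] == port and notice_ts - window <= e[0] <= notice_ts]
    return sorted(hits, key=lambda e: e[0], reverse=True)


def user_for_ip(associations, ip, when):
    """Who held `ip` at `when`, per the association history (None if nobody)."""
    for user, assoc_ip, first, last in associations:
        if assoc_ip == ip and parse_ts(first) <= when <= parse_ts(last):
            return user
    return None


def users_for_notice(log_text, associations, port, notice_ts_text):
    """End-to-end: notice port + timestamp -> [(user, inner_ip, nat_time)],
    most plausible (most recent) candidate first."""
    notice_ts = parse_ts(notice_ts_text)
    entries = parse_nat_log(log_text)
    out = []
    for ts, ip, _ in candidate_nat_entries(entries, port, notice_ts):
        out.append((user_for_ip(associations, ip, ts), ip, ts.strftime(TS_FMT)))
    return out


if __name__ == "__main__":
    # Port and timestamp as they appear in the notice quoted in the first post.
    for row in users_for_notice(NAT_LOG, ASSOCIATIONS, 3382,
                                "2010-11-01 01:14:45.560 GMT"):
        print(row)
```

Because the log carries the pre-NAT port, the function returns every user whose session used that source port within the window rather than a single answer; the entry logged after the notice timestamp is deliberately excluded, and an empty list means the port was most likely rewritten on collision and the notice cannot be attributed from this log alone.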
Guru Elite
Posts: 20,811
Registered: 03-29-2007

Re: Identifying users post src-nat

The log message has the port:

action=src-nat 192.168.254.16/54569

If you want to block bittorrent, you should have a packet shaper do that specific function and the Natting if you want increased visibility.


Colin Joseph
Aruba Customer Engineering


New Contributor
Posts: 3
Registered: 03-17-2011

Re: Identifying users post src-nat

It has the pre-nat src-port. Normally that will be the same but the natting rules will change the src-port if they need to in order to avoid port collisions.
Guru Elite
Posts: 20,811
Registered: 03-29-2007

Re: Identifying users post src-nat

You are right. Without a destination address, how can they even expect you to determine who did what and when?


Colin Joseph
Aruba Customer Engineering

