Re: [WIRELESS-LAN] NAT recording
I will be out of the office until Thursday June 27th. Please direct all tech needs to the Tech Helpdesk. Thank you! GO BEYOND! Founded in 1821, New Hampton School is a coeducational, independent, college preparatory boarding and day school for students in grades 9-12 and postgraduate. www.newhampton.org ** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/.
Problems with new Apple Laptops
I've started to see rumors of wireless connection issues with refreshed Apple laptops. As most of you know, Apple included AC cards in the MacBooks with this refresh. I was curious if anyone has seen any trouble with the brand new MacBooks. If there are problems, I'd like to start squashing them, and potentially putting pressure on Apple before the new school year starts.

Charles Rumford
Network Engineer
ISC Network Operations
University of Pennsylvania
(p) 215-746-2808
(c) 267-398-7939
Re: [WIRELESS-LAN] NAT recording
Our NAT is performed by our firewalls (Cisco ASAs) at the last hop before the border router. Everything inside (packet shaping, IPS/IDS, etc) is dealing with the internal addresses, the only use of the external IPs is when we receive external reports.

We have adequate NAT pools to do 1-to-1 dynamic NAT, with some room for overload overflow. This simplifies the outside-to-inside translation by just looking at the IPs of the connections, or when feasible, just looking at the 1-to-1 assignment and release log messages (if you have persistently active inside clients, you won't get these messages with any regularity).

We send the ASA logs to a generic syslog server at the moment. We've tried throwing it into various log correlation systems (ArcSight, Splunk, etc) but the sheer volume will make your life miserable for what you really want SIEM integration to be doing. So we only refer to the bulk logs for inside-to-outside correlation and deal with everything else on an internal IP basis (which we can correlate comfortably).

Jeff

On 6/20/2013 11:25 PM, Charles Rumford wrote:

We are currently investigating different NAT solutions and deployments, and I would be curious how other schools handle the legal aspects of connection tracking, and keeping users accountable for their actions. We are starting from scratch, and open to trying and investigating different solutions.

-Charles

On Jun 19, 2013, at 11:43 AM, Michael Hulko mihu...@uwo.ca wrote:

This subject was introduced a year ago, and several schools had varying methods of recording NAT'd communications for legal requirements. Several schools use the same process as we do, using a combination of Airwave, LanGuardian, and Netflow. We had avoided using Connection tracking local on the box as we feel that this would greatly impact service. I am interested to know what other schools are doing in this arena, if anything?

Michael Hulko
Network Analyst
Western University Canada
Network Operations Centre
Information Technology Services
1393 Western Road, SSB 3300CC
London, Ontario N6G 1G9
Re: [WIRELESS-LAN] NAT recording
We use Juniper SRX5800 firewalls at the border, and NAT turnover is extremely quick. The STRM software makes identifying private IPs for a specific day/time very easy (query public IP at X time, and it IDs the private for you). Then, we use ISC for DHCP, so just query the logs for that private IP.

Charles Rumford charl...@isc.upenn.edu wrote:

We are currently investigating different NAT solutions and deployments, and I would be curious how other schools handle the legal aspects of connection tracking, and keeping users accountable for their actions. We are starting from scratch, and open to trying and investigating different solutions.

-Charles

On Jun 19, 2013, at 11:43 AM, Michael Hulko mihu...@uwo.ca wrote:

This subject was introduced a year ago, and several schools had varying methods of recording NAT'd communications for legal requirements. Several schools use the same process as we do, using a combination of Airwave, LanGuardian, and Netflow. We had avoided using Connection tracking local on the box as we feel that this would greatly impact service. I am interested to know what other schools are doing in this arena, if anything?

Michael Hulko
Network Analyst
Western University Canada
Network Operations Centre
Information Technology Services
1393 Western Road, SSB 3300CC
London, Ontario N6G 1G9
tel: 519-661-2111 x81390
e-mail: mihu...@uwo.ca
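The two-step lookup described in the replies above (public IP and time to private IP from NAT assignment/release records, then private IP to client from DHCP logs) can be sketched as follows. This is an added example, not code from any poster or vendor: the log lines are constructed in a simplified format rather than real ASA, STRM or ISC dhcpd output, and the function names are hypothetical.

```python
import re
from datetime import datetime

# Constructed sample logs in a simplified format (not any vendor's real syslog layout).
NAT_LOG = """\
2013-06-20T09:00:05 ASSIGN inside=10.20.1.15 outside=198.51.100.40
2013-06-20T11:30:00 RELEASE inside=10.20.1.15 outside=198.51.100.40
2013-06-20T11:30:02 ASSIGN inside=10.20.7.99 outside=198.51.100.40
2013-06-20T18:45:10 RELEASE inside=10.20.7.99 outside=198.51.100.40
2013-06-20T19:00:00 ASSIGN inside=10.20.3.8 outside=198.51.100.40
"""
DHCP_LOG = """\
2013-06-20T08:59:50 DHCPACK on 10.20.1.15 to 02:00:00:00:00:01
2013-06-20T11:29:40 DHCPACK on 10.20.7.99 to 02:00:00:00:00:02
2013-06-20T17:00:00 DHCPACK on 10.20.7.99 to 02:00:00:00:00:03
2013-06-20T18:59:30 DHCPACK on 10.20.3.8 to 02:00:00:00:00:04
"""
NAT_RE = re.compile(r"(\S+) (ASSIGN|RELEASE) inside=(\S+) outside=(\S+)")
DHCP_RE = re.compile(r"(\S+) DHCPACK on (\S+) to (\S+)")

def nat_intervals(log):
    """Pair ASSIGN/RELEASE lines into (start, end, inside, outside); end is None while open."""
    open_maps, intervals = {}, []
    for m in filter(None, map(NAT_RE.match, log.splitlines())):
        ts, event, inside, outside = m.groups()
        ts = datetime.fromisoformat(ts)
        if event == "ASSIGN":
            open_maps[outside] = (ts, inside)
        elif outside in open_maps:
            start, holder = open_maps.pop(outside)
            intervals.append((start, ts, holder, outside))
    # A client that stays active never logs a RELEASE: keep its mapping as open-ended.
    return intervals + [(s, None, i, o) for o, (s, i) in open_maps.items()]

def lease_holder(private_ip, when, log):
    """MAC from the latest DHCPACK for private_ip at or before `when`, else None."""
    acks = [(datetime.fromisoformat(ts), mac) for ts, ip, mac in
            (m.groups() for m in filter(None, map(DHCP_RE.match, log.splitlines())))
            if ip == private_ip]
    earlier = [a for a in acks if a[0] <= when]
    return max(earlier)[1] if earlier else None

def resolve(public_ip, when_iso, nat_log=NAT_LOG, dhcp_log=DHCP_LOG):
    """Map (public IP, time) from an external report to (private IP, MAC), or None."""
    when = datetime.fromisoformat(when_iso)
    for start, end, inside, outside in nat_intervals(nat_log):
        if outside == public_ip and start <= when and (end is None or when < end):
            return inside, lease_holder(inside, when, dhcp_log)
    return None  # no translation covered that instant: do not guess a neighbour
```

The timestamp matters in both steps: the same public address maps to three different inside hosts during the day, and 10.20.7.99 changes lease holder at 17:00, so a report without an accurate time (and time zone) cannot be attributed.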
Re: [WIRELESS-LAN] Problems with new Apple Laptops
Hi,

What sort of issues are you seeing? Could you give us some insight as to what infrastructure you're running, any debugs/client traces collected etc?

I have yet to get my hands on the new hardware - but if there's anything we can do on the infrastructure to determine if we have any of these clients, that might help!

Cheers,
Tristan

---
Tristan Gulyas tristan.gul...@monash.edu
Wireless Network Engineer M: +61 403224484
eSolutions division P: +61 3 9902 9092
Building 205 Monash University 3800 Australia

On 21/06/2013, at 1:28 PM, Charles Rumford charl...@isc.upenn.edu wrote:

I've started to see rumors of wireless connection issues with refreshed Apple laptops. As most of you know, Apple included AC cards in the MacBooks with this refresh. I was curious if anyone has seen any trouble with the brand new MacBooks. If there are problems, I'd like to start squashing them, and potentially putting pressure on Apple before the new school year starts.

Charles Rumford
Network Engineer
ISC Network Operations
University of Pennsylvania
(p) 215-746-2808
(c) 267-398-7939