[log in to unmask] On Behalf Of Fishel Erps
Sent: Thursday, February 6, 2014 12:23 PM
To: [log in to unmask]
Subject: [NETMAN] Network IP Tracking
We are looking for a way to track a user's MAC to IP, and we want it
to get updated dynamically, and we want to know what others out there are
using. [...]

From: Chuck [log in to unmask]
Date: 6 Feb 2014 13:50:23 -0500
Subject: Re: Network IP Tracking

On Thu, Feb 06, 2014 at 11:48:20AM -0600, Tim Tyler wrote:
> It will be curious to me to see how this works when we start
> supporting ipv6 since many use routing advertisement to give out ip's
> instead of dhcp. Tim
Once we have RFC6939 support, we can log the MAC of a DHCPv6 client
the same way we do with IPv4 today. The latest version 4.3.0 of ISC
DHCP supports the "on commit" functionality with IPv6. [...]

From: Vlade [log in to unmask]
Date: 6 Feb 2014 13:54:37 -0500
Subject: Re: Network IP Tracking

There are a lot of ways to skin this cat. Keep in mind that it's pretty
easy to change your mac address but for most cases it won't be an issue.
To log the username to mac-address you can use NetReg. To see a history
of every IP the user gets, log DHCP leases. [...]

From: Vlade [log in to unmask]
Date: 6 Feb 2014 14:01:28 -0500
Subject: Re: Network IP Tracking

Not sure how I left this out, but Netflow with nfdump also helps
tracking down and corroborating violations with actual traffic that
happened on your network.
On 2/6/2014 1:54 PM, Vlade Ristevski wrote:
> There are a lot of ways to skin this cat. Keep in mind that it's pretty
> easy to change your mac address but for most cases it won't be an issue.
> To log the username to mac-address you can use NetReg. To see a
> history of every IP the user gets, log DHCP leases.
> To get the switch/port info you could [...]

From: Ian [log in to unmask]
Date: 6 Feb 2014 19:16:00 +0000
Subject: Re: Network IP Tracking

As far as 802.1x wired, everything newer than XP SP3 supports it ok, macos 10.7 and newer are pretty trivial with the .mobileconfig files. You do need a portal in the guest vlan for onboarding unknown devices. We've been distributing wired profiles with our wireless for some time, which eases setup somewhat. [...]

From: Heath [log in to unmask]
Date: 6 Feb 2014 22:59:17 +0000
Subject: Re: Network IP Tracking

We are doing NetReg and logging the DHCP leases. These get tossed to a syslog server. We also log NAT translations as well for the purpose of tracking down DMCA notices.
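
An added example, not part of the original thread: one way to answer "which MAC held this IP at this time" from logged DHCP lease events, as several replies describe doing when following up a notice. The log line format, the addresses, and the function names `build_history` and `mac_at` are assumptions made for illustration, and all timestamps are assumed to be in one timezone.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample data. The line format (time, event, IP, MAC, lease seconds)
# is an assumption for this example, not the output of any particular DHCP server.
SAMPLE_LOG = """\
2014-02-06T09:00:00 COMMIT 10.20.1.57 00:11:22:33:44:55 3600
2014-02-06T09:30:00 COMMIT 10.20.1.57 00:11:22:33:44:55 3600
2014-02-06T10:05:00 RELEASE 10.20.1.57 00:11:22:33:44:55 0
2014-02-06T10:20:00 COMMIT 10.20.1.57 66:77:88:99:AA:BB 3600
2014-02-06T12:00:00 COMMIT 10.20.1.57 00:11:22:33:44:55 3600
"""

def build_history(log_text):
    """Turn lease events into per-IP lists of [start, end, mac] intervals."""
    history = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, event, ip, mac, secs = line.split()
        ts, mac = datetime.fromisoformat(ts), mac.lower()
        last = history[ip][-1] if history[ip] else None
        if event == "COMMIT":
            end = ts + timedelta(seconds=int(secs))
            if last and last[2] == mac and ts <= last[1]:
                last[1] = end            # renewal: extend the current interval
                continue
            if last and last[1] > ts:
                last[1] = ts             # IP handed to another client early
            history[ip].append([ts, end, mac])
        elif event == "RELEASE" and last and last[2] == mac and last[1] > ts:
            last[1] = ts                 # client gave the address back early
    return history

def mac_at(history, ip, when):
    """Return the MAC that held `ip` at `when`, or None if no lease covered it."""
    when = datetime.fromisoformat(when)
    for start, end, mac in history.get(ip, []):
        if start <= when < end:
            return mac
    return None

if __name__ == "__main__":
    hist = build_history(SAMPLE_LOG)
    for t in ("2014-02-06T09:45:00", "2014-02-06T10:30:00", "2014-02-06T11:30:00"):
        print(t, mac_at(hist, "10.20.1.57", t))
```

The same IP resolves to different MACs within a few hours here, which is why the lookup needs the full timestamp from the notice and not just the date.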

From: Jeff [log in to unmask]
Date: 6 Feb 2014 18:02:51 -0500
Subject: Re: Network IP Tracking

We just run Bradford. Connections are tracked by MAC / IP / switchport
/ userID / connect time / disconnect time and searchable on any field.
(Had to roll our own piecemeal tracking/auditing before and don't want
to do that again...)
It doesn't track wireless locations, however; we pull that from Airwave
once we get the MAC. [...]

From: Jason [log in to unmask]
Date: 6 Feb 2014 23:08:00 +0000
Subject: Re: Network IP Tracking

For wireless we track the information using dot1x logs from our radius servers. For wired it's not so easy without dot1x but we do have logs from active directory, email and other authenticated systems.
We also feed that information into our firewalls to help identify users there.
All logs then feed into Splunk, which is an extremely powerful and excellent correlation tool; it's been great for following up security incid