narong
Joined: 20 Nov 2004 Posts: 1 Location: Thailand
Posted: Mon Nov 10, 2008 5:06 pm Post subject: logging SourceIP username DestinationIPS

Hi
Your product is quite easy to configure. However, is it possible to enable logging of the internal IP with the username and the destination IPs users are visiting?
This data (SourceIP username DestinationIPS) is mandatory to comply with Cyber Crime Law in my country.
Thank you.

alan Forum facilitator
Joined: 26 Sep 2003 Posts: 4435
Posted: Tue Nov 11, 2008 3:58 am

You can take advantage of our "URL Tracking" feature (under Access Control).
_________________
~ Patronsoft Limited ~

werkof
Joined: 27 Feb 2009 Posts: 6
Posted: Fri Feb 27, 2009 12:18 pm Post subject: session logging is crucial!

Hi Alan
I have enabled URL logging and can see the hostname part of the URLs in the configured ODBC database.
The main problem with logging, from my point of view, is that far too little data is logged. As narong mentioned for his country, here in Italy too it is crucial to always be able to trace back which user initiated a certain TCP/UDP session.
For HTTP traffic this is solved nearly perfectly with the FSUrl table (URL tracking). But what happens if a user makes a connection to a port other than the standard port 80? I haven't found any trace of successful connection attempts for the following cases:
1.) HTTP connection to a remote host on non-standard port 8080 (or any other)
This HTTP (!) connection does not seem to show up in the FSUrl table.
2.) Any other type of connection like SMTP, POP3, FTP, P2P, and many, many more.
If I give access to hotspot users connecting within a private network to my FirstSpot gateway, then ANY connection to remote servers would appear to come from the public IP of the FirstSpot (NAT mode enabled).
So if any user behind my gateway at some point does something illegal (file sharing, offending messages, hacking, ...), the investigation will come to me, as I'm the provider of this service.
So the ability to have all this information (any UDP/TCP connection from any client to any destination host, paired with an exact datetime value and the username) in logfiles seems very crucial to me.
As FirstSpot is already handling the NAT functionality, it shouldn't be a problem to write out this data to a logfile too...?

dominic Forum facilitator
Joined: 23 Oct 2007 Posts: 103
Posted: Tue Mar 03, 2009 12:26 pm

To werkof:
2) As far as I know, there are no standard ports for P2P traffic. I wonder if directly displaying the destination port numbers for traffic using non-standard ports will suit your needs.

werkof
Joined: 27 Feb 2009 Posts: 6
Posted: Tue Mar 03, 2009 1:04 pm Post subject: logging session traffic

In this case it's not important to identify the traffic in real time, for example to limit the bandwidth on this port.
The important thing is to have a trace and all the information to answer any question during a legal investigation. If one of the hotspot users does something illegal (posting offending messages on websites, hack attempts, FTP of illegal software, email spam campaigns, DoS attacks...) and FirstSpot translates the internal private IP addresses to the one public IP of the FirstSpot gateway, then any of these actions will show up on the destination side with the public IP.
Then if a legal investigation asks the "owner" of this public IP (us) who made this connection, it would be very important to have a logfile containing a date, time, username, internal source IP, public destination IP, port number and optionally, if possible, some protocol-specific data like an HTTP host header name, SMTP server name, ... to answer the question and identify the culprit.

werkof
Joined: 27 Feb 2009 Posts: 6
Posted: Wed Mar 25, 2009 3:47 pm Post subject: Real IP Address mapping

Is this possible?
One month later and without any further info from Patronsoft, I am still trying to find a way to use this piece of software in accordance with existing European laws.
One possible solution would be to use real IP address mapping (NAT).
I have enabled it and it looks like it is working as it should: the user appears on the remote server with his assigned "real IP".
But again it looks like FirstSpot is not logging the really important data. After analyzing all available logfiles, there is no trace of the "real IP" assigned at a certain day and time to a certain user after his login. I wonder what sense real IP mapping could make if not to trace back the activity of a certain user.
Again: is this possible?
Any idea, any news (newer than the 2007 news on the www.patronsoft.com homepage)?

werkof
Joined: 27 Feb 2009 Posts: 6
Posted: Wed Mar 25, 2009 4:09 pm Post subject: found it

Real IP mapping must also be enabled for each user.
How performant is real IP mapping? Can I assign 1 to 5 class C networks in order to give 254 to 1270 users the ability to surf with their own public IP address?

alan Forum facilitator
Joined: 26 Sep 2003 Posts: 4435
Posted: Thu Mar 26, 2009 10:19 am

Real IP is designed for giving an individual username a real IP (i.e. someone can ping that client from the Internet). This feature is designed with FirstSpot NAT on so that the FirstSpot administrator can control which subset of users will get a real IP. This is quite useful if you don't have enough real IPs for all users (e.g. cost reasons).
If you have enough real IPs for users, you can just turn off NAT within FirstSpot.
BTW, real IP is designed for client applications that need a real IP for access (e.g. some VPN, peer-to-peer). It does not enhance the tracking feature.
Just to give you a sneak preview, we will enhance the URL Tracking, which can track all the ports, in the upcoming v6. We are putting the final touches on another interesting feature though. The first beta should be ready within a month...
_________________
~ Patronsoft Limited ~

werkof
Joined: 27 Feb 2009 Posts: 6
Posted: Thu Mar 26, 2009 8:55 pm Post subject: real IP

Hi Alan, thank you for the info.
Please let me know as soon as v6 is ready for a first test. We're currently preparing everything to start with our project, and maybe it would be very helpful to know what features will be available in the new version.

werkof
Joined: 27 Feb 2009 Posts: 6
Posted: Fri Mar 27, 2009 9:38 am Post subject: Real IP assignment handling

Hi Alan,
For our purposes it would be absolutely necessary that each user is assigned his own real IP address. Our network behind the FirstSpot has private IP addresses, VPN tunnels and access points at different locations. So we can't assign static public IP addresses to all of these networks. This would require far too many public IPs.
On the other hand, we aren't able to track each user's traffic in logfiles. This is not a problem as long as we can ensure that each user appears with his own real IP on the Internet and we have logged which user has used this IP in a certain time range.
We've tested this now with real IP address mapping and it looks like our way to go. The last remaining question is how the assignment of the real IP pool works. We've tried and seen that if the available pool is assigned to users, any further user appears with the FirstSpot's primary public IP. So we have to ensure that all users always have a free real IP available.
Now the question: how is the real IP assignment designed? Let's assume that IP1 and IP2 from the pool are assigned. Now IP1 disconnects. What IP will be assigned to the next user? From what we can see in our first tests, it will receive IP3 and IP1 remains unused.
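
The lookup described in the post above (which user held a given real IP in a given time range), as an added example that is not part of the thread and is not FirstSpot code. The lease-log layout, the usernames and the 203.0.113.x addresses are constructed assumptions; the sample covers an address handed out again after a disconnect and two users falling back to the gateway's shared primary IP.

```python
from datetime import datetime

FMT = "%Y-%m-%d %H:%M"

# Constructed lease log (assumed layout, not FirstSpot's):
# (username, internal IP, public IP seen by remote hosts, login, logout or None)
LEASES = [
    ("user_a", "10.0.0.11", "203.0.113.1", "2009-03-27 09:00", "2009-03-27 09:40"),
    ("user_b", "10.0.0.12", "203.0.113.2", "2009-03-27 09:05", None),  # still online
    # IP1 handed out again after user_a disconnected
    ("user_c", "10.0.0.13", "203.0.113.1", "2009-03-27 09:45", "2009-03-27 10:30"),
    # Pool exhausted: both sessions left through the gateway's primary IP
    ("user_d", "10.0.0.14", "203.0.113.254", "2009-03-27 09:50", "2009-03-27 10:20"),
    ("user_e", "10.0.0.15", "203.0.113.254", "2009-03-27 09:55", "2009-03-27 10:25"),
]

def _ts(text):
    """Parse a timestamp; an open lease (None) is treated as still active."""
    return datetime.strptime(text, FMT) if text else datetime.max

def holders(public_ip, when):
    """Usernames whose lease on public_ip covers the instant `when`."""
    t = _ts(when)
    return sorted(user for user, _, ip, start, end in LEASES
                  if ip == public_ip and _ts(start) <= t < _ts(end))

def attribute(public_ip, when):
    """Classify an inquiry about (public IP, time) against the lease log."""
    users = holders(public_ip, when)
    if not users:
        return "no-record", users      # nobody held the address at that time
    if len(users) == 1:
        return "unique", users         # one user: the lease log is enough
    # Several users behind one address: only a per-connection log
    # (destination IP and port per session) can separate them.
    return "ambiguous", users

if __name__ == "__main__":
    for ip, when in [("203.0.113.1", "2009-03-27 09:20"),
                     ("203.0.113.1", "2009-03-27 09:42"),
                     ("203.0.113.1", "2009-03-27 09:50"),
                     ("203.0.113.254", "2009-03-27 10:00")]:
        print(ip, when, *attribute(ip, when))
```

The "ambiguous" result is the case raised earlier in the thread: once users share the gateway's address, a lease log alone cannot answer the inquiry.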