IP Address to User??

Fri, Jun 29, 2007

Security

The first time I had to investigate an incident that required looking in the firewall logs was sometime around 1994. What I remember most is that I had to find out which computer on our LAN was misbehaving, and I had only an IP address to do it with. Not a very easy thing when you have hundreds or thousands of nodes. Fast forward 13 years and guess what, we are still doing it the same way for the most part. Take the IP, do a "ping -a" / dig to get the hostname, then consult that horribly outdated spreadsheet or text file with the hostname / user mappings... if you have one. Maybe your IP ranges are configured so that you can tell what floor / group / building a particular IP is in. Everyone has their own method.

Think about how arcane that process is. Your goal is probably to discover WHO is generating the alert and potentially where the offending device is. But how do you do that? The network devices (firewall, IPS, etc.) only see your IP / MAC. You can't get your DHCP server to cough up a username. If you are lucky enough to have NAC or some other endpoint security technology, you may have the IP / username mapping from an agent. Even then it may or may not be accurate, depending on factors like whether it is a persistent agent or a dissolvable agent that scanned the host 3 days ago. By now the DHCP lease may have expired and some other username is associated with the IP. If you have SIEM technology you may be able to create some magic, provided you are collecting the data required to determine the IP / username mapping. Even if you can write such a query, would the SIEM product be able to handle it? From personal experience I would say the answer is no.

Even if you can determine this information, there is no integration between the source of it and the firewall / IPS / incident response console. We are back to flipping between consoles. At the end of the day I would like my ACID console to tell me the username and hostname for the offending LAN IP address. If it could then tell me what switch / port the IP is on, I would be one happy camper.
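As an added example (not code from the original post), here is the time-aware correlation the post is asking a SIEM to do: take the source IP from a firewall alert, find the DHCP lease that covered that IP at the alert's own timestamp, then the latest logon to that host before the alert. The lease records, logon records and alert line format are all constructed for the example; a lease that has expired or been handed to another host returns nothing rather than a wrong name.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional, Tuple

# Constructed sample records (not real data): DHCP leases and host logons as a
# SIEM might collect them. A lease covers an IP from `start` to `start + ttl`.
@dataclass
class Lease:
    start: datetime
    ttl: timedelta
    ip: str
    host: str
@dataclass
class Logon:
    when: datetime
    host: str
    user: str

LEASES = [
    Lease(datetime(2007, 6, 29, 8, 0), timedelta(hours=8), "10.1.4.23", "ws-acct-12"),
    Lease(datetime(2007, 6, 29, 17, 30), timedelta(hours=8), "10.1.4.23", "lt-eng-07"),
]
LOGONS = [
    Logon(datetime(2007, 6, 29, 8, 5), "ws-acct-12", "jsmith"),
    Logon(datetime(2007, 6, 29, 17, 35), "lt-eng-07", "dwilde"),
]

def lease_at(ip: str, at: datetime) -> Optional[Lease]:
    """Lease that covered `ip` at moment `at`, or None if none was active."""
    live = [l for l in LEASES if l.ip == ip and l.start <= at < l.start + l.ttl]
    return max(live, key=lambda l: l.start) if live else None

def resolve(ip: str, at: datetime) -> Optional[Tuple[str, str]]:
    """(hostname, username) for `ip` as of `at`: the lease active then plus the
    latest logon to that host before `at`. Asking "who has it now" instead
    of "who had it at alert time" is how a reused IP gets pinned on the wrong person."""
    lease = lease_at(ip, at)
    if lease is None:
        return None
    seen = [l for l in LOGONS if l.host == lease.host and l.when <= at]
    return lease.host, (max(seen, key=lambda l: l.when).user if seen else "<no logon>")

# Constructed firewall alert format; only the timestamp and src= are parsed.
ALERT_RE = re.compile(r"^(\S+ \S+) DENY src=(\d+\.\d+\.\d+\.\d+)")

def attribute_alert(line: str) -> Optional[Tuple[str, str]]:
    """Resolve an alert's source IP as of the alert's own timestamp."""
    m = ALERT_RE.match(line)
    if not m:
        return None
    return resolve(m.group(2), datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"))
```

The same IP resolves to two different people on the same day depending on the timestamp used, which is exactly why a lookup against a static spreadsheet, or against "current" NAC data, can name the wrong user.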

Am I asking for too much here???? Probably…….

–Chris

This post was written by:

Chris Harrington - who has written 153 posts on InfoSecPodcast.com.

1 Comment For This Post

  1. Dom Wilde Says:

    Chris,

    I think I may have the answer to your problem. Come on over to our blog where I’ve written a response to your conundrum:

    http://www.nevis-blog.com/2007/06/re-ip-address-t.html

    Cheers, Dom
