[c-nsp] NAT Detection with netflow or anything.
Roland Dobbins
rdobbins at cisco.com
Tue Feb 5 05:35:26 EST 2008
On Feb 5, 2008, at 5:08 PM, Joseph Jackson wrote:
> Anyone have any solutions to this?
NetFlow-based anomaly-detection systems should potentially be able to
infer NAT or proxy behavior due to analysis of source/dest IPs/
protocols/port pairings, port incrementalization, and so forth. I
don't know if any of them explicitly do this and alert on it or not,
but it shouldn't be hard to do.
If you're using an open-source NetFlow collection system which has the
ability to take flow records and output them as text and/or insert
them into a database, you could probably hack something up with Simple
Event Correlator (SEC), depending upon volume/scale.
But I'd suggest pinging Arbor/Lancope/Mazu/Narus/Q1 about this; if
they don't do it now, it should be relatively easy for them to add.
If you can look at actual packets via SPAN/RSPAN or copy/capture VACLs
(speed/scale/asymmetry not being an issue), p0f can often detect
NATting/proxying via analysis of packet characteristics.
-----------------------------------------------------------------------
Roland Dobbins <rdobbins at cisco.com> // 408.527.6376 voice
Culture eats strategy for breakfast.
-- Ford Motor Company
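As an added example, not code from Roland's post or from any of the products he names, here is one way the "port incrementalization" heuristic above could be scripted over flow records that a collector has already exported as text. The input line format, the sample flows, and the thresholds are all assumptions constructed for illustration; the heuristic counts how many independent, increasing source-port sequences are interleaved behind one source address (one host with a sequential ephemeral-port allocator gives one chain, a NAT in front of several such hosts gives several) and correlates that with the number of distinct destinations. Hosts that randomize ephemeral ports inflate the chain count, so this is a signal to feed a correlator such as SEC, not a verdict.

```python
"""Heuristic NAT/proxy detection over text-exported flow records.

Added example, not code from the original post. The input is a constructed,
simplified "timestamp src_ip src_port dst_ip dst_port proto" text line (an
assumption standing in for whatever an nfdump/flow-tools style export can be
massaged into). Thresholds are assumptions chosen for illustration.
"""
from collections import defaultdict

# Constructed sample flow records (not real traffic). 10.0.0.5 behaves like a
# single host: one increasing ephemeral-port sequence. 10.0.0.9 behaves like a
# NAT box: three independent increasing sequences interleaved in time, each
# talking to its own destinations.
SAMPLE_FLOWS = """\
1000 10.0.0.5 40001 93.184.216.34 443 6
1001 10.0.0.5 40002 93.184.216.34 443 6
1002 10.0.0.5 40003 198.51.100.7 80 6
1003 10.0.0.5 40004 198.51.100.7 80 6
1004 10.0.0.5 40005 203.0.113.9 443 6
1000 10.0.0.9 50010 93.184.216.34 443 6
1000 10.0.0.9 61200 198.51.100.7 80 6
1001 10.0.0.9 33050 203.0.113.9 443 6
1001 10.0.0.9 50011 93.184.216.34 443 6
1002 10.0.0.9 61201 198.51.100.7 80 6
1002 10.0.0.9 33051 203.0.113.9 443 6
1003 10.0.0.9 50012 93.184.216.35 443 6
1003 10.0.0.9 61202 198.51.100.8 80 6
1004 10.0.0.9 33052 203.0.113.10 443 6
"""


def parse_flows(text):
    """Parse whitespace-separated flow lines into dicts; skip blank/comment lines."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, sip, sport, dip, dport, proto = line.split()
        flows.append({"ts": int(ts), "src": sip, "sport": int(sport),
                      "dst": dip, "dport": int(dport), "proto": int(proto)})
    return flows


def count_port_chains(ports, max_step=64):
    """Estimate how many independent increasing source-port sequences are
    interleaved in a time-ordered list of ports.

    Each port is appended to the chain whose last port is just below it
    (within max_step, an assumed bound on how far a sequential allocator
    advances between observed flows); otherwise a new chain is started.
    """
    chains = []  # last port seen in each chain
    for p in ports:
        best = None
        for i, last in enumerate(chains):
            if last < p <= last + max_step and (best is None or last > chains[best]):
                best = i
        if best is None:
            chains.append(p)
        else:
            chains[best] = p
    return len(chains)


def analyze(flows, min_flows=5, min_chains=2, min_dsts=3):
    """Return {src_ip: report} for sources whose port behaviour and destination
    spread look like a NAT or proxy rather than a single host."""
    by_src = defaultdict(list)
    for f in flows:
        by_src[f["src"]].append(f)
    suspects = {}
    for src, fl in by_src.items():
        if len(fl) < min_flows:
            continue
        fl.sort(key=lambda f: (f["ts"], f["sport"]))
        chains = count_port_chains([f["sport"] for f in fl])
        dsts = {(f["dst"], f["dport"]) for f in fl}
        if chains >= min_chains and len(dsts) >= min_dsts:
            suspects[src] = {"flows": len(fl), "port_chains": chains,
                             "distinct_dsts": len(dsts)}
    return suspects


if __name__ == "__main__":
    for src, rep in analyze(parse_flows(SAMPLE_FLOWS)).items():
        print(f"possible NAT/proxy: {src} {rep}")
```

Run against the sample, 10.0.0.5 yields one port chain and is ignored, while 10.0.0.9 yields three chains across six distinct destinations and is reported. On real exports, widen `max_step` for busy hosts and raise `min_flows` so that a single host with randomized ports does not trip the chain count on its own.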