April 15, 2019
In this video we look at implementing Carrier-Grade NAT (CGNAT) with user-aware logging in an enterprise deployment, with a focus on universities.

CGNAT solves the problem of IPv4 address exhaustion by translating the private IP addresses assigned to users to a limited set of public IPv4 addresses, along with other key technologies that simple NAT devices do not provide, making it essential for deployment in universities with a large number of students.

Additionally, universities are required to keep track of users' network activity by maintaining logs of the mapping from a user's private IP address to a public IP address. However, this alone is not sufficient to trace malicious network activity to the real user, and doing so involves going through several different sets of logs, which can take a long time.

A10's CGNAT solution with user-aware logging resolves this challenge by logging a single unified message that carries all the user details together with the CGNAT mapping. This greatly reduces the time needed to trace network activity to the actual user and also enables the consolidation of multiple log databases.
Transcript
Hello, today we will look at deploying Carrier-grade NAT in an enterprise scenario, especially universities, and how you can increase network activity of the users who are accessing the internet with the A10 solution.
So let us look at why you need Carrier-grade NAT in a university scenario.
Typically, universities have large student bodies and the IT department would be offering them internet access, both on the campus as well as off-campus.
So you have the students and the faculty accessing the network of the campus, over Wi-Fi and over wired networks. Then they would be going through the A10 CGNAT device for NAT translation.
And then they would access the internet. So why do you need a CGNAT solution? Well, you typically have a much larger number of people who are trying to access the internet as compared to the number of available public IPv4 addresses.
So, you typically do a translation for your private IP to public IPv4 addresses. However, simple NAT is not enough because students could also be doing a lot of other cool stuff like Xbox and PS4 gaming, which will cause them to not only access the servers on the internet but also be able to play the games with other peers who are on the internet.
And this kind of requires other technologies, which are built in to the A10 CGNAT device, which can enable this kind of communication between the gamers and other activities. So, when the users access the internet, what happens is you have your users who are allocated a private IP, and this could be through a DHCP mechanism.
And then they will be translated to a public IP by the Carrier-grade NAT device. Now, what will be the other challenges when you do this kind of a translation?
Well, the thing is that you have a private to public IP translation, so when the users access the server on the internet, the server sees the public IP.
Now, suppose something bad happens to that server on the internet. …some kind of a DDoS attack, and this could be either the students doing it knowingly or perhaps unknowingly because they got infected and now their devices are acting like a botnet device.
So, federal agencies, law enforcement agencies may see that this server is under attack and they may trace this network activity to a public IP, which is perhaps from the university.
So then they will come back to the university and say, okay tell us who was the user who was actually responsible for that private IP at that particular instance of time when the attack took place.
Now, typically what happens is the universities as a part of the federal requirement, they do maintain logging information about the time stamp when the translation happened, the private IP and the public IP.
However, this information is really not sufficient because the private IP could have been assigned to me today, but the same private IP could be assigned to somebody else via the DHCP mechanism.
So, you also need to go through your DHCP logs and then finally you determine the user ID who happened to be responsible for the private and the public IP at that particular instance of time.
Now, this information of going through the logs could be maintained by different groups. So, you will have to probably go through different groups and it’s a very time-consuming process, which can take a couple of days by the time you have answers for the law enforcement agencies.
So, how can A10 help you to actually solve that problem? Well, we can actually integrate with Microsoft Active Directory, …and this is an important point. Microsoft Active Directory is a very well deployed solution in universities and in general in the enterprise scenario.
So, if the user is already authenticated in the Microsoft domain, or in the Windows domain, we can get the information about the user and the private IP. However, if the user is just getting onto the network and needs to be authenticated, we can send an authentication form back to the user and then authenticate the user against the Active Directory.
This enables our device to not only have the private to public IP mapping, but it also enables us to get the user ID information. So now we can maintain all this information in a unified log, and this enables you to figure out, at the particular point of time, what was the private IP, what public IP it got translated to, and the user who was responsible for that activity.
And this can help you to provide information to the law enforcement agencies in a much faster fashion and also in a much more cost-effective manner, because you do not have to maintain different sets of logs. You just have to make the one set of log information. So this is a unique solution from A10 which is already being deployed by the universities.
We hope that you will be able to take advantage of it as well. Thanks for watching, and hope to catch you next time.
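The three-hop lookup the transcript describes (NAT log to DHCP log to Active Directory logon), and the single user-aware record that replaces it, as an added Python example; this is not A10's code, and the NAT, DHCP and AD log entries are constructed sample data:

```python
from datetime import datetime

def ts(s):
    """Parse the ISO-style timestamps used in the constructed logs below."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S")

# Constructed sample logs for this example (not real data). Each source is
# normally held by a different group, which is what makes the lookup slow.
NAT_LOG = [  # (start, end, private_ip, public_ip, public_port)
    ("2019-04-15T10:00:00", "2019-04-15T10:30:00", "10.1.2.3", "203.0.113.5", 40001),
    ("2019-04-15T10:31:00", "2019-04-15T11:00:00", "10.1.2.9", "203.0.113.5", 40001),
]
DHCP_LOG = [  # (lease_start, lease_end, private_ip, mac)
    ("2019-04-15T08:00:00", "2019-04-15T10:10:00", "10.1.2.3", "aa:bb:cc:00:00:01"),
    ("2019-04-15T10:12:00", "2019-04-15T12:00:00", "10.1.2.3", "aa:bb:cc:00:00:02"),
    ("2019-04-15T09:00:00", "2019-04-15T12:00:00", "10.1.2.9", "aa:bb:cc:00:00:03"),
]
AD_LOGONS = [  # (logon_time, user, private_ip) from the domain controller
    ("2019-04-15T08:01:00", "alice", "10.1.2.3"),
    ("2019-04-15T10:13:00", "bob", "10.1.2.3"),
    ("2019-04-15T09:02:00", "carol", "10.1.2.9"),
]

def trace_user(public_ip, public_port, at):
    """Attribute public_ip:public_port at time `at` to a user by walking
    NAT log -> DHCP log -> AD logon log. Returns None if any hop is missing."""
    when = ts(at)
    nat = next((n for n in NAT_LOG if n[3] == public_ip and n[4] == public_port
                and ts(n[0]) <= when < ts(n[1])), None)
    if nat is None:
        return None
    private_ip = nat[2]
    lease = next((l for l in DHCP_LOG if l[2] == private_ip
                  and ts(l[0]) <= when < ts(l[1])), None)
    if lease is None:
        return None
    # Only logons inside the current lease count: an earlier logon by the
    # previous holder of the same private IP must not be attributed.
    logons = [a for a in AD_LOGONS if a[2] == private_ip
              and ts(lease[0]) <= ts(a[0]) <= when]
    if not logons:
        return None
    user = max(logons, key=lambda a: ts(a[0]))[1]
    return {"user": user, "mac": lease[3], "private_ip": private_ip,
            "public_ip": public_ip, "public_port": public_port}

def unified_log_line(record, at):
    """One user-aware CGNAT record carrying everything the three-hop lookup
    had to reassemble, so a later query needs a single log and no correlation."""
    return ("{at} user={user} private={private_ip} public={public_ip}:{public_port}"
            .format(at=at, **record))
```

The same NAT mapping resolves to different users at 10:05 and 10:20 because the DHCP lease on 10.1.2.3 changed hands in between, which is exactly the case the transcript warns about.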