tracking hosts on the network
I asked this in the Check Point section but was hoping for some more ideas.
Currently, due to security restrictions where I work, we keep all hosts on static IPs (using MAC address reservation in DHCP). This is because we have to be able to keep a history of what device sent data out one of our WAN links to a third party.
We have a Check Point firewall that logs all traffic, but as I understand it, it only logs the IP address, not the resolved host names.
So my question is: is there any way to get the firewall, or some other method, to log the actual host that sent the traffic rather than just the IP, either via DNS resolution or authentication of devices?
I want to move away from using static addresses on hosts where we can so the network can be more flexible. Also, it is of course quite possible to spoof an IP address, so the setup we have has lots of loopholes.
One thing I was looking at is 802.1X port authentication, which would give me a log of what device is connected to the network.
And there are DHCP logs (BIND) to tie up with the firewall logs, and we also have LANGuardian and Websense servers running.
I need to be able to tell at a glance, if the third party asks what host sent traffic from IP address X.x.x.x on date and time Xx/xx/xxxx, the exact machine it came from, and to match it to the firewall logs.
Any suggestions would be welcome. One thing I would point out is that this needs to be used and managed by first-level support, so it needs to be user friendly and, if possible, use our existing infrastructure.
Cheers
DevilWAH
- If you can't explain it simply, you don't understand it well enough. Albert Einstein
- An arrow can only be shot by pulling it backward. So when life is dragging you back with difficulties, it means that it's going to launch you into something great. So just focus and keep aiming.
Linkin Profile - Blog: http://Devilwah.com
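An added example, not part of the original post: one way to tie DHCP lease history to firewall log entries so that "which host had IP X at time T" becomes a lookup. The comma-separated record layouts, host names and addresses are constructed for illustration and are assumptions, not Check Point or DHCP server export formats.

```python
from datetime import datetime

FMT = "%Y-%m-%d %H:%M:%S"

# Constructed sample data. The CSV-style layouts are assumptions for this
# example, not Check Point or DHCP server export formats.
LEASES = """\
10.1.20.15,00:11:22:33:44:55,PC-ACCOUNTS-01,2024-03-01 08:00:00,2024-03-01 12:00:00
10.1.20.15,66:77:88:99:aa:bb,LAPTOP-SALES-07,2024-03-01 12:30:00,2024-03-01 18:00:00
10.1.20.16,00:de:ad:be:ef:01,PC-HR-03,2024-03-01 08:00:00,2024-03-01 18:00:00
"""
FIREWALL = """\
2024-03-01 09:15:42,10.1.20.15,203.0.113.10,443
2024-03-01 14:02:10,10.1.20.15,203.0.113.10,443
2024-03-01 12:10:00,10.1.20.15,203.0.113.10,443
"""

def parse_leases(text):
    """Return {ip: [(start, end, mac, hostname), ...]} sorted by start time."""
    history = {}
    for line in text.strip().splitlines():
        ip, mac, host, start, end = line.split(",")
        history.setdefault(ip, []).append(
            (datetime.strptime(start, FMT), datetime.strptime(end, FMT), mac, host))
    for spans in history.values():
        spans.sort()
    return history

def host_at(history, ip, when):
    """Return (hostname, mac) holding `ip` at `when`, or None if no lease covers it."""
    matches = [(h, m) for s, e, m, h in history.get(ip, []) if s <= when < e]
    if len(matches) > 1:
        raise ValueError(f"overlapping leases for {ip} at {when}")
    return matches[0] if matches else None

def attribute(firewall_text, history):
    """Annotate each firewall record with the host that held the source IP."""
    out = []
    for line in firewall_text.strip().splitlines():
        ts, src, dst, port = line.split(",")
        owner = host_at(history, src, datetime.strptime(ts, FMT))
        # No covering lease: a static device, or traffic from an address
        # nobody was leased, which is worth a closer look.
        out.append((ts, src, owner[0] if owner else "NO-LEASE"))
    return out

if __name__ == "__main__":
    for row in attribute(FIREWALL, parse_leases(LEASES)):
        print(*row)
```

The same IP resolves to different machines before and after the lease change, and the entry that falls in the gap between leases is flagged rather than guessed.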
Comments
DevilWAH Member Posts: 2,997
I found out there is a very easy solution to this.
Turn on Identity Awareness on the firewall and authenticate against AD.
Then the Check Point logs have device and user name checked against AD, so no more spoofed IPs, and it gives me the tracking I want. It is also part of the standard firewall blade, so no extra cost.
Anything not in AD (such as non-standard devices) is on a static IP anyway, so this will give me exactly what I need.