On 13-Jan-99 [EMAIL PROTECTED] wrote:
> OK, here's one:
> 
> You'd like to use the "address hiding" feature that firewalls provide for
> obvious reasons, but at the same time, there's a requirement for an external
> entity to monitor/track activity based on IP address.  In other words,
> tracing a connection back to the outside interface of one of your firewalls
> is unacceptable --- we need to identify the source address inside the
> firewall as well.  Crazy as it sounds, is this at all possible?

Retrospective matching by reconciliation is quite easy with available
functionality (i.e. keep logs on the internal interface and reconcile them
with logs from the external entity);  that coupled with periodic exchange of
logs with the "external entity" over a trusted channel could presumably fill
your requirements.  However, this obviously implies that you trust the external
entity with the details of your internal network.  

I have tried a hacked up identd w/MD5 to do a one-time hash in a masqueraded
environment.  The per-connection overhead was ridiculous.  I haven't
investigated other options, but perhaps it is possible.  I'd sooner wait to
switch to the next protocol.

--Vik
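The log reconciliation Vik describes, worked through as an added example (this is not code from the original post or from any firewall product). It assumes a NAT box that logs each translation's start and end with the full (internal, external, destination) tuple, and an external entity that logs what it saw against the firewall's outside address; both log formats here are constructed for illustration, and the timestamps, addresses and the 5-second clock-skew tolerance are assumptions. The point it demonstrates is the one that makes this non-trivial: a masquerading firewall reuses outside ports over time, so a match on address and port alone is wrong, and the timestamp in the external log must be matched against the window in which the translation was active.

```python
"""
Retrospective reconciliation of a NAT (masquerading) firewall's translation
log with an external observer's log, to recover the internal source address
behind the firewall's outside interface.

Added example for illustration; log formats, addresses and timestamps below
are constructed, not taken from any real product or from the original post.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed translation log from the firewall's internal side.  Outside
# port 40001 is deliberately reused by two different internal hosts.
NAT_LOG = """\
1999-01-13T10:00:00 NAT tcp 10.1.2.3:1534 -> 192.0.2.1:40001 dst 203.0.113.7:80 start
1999-01-13T10:00:45 NAT tcp 10.1.2.3:1534 -> 192.0.2.1:40001 dst 203.0.113.7:80 end
1999-01-13T10:01:10 NAT tcp 10.1.2.9:2201 -> 192.0.2.1:40001 dst 203.0.113.7:80 start
1999-01-13T10:03:00 NAT tcp 10.1.2.9:2201 -> 192.0.2.1:40001 dst 203.0.113.7:80 end
1999-01-13T10:02:00 NAT tcp 10.1.2.5:1100 -> 192.0.2.1:40002 dst 203.0.113.7:80 start
1999-01-13T10:02:30 NAT tcp 10.1.2.5:1100 -> 192.0.2.1:40002 dst 203.0.113.7:80 end
"""

# Constructed log from the external entity; it only ever sees the
# firewall's outside address 192.0.2.1.
EXTERNAL_LOG = """\
1999-01-13T10:00:20 tcp 192.0.2.1:40001 -> 203.0.113.7:80 GET /index.html
1999-01-13T10:02:05 tcp 192.0.2.1:40001 -> 203.0.113.7:80 GET /admin
1999-01-13T10:02:10 tcp 192.0.2.1:40002 -> 203.0.113.7:80 GET /login
1999-01-13T10:05:00 tcp 192.0.2.1:40003 -> 203.0.113.7:80 GET /orphan
"""

NAT_RE = re.compile(
    r"^(?P<ts>\S+) NAT (?P<proto>\w+) (?P<int>[\d.]+:\d+) -> (?P<ext>[\d.]+:\d+) "
    r"dst (?P<dst>[\d.]+:\d+) (?P<event>start|end)$")
EXT_RE = re.compile(
    r"^(?P<ts>\S+) (?P<proto>\w+) (?P<ext>[\d.]+:\d+) -> (?P<dst>[\d.]+:\d+) (?P<detail>.*)$")


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S")


def load_translations(text):
    """Build {(proto, ext, dst): [(start, end, internal), ...]} from the
    NAT log.  A 'start' with no 'end' is treated as still open (end=None);
    an 'end' with no 'start' is a log gap and is skipped."""
    table = defaultdict(list)
    open_xlat = {}
    for line in text.splitlines():
        m = NAT_RE.match(line)
        if not m:
            continue  # unrelated log line
        key = (m["proto"], m["ext"], m["dst"])
        ts = parse_ts(m["ts"])
        if m["event"] == "start":
            open_xlat[(key, m["int"])] = ts
        else:
            start = open_xlat.pop((key, m["int"]), None)
            if start is not None:
                table[key].append((start, ts, m["int"]))
    for (key, internal), start in open_xlat.items():
        table[key].append((start, None, internal))
    return table


def attribute(table, ts, proto, ext, dst, skew_seconds=5):
    """Internal 'ip:port' whose translation was active at ts (widened by the
    clock-skew tolerance), None if nothing covers it, or 'AMBIGUOUS' when the
    tolerance lets more than one internal host fit the same outside port."""
    skew = timedelta(seconds=skew_seconds)
    candidates = {
        internal for start, end, internal in table.get((proto, ext, dst), [])
        if start - skew <= ts and (end is None or ts <= end + skew)
    }
    if not candidates:
        return None
    if len(candidates) > 1:
        return "AMBIGUOUS"
    return candidates.pop()


def reconcile(nat_text, ext_text, skew_seconds=5):
    """Return [(external timestamp, outside ip:port, internal ip:port, detail)]
    for every parseable line of the external entity's log."""
    table = load_translations(nat_text)
    results = []
    for line in ext_text.splitlines():
        m = EXT_RE.match(line)
        if not m:
            continue
        internal = attribute(table, parse_ts(m["ts"]), m["proto"], m["ext"],
                             m["dst"], skew_seconds)
        results.append((m["ts"], m["ext"], internal, m["detail"]))
    return results


if __name__ == "__main__":
    for ts, ext, internal, detail in reconcile(NAT_LOG, EXTERNAL_LOG):
        print(f"{ts} {ext} -> {internal or 'no translation'}  {detail}")
```

The two requests on port 40001 resolve to different internal hosts purely because of their timestamps, the request on 40003 has no translation record at all (a gap in the firewall log, or traffic that never went through NAT), and widening the skew tolerance far enough to make two translations overlap produces an explicit AMBIGUOUS rather than a silently wrong answer. This is the same trade-off the post names: the external entity's timestamps have to be trustworthy and the logs have to be exchanged over a trusted channel, and whoever runs the join ends up holding the internal addresses.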

-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]