[unisog] Tracking usage of dynamic IP

Eric van Wiltenburg vanwilt at uvic.ca
Wed Nov 14 20:27:50 GMT 2007


We're using a homegrown suite to scrape ARP caches, MAC address
tables, ACS/RADIUS logs, DHCP logs, and other resources every five
minutes.  We link this up with our database-driven cable plant
documentation and we can track a user or device down to a specific
data jack or access point within a five minute resolution.  This is
all back-ended by an Oracle DB.

We keep the data for several months, though we have a process that
saves space by reducing the resolution of those entries (i.e. merging
some of them) the older they get.  Eventually the entries expire and
are purged.  This means we have a database with several million
lines, but the size stays relatively constant.

We can query on IP address, MAC address, userid, switchport, or
VLAN.  We find it very effective when dealing with incidents where
you need to find a device quickly.  I've even experimented with
linking this into our intrusion prevention and quarantining systems
-- it works well in testing, but I'm not brave enough to implement
it institution-wide yet.

We also have an app we call BigBrother that uses the same database.
It will alert us when certain MAC addresses appear on the network --
useful for tracking stolen laptops, for example.

As yet, we have not found any "standard" software (commercial,
open source, or otherwise) that meets our needs, so we happily
maintain and expand our own apps.

Eric

--
Eric van Wiltenburg
Network Services
University of Victoria
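The design sketched above (periodic scrapes of ARP/MAC-table/RADIUS data, a single table queryable by IP, MAC, userid, switchport or VLAN, a resolution-reducing compaction pass for older data, and a MAC watchlist alert) in a minimal form, as an added example that is not the poster's code and not the UVic tooling. It uses an in-memory SQLite database instead of Oracle; the scrape rows, their field layout and the hypothetical switch/port names are constructed for illustration.

```python
import sqlite3
from datetime import datetime

# Constructed sample scrapes (formats are assumptions, not the poster's).
# obs rows: (timestamp, ip, mac, switchport, vlan) from ARP/MAC-table scrapes.
ARP_SAMPLES = [
    ("2007-11-14 10:00", "10.1.2.3", "00:11:22:33:44:55", "sw1:Gi1/0/7", 120),
    ("2007-11-14 10:05", "10.1.2.3", "00:11:22:33:44:55", "sw1:Gi1/0/7", 120),
    ("2007-11-14 10:10", "10.1.2.3", "00:11:22:33:44:55", "sw1:Gi1/0/7", 120),
    ("2007-11-14 10:15", "10.1.2.3", "00:11:22:33:44:55", "sw1:Gi1/0/12", 120),
    ("2007-11-14 10:20", "10.1.2.9", "00:de:ad:be:ef:01", "sw2:Gi1/0/3", 130),
]
# auth rows: (timestamp, mac, userid) from RADIUS/ACS accounting.
RADIUS_SAMPLES = [("2007-11-14 10:00", "00:11:22:33:44:55", "jsmith")]

SCHEMA = """
CREATE TABLE obs (ts_start TEXT, ts_end TEXT, ip TEXT, mac TEXT,
                  port TEXT, vlan INTEGER);
CREATE TABLE auth (ts TEXT, mac TEXT, userid TEXT);
"""
TS_FMT = "%Y-%m-%d %H:%M"


def minutes_between(a, b):
    return (datetime.strptime(b, TS_FMT) - datetime.strptime(a, TS_FMT)).seconds / 60


def load(arp_rows, auth_rows):
    """Each five-minute scrape becomes a zero-length interval row."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.executemany("INSERT INTO obs VALUES (?,?,?,?,?,?)",
                   [(ts, ts, ip, mac, port, vlan) for ts, ip, mac, port, vlan in arp_rows])
    db.executemany("INSERT INTO auth VALUES (?,?,?)", auth_rows)
    db.commit()
    return db


def compact(db, max_gap_minutes=5):
    """Resolution reduction: adjacent snapshots of an unchanged
    (ip, mac, port, vlan) tuple collapse into one interval row.
    Returns the number of rows eliminated."""
    rows = db.execute("SELECT ts_start, ts_end, ip, mac, port, vlan FROM obs "
                      "ORDER BY ip, mac, port, vlan, ts_start").fetchall()
    merged = []
    for r in rows:
        if (merged and merged[-1][2:] == r[2:]
                and minutes_between(merged[-1][1], r[0]) <= max_gap_minutes):
            merged[-1] = (merged[-1][0], r[1]) + r[2:]   # extend the interval
        else:
            merged.append(r)
    db.execute("DELETE FROM obs")
    db.executemany("INSERT INTO obs VALUES (?,?,?,?,?,?)", merged)
    db.commit()
    return len(rows) - len(merged)


def locate(db, field, value):
    """Query by ip, mac, port, vlan or userid. Each interval carries the
    userid most recently authenticated for that MAC (None if unknown)."""
    if field == "userid":
        where = "o.mac IN (SELECT mac FROM auth WHERE userid = ?)"
    elif field in ("ip", "mac", "port", "vlan"):
        where = f"o.{field} = ?"          # column name is whitelisted above
    else:
        raise ValueError(field)
    return db.execute(f"""
        SELECT o.ts_start, o.ts_end, o.ip, o.mac, o.port, o.vlan,
               (SELECT a.userid FROM auth a
                 WHERE a.mac = o.mac AND a.ts <= o.ts_end
                 ORDER BY a.ts DESC LIMIT 1)
        FROM obs o WHERE {where} ORDER BY o.ts_start""", (value,)).fetchall()


def watchlist_hits(db, watched_macs):
    """BigBrother-style check: which watched MACs have appeared, and the
    last (ts_end, ip, port) each was seen at."""
    hits = {}
    for mac in watched_macs:
        row = db.execute("SELECT ts_end, ip, port FROM obs WHERE mac = ? "
                         "ORDER BY ts_end DESC LIMIT 1", (mac,)).fetchone()
        if row:
            hits[mac] = row
    return hits


if __name__ == "__main__":
    db = load(ARP_SAMPLES, RADIUS_SAMPLES)
    print("rows eliminated by compaction:", compact(db))
    for row in locate(db, "ip", "10.1.2.3"):
        print(row)
    print(watchlist_hits(db, ["00:de:ad:be:ef:01", "00:aa:bb:cc:dd:ee"]))
```

Compaction here runs over the whole table at once; a production version would apply it only to entries older than some threshold, as the post describes, so that recent data keeps its full five-minute resolution for incident work.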
Russell Fulton wrote:

