NAT Logging

Tracing back IP addresses to the actual users and devices is a critical requirement in modern criminal investigations. Sometimes a source IP address, a TCP port number, date and time are the first or only leads available to a criminal or suspected terrorist.

Finding the user of such IP address and port number is sometimes difficult to impossible. One key challenge is the fact that many Internet Service Providers use NAT/NAPT (Network Address and Port Translation) for sharing IP addresses among a larger group of users or for security reasons. In practice, NAT breaks the traceability of source IP addresses, because the translation of addresses is highly volatile and commonly not recorded by the ISP.

Utimaco has developed an on-switch and off-switch solution to generate and load NAT logs to the Utimaco DRS in near-realtime. The on-switch approach reads and correlates NAT logs and AAA logs from available resources. Our unique off-switch solution generates the log data by filtering and correlating all pre-NAT and post-NAT IP traffic with AAA data captured from the network. Latest generation FPGA technology overcomes the processing limitations of software based logging solutions, such as incomplete data, limited protocol support, missing byte counts.

All aggregated Internet Connection Records (also known as Internet Protocol Detail Records - IPDR's) can be loaded to the Utimaco DRS for long-term retention and analysis. With Utimaco DRS, operators can trace back IP addresses to individual users, phone numbers and geographical locations. The Utimaco Data Retention Suite provides comprehensive security features for controlled data access by telecom operators and/or law enforcement agencies.

>> Further information and documents <<