On Mon, 2004-02-02 at 00:17, Ewen McNeill wrote:
> An alternative approach to that type of thing is possibly just to heavily firewall -- at the ISP end of the link -- connections to all "potential n00b" users (SMTP to ISP mail server, POP/IMAP/HTTP/HTTPS to wherever and a few other common things) by default.
In a sense this is what we do at the university. All addresses are heavily firewalled by default, but departmental IT support staff can set up (with a few restrictions) pretty much whatever they want (or will be able to when I implement the next set of changes when I get back from leave -- for some reason nobody liked the idea of me doing it just before I disappeared for a month). The current system is based on a large (and confusing :( ) set of access classes because that was the way our old firewall worked. We are now using OBSD's pf and I have written a nice web/mysql interface as part of our network management system that will allow much more flexibility.

This system works well. I do occasional sanity checks and every now and again I will question why something is set up the way it is (usually there is a good explanation, but sometimes people have misunderstood requirements or have simply opened things right up to get something going and either forgot or didn't bother to tighten things up again).

We also do extensive monitoring of both inbound and outbound traffic and (although we don't do it) you could automatically quarantine users that appear to be infected or 0wned. A quarantined user could still get to their email, which would tell them what was happening, and to the support web site that would give them guidance on what to do, but would be isolated from the 'Net at large.

In case anyone is interested, what we actually do when we find that machines have problems is contact the departmental or faculty IT support staff, who deal with it. In the case where there is evidence of active 'cracker' activity we isolate the machine at the firewall, but this is a manual process. I believe that network administrators (both corporate and ISP) need to be proactive in looking for trouble and to have effective means of dealing with machines that are causing it.
It has been quite a while since I looked, but it is very clear from the monitoring that I do which NZ ISPs are proactive in this area and which are not. At the moment I suspect this simply reflects how the respective ISPs deal with abuse notices.

-- 
Russell Fulton
Network Security Officer
The University of Auckland, New Zealand

/~\ The ASCII Ribbon Campaign
\ /
 X  Against HTML Email!
/ \
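The "default deny, departmental exceptions, quarantine table" setup described in the message above, sketched as an OpenBSD pf.conf. This is an added illustration written for this archive, not Russell's actual configuration or the University of Auckland's; the interface names, addresses, the <quarantine> and <dept_allow> table names and the /etc/pf.dept_allow file path are all constructed placeholders, and the explicit "keep state" is there so the rules read the same on pf versions before stateful-by-default.

```pf
# Added example, not the poster's real ruleset. All names/addresses are placeholders.
ext_if      = "em0"
int_if      = "em1"
campus_net  = "10.0.0.0/8"      # placeholder for the campus address space
mail_server = "10.1.1.25"       # placeholder: campus mail server
support_web = "10.1.1.80"       # placeholder: IT support web site

# Hosts believed to be infected/0wned. Filled by hand (or by a monitoring job).
table <quarantine> persist
# Per-department exceptions, generated by the web/DB front end into a flat file.
table <dept_allow> persist file "/etc/pf.dept_allow"

set skip on lo0
set block-policy drop

# Default deny in both directions; log so the monitoring side sees what was dropped.
block log all

# Quarantined hosts: only their mail and the support site, then stop evaluating.
pass in quick on $int_if proto tcp from <quarantine> to $mail_server \
    port { 25, 110, 143, 993, 995 } keep state
pass in quick on $int_if proto tcp from <quarantine> to $support_web \
    port { 80, 443 } keep state
block in quick log on $int_if from <quarantine>

# Everyone else gets a small set of common services by default
# (SMTP only to the campus relay, web and mail retrieval anywhere, DNS).
pass in on $int_if proto tcp from $campus_net to $mail_server port 25 keep state
pass in on $int_if proto tcp from $campus_net to any \
    port { 80, 443, 110, 143, 993, 995 } keep state
pass in on $int_if proto udp from $campus_net to any port 53 keep state
pass out on $ext_if from $campus_net keep state

# Departmental exceptions: last matching rule wins, so these override the defaults
# for listed hosts but never for anything in <quarantine> (blocked with quick above).
pass in on $int_if from <dept_allow> keep state
```

Isolating a machine then becomes a table edit rather than a ruleset change: `pfctl -t quarantine -T add 10.2.3.4` puts it behind the quarantine rules immediately, `pfctl -k 10.2.3.4` tears down any states it already holds so open connections do not survive the change, and `pfctl -t quarantine -T delete 10.2.3.4` releases it once support staff have cleaned it up. Because the quarantine rules are evaluated first and carry `quick`, a host in both tables is still confined.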