On Mon, 2004-02-02 at 00:17, Ewen McNeill wrote:
> An alternative approach to that type of thing is possibly just to
> heavily firewall -- at the ISP end of the link -- connections to all
> "potential n00b" users (SMTP to ISP mail server, POP/IMAP/HTTP/HTTPS to
> wherever and a few other common things) by default.
In a sense this is what we do at the university. All addresses are
heavily firewalled by default, but departmental IT support staff can set
up (with a few restrictions) pretty much whatever they want (or will be
able to when I implement the next set of changes when I get back from
leave -- for some reason nobody liked the idea of me doing it just before
I disappeared for a month).
The current system is based on a large (and confusing :( ) set of access
classes because that was the way our old firewall worked. We are now
using OBSD's pf and I have written a nice web/mysql interface as part of
our network management system that will allow much more flexibility.
This system works well. I do occasional sanity checks and every now and
again I will question why something is set up the way it is (usually
there is a good explanation, but sometimes people have misunderstood
requirements or have simply opened things right up to get something going
and either forgot or did not bother to tighten things up again).
We also do extensive monitoring of both inbound and outbound traffic
and (although we don't do it) you could automatically quarantine users
that appear to be infected or 0wned. A quarantined user could still get
to their email, which would tell them what was happening, and to the
support web site, which would give them guidance on what to do, but would
be isolated from the 'Net at large.
In case anyone is interested, what we actually do when we find that
machines have problems is contact the departmental or faculty IT support
staff, who deal with it. In the case where there is evidence of active
'cracker' activity we isolate the machine at the firewall, but this is a
I believe that network administrators (both corporate and ISP) need to
be proactive in looking for trouble and to have effective means of
dealing with machines that are causing it.
It has been quite a while since I looked, but it is very clear from the
monitoring that I do which NZ ISPs are proactive in this area and which
are not. At the moment I suspect this simply reflects how the
respective ISPs deal with abuse notices.
Russell Fulton /~\ The ASCII
Network Security Officer \ / Ribbon Campaign
The University of Auckland X Against HTML
New Zealand / \ Email!
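The quarantine policy Russell describes (default-deny baseline, per-department exceptions, and an isolated class of hosts that can still reach mail and a support page) maps naturally onto a pf table. The pf.conf sketch below is an added example written for this page, not the University of Auckland's ruleset or the web/mysql front end mentioned above; the interface names, the 192.0.2.0/24 addresses (RFC 5737 documentation space), the anchor name and the table name are all assumptions made for illustration.

```pf
# Added example, not the original poster's configuration. Interface names,
# addresses and the anchor/table names below are assumed for illustration.
ext_if   = "em0"         # uplink towards the Internet (assumed)
int_if   = "em1"         # campus / customer side (assumed)
mail_srv = "192.0.2.25"  # mail server that carries the "you are quarantined" notice (assumed)
help_web = "192.0.2.80"  # support web site with clean-up instructions (assumed)
dns_srv  = "{ 192.0.2.53, 192.0.2.54 }"  # local resolvers (assumed)

# Hosts believed to be infected or 0wned. "persist" keeps the table alive
# even when empty, so a monitoring script (or an operator) can add and
# remove entries with pfctl without reloading the whole ruleset.
table <quarantine> persist

set skip on lo0
block log all                       # default deny in both directions

# --- Quarantine class: evaluated first, "quick" so nothing below applies ---
# DNS must stay open or the user cannot even resolve the mail and support
# hosts named in the notice; this is the rule most often forgotten.
pass in quick on $int_if proto udp from <quarantine> to $dns_srv port 53 keep state
# Mail: submission plus POP3/IMAP (plain and TLS) to the mail server only.
pass in quick on $int_if proto tcp from <quarantine> to $mail_srv \
    port { 587, 110, 143, 993, 995 } keep state
# Support web site only, so the user can read what happened and what to do.
pass in quick on $int_if proto tcp from <quarantine> to $help_web \
    port { 80, 443 } keep state
# Everything else from a quarantined host is dropped and logged.
block in log quick on $int_if from <quarantine>

# --- Heavily-firewalled baseline for everyone else ---
pass in on $int_if proto udp from $int_if:network to $dns_srv port 53 keep state
pass in on $int_if proto tcp from $int_if:network to $mail_srv \
    port { 25, 587, 110, 143, 993, 995 } keep state
pass in on $int_if proto tcp from $int_if:network to any port { 80, 443 } keep state

# --- Departmental exceptions ---
# A front end such as the web/mysql interface described in the post can
# write one rule file per department and load it into its own anchor
# (pfctl -a departments/<name> -f <file>) instead of editing this file.
anchor "departments/*"

# Replies and forwarded traffic that already matched a stateful rule above.
pass out on $ext_if keep state
```

Quarantining a host is then a table operation rather than a rule change: `pfctl -t quarantine -T add 192.0.2.137` isolates it immediately, `pfctl -k 192.0.2.137` kills the states it already holds so existing connections do not survive the change, and `pfctl -t quarantine -T delete 192.0.2.137` releases it once the department's IT staff report it clean. `pfctl -t quarantine -T show` gives the list for the occasional sanity check. Two caveats worth keeping in mind: because the block is on `$int_if`, a quarantined host is only isolated from the far side of the firewall and can still reach other hosts on its own segment; and the rule ordering matters, since the `quick` quarantine rules must sit before the baseline and the departmental anchor or a permissive departmental rule would silently override the quarantine.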