North American Network Operators Group


Re: Quarantaine network for infected hosts?

  • From: Hani Mustafa
  • Date: Mon Dec 01 14:09:22 2003


> I wrote up a quick note on what we do at:

Quote from "Known Issues":

"One of the unfortunate side effects of it is that some spyware/adware either overrides your DNS settings with their own or makes an HTTP call to their website before allowing the browser to download a page normally."

A different way to tackle this problem (instead of the DNS views approach) is to do it at a lower level. Something like Cisco's SSG (*) can be used to do the equivalent of DNAT for a specified set of source addresses.

This being a static configuration, I wonder if SSG's original purpose can be used as a solution which does not need DHCP. In this case, all network users would, by default, be redirected to a "verification website" (whatever verification method is used to determine whether this host is infected), after which the user is allowed to pass through the gateway without manipulating the packets IF the box was confirmed clean.

On a separate note, with the complexity of setting up SSG aside, you can easily implement something like this using iptables' REDIRECT target. ("iptables -s -j REDIRECT ..." or something)

~Hani Mustafa
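As an added illustration of the "verify first, then pass through untouched" gateway sketched in this message (example code, not from the post or from any vendor), the script below generates the iptables rules for it: HTTP from any host on the client subnet is redirected to a local verification portal, and hosts that the portal has confirmed clean are exempted by an ACCEPT in the nat table, which stops NAT processing for them. The interface name, the client subnet (a documentation range), the portal port and the chain name are assumptions; by default the script prints the commands so they can be reviewed, and applies them only when APPLY=1 is set on a real gateway.

```shell
#!/bin/sh
# Added example: iptables rules for a quarantine gateway that redirects
# unverified hosts to a verification portal. Values below are assumptions.

LAN_IF="${LAN_IF:-eth1}"            # assumed inside (client-facing) interface
LAN_NET="${LAN_NET:-192.0.2.0/24}"  # assumed client subnet (documentation range)
PORTAL_PORT="${PORTAL_PORT:-8080}"  # assumed local port the verification site listens on
CLEAN_CHAIN="QUARANTINE_CLEAN"      # assumed name of the exemption chain

# Print each rule by default; run it for real only when APPLY=1 (needs root).
emit() {
    if [ "${APPLY:-0}" = "1" ]; then
        iptables "$@"
    else
        echo "iptables $*"
    fi
}

# Base ruleset: port-80 traffic from the client subnet first visits the
# exemption chain; anything not exempted there is redirected to the portal.
# Because this matches packets rather than DNS answers, a host whose DNS
# settings were overridden by adware is still caught.
gen_rules() {
    emit -t nat -N "$CLEAN_CHAIN"
    emit -t nat -A PREROUTING -i "$LAN_IF" -s "$LAN_NET" -p tcp --dport 80 -j "$CLEAN_CHAIN"
    emit -t nat -A PREROUTING -i "$LAN_IF" -s "$LAN_NET" -p tcp --dport 80 \
         -j REDIRECT --to-ports "$PORTAL_PORT"
}

# Exempt one host once the portal has confirmed it clean. In the nat table an
# ACCEPT means "no NAT for this packet", so the REDIRECT rule is never reached.
# The argument is checked to look like an IPv4 address before it becomes a rule.
mark_clean() {
    case "$1" in
        ""|*[!0-9./]*)
            echo "mark_clean: expected an IPv4 address, got '$1'" >&2
            return 1 ;;
    esac
    emit -t nat -A "$CLEAN_CHAIN" -s "$1" -j ACCEPT
}

# Put a host back into quarantine (for example after a re-scan fails).
unmark_clean() {
    emit -t nat -D "$CLEAN_CHAIN" -s "$1" -j ACCEPT
}
```

Usage, on the gateway: source the file and call `gen_rules` once at startup, then have the verification portal call `mark_clean <address>` for each host it clears (`APPLY=1` for the real run, omitted for a dry run that only prints the commands). Only port 80 is redirected here; the portal itself, DNS and any other services the verification step needs must be reachable from quarantined hosts through ordinary filter rules.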