North American Network Operators Group


Re: Quarantine your infected users spreading malware

  • From: David Nolan
  • Date: Wed Mar 01 08:38:18 2006

--On Tuesday, February 28, 2006 14:39:37 -0500 David Nolan <[email protected]> wrote:

> We use a couple of techniques at Carnegie Mellon, depending on the network
> scenario.
>
> The DHCP based technique outlined above requires no extra infrastructure,
> just extra configuration, so it is what we use for most of our campus
> wired networks.  We use the same setup as our registration helper
> network, so our internal name for the DHCP based quarantine system is
> QuickReg.  An unknown or banned client gets an address in 1918
> space and can only access our abuse tracking, patch download and network
> registration systems.

Following up my own post. I know, it's always bad etiquette, but I forgot to mention something.

We're also using an active suspension mechanism for these networks to block clients with current valid DHCP leases instantly. We use Unicast Reverse Path Filtering (*) and /32 host routes injected into our OSPF cloud via quagga (ospf routing daemon on a unix server).

This means a suspended host loses all network connectivity immediately, until they re-dhcp, at which point they'll have an RFC 1918 address and have access to the quarantine network. This also handles the occasional statically configured host.

We can also use this system to filter external hosts without having to manipulate border router acls frequently.


(*): For anyone who doesn't know, URPF is essentially a way to do automatic acls, comparing the source IP of an incoming packet to the routing table to verify the packet should have come from this interface. With the right hardware this is significantly cheaper than acl processing. And it's certainly easier to maintain. And by injecting a /32 null route into the route table you can cause a host's local router to start discarding all traffic from that IP.


-David Nolan
Network Software Designer
Computing Services
Carnegie Mellon University
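An added illustration of the suspension mechanism described in the post above (this is not code from the post or from Carnegie Mellon): a small model of a strict-mode URPF check on an access router, run before and after a /32 host route is injected into its routing table the way the OSPF-injected route would be. The interface names, the documentation-range subnets and the suspended host address are all constructed for the example; the injected route is assumed to point back toward the route server over a core interface, so the strict check fails on the host's own access VLAN.

```python
import ipaddress

# Constructed routing table of an access router: (prefix, egress interface).
# The campus subnets use documentation ranges; "core0" faces the route server.
ROUTES = [
    ("0.0.0.0/0", "uplink0"),
    ("192.0.2.0/24", "vlan10"),
    ("198.51.100.0/24", "vlan20"),
]

def lookup(routes, addr):
    """Longest-prefix match: return the egress interface for addr, or None."""
    ip = ipaddress.ip_address(addr)
    best = None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None

def strict_urpf_permits(routes, src, ingress_iface):
    """Strict URPF: forward the packet only if the best route back to its
    source address leaves through the interface the packet arrived on."""
    return lookup(routes, src) == ingress_iface

def suspend_host(routes, host_ip, via_iface="core0"):
    """Model the injected /32 (assumed next hop: the route server via core0).
    Afterwards the /32 wins longest-prefix match over the access VLAN's /24,
    so the host's traffic on its own VLAN no longer passes strict URPF."""
    return routes + [(f"{host_ip}/32", via_iface)]

def unsuspend_host(routes, host_ip):
    """Withdraw the /32 so the host's normal /24 route applies again."""
    return [r for r in routes if r[0] != f"{host_ip}/32"]

if __name__ == "__main__":
    host = "192.0.2.57"  # constructed address of the host being suspended
    print("before:", strict_urpf_permits(ROUTES, host, "vlan10"))
    suspended = suspend_host(ROUTES, host)
    print("after: ", strict_urpf_permits(suspended, host, "vlan10"))
```

Only the suspended /32 is affected; other hosts on the same VLAN keep passing the check, which is the property that makes per-host suspension cheaper than editing interface acls.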