North American Network Operators Group


Quarantining infected hosts (Was: FBI tells the public to call their ISP for help)

  • From: Jeroen Massar
  • Date: Sun Jun 17 10:17:38 2007
  • Openpgp: id=333E7C23

Frank Bulk wrote:
> The Billy Goat product only seems to detect and notify of nefarious activity,
> but it does nothing for the owned clients.
> I want something that restricts my owned subscribers to downloading updates
> and tools while preventing them from spewing forth more spam and the like.

A Billy Goat will nicely quarantine the host that is infected; that is
the whole goal of the system. What access is still allowed when the host
is in that quarantine is of course a matter of policy. Allowing them to
access things like Windows Update and providing at least a good
virus scanner + SpyBot Search&Destroy etc. is most likely a good thing to
do for these situations.

IMHO ISPs should by default simply feed port 25 outbound through their
own SMTP relays. BUT always have a very easy way (e.g. a Control Panel
behind a user/pass on a website) to disable this kind of filtering. This
is what XS4all does and it seems to have a lot of effect but still
allows anybody who doesn't 'want' this protection to use the Internet
the way they want it, and not the way that is prescribed for them. Of
course, when they disable the filter it becomes very easy, when something
does go wrong, to laugh at them and not allow them to turn the filter off
unless they pay a fine or something similar ;)

For that matter, why don't ISPs start doing that: introduce a fine. When
somebody gets infected, and thus doesn't take good care of his/her/its
computer, fine them. Let them pay, say, $25 to get fully back on the
Internet and only allow a very slow rate of traffic in the meantime.

Of course, the argument most likely goes then that they will swap ISPs,
but they will quickly run out of those and of course ISPs don't want to
lose clients over it, as the ignorant are the ones that provide the
simple cash.

> Mirage Networks is the closest to it, from my limited knowledge.

As mentioned, there are most likely different products in this area
which can resolve your problem. Also, one can always run your own(tm).


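The two mechanisms discussed in this post, a quarantine that leaves an infected host only its update/AV sites, and a default outbound port-25 steer to the ISP relay with a per-customer opt-out, are sketched below as a small policy model that also renders itself as iptables rules. This is an added example, not code from Billy Goat, XS4all or the poster; every address is an RFC 5737 documentation range standing in for real servers, and the "update CDN" and "AV vendor" networks are assumptions.

```python
"""Per-subscriber quarantine and outbound port-25 policy for an ISP access
router, modelled in Python and rendered as iptables-restore lines.
Added example; all addresses below are constructed placeholders."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumed infrastructure (RFC 5737 documentation addresses, not real hosts):
ISP_SMTP_RELAY = ip_address("192.0.2.25")      # ISP's own outbound relay
RESOLVERS = [ip_address("192.0.2.53")]          # ISP recursive resolver
UPDATE_NETS = [ip_network("203.0.113.0/28"),    # OS update CDN (assumed)
               ip_network("203.0.113.64/28")]   # AV / anti-spyware vendor (assumed)
UPDATE_PORTS = {80, 443}


@dataclass
class Subscriber:
    addr: str                   # subscriber's public IPv4 address
    quarantined: bool = False   # set by the detection system (Billy Goat etc.)
    smtp_filter: bool = True    # False once the user opts out in the control panel


def decide(sub: Subscriber, dst: str, dport: int, proto: str = "tcp") -> str:
    """Action for one outbound flow: 'accept', 'drop' or 'dnat <relay>:25'."""
    dst_ip = ip_address(dst)
    if sub.quarantined:
        # Quarantine policy: DNS to our resolvers plus HTTP(S) to the
        # update/AV hosts only; everything else, including mail, is dropped.
        if proto == "udp" and dport == 53 and dst_ip in RESOLVERS:
            return "accept"
        if proto == "tcp" and dport in UPDATE_PORTS and any(dst_ip in n for n in UPDATE_NETS):
            return "accept"
        return "drop"
    # Clean host: transparently steer port 25 to the ISP relay unless the
    # subscriber has switched the filter off (or is already talking to it).
    if proto == "tcp" and dport == 25 and sub.smtp_filter and dst_ip != ISP_SMTP_RELAY:
        return f"dnat {ISP_SMTP_RELAY}:25"
    return "accept"


def iptables_rules(subs: list) -> list:
    """Render the same policy as iptables-restore lines (returned, not applied)."""
    nat = ["*nat"]
    filt = ["*filter", ":QUARANTINE - [0:0]"]
    for s in subs:
        if s.quarantined:
            filt.append(f"-A FORWARD -s {s.addr} -j QUARANTINE")
        elif not s.smtp_filter:
            # Opt-out: leave PREROUTING before the catch-all DNAT below.
            nat.append(f"-A PREROUTING -s {s.addr} -p tcp --dport 25 -j RETURN")
    # Default for everyone else: port 25 goes to the relay.
    nat.append(f"-A PREROUTING -p tcp --dport 25 -j DNAT --to-destination {ISP_SMTP_RELAY}:25")
    for r in RESOLVERS:
        filt.append(f"-A QUARANTINE -p udp --dport 53 -d {r} -j ACCEPT")
    for n in UPDATE_NETS:
        for p in sorted(UPDATE_PORTS):
            filt.append(f"-A QUARANTINE -p tcp --dport {p} -d {n} -j ACCEPT")
    filt.append("-A QUARANTINE -j DROP")
    return nat + ["COMMIT"] + filt + ["COMMIT"]


if __name__ == "__main__":
    table = [Subscriber("198.51.100.10"),
             Subscriber("198.51.100.11", smtp_filter=False),
             Subscriber("198.51.100.12", quarantined=True)]
    print("\n".join(iptables_rules(table)))
```

The ordering matters in the rendered rules: each opted-out subscriber's RETURN has to sit above the catch-all DNAT, and the QUARANTINE chain is consulted before the relay is reachable, so a quarantined host cannot use the ISP relay to keep spamming while it downloads its updates.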