Security v. Privacy (was Re: Is there anything that actually gets users to fix their computers?)

Matthew Sullivan matthew at sorbs.net
Mon Oct 6 06:32:08 UTC 2003


Sean Donelan wrote:

>> The difference being campus machines are null routed rather than
>> disconnected, and they are not reconnected until checked and clean.
>
> And once again, the question: how do you know the machines have been
> checked and cleaned before they are reconnected?  Do you take the
> customers' word, or do you perform some other check yourself?
>
If it's in the campus we take their word for it the first time 
(local/dept IT personnel only).

Dialups/externals we take their word for it the first time.

Second time for campus machines they are usually checked over by a 
member of the ITS security team.

Second time for dialups/externals we again take their word for it, however 
we warn strongly about the 3rd time.

Third time externals/dialups don't connect with us again.

Campus machines - I have yet to have this happen.

>> Network security is high priority here and it doesn't matter what
>> machine is compromised, they are all disconnected in one way or another,
>> and yet we still have to nuke machines occasionally because of
>> suspicious (DDoS/scanning etc) traffic.
>
> Seems like a reactive policy.  Why don't you check the computers before
> they start exhibiting suspicious behavior, such as when they are first
> connected to the network?  Waiting until after the computer is compromised
> is too late.
>
Already doing this...  except we are also actively scanning (new policy) 
all computers connected periodically.  It has taken a loooooooong time 
to get the train of thought that scanning is a good thing.  (FYI using 
Nessus)

> Should commercial service providers have the same policy when new
> customers connect to the network?
>
That is still reactive here, but I see no real reason why it shouldn't be.

> Or is it considered a bad thing to warn customers about vulnerabilities
> in their computers in advance, instead waiting until after you receive a
> complaint about something exploiting those vulnerabilities before taking
> action?
>
Personally I feel there are 3 problems....

1/ Some people are already security conscious and will give you merry 
hell over security scans (filling logs, false positives etc)
2/ Some people consider it an invasion of privacy - personally I'd tell 
these people to go elsewhere if it was up to me.
3/ People install software after installing the machines and getting 
them connected.

/ Mat
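The escalation ladder Mat describes (null route or disconnect on the first incident, stricter verification on the second, a permanent cut-off for externals on the third) is easy to lose track of when it lives only in people's heads. The following is an added example, not code from the original post or from SORBS: a small Python state machine that records strikes per host, applies the class-dependent action, and gates reconnection on who is allowed to vouch for the clean-up. The incident feed, host addresses and the `owner` / `local_it` / `security_team` verifier labels are constructed for the example.

```python
"""Per-host escalation ladder as a small state machine (hypothetical
example; not code from the original thread).  A real deployment would
feed this from an abuse or IDS ticket queue and drive the null route or
port shutdown from the returned action."""
from dataclasses import dataclass, field

CAMPUS, EXTERNAL = "campus", "external"

# Constructed sample feed: (host, class, reason) in arrival order.
INCIDENTS = [
    ("10.1.2.3", CAMPUS, "scanning"),
    ("203.0.113.7", EXTERNAL, "ddos"),
    ("10.1.2.3", CAMPUS, "ddos"),
    ("203.0.113.7", EXTERNAL, "scanning"),
    ("203.0.113.7", EXTERNAL, "spam"),
]


@dataclass
class HostState:
    cls: str
    strikes: int = 0
    isolated: bool = False   # null routed (campus) or disconnected (external)
    banned: bool = False     # third strike for externals/dialups
    history: list = field(default_factory=list)


def decide(state: HostState, reason: str) -> str:
    """Record one incident, isolate the host and return the action taken."""
    state.strikes += 1
    state.isolated = True
    n = state.strikes
    if state.cls == CAMPUS:
        # Campus boxes are null routed; the first time local IT's word is
        # enough, from the second time the security team checks the box.
        if n == 1:
            action = "null-route; accept local IT's word to reconnect"
        else:
            action = "null-route; ITS security must verify before reconnect"
    else:
        if n == 1:
            action = "disconnect; accept customer's word to reconnect"
        elif n == 2:
            action = "disconnect; accept word, warn that next strike is final"
        else:
            state.banned = True
            action = "disconnect permanently"
    state.history.append((reason, action))
    return action


def reconnect(state: HostState, verified_by: str) -> bool:
    """Reconnect gate: who may vouch for the clean-up depends on host class
    and strike count.  verified_by is 'owner', 'local_it' or 'security_team'."""
    if state.banned or not state.isolated:
        return False
    if state.cls == CAMPUS:
        allowed = {"local_it", "security_team"} if state.strikes == 1 \
            else {"security_team"}
    else:
        allowed = {"owner"}
    if verified_by in allowed:
        state.isolated = False
        return True
    return False


def run(incidents) -> dict:
    """Replay an incident feed and return the resulting per-host states."""
    states: dict = {}
    for host, cls, reason in incidents:
        st = states.setdefault(host, HostState(cls))
        decide(st, reason)
    return states


if __name__ == "__main__":
    for host, st in run(INCIDENTS).items():
        print(host, st.cls, "strikes=%d banned=%s" % (st.strikes, st.banned))
        for reason, action in st.history:
            print("   ", reason, "->", action)
```

The useful property is that the reconnect decision is made by the same code that recorded the strike, so the "do you take their word for it" question from the thread has one answer per host rather than whatever the on-call engineer remembers.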



