Security v. Privacy (was Re: Is there anything that actually gets users to fix their computers?)
Matthew Sullivan
matthew at sorbs.net
Mon Oct 6 06:32:08 UTC 2003
Sean Donelan wrote:
>>The difference being campus machines are null routed rather than
>>disconnected, and they are not reconnected until checked and clean.
>
>And once again, the question: how do you know the machines have been
>checked and cleaned before they are reconnected? Do you take the
>customer's word, or do you perform some other check yourself?
>
If it's in the campus we take their word for it the first time
(local/dept IT personnel only).
Dialups/externals we take their word for it the first time.
Second time for campus machines they are usually checked over by a
member of the ITS security team.
Second time for dialups/externals again take their word for it, however
warn strongly about the 3rd time.
Third time externals/dialups don't connect with us again.
Campus machines - I have yet to have this happen.
>>Network security is high priority here and it doesn't matter what
>>machine is compromised, they are all disconnected in one way or another,
>>and yet we still have to nuke machines occasionally because of
>>suspicious (DDoS/scanning etc) traffic.
>
>Seems like a reactive policy. Why don't you check the computers before
>they start exhibiting suspicious behavior, such as when they are first
>connected to the network? Waiting until after the computer is compromised
>is too late.
>
Already doing this... except we are also actively scanning (new policy)
all computers connected periodically. It has taken a loooooooong time
to get the train of thought that scanning is a good thing. (FYI using
Nessus)
>Should commercial service providers have the same policy when new
>customers connect to the network?
>
That is still reactive here, but I see no real reason why it shouldn't be.
>Or is it considered a bad thing to warn customers about vulnerabilities
>in their computers in advance, instead waiting until after you receive a
>complaint about something exploiting those vulnerabilities before taking
>action?
>
Personally I feel there are 3 problems....
1/ Some people are already security conscious and will give you merry
hell over security scans (filling logs, false positives etc.)
2/ Some people consider it an invasion of privacy - personally I'd tell
these people to go elsewhere if it was up to me.
3/ People install software after installing the machines and getting
them connected.
/ Mat