nanog mailing list archives

Re: Security v. Privacy (was Re: Is there anything that actually gets users to fix their computers?)

From: Sean Donelan <sean () donelan com>
Date: Mon, 6 Oct 2003 01:14:37 -0400 (EDT)

The difference being campus machines are null routed rather than
disconnected, and they are not reconnected until checked and clean.


And once again, the question: how do you know the machines have been
checked and cleaned before they are reconnected?  Do you take the
customers word, or do you perform some other check yourself?

Network security is high priority here and it doesn't matter what
machine is compromised, they are all disconnected in one way or another,
and yet we still have to nuke machines occasionally because of
suspicious (DDoS/scanning etc) traffic.


Seems like a re-active policy.  Why don't you check the computers before
they start exhibiting suspicious behavior, such as when they are first
connected to the network?  Waiting until after the computer is compromised
is too late.

Some companies require all new computers to pass a network scan (e.g.
ISS, Nessus, Retina, etc) before getting assigned a routable address.
Should commercial service providers have the same policy when new
customers connect to the network?

Or is it considered a bad thing to warn customers about vulnerabilities
in their computers in advance.  Instead waiting until after your receive a
complaint about something exploiting those vulnerabilities before taking
action?

Current thread:

Re: Is there anything that actually gets users to fix their computers?, (continued)
- - - Re: Is there anything that actually gets users to fix their computers? Kee Hinckley (Oct 04)
    - Re: Is there anything that actually gets users to fix their computers? Suresh Ramasubramanian (Oct 04)
    - Security v. Privacy (was Re: Is there anything that actually gets users to fix their computers?) Sean Donelan (Oct 05)
    - Re: Security v. Privacy (was Re: Is there anything that actually gets users to fix their computers?) Suresh Ramasubramanian (Oct 05)
    - Re: Security v. Privacy (was Re: Is there anything that actually gets users to fix their computers?) Sean Donelan (Oct 05)
    - Re: Security v. Privacy (was Re: Is there anything that actually gets users to fix their computers?) Suresh Ramasubramanian (Oct 05)
    - Re: Security v. Privacy (was Re: Is there anything that actually gets users to fix their computers?) Matthew Sullivan (Oct 05)
    - Re: Security v. Privacy (was Re: Is there anything that actually gets users to fix their computers?) Suresh Ramasubramanian (Oct 05)
    - Re: Security v. Privacy (was Re: Is there anything that actually gets users to fix their computers?) Valdis . Kletnieks (Oct 05)
    - Re: Security v. Privacy (was Re: Is there anything that actually gets users to fix their computers?) Matthew Sullivan (Oct 05)
    - Re: Security v. Privacy (was Re: Is there anything that actually gets users to fix their computers?) Sean Donelan (Oct 05)
    - Re: Security v. Privacy (was Re: Is there anything that actually gets users to fix their computers?) Matthew Sullivan (Oct 05)
    - Re: Is there anything that actually gets users to fix their computers? Robert Boyle (Oct 05)
    - Re: Is there anything that actually gets users to fix their computers? Valdis . Kletnieks (Oct 05)
    - Kiss-o'-death packets? Sean Donelan (Oct 05)
    - Re: Kiss-o'-death packets? Paul (Oct 05)
    - Re: Kiss-o'-death packets? Valdis . Kletnieks (Oct 06)
    - Re: Kiss-o'-death packets? Sean Donelan (Oct 06)
    - Re: Kiss-o'-death packets? Peter Galbavy (Oct 06)
    - Re: Kiss-o'-death packets? Sean Donelan (Oct 06)
    - Re: Kiss-o'-death packets? Peter Galbavy (Oct 06)

(Thread continues...)