nanog mailing list archives
Re: Security v. Privacy (was Re: Is there anything that actually gets users to fix their computers?)
From: Matthew Sullivan <matthew () sorbs net>
Date: Mon, 06 Oct 2003 16:32:08 +1000
Sean Donelan wrote:
If it's in the campus we take their word for it the first time (local/dept IT personnel only).
The difference being campus machines are null routed rather than disconnected, and they are not reconnected until checked and clean.
And once again, the question: how do you know the machines have been checked and cleaned before they are reconnected? Do you take the customers word, or do you perform some other check yourself?
Dialups/externals we take their word for it the first time.
Second time for campus machines they are usually checked over by a member of the ITS security team.
Second time for dialups/externals again take their word for it, however warn strongly about the 3rd time.
Third time externals/dialups don't connect with us again. Campus machines - I have yet to have this happen.
Already doing this... except we are also actively scanning (new policy) all computers connected periodically. It has taken a loooooooong time to get the train of thought that scanning is a good thing. (FYI using Nessus)
Network security is high priority here and it doesn't matter what machine is compromised, they are all disconnected in one way or another, and yet we still have to nuke machines occasionally because of suspicious (DDoS/scanning etc) traffic.
Seems like a re-active policy. Why don't you check the computers before they start exhibiting suspicious behavior, such as when they are first connected to the network? Waiting until after the computer is compromised is too late.
Should commercial service providers have the same policy when new customers connect to the network?
That is still reactive here, but I see no real reason why it shouldn't be.
Or is it considered a bad thing to warn customers about vulnerabilities in their computers in advance. Instead waiting until after you receive a complaint about something exploiting those vulnerabilities before taking action?
Personally I feel there are 3 problems....
1/ Some people are already security conscious and will give you merry hell over security scans (filling logs, false positives etc)
2/ Some people consider it an invasion of privacy - personally I'd tell these people to go elsewhere if it was up to me.
3/ People install software after installing the machines and getting them connected.
/ Mat