Firewall Wizards mailing list archives

The home user problem returns


From: mason () schmitt ca
Date: Wed, 7 Sep 2005 19:34:54 -0700 (PDT)

Hi. Just sent my reply to "bots phoning home" and here's the follow up
email that I promised.

As an admin for an ISP, I'm pretty much stuck with default allow (for the
time being anyway).  Therefore, I've resigned myself to the fact and am
now trying to work within that constraint (odd that default allow is a
constraint...).  Here are some ideas (probably not mine, but I'd like to
think they are) that I'm working on to help with the "home user problem".
I sure hope this gets someone's juices flowing as I'd like to participate
in a discussion on this.


Idea 1
--------
Most ISPs around here now advertise bit caps, but most don't strictly
enforce them.  The common practice is to contact the top 10 each month and
"educate them" concerning their usage.  If the same customer shows up on
that list repeatedly, most ISPs reserve the right to deny service to that
customer.

I was thinking of taking a similar approach and setting up OSSIM
(http://www.ossim.net/whatis.php#h2:whatis) on our network and using it to
identify our top ten least secure hosts (perhaps more often than once a
month...).  When we call these people, rather than wield our mighty
clue-by-four, we approach it with the understanding that most of these
people don't have a clue about this stuff.  This hopefully allows us to
get our message out to receptive ears:

   There are 4 things that must be in place to provide a base level of
   security for the home user.  Firewall, windows updates, up to date
   antivirus that is configured for automatic updates, and an anti-spyware
   app also configured for automatic updates.

   And if the customer is actually concerned about their own data - backups.
                                                                                                                        
We can point them to some very straightforward info about these topics
online and tell them where to find half decent free tools if they are
unwilling to purchase software.

All of this doesn't require the customer to really change all that much,
so we also offer them some resources for learning about online safety and
security.

The hope is that by regularly interacting with our customers, people will
talk to each other.  We do service small towns, so people do talk to each
other here.

Finally, if the customer continues to get infected and doesn't seem to be
making any effort to improve the situation, we reserve the right to ask
them to go to a different provider.

I think this should be good for business, good for our network and for
raising the common level of clue.

The best thing is that my boss agrees.
Idea 2
--------
In a similar customer education vein, our plan is to do an event.  We are
going to advertise it like crazy and see if we can get people to come out
to a free-food,-literature-and-freebies-available kind of thing.  At this
event, I plan to do a few sessions throughout the day on some basic
security topics directed at very low tech home users.  I want to
specifically talk about online banking and online shopping; tell people
about spyware, how it gets on their computers, and what they can do to
prevent it; and talk to parents about online safety for kids.  If there
are any firewall wizards (or someone you know) in our area (Interior of
British Columbia) that might be interested in coming out to spread some
wisdom at such an event, I'd love to hear from you.

Idea 3
--------
Getting away from people oriented approaches now.  I'm planning to set up a
"leper colony" (kudos to whomever coined that term.  I also hope I'm not
offending anyone...).  The idea is simply to quarantine obviously infected
machines from the rest of our network, and preferably from other members
of the colony as well.  Upon being shoved into the colony, all attempts at
viewing web pages will take the customer to a web page telling them what's
wrong and what can be done to fix it.  They will also receive an email
from our ticket system.  The webpage the customer is directed to will
include a list of sites that they can go to, to do online scans for
viruses and spyware (they will be allowed to go to these sites - just not
the rest of the net) and the same links to more info that I mentioned in
idea 1.  Once the customer is sure they are clean, they can just click on
a link on the page to let them out of the colony.
                                                                                                                        
We already have the ability, via an automated system we have built, to
place customers into such a colony.

What remains is for me to have events on the network trigger the move to
the colony - this should be reasonably straightforward.  I'm going to use
our packetshaper to watch for high numbers of failed flows which 100% of
the time signifies a worm, also use the shaper to catch open socks
proxies.  The shaper will just send an snmp trap on these events.  I'd
like to extend this by also getting an IDS in place.  Finally, as part of
my current outbound mail hardening project, I'll also be able to trigger
events immediately upon seeing spam from a spam zombie - even if the
zombie is attempting to relay through our smarthost as opposed to the
usual direct-to-mx spam zombie activity.

I have some other ideas too, but that's about all I'm willing to bite off
for the next several months.

--
Mason
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
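As an added example (not from Mason's post, nor code from the packet shaper or ticket system it mentions), here is a small Python sketch of the Idea 3 trigger and walled garden: count failed flows per customer host, flag hosts at or over an assumed threshold, and let quarantined hosts reach only an assumed allowlist of online scan sites while every other web request is redirected to the notice page. The threshold, hostnames and flow records are all constructed for illustration.

```python
# Added example, not from the original post.  The threshold, allowlist,
# notice page and flow records are constructed assumptions; a real
# deployment would take these from the shaper's traps and ISP policy.
from collections import defaultdict
from dataclasses import dataclass

FAILED_FLOW_THRESHOLD = 50      # assumed: failed flows per host per window
SCAN_SITES = {"scanner.example.net", "av-online.example.org"}  # assumed allowlist
NOTICE_PAGE = "http://help.isp.example/quarantine"             # assumed

@dataclass(frozen=True)
class Flow:
    src: str      # customer host
    dst: str      # destination host or IP
    dport: int
    failed: bool  # True when the connection attempt never completed

def failed_flow_counts(flows):
    """Count failed flows per customer host (the worm signal from the post)."""
    counts = defaultdict(int)
    for f in flows:
        if f.failed:
            counts[f.src] += 1
    return dict(counts)

def hosts_to_quarantine(flows, threshold=FAILED_FLOW_THRESHOLD):
    """Hosts whose failed-flow count meets the threshold, worst first."""
    counts = failed_flow_counts(flows)
    return sorted((h for h, n in counts.items() if n >= threshold),
                  key=lambda h: -counts[h])

def walled_garden(quarantined, src, dst):
    """Quarantined hosts may reach only the scan sites; everything else is
    redirected to the notice page.  Non-quarantined hosts pass untouched."""
    if src not in quarantined or dst in SCAN_SITES:
        return "allow"
    return f"redirect:{NOTICE_PAGE}"

# Constructed sample: one host spraying failed connections to many
# addresses on one port (scanning-worm pattern), one normal host.
SAMPLE_FLOWS = (
    [Flow("10.0.0.7", f"192.0.2.{i}", 445, True) for i in range(1, 61)]
    + [Flow("10.0.0.9", "203.0.113.5", 443, False)] * 5
    + [Flow("10.0.0.9", "203.0.113.6", 80, True)]
)
```

Feeding the sample in, `hosts_to_quarantine(SAMPLE_FLOWS)` flags only 10.0.0.7, and `walled_garden` then lets that host reach the scan sites while redirecting its other web requests.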
