Firewall Wizards mailing list archives
The home user problem returns
From: mason () schmitt ca
Date: Wed, 7 Sep 2005 19:34:54 -0700 (PDT)
Hi. Just sent my reply to "bots phoning home" and here's the follow-up email that I promised. As an admin for an ISP, I'm pretty much stuck with default allow (for the time being anyway). Therefore, I've resigned myself to the fact and am now trying to work within that constraint (odd that default allow is a constraint...). Here are some ideas (probably not mine, but I'd like to think they are) that I'm working on to help with the "home user problem". I sure hope this gets someone's juices flowing as I'd like to participate in a discussion on this.

Idea 1
--------

Most ISPs around here now advertise bit caps, but most don't strictly enforce them. The common practice is to contact the top 10 each month and "educate them" concerning their usage. If the same customer shows up on that list repeatedly, most ISPs reserve the right to deny service to that customer.

I was thinking of taking a similar approach and setting up OSSIM (http://www.ossim.net/whatis.php#h2:whatis) on our network and using it to identify our top ten least secure hosts (perhaps more often than once a month...). When we call these people, rather than wield our mighty clue-by-four, we approach it with the understanding that most of these people don't have a clue about this stuff. This hopefully allows us to get our message out to receptive ears: there are 4 things that must be in place to provide a base level of security for the home user. Firewall, Windows updates, up-to-date antivirus that is configured for automatic updates, and an anti-spyware app also configured for automatic updates. And if the customer is actually concerned about their own data - backups. We can point them to some very straightforward info about these topics online and tell them where to find half-decent free tools if they are unwilling to purchase software. All of this doesn't require the customer to really change all that much, so we also offer them some resources for learning about online safety and security.

The hope is that by regularly interacting with our customers, people will talk to each other. We do service small towns, so people do talk to each other here. Finally, if the customer continues to get infected and doesn't seem to be making any effort to improve the situation, we reserve the right to ask them to go to a different provider. I think this should be good for business, good for our network and for raising the common level of clue. The best thing is that my boss agrees.

Idea 2
--------

In a similar customer education vein is our plan to do an event. We are going to advertise it like crazy and see if we can get people to come out to a free-food, literature-and-freebies-available kind of thing. At this event, I plan to do a few sessions throughout the day on some basic security topics directed at very low-tech home users. I want to specifically talk about online banking and online shopping; tell people about spyware, how it gets on their computers, and what they can do to prevent it; and talk to parents about online safety for kids. If there are any firewall wizards (or someone you know) in our area (Interior of British Columbia) that might be interested in coming out to spread some wisdom at such an event, I'd love to hear from you.

Idea 3
--------

Getting away from people-oriented approaches now. I'm planning to set up a "leper colony" (kudos to whomever coined that term. I also hope I'm not offending anyone...). The idea is simply to quarantine obviously infected machines from the rest of our network, and preferably from other members of the colony as well. Upon being shoved into the colony, all attempts at viewing web pages will take the customer to a web page telling them what's wrong and what can be done to fix it. They will also receive an email from our ticket system.

The web page the customer is directed to will include a list of sites that they can go to, to do online scans for viruses and spyware (they will be allowed to go to these sites - just not the rest of the net) and the same links to more info that I mentioned in idea 1. Once the customer is sure they are clean, they can just click on a link on the page to let them out of the colony.

We already have the ability, via an automated system we have built, to place customers into such a colony. What remains is for me to have events on the network trigger the move to the colony - this should be reasonably straightforward. I'm going to use our packetshaper to watch for high numbers of failed flows, which 100% of the time signifies a worm, and also use the shaper to catch open SOCKS proxies. The shaper will just send an SNMP trap on these events. I'd like to extend this by also getting an IDS in place. Finally, as part of my current outbound mail hardening project, I'll also be able to trigger events immediately upon seeing spam from a spam zombie - even if the zombie is attempting to relay through our smarthost as opposed to the usual direct-to-MX spam zombie activity.

I have some other ideas too, but that's about all I'm willing to bite off for the next several months.

--
Mason

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
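The failed-flow trigger from Idea 3, as an added illustration that is not from the original post or the poster's setup: a Python sketch that counts failed outbound flows per source host in a sliding window and raises a quarantine event only when the failures are spread across many destinations, so a customer retrying one dead server is not mistaken for a scanning worm. The flow records are constructed, and the window and thresholds are assumed values a shaper operator would tune.

```python
from collections import defaultdict

# Constructed sample flow records (not data from the original post).
# Each record: (seconds since start, source IP, destination IP, dest port,
# outcome), where outcome "fail" means the shaper saw no reply or a RST.
FLOWS = [
    # 10.0.0.5: hitting many distinct hosts on 445 and failing -> worm-like
    *[(t, "10.0.0.5", f"192.0.2.{t}", 445, "fail") for t in range(1, 31)],
    # 10.0.0.7: one user retrying a single dead server -> not worm-like
    *[(t, "10.0.0.7", "198.51.100.9", 443, "fail") for t in range(1, 31)],
    # 10.0.0.9: ordinary browsing, mostly successful
    (2, "10.0.0.9", "203.0.113.1", 80, "ok"),
    (5, "10.0.0.9", "203.0.113.2", 443, "ok"),
    (8, "10.0.0.9", "203.0.113.3", 443, "fail"),
]


def find_scanners(flows, window=60, max_failures=20, min_distinct_dsts=10):
    """Return {src: trigger_time} for hosts whose failed flows within any
    `window`-second span exceed `max_failures` AND touch at least
    `min_distinct_dsts` different destinations (assumed thresholds)."""
    per_src = defaultdict(list)  # src -> [(ts, dst)] for failed flows only
    for ts, src, dst, _port, outcome in sorted(flows):
        if outcome == "fail":
            per_src[src].append((ts, dst))
    flagged = {}
    for src, fails in per_src.items():
        start = 0
        for end in range(len(fails)):
            # slide the window start forward until it fits
            while fails[end][0] - fails[start][0] > window:
                start += 1
            span = fails[start:end + 1]
            if (len(span) > max_failures
                    and len({d for _, d in span}) >= min_distinct_dsts):
                flagged[src] = fails[end][0]  # first time the rule fires
                break
    return flagged


def quarantine_events(flows):
    """Turn scanner hits into the kind of event the shaper trap would carry."""
    return [{"host": h, "reason": "failed-flow burst", "at": t}
            for h, t in sorted(find_scanners(flows).items())]


if __name__ == "__main__":
    for ev in quarantine_events(FLOWS):
        print(f"quarantine {ev['host']} at t={ev['at']}s: {ev['reason']}")
```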