nanog mailing list archives

Re: [Re: Have worm? University upgrades network]


From: Sean Donelan <sean () donelan com>
Date: Mon, 1 Dec 2003 09:49:34 -0500 (EST)


On Mon, 1 Dec 2003, joshua sahala wrote:
> > Do people find "self-certification" by end-users actually fixes
> > anything?

> depends on how badly they want to get back on that interweb-thing...and
> how clueful they are (or can be made to be).  if the penalties for not
> being clean are steep enough (no interweb privileges for a semester),
> then i think they will do it right.

Ah, you mean the same policies they previously agreed to follow worked so
well to keep their computers up-to-date and virus-free will work in this
case too?  If the policies were working, why install new systems?

In order to fix something, you first have to understand what is broken.

> i would hope that you are filtering and rate-limiting upstream traffic,
> and that you have built the server with sufficient horsepower and
> self-preservation hooks that it would survive.  ftp or http don't require
> too much upstream, and you probably don't need to allow much else from
> the users' computers

Dynamic application of queue policies on every port on your network?  A
single infected computer can wipe out a WiFi area, even if you have an
upstream filter on the access point.  Unless there is a way for the
network to push the filter onto the computer's NIC, the network has to
sustain the load from the worm even if it drops the packets.

With 802.1x (or PPP or however you authenticate), it would be nice if the
network could securely negotiate filters for the NIC side of the
connection.
