Re: Security v. Privacy (was Re: Is there anything that actually gets users to fix their computers?)

[Matthew Sullivan <matthew () sorbs net>]

Sean Donelan wrote:

> > The difference being campus machines are null routed rather than
> > disconnected, and they are not reconnected until checked and clean.
> >    
>
> And once again, the question: how do you know the machines have been
> checked and cleaned before they are reconnected?  Do you take the
> customers word, or do you perform some other check yourself?
If it's in the campus we take their word for it the first time 
(local/dept IT personnel only).

Dialups/externals we take their word for it the first time.

Second time for campus machines they are usually checked over by a 
member of the ITS security team.

Second time for dialups/externals again take their word for it, however 
warn strongly about the 3rd time.

Third time externals/dialups don't connect with us again.

Campus machines - I have yet to have this happen.

> > Network security is high priority here and it doesn't matter what
> > machine is compromised, they are all disconnected in one way or another,
> > and yet we still have to nuke machines occasionally because of
> > suspicious (DDoS/scanning etc) traffic.
> >    
>
> Seems like a re-active policy.  Why don't you check the computers before
> they start exhibiting suspicious behavior, such as when they are first
> connected to the network?  Waiting until after the computer is compromised
> is too late.
>  
Already doing this...  except we are also actively scanning (new policy) 
all computers connected periodically.  It has taken a loooooooong time 
to get the train of thought that scanning is a good thing.  (FYI using 
Nessus)

> Should commercial service providers have the same policy when new
> customers connect to the network?
That is still reactive here, but I see no real reason why it shouldn't be.

> Or is it considered a bad thing to warn customers about vulnerabilities
> in their computers in advance.  Instead waiting until after your receive a
> complaint about something exploiting those vulnerabilities before taking
> action?
>  
Personally I feel there are 3 problems....

1/ Some people are already security concious and will give you merry 
hell over security scans (filling logs, false positives etc)
2/ Some poeple consider it an invasion of privacy - personally I'd tell 
these people to go else where if it was upto me.
3/ People install software after installing the machines and getting 
them connected.

/ Mat