nanog mailing list archives
Re: Quarantine your infected users spreading malware
From: "Christopher L. Morrow" <christopher.morrow () verizonbusiness com>
Date: Wed, 01 Mar 2006 16:33:51 +0000 (GMT)
On Wed, 1 Mar 2006, JP Velders wrote:
Date: Tue, 28 Feb 2006 18:50:29 +0000 (GMT) From: Christopher L. Morrow <christopher.morrow () verizonbusiness com> To: nanog () merit edu Subject: Re: Quarantine your infected users spreading malwareOn Tue, 28 Feb 2006, Jim Segrave wrote:www.quarantainenet.nlIt puts them in a protected environment where they can get cleaned up on-line without serious risk of re-infection. They can pop their e-mail, reply via webmail, but they can't connect to anywhere except a list of update sites.there was little in the way of 'how' in the link above though :(Well, it's very much dependant on your own network.From what I know (from presentations of the folk behind Qnet, andtalks with people actually using it) is that they have a sort of "export" module, which allows you to either output the IP's, or parse them such that you get a crafted DHCP entry, or special MAC address based "alternate VLAN" statement for on a switch etc.
which is fabulous for those of you with ethernet... without ethernet most of these solutions fall on their faces and die the horrid death of an enterprise product :( Now, they say: "Works great on carrier networks"... my question was "how" and "perhaps with a little less hand-waviness please?"
They have templates for a bunch of things, but whether or not one of those templates is applicable or even useful in your own network remains te be seen each and every time.
and none of these so called templates is available or described on their public documentation :( There are a few ways to skin this cat, depending upon architecture one might even work. Without knowing the possible methodologies available it's not helpful :(
The main strength of Qnet is the detection, and even better, the way of allowing people to clean themselves, and then get back on the net. Having a helpdesk tell (different) people the same line over and over again gets tedious. Putting the effort into making a nice explanatory webpage get so much more "return on investment"... ;)
agreed, punting this problem to the helpdesk makes the helpdesk manager grab his gun(s) and find the security wonk that put a hurtin' on his numbers :) Also, it costs lots of money, which isn't generally a good plan.
Current thread:
- Re: Quarantine your infected users spreading malware David Nolan (Mar 01)
- Re: Quarantine your infected users spreading malware Jack Bates (Mar 01)
- Re: Quarantine your infected users spreading malware David Nolan (Mar 01)
- Re: Quarantine your infected users spreading malware Bill Nash (Mar 01)
- Re: Quarantine your infected users spreading malware David Nolan (Mar 01)
- <Possible follow-ups>
- Re: Quarantine your infected users spreading malware JP Velders (Mar 01)
- Re: Quarantine your infected users spreading malware Christopher L. Morrow (Mar 01)
- Re: Quarantine your infected users spreading malware Jack Bates (Mar 01)
- Re: Quarantine your infected users spreading malware David Nolan (Mar 01)
- Re: Quarantine your infected users spreading malware Christopher L. Morrow (Mar 02)
- Re: Quarantine your infected users spreading malware Jim Segrave (Mar 02)
- Re: Quarantine your infected users spreading malware Jim Segrave (Mar 02)
- Re: Quarantine your infected users spreading malware Christopher L. Morrow (Mar 01)
- Re: Quarantine your infected users spreading malware Jack Bates (Mar 01)
- Re: Quarantine your infected users spreading malware Jim Segrave (Mar 02)
- Re: Quarantine your infected users spreading malware Robert E . Seastrom (Mar 02)
- Re: Quarantine your infected users spreading malware Niels Raijer (Mar 02)
- Re: Quarantine your infected users spreading malware Robert E . Seastrom (Mar 02)