[Re: Have worm? University upgrades network]

Mailman List Mirror (Read Only)
1

Do people find "self-certification" by end-users actually fixes
anything?

depends on how badly they want to get back on that interweb-thing...and
how clueful they are (or can be made to be). if the penalties for not
being clean are steep enough (no interweb privileges for a semester),
then i think they will do it right.

Or do users keep on clicking on the "Yes, I'm Clean" button?

In the meantime, you still have to carry the traffic from the infected
computer if only on your quarantine "network." Usually the quarantine
LAN is some type of virtual network, so the underlying bandwidth is
still consumed by the traffic. Its amazing what happens to a
registration server when an infected computer tries to register tens of
thousands of times a minute. Redirecting the user traffic to a
quarantine server, results in that server getting whalloped.

i would hope that you are filtering and rate-limiting upstream traffic,
and that you have built the server with sufficient horsepower and
self-preservation hooks that it would survive. ftp or http don't require
too much upstream, and you probably don't need to allow much else from
the users computers

/joshua

"Walk with me through the Universe,
And along the way see how all of us are Connected.
Feast the eyes of your Soul,
On the Love that abounds.
In all places at once, seemingly endless,
Like your own existence."
     - Stephen Hawking -

2

> Do people find "self-certification" by end-users actually fixes
> anything?

depends on how badly they want to get back on that interweb-thing...and
how clueful they are (or can be made to be). if the penalties for not
being clean are steep enough (no interweb privileges for a semester),
then i think they will do it right.

Ah, you mean the same policies they previously agreed to follow worked so
well to keep their computers up-to-date and virus-free will work in this
case too? If the policies were working, why install new systems?

In order to fix something, you first have to understand what is broken.

i would hope that you are filtering and rate-limiting upstream traffic,
and that you have built the server with sufficient horsepower and
self-preservation hooks that it would survive. ftp or http don't require
too much upstream, and you probably don't need to allow much else from
the users computers

Dynamic application of queue policies on every port on your network? A
single infected computer can wipe out an WiFi area, even if you have an
upstream filter on the access point. Unless there is a way for the
network to push the filter onto the computer's NIC, the network has to
sustain the load from the worm even if it drops the packets.

With 802.1x (or PPP or however you authenticate), it would be nice if the
network could securely negotiate filters for the NIC side of the
connection.

3

would be nice if microsoft had some sort of "launcher" like you see on
all the good mmorpg's. pop open the launcher and it checks for updates
and antivirus BEFORE it lets you out of jail to the rest of the world.

prolly make em a few $$ in deals with an antivirus company. i think it'd
be the one money grubbing feature of windows that i would actually like..
course the patch server goes down and you just hosed everyone off the
internet... wait a sec... *grins*

On
Mon, 1 Dec 2003, Sean Donelan wrote:

Date: Mon, 1 Dec 2003 09:49:34 -0500 (EST)
From: Sean Donelan <sean@donelan.com>
To: joshua sahala <joshua.ej.smith@usa.net>
Cc: nanog@merit.edu
Subject: Re: [Re: Have worm? University upgrades network]

> > Do people find "self-certification" by end-users actually fixes
> > anything?
>
> depends on how badly they want to get back on that interweb-thing...and
> how clueful they are (or can be made to be). if the penalties for not
> being clean are steep enough (no interweb privileges for a semester),
> then i think they will do it right.

Ah, you mean the same policies they previously agreed to follow worked so
well to keep their computers up-to-date and virus-free will work in this
case too? If the policies were working, why install new systems?

In order to fix something, you first have to understand what is broken.

> i would hope that you are filtering and rate-limiting upstream traffic,
> and that you have built the server with sufficient horsepower and
> self-preservation hooks that it would survive. ftp or http don't require
> too much upstream, and you probably don't need to allow much else from
> the users computers

Dynamic application of queue policies on every port on your network? A
single infected computer can wipe out an WiFi area, even if you have an
upstream filter on the access point. Unless there is a way for the
network to push the filter onto the computer's NIC, the network has to
sustain the load from the worm even if it drops the packets.

With 802.1x (or PPP or however you authenticate), it would be nice if the
network could securely negotiate filters for the NIC side of the
connection.

Ryan Dobrynski
Hat-Swapping Gnome
Choice Communications

Like the ski resort of girls looking for husbands and husbands looking
for girls, the situation is not as symmetrical as it might seem.

4

Heck, I'm just asking for simple stuff like Microsoft supporting the rest
of the PPP protocol, and displayed the Reply-Message sent by the network
to the computer's user instead of thowing it away. That way you could
tell the user why the network is rejecting the access, instead of the
generic Microsoft error message.

Instead of using the features built into the protocol, because Windows
doesn't support the PPP messages, everyone else has to come up with other
ways to inform users what's wrong.