[63429] in North American Network Operators' Group
Security v. Privacy (was Re: Is there anything that
daemon@ATHENA.MIT.EDU (Jamie Reid)
Sun Oct 5 18:11:24 2003
Date: Sun, 05 Oct 2003 18:08:25 -0400
From: "Jamie Reid" <Jamie.Reid@mbs.gov.on.ca>
To: sean@donelan.com, nanog@merit.edu
Errors-To: owner-nanog-outgoing@merit.edu
While we were fighting blaster/nachi and others, we relied heavily on IDS's to generate alerts for the worms, then we disabled their network access and called them. Generic viruses are not an ISP's problem, but a worm is something that affects the provider's infrastructure, and is therefore a network operator's business.

Privacy is not an issue in this case as there is a policy being monitored by a policy monitoring tool, and enforced on a per-violation basis. It wasn't a fishing expedition that could assess the user's configuration or usage, it was monitoring our network.

There is no generalized way, without management access to the customer's machine (via SMS or citrix or something), to check that the machine is in compliance with a network policy. An IDS can tell you if it violates policy, and you can act as your security procedures dictate.

--
Jamie.Reid, CISSP, jamie.reid@mbs.gov.on.ca
Senior Security Specialist, Information Protection Centre
Corporate Security, MBS
416 327 2324
>>> "Sean Donelan" <sean@donelan.com> 10/05/03 04:49pm >>>
[...]
So from an ISPs point of view, is there a way for the ISP to quickly
tell the customer if the particular computer is fixed without unduly
intruding on the privacy of the customer? With home networks, there
may be multiple computers behind a NAT/router/firewall. So a simple
network scan doesn't always work.
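As an added illustration of the IDS-driven, per-violation response Jamie describes (this is example code, not from the post or from MBS): the script below turns constructed Snort-style alert lines into a per-customer action list, counting only worm signatures whose source lies in the provider's own customer block. The customer block, signature names, SIDs and threshold are assumptions made for the example.

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample IDS alerts in Snort "fast" format (not real data). The signature
# names and SIDs are placeholders standing in for the Blaster/Nachi rules of the time.
SAMPLE_ALERTS = """\
10/05-17:58:01.120 [**] [1:9999001:1] WORM Blaster RPC DCOM attempt [**] {TCP} 10.20.1.5:3244 -> 192.0.2.17:135
10/05-17:58:02.334 [**] [1:9999001:1] WORM Blaster RPC DCOM attempt [**] {TCP} 10.20.1.5:3245 -> 192.0.2.18:135
10/05-17:58:03.001 [**] [1:9999002:1] WORM Nachi ICMP sweep [**] {ICMP} 10.20.7.9 -> 192.0.2.20
10/05-17:58:04.557 [**] [1:9999001:1] WORM Blaster RPC DCOM attempt [**] {TCP} 10.20.1.5:3246 -> 192.0.2.19:135
10/05-17:58:05.800 [**] [1:2000001:1] POLICY P2P client login [**] {TCP} 10.20.3.3:4001 -> 198.51.100.4:80
10/05-17:58:06.900 [**] [1:9999001:1] WORM Blaster RPC DCOM attempt [**] {TCP} 203.0.113.8:1029 -> 192.0.2.21:135
"""

ALERT_RE = re.compile(r"\[\*\*\] \[\d+:\d+:\d+\] (.+?) \[\*\*\] \{\w+\} (\d+\.\d+\.\d+\.\d+)(?::\d+)? -> ")
CUSTOMER_SPACE = ip_network("10.20.0.0/16")  # assumed: the provider's customer address block
THRESHOLD = 2  # alerts per source before acting, so one stray alert does not cut off a customer


def parse_alert(line):
    """Return (signature name, source IP) for one fast-format alert line, or None if it does not parse."""
    m = ALERT_RE.search(line)
    if not m:
        return None
    return m.group(1), ip_address(m.group(2))


def worm_violations(alert_text, customer_space=CUSTOMER_SPACE, threshold=THRESHOLD):
    """Count WORM-class alerts per customer source address and return the sources at or over
    threshold, each with its per-signature counts. Only the provider's own customer space is
    considered: that is the infrastructure the post says the operator is entitled to police."""
    hits = defaultdict(lambda: defaultdict(int))
    for line in alert_text.splitlines():
        parsed = parse_alert(line)
        if parsed is None:
            continue
        sig, src = parsed
        if not sig.startswith("WORM ") or src not in customer_space:
            continue  # ordinary policy alert, or a source outside our network
        hits[str(src)][sig] += 1
    return {src: dict(sigs) for src, sigs in hits.items() if sum(sigs.values()) >= threshold}


def quarantine_actions(violations):
    """One action record per violating customer address: disable access, then call, as the post
    describes. The address may front several machines behind a home NAT, so the evidence travels
    with the record for the call rather than assuming a single infected host."""
    return [{"customer_ip": src, "action": "disable_access_and_call",
             "evidence": f"{sum(sigs.values())} alerts: {', '.join(sorted(sigs))}"}
            for src, sigs in sorted(violations.items())]
```

With the sample data only 10.20.1.5 crosses the threshold; the single Nachi alert from 10.20.7.9 is held back, and the Blaster source at 203.0.113.8 is ignored because it is outside the customer block.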