[88995] in North American Network Operators' Group


Re: Quarantine your infected users spreading malware

daemon@ATHENA.MIT.EDU (Bill Nash)
Tue Feb 28 14:16:15 2006

Date: Tue, 28 Feb 2006 14:07:36 -0500 (EST)
From: Bill Nash <billn@odyssey.billn.net>
To: "Christopher L. Morrow" <christopher.morrow@verizonbusiness.com>
Cc: nanog@merit.edu
In-Reply-To: <Pine.GSO.4.58.0602281849490.9741@marvin.argfrp.us.uu.net>
Errors-To: owner-nanog@merit.edu



The simplest method is to issue a different gateway to a registry of known 
offenders, forcing them into a restrictive environment that blocks all 
ports and uses network translation tricks to redirect all web traffic to 
a portal.

For cable modems and bridged DSL, you can do this with DHCP, matching 
their MAC address. For PPPoE/DSL or similar, you match on user name.
Issue RFC1918 space with a gateway to your quarantine network.

The rest is NAT/PAT and w3proxy stunts. You could pull it off with 
something as simple as iptables and squid, after dealing with the DHCP or 
authentication servers (à la RADIUS) to issue the correct credentials.

- billn

On Tue, 28 Feb 2006, Christopher L. Morrow wrote:

>
>
> On Tue, 28 Feb 2006, Jim Segrave wrote:
>>
>> www.quarantainenet.nl
>>
>> It puts them in a protected environment where they can get cleaned up
>> on-line without serious risk of re-infection. They can pop their
>> e-mail, reply via webmail, but they can't connect to anywhere except a
>> list of update sites.
>
> there was little in the way of 'how' in the link above though :(
>
