[89027] in North American Network Operators' Group
Re: Quarantine your infected users spreading malware
daemon@ATHENA.MIT.EDU (JP Velders)
Wed Mar 1 09:09:24 2006
Date: Wed, 1 Mar 2006 15:08:56 +0100 (CET)
From: JP Velders <jpv@veldersjes.net>
To: "Christopher L. Morrow" <christopher.morrow@verizonbusiness.com>
Cc: nanog@merit.edu
In-Reply-To: <Pine.GSO.4.58.0602281849490.9741@marvin.argfrp.us.uu.net>
Errors-To: owner-nanog@merit.edu
> Date: Tue, 28 Feb 2006 18:50:29 +0000 (GMT)
> From: Christopher L. Morrow <christopher.morrow@verizonbusiness.com>
> To: nanog@merit.edu
> Subject: Re: Quarantine your infected users spreading malware
> On Tue, 28 Feb 2006, Jim Segrave wrote:
> > www.quarantainenet.nl
> > It puts them in a protected environment where they can get cleaned up
> > on-line without serious risk of re-infection. They can pop their
> > e-mail, reply via webmail, but they can't connect to anywhere except a
> > list of update sites.
> there was little in the way of 'how' in the link above though :(
Well, it's very much dependant on your own network.
From what I know (from presentations of the folk behind Qnet, and
talks with people actually using it) is that they have a sort of
"export" module, which allows you to either output the IP's, or parse
them such that you get a crafted DHCP entry, or special MAC address
based "alternate VLAN" statement for on a switch etc.
They have templates for a bunch of things, but whether or not one of
those templates is applicable or even useful in your own network
remains te be seen each and every time.
The main strength of Qnet is the detection, and even better, the way
of allowing people to clean themselves, and then get back on the net.
Having a helpdesk tell (different) people the same line over and over
again gets tedious. Putting the effort into making a nice explanatory
webpage get so much more "return on investment"... ;)
Kind regards,
JP Velders