Service Providers cannot sit back and allow violated customers to continue on their network. This applies to all Service Providers, be they residential, business, cloud, hosting, mobile, or any other. This module uses the outline of the community’s expression of necessary action – IETF draft-oreirdan-mody-bot-remediation – as the foundation to walk peers through the details.
Core principles and knowledge objectives:
- Customers are not the problem. They are victims of a thriving criminal eco-system.
- Violated customers are a critical risk to the business.
- The Service Provider, ISC, Cloud, Hosting Provider, or big enterprise cannot solve the problem on their own – they need to work as part of an eco-system team that cleans up malware.
- There are cost effective techniques that can be used to build a synergistic “security relationship” with your customers and users.
What’s Next?
This module is constantly evolving, pulling in experience from providers around the world. Here are some of the items in the queue to be added:
- Explicit examples of how generic solutions would work.
- Dust off, update, and elaborate on the remediation cycle. It offers a work flow of action.
Latest Version
The latest version will be pushed up to Slideshare.
Remediating Violated Customers
References
The following are useful whitepapers, specifications, articles, and other resources that will help operators get internal support for, design, deploy, and implement a remediation tool kit.
What is a Walled Garden? http://en.wikipedia.org/wiki/Walled_garden_(media)
Many SPs Already Have Walled Gardens Deployed – It Is Their Self-Provisioning System
Many SPs have deployed a walled garden system to scale their provisioning teams, allowing consumers to buy equipment at the corner computer store and provision it themselves.
How To Deploy Cost Effective Walled Gardens
- Cisco’s 2005 “Phase 0” Techniques for Quarantining Customers into a Walled Garden to assist in their recovery. ftp://ftp-eng.cisco.com/SP-Security/Quarantine/QuaWhitePaper8.pdf
Open Source Vendor Neutral Tools
- NetPass is a vendor-neutral network environment for quarantining clients identified as being out of compliance with your network policy. http://netpass.sourceforge.net/
How To Whitepaper and Presentations
- Life on a University Network: An Architecture for Automatically Detecting, Isolating, and Cleaning Infected Hosts
Eric Gauthier, Boston University http://www.nanog.org/mtg-0402/gauthier.html
- Deploying Network Access Quarantine Control, Part 1 Jonathan Hassell 2004-08-04 http://www.securityfocus.com/infocus/1794
- Deploying Network Access Quarantine Control, Part 2 Jonathan Hassell 2004-08-30 http://www.securityfocus.com/infocus/1799
- EDUCAUSE 2007 Security Architecture Design http://www.educause.edu/SecurityArchitectureDesign/1261 Aim: Strengthen the security of your infrastructure by designing security into it and creating control points from which computers can be maintained, where network traffic can be filtered and monitored, and where problematic segments of the network can be detached from the rest to protect the majority.
- Quarantining DHCP clients to reduce worm infection risk, Paul Blackburn http://www.giac.org/certified_professionals/practicals/gsec/3472.php
- Spam Zombies And Inbound Flows To Compromised Customer Systems http://darkwing.uoregon.edu/~joe/zombies.pdf Joe St Sauver, Ph.D. (joe@uoregon.edu) MAAWG Senior Technical Advisor
- A Hybrid Quarantine Defense, Phillip Porras, Linda Briesemeister, Keith Skinner, Karl Levitt, Jeff Rowe, Yu-Cheng Allen Ting
University Quarantine Approaches
Universities have a difficult challenge. Every Fall they must handle a wave of students, faculty, and staff returning to school with their computers, computers whose security risk is unknown. These computers all connect to the campus network, infecting and getting infected over the nice high speed infrastructure, until that infrastructure is stressed to the point of service impact.
- Network Quarantine At Cornell University. Steve Schuster (2005) www.educause.edu/ir/library/powerpoint/CSD4464.pps
- Advantages and Challenges of Network Quarantine Steve Schuster (2005) http://connect.educause.edu/library/abstract/AdvantagesandChallen/41397?time=1189812217
- Rice University http://www.rice.edu/vpit/quarantine.html
- Bucknell University http://www.bucknell.edu/x9973.xml and http://www.bucknell.edu/x9964.xml
- University of Leicester http://www.le.ac.uk/cc/dsss/docs/quad.shtml
- University of Texas at Austin http://resnet.utexas.edu/secure/port_deact.html
- Ohio State University http://cio.osu.edu/policies/mcss.html
- Miami University http://www.units.muohio.edu/mcs/disableddatajacks/index.htm Cool page/tool which lists which ports/computers are quarantined.
- University of South Carolina http://uts.sc.edu/network/security/validation/generalFAQ.shtml
- Northwestern University Policy and Enforcement Plan for Unapproved Campus Network Extensions http://www.it.northwestern.edu/policies/extensions.html
- Durham University’s Campus Manager Tool http://www.dur.ac.uk/its/services/ensuite/campusmgr/
- University of Illinois at Urbana Champaign http://www.housing.uiuc.edu/technology/URHnetsecurity/Policies/Quarantine.htm
- University of Cincinnati http://www.uc.edu/UCit/policies/network_connection.html Network Connection Policy
- Shippensburg University http://resnet.ship.edu/quarantine.asp
Example Pages Once a Victim is Inside the Quarantine
- Arizona State University http://www.west.asu.edu/IT/network/security/index.htm
- Marquette University http://www.marquette.edu/its/strategy/quarantine.shtml
- Brandeis University “So You Were Shut Off From the Network” http://lts.brandeis.edu/techresources/students/shutoff.html
- Westnet http://www.westnet.com.au/internet/about/aisi/
Articles and Whitepapers
- Forrester August 3, 2004 Making Sense Of Network Quarantine by Laura Koetzle, Robert Whiteley http://www.forrester.com/Research/Document/Excerpt/0,7211,35060,00.html
- Study: ISPs should block ‘Net attack ports By Paul Roberts, IDG News Service, 09/08/03 http://www.networkworld.com/edge/news/2003/0908studyisps.html
Vendor Product and Commercial Solutions (needs updating)
- Deepnines http://www.deepnines.com/products/Access_Control.php
- Sandvine (acquired Simplicita) http://www.sandvine.com/
- Bradford Networks http://www.bradfordnetworks.com/
- Motive http://www.motive.com/
- Cisco/Perfigo http://www.cisco.com/en/US/products/ps6128/index.html
- F-Secure Network Control http://www.f-secure.co.uk/enterprises/products/fsnc.html
- Trend Micro Intercloud http://us.trendmicro.com/us/about/news/pr/article/20070123143622.html
- PerfTech http://www.perftech.com
- TippingPoint Quarantine Protection