
On Tue, 21 Feb 2006 Valdis.Kletnieks@vt.edu wrote:
> If people actually *knew* how to do this differentiation any better than flipping the quarter I have in my pocket, we wouldn't be having this discussion.
Yep. Although it should have been obvious, a problem with quarantine systems is most users can't validate an inline "trusted path" if the host or something along the path may have been compromised. Even if it hasn't been totally compromised, the bad guys can impersonate the look and feel of your quarantine system to lead your users down the walled garden path of the bad guy's choosing. If you notify users by e-mail, the bad guys can make their e-mail look very similar. If you notify users by web page interception, the bad guys can make their web page pop-ups look like your quarantine pages. And so on. So you are quickly back to out-of-band communication paths with the user. A couple of years ago I was a big fan of inline quarantine systems. And for some things it may still work, such as initial registration and setup before a user's machine is compromised. But I've changed my mind, or rather the bad guys changed it for me, about what the long-term effectiveness of inline quarantine systems for compromised systems can be.