On Sat, 12 Mar 2005, Hannigan, Martin wrote:
[ SNIP ]
Who's got time for all that? Chase the controller, shut down the user until they buy some AV software. We've gone beyond "I didn't know" for endusers in most regions.
Enterprise IT staff running from whip-cracking security staff, that's who has time for it. Unless, however, you have no security requirements surrounding your accounting records, network inventory, provisioning tools, and credit card processing services.

Other reasons:

..if you're providing a premium service to business grade customers who can sum up their connectivity requirements as '80, 443, 25, 53, period.'
..if you're running honeynets.
..if you're providing structured services with explicit controls on what goes on (ala AOL, some .edu networks, etc.)
..you've been singled out by your peers because a significant portion of large DDoS attacks are originating from your network.
..you've been singled out by accounting because of the traffic costs involved with sourcing DDoS attacks.

As popular as instant messenger, and increasingly, VoIP toys, have become, actual IRC usage represents a diminishing percentage of inter-user chatter. Even something as simple as carving IRC usage out of your netflow records and tagging specific endpoints as potential sources is a piece of automation that will save you some time down the road. A decent network inventory would facilitate this.

- billn
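
The netflow carving suggested in the message above, sketched as an added example that is not part of the original post. The CSV flow layout, the IRC port list, the internal address range and the inventory entries are all assumptions constructed for illustration; matching on ports only catches IRC on its usual ports.

```python
import csv
import io
import ipaddress
from collections import defaultdict

# Assumption: ports commonly used by IRC servers; tune to what you observe.
IRC_PORTS = set(range(6660, 6670)) | {6697, 7000}
# Assumption: internal address space (documentation range as placeholder).
INTERNAL_NETS = [ipaddress.ip_network("192.0.2.0/24")]

# Constructed inventory: address -> owner or role.
INVENTORY = {
    "192.0.2.10": "accounting-db",
    "192.0.2.25": "mail-relay",
    "192.0.2.77": "customer-dsl-4411",
}

# Constructed flow export, one flow per line: src,dst,proto,dport,bytes
SAMPLE_FLOWS = """\
192.0.2.10,198.51.100.5,6,6667,1840
192.0.2.10,198.51.100.5,6,6667,960
192.0.2.25,203.0.113.9,6,25,5120
192.0.2.77,198.51.100.8,6,6697,300
192.0.2.99,198.51.100.5,6,6667,120
203.0.113.50,192.0.2.25,6,6667,64
192.0.2.77,203.0.113.9,17,6667,80
"""

def is_internal(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)

def tag_irc_endpoints(flow_csv, inventory):
    """Tag internal sources of outbound TCP flows to IRC ports, with inventory owner."""
    tagged = defaultdict(lambda: {"owner": None, "flows": 0, "bytes": 0, "servers": set()})
    for row in csv.reader(io.StringIO(flow_csv)):
        if len(row) != 5:
            continue  # skip blank or malformed lines
        src, dst, proto, dport, nbytes = row
        if int(proto) != 6 or int(dport) not in IRC_PORTS:
            continue  # not TCP, or not an IRC port
        if not is_internal(src) or is_internal(dst):
            continue  # only outbound flows from our own address space
        entry = tagged[src]
        # Hosts missing from the inventory are surfaced rather than dropped.
        entry["owner"] = inventory.get(src, "UNKNOWN (not in inventory)")
        entry["flows"] += 1
        entry["bytes"] += int(nbytes)
        entry["servers"].add(dst)
    return dict(tagged)
```
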