I'll admit to not knowing too much about this project, but what you are describing sounds similar in part to the Network Admission Control that Cisco is pushing - an automated way of ensuring user machines are protected before being admitted on to the network. Here is a link to their site on the subject: http://www.cisco.com/en/US/netsol/ns466/ networking_solutions_white_paper0900aecd800fdd66.shtml - Jeff On Sep 21, 2004, at 6:00 PM, james edwards wrote:
The port 25 blocking seemed like a real good idea.
-M
I disagree. Port blocking does not change user behavior & it is user behavior that is causing this problem. Blocking just hides it. I used to believe in port blocking as the solution to many user problems but now I have 3 and 4 page ACL's on my border routers. This does not scale. Yes, I could push this out via radius to the NAS but again this does not solve the problem. I feel blocking just pushes us closer to ports loosing their uniqueness, as we have seen with PTP filesharing.
The solution I am working toward is quickly identifying user infections. We are almost there. I collect and record all traffic from the users going to dark space and am almost finished with the system that will identify who held that IP at a specific time. It is all in SQL so that is easy. We already have a system in place where users, after multiple virus problems, must obtain protection software prior to being re-enabled. Ramping up the amount of proof we have at hand will allow us to enforce our existing AUP.
The key to changing a behavior is to create consequences to this behavior. I have noticed we never have problems getting a user to get virus/firewall software after they pay to have their box disinfected. Hit the users first with e-mails, then phone contact, ending with being shut off should create the consequences needed to change their behavior.
james