Re: The worst abuse e-mail ever, sverige.net
The port 25 blocking seemed like a real good idea.
-M
I disagree. Port blocking does not change user behavior & it is user behavior that is causing this problem. Blocking just hides it. I used to believe in port blocking as the solution to many user problems but now I have 3 and 4 page ACL's on my border routers. This does not scale. Yes, I could push this out via radius to the NAS but again this does not solve the problem. I feel blocking just pushes us closer to ports losing their uniqueness, as we have seen with PTP filesharing.
The solution I am working toward is quickly identifying user infections. We are almost there. I collect and record all traffic from the users going to dark space and am almost finished with the system that will identify who held that IP at a specific time. It is all in SQL so that is easy. We already have a system in place where users, after multiple virus problems, must obtain protection software prior to being re-enabled. Ramping up the amount of proof we have at hand will allow us to enforce our existing AUP.
The key to changing a behavior is to create consequences to this behavior. I have noticed we never have problems getting a user to get virus/firewall software after they pay to have their box disinfected. Hit the users first with e-mails, then phone contact, ending with being shut off should create the consequences needed to change their behavior.
james
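The attribution step described in the message above (matching dark-space traffic to whoever held the source IP at that moment) can be sketched as a time-bounded SQL join. This is an added example, not part of the original thread or the poster's system; the table layout, column names and sample rows are constructed assumptions, run here through Python's sqlite3 so it works offline.

```python
import sqlite3

# Constructed sample data; schema and names are assumptions for illustration.
SESSIONS = [  # (username, ip, start_ts, stop_ts); stop None = still online
    ("alice", "192.0.2.10", 1000, 2000),
    ("bob",   "192.0.2.10", 2100, 3000),   # same IP re-leased to another user
    ("carol", "192.0.2.11", 1500, None),
]
HITS = [  # (ts, src_ip, dst_ip, dst_port) recorded heading to dark space
    (1100, "192.0.2.10", "198.51.100.1", 445),
    (1200, "192.0.2.10", "198.51.100.2", 445),
    (1300, "192.0.2.10", "198.51.100.3", 445),
    (2500, "192.0.2.10", "198.51.100.4", 25),
    (2050, "192.0.2.10", "198.51.100.5", 445),  # between leases: nobody held the IP
    (1600, "192.0.2.11", "198.51.100.6", 135),
]

# Attribute each hit to the session that covered its timestamp, then
# keep users who touched at least N distinct dark addresses.
ATTRIBUTE = """
SELECT s.username, COUNT(*) AS hits, COUNT(DISTINCT h.dst_ip) AS targets,
       MIN(h.ts) AS first_seen, MAX(h.ts) AS last_seen
FROM dark_hits h
JOIN sessions s
  ON s.ip = h.src_ip
 AND h.ts >= s.start_ts
 AND (s.stop_ts IS NULL OR h.ts <= s.stop_ts)
GROUP BY s.username
HAVING COUNT(DISTINCT h.dst_ip) >= ?
ORDER BY targets DESC, s.username
"""
# Hits no session covers must stay unattributed rather than blamed on a neighbour.
UNATTRIBUTED = """
SELECT COUNT(*) FROM dark_hits h WHERE NOT EXISTS (
  SELECT 1 FROM sessions s WHERE s.ip = h.src_ip AND h.ts >= s.start_ts
    AND (s.stop_ts IS NULL OR h.ts <= s.stop_ts))
"""

def build_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE sessions (username TEXT, ip TEXT, start_ts INTEGER, stop_ts INTEGER)")
    db.execute("CREATE TABLE dark_hits (ts INTEGER, src_ip TEXT, dst_ip TEXT, dst_port INTEGER)")
    db.executemany("INSERT INTO sessions VALUES (?,?,?,?)", SESSIONS)
    db.executemany("INSERT INTO dark_hits VALUES (?,?,?,?)", HITS)
    return db

def suspects(db, min_targets=3):
    return db.execute(ATTRIBUTE, (min_targets,)).fetchall()

def unattributed(db):
    return db.execute(UNATTRIBUTED).fetchone()[0]
```

The first and last timestamps per user are the kind of record that can back an AUP notice; the threshold of three distinct targets is an arbitrary value chosen for the sample data.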
I'll admit to not knowing too much about this project, but what you are describing sounds similar in part to the Network Admission Control that Cisco is pushing - an automated way of ensuring user machines are protected before being admitted on to the network. Here is a link to their site on the subject:
http://www.cisco.com/en/US/netsol/ns466/networking_solutions_white_paper0900aecd800fdd66.shtml
- Jeff
On Sep 21, 2004, at 6:00 PM, james edwards wrote:
The port 25 blocking seemed like a real good idea.
-M
I disagree. Port blocking does not change user behavior & it is user behavior that is causing this problem. Blocking just hides it. I used to believe in port blocking as the solution to many user problems but now I have 3 and 4 page ACL's on my border routers. This does not scale. Yes, I could push this out via radius to the NAS but again this does not solve the problem. I feel blocking just pushes us closer to ports losing their uniqueness, as we have seen with PTP filesharing.
The solution I am working toward is quickly identifying user infections. We are almost there. I collect and record all traffic from the users going to dark space and am almost finished with the system that will identify who held that IP at a specific time. It is all in SQL so that is easy. We already have a system in place where users, after multiple virus problems, must obtain protection software prior to being re-enabled. Ramping up the amount of proof we have at hand will allow us to enforce our existing AUP.
The key to changing a behavior is to create consequences to this behavior. I have noticed we never have problems getting a user to get virus/firewall software after they pay to have their box disinfected. Hit the users first with e-mails, then phone contact, ending with being shut off should create the consequences needed to change their behavior.
james
participants (2)
- james edwards
- Jeff Wheeler