Educause Security Discussion mailing list archives

Re: IRC policies

From: Elliot Kendall <ekendall () BRANDEIS EDU>
Date: Wed, 6 Jun 2007 08:58:56 -0400

On 2007-06-06 07:47:14 -0400, Knowles, Richard N. CISSP PMP wrote:

Are there any schools that are blocking IRC to curb 'bot activity?


We use some rules built into Snort to monitor IRC activity, but do not
block it outright. Once we confirm that a particular user is
legitimate, we whitelist them to avoid further alerts. This system also
allows us to identify and remediate infected machines. If you simply
block IRC, infected machines may be safe while they remain on campus,
but will start causing problems as soon as they're connected to a
different network.

I've been very surprised by the number of legitimate IRC users we have
on campus. I had thought IRC's popularity was on the wane, but many
applications with chat functionality use it as a backend. For that
reason, I would be very careful about blocking it completely.

-- 
Elliot Kendall <ekendall () brandeis edu>
Network Security Architect
Brandeis University

Trouble replying? See http://people.brandeis.edu/~ekendall/sign/

Attachment: smime.p7s
Description:

Current thread:

IRC policies Knowles, Richard N. CISSP PMP (Jun 06)
- <Possible follow-ups>
- IRC policies Knowles, Richard N. CISSP PMP (Jun 06)
- Re: IRC policies John Piercy (Jun 06)
- Re: IRC policies John Piercy (Jun 06)
- Re: IRC policies Elliot Kendall (Jun 06)
- Re: IRC policies Anthony Maszeroski (Jun 06)
- Re: IRC policies Everett, Alex (Jun 06)
- Re: IRC policies Hull, Dave (Jun 06)
- Re: IRC policies Hull, Dave (Jun 06)
- Re: IRC policies Everett, Alex (Jun 06)
- Re: IRC policies Gary Dobbins (Jun 06)
- Re: IRC policies H. Morrow Long (Jun 06)
- Re: IRC policies David Shettler (Jun 06)
- Re: IRC policies Gary Flynn (Jun 06)
- Re: IRC policies Cal Frye (Jun 06)