Educause Security Discussion mailing list archives
Re: what sites do you make available from quarantine network for remediation
From: Cal Frye <cjf () CALFRYE COM>
Date: Tue, 28 Apr 2009 14:37:36 -0400
Jeff Kell wrote:
> We do it via a captive portal - the DNS server resolves selected zones/names, and points everything else to the captive portal IP. It's not IP-based (if that is what you were looking for).
And that's a great virtue. Windows Update is Akamaized, so keeping a list of valid IP addresses for the most basic Windows patches is a never-ending chore. Better to permit wildcard domains such as *.microsoft.com or the like, if you can.

Our implementation of Cisco Clean Access is rather old, and basically I permit quarantined machines access to much of the Internet, blocking specific ports like 25, and most things UDP to be kind. We also block access to most addresses on campus, so providing an incentive to get the machine cleaned up and back online.

Don't let the perfect become the enemy of the good in this case (from Voltaire).

--
Celebrating the 150th anniversary of the publication of the Origin of Species.
--
Cal Frye, Network Administrator, Oberlin College Mudd Library, x.56930
--
CIT will NEVER ask you for your password!
www.calfrye.com, www.pitalabs.com
"Art is the only way to run away without leaving home." --Twyla Tharpe
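The name-based split described in the thread (allow-listed zones resolve normally, everything else answers with the portal address) as an added illustration; this is not Jeff Kell's or Cal Frye's configuration. Zone names, the portal address and the upstream answers are constructed, and matching is done on label boundaries so a lookalike name outside the zone is not waved through.

```python
"""Quarantine DNS policy: resolve allow-listed zones normally, point every
other name at the captive portal.  Added example, not from the thread."""
from typing import Callable, Optional

# Constructed values for the example (not from the thread).
PORTAL_IP = "10.10.0.1"
# Allow-listed zones.  "*.microsoft.com" style wildcards are accepted and
# mean the zone itself plus everything below it.
REMEDIATION_ZONES = ("*.microsoft.com", "windowsupdate.com")


def _labels(name: str) -> list:
    """Normalise a DNS name into lower-case labels, dropping a trailing dot
    and a leading wildcard marker."""
    name = name.rstrip(".").lower()
    if name.startswith("*."):
        name = name[2:]
    return name.split(".")


def in_zone(qname: str, zone: str) -> bool:
    """True if qname is the zone apex or a name below it.  Comparing whole
    labels stops 'notmicrosoft.com' or 'microsoft.com.example.net' from
    passing a naive string-suffix check."""
    q, z = _labels(qname), _labels(zone)
    return len(q) >= len(z) and q[-len(z):] == z


def portal_policy(qname: str, upstream: Callable[[str], Optional[str]]) -> Optional[str]:
    """Answer for a quarantined client.  Names inside an allow-listed zone are
    forwarded to the real resolver (None means NXDOMAIN is passed through);
    everything else gets the portal address."""
    if any(in_zone(qname, zone) for zone in REMEDIATION_ZONES):
        return upstream(qname)
    return PORTAL_IP


# Constructed stand-in for the upstream resolver.
_UPSTREAM = {"update.microsoft.com": "203.0.113.5",
             "download.windowsupdate.com": "203.0.113.9"}


def fake_upstream(qname: str) -> Optional[str]:
    return _UPSTREAM.get(qname.rstrip(".").lower())


if __name__ == "__main__":
    for name in ("update.microsoft.com.", "www.example.org", "microsoft.com.example.net"):
        print(name, "->", portal_policy(name, fake_upstream))
```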
Current thread:
- what sites do you make available from quarantine network for remediation Russell Fulton (Apr 27)
- Re: what sites do you make available from quarantine network for remediation Jeff Kell (Apr 27)
- Re: what sites do you make available from quarantine network for remediation Cal Frye (Apr 28)