Full Disclosure mailing list archives

Re: RE: Probable new MS DCOM RPC worm for Windows


From: "Brent J. Nordquist" <b-nordquist () bethel edu>
Date: Mon, 29 Sep 2003 07:24:08 -0500 (CDT)

On Sat, 27 Sep 2003, Karl DeBisschop <kdebisschop () alert infoplease com> wrote:

> On Fri, 2003-09-26 at 22:57, Paul Schmehl wrote:
>
>> We're working on a "jail vlan" concept now, where "evil" computers go.
>
> Maybe this concept is already widely in use at academia. If it is not,
> it may soon be.

We've been using the concept here for 2-3 years, and it has worked well.  
We call ours the "black hole".  :-)  We only allow machines in the black
hole to access MS Update, our virus vendor's site, and other places where
the student can get the tools (s)he needs to fix the computer.  As Paul
said, we can't work on their computers; it has to be self-help (or a paid
outside company).

Over time we are making improvements toward increased detection of
infected computers and automatic placement into the black hole.  At the
beginning it was mostly manual, which is a lot of work.  When the recent
Nachi/Welchia/Sobig.f wave hit we had some incentive to invest more time
in automated detection.

Educational institutions that are interested in this concept might want to
look into the RESNET-L mailing list; topics like this that are relevant to
the ResNet environment are discussed there regularly.

        http://LISTSERV.ND.EDU/archives/resnet-l.html

-- 
Brent J. Nordquist <b-nordquist () bethel edu> N0BJN
Other contact information: http://kepler.acns.bethel.edu/~bjn/contact.html
* Fast pipe * Always on * Get out of the way - Tim Bray http://tinyurl.com/7sti


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

