Re: Port blocking last resort in fight against virus

[Mans Nilsson <mansaxel () sunet se>]

Subject: Re: Port blocking last resort in fight against virus Date: Tue, Aug 12, 2003 at 10:36:12AM -0500 Quoting Jack 
Bates (jbates () brightok net):
> Is it just me that feels that blocking a port which is known to be used 
> to perform billions of scans is only proper? It takes time to contact, 
> clean, or suspend an account that is infected. Allowing infected systems 
> to continue to scan only causes problems for other networks. I see no 
> network performance issues, but that doesn't mean other networks won't 
> have issues.

I have two faces, let's hear what they say:

"I am a network operator. I do not see issues with my network unless
 somebody fills it up beyond capacity. Then I might ask somebody a
 question as to why they are shoveling so many more packets than
 usual. If it is a panic, I might null0 someone. I just want to keep
 my network transparent."

"I am a systems administrator. Sometimes, there are security problems with 
 my operating systems of choice. Then, I fix those hosts that are affected,
 and all is well. The network is not bothering me as long as it is 
 transparent." 

Your chosen path is a down-turning spiral of kludgey dependencies,
where a host is secure only on some nets, and some nets can't cope
with the load of all administrative filters (some routers tend to
take port-specific filters into slow-path). That way lies madness. 

-- 
Måns Nilsson         Systems Specialist
+46 70 681 7204         KTHNOC
                        MN1334-RIPE

Oh my GOD -- the SUN just fell into YANKEE STADIUM!!

Attachment: _bin
Description: