nanog mailing list archives
RE: FBI tells the public to call their ISP for help
From: <michael.dillon () bt com>
Date: Thu, 14 Jun 2007 15:27:08 +0100
Since many Microsoft patches are only legally available via the Internet, and an ISP can not predict which servers Microsoft will use to distribute Microsoft patches, ISPs must enable essentially full Internet access which includes access for most worms.
Has anybody tried a firewalling solution in which unpatched PCs are only able to access a special ISP-operated forwarding nameserver which is configured to only reply with A records for a list of known Microsoft update sites? And then have this specially patched nameserver also trigger the firewall to open up access to the addresses that it returns in A records?

According to Microsoft, their list of "trusted sites" for MS Update is *.update.microsoft.com and download.windowsupdate.com. Even if they have some sort of CDN (Content Delivery Network) with varying IP addresses based on topology or load, this is still predictable enough for a software solution to provide a temporary walled garden. You don't need to make copies of their patch files. You don't need MS to provide an out-of-band list of safe IP addresses. As long as you are able to divert a subscriber's traffic through a special firewalled garden, an ISP can implement this with no special support from MS.

Wrap this up with a GUI for your support-desk people to enable/disable the traffic diversion and you have a low-cost solution. You can even leverage the same technology to deal with botnet infestations, although you would probably want a separate firewalled garden that allows access to a wider range of sites known to be safe, i.e. Google, Yahoo, ISP's own pages, etc.

--Michael Dillon
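An added example, not code from the post or from any ISP deployment, modelling the forwarding nameserver and firewall trigger described above: the resolver refuses anything outside the two Microsoft hostnames quoted, forwards allowed names, and records per-subscriber pinholes for the returned A records until their TTL expires. The upstream lookup, the subscriber addresses, the IPs and the iptables rule text are constructed stand-ins.

```python
"""Walled-garden forwarding nameserver model (hypothetical design, no network)."""
import fnmatch
import ipaddress
import time

# Microsoft's published update hostnames, exactly as quoted in the post.
ALLOWED_PATTERNS = ("*.update.microsoft.com", "download.windowsupdate.com")


def name_allowed(qname: str) -> bool:
    """True if the queried name matches an allowed pattern (case-insensitive,
    trailing dot ignored). fnmatchcase anchors the whole string, so
    download.windowsupdate.com.attacker.example does not match."""
    name = qname.lower().rstrip(".")
    return any(fnmatch.fnmatchcase(name, p) for p in ALLOWED_PATTERNS)


def fake_upstream(qname):
    """Constructed stand-in for the real forwarder lookup: name -> [(ip, ttl)]."""
    table = {"download.windowsupdate.com": [("192.0.2.10", 300), ("192.0.2.11", 300)],
             "v4.update.microsoft.com": [("198.51.100.5", 60)]}
    return table.get(qname.lower().rstrip("."), [])


class WalledGarden:
    """Per-subscriber set of destination IPs opened by DNS answers, TTL-bounded."""

    def __init__(self, upstream, clock=time.monotonic):
        self.upstream = upstream   # callable(qname) -> list of (ip, ttl)
        self.clock = clock
        self.opened = {}           # (subscriber_ip, dst_ip) -> expiry time

    def query(self, subscriber: str, qname: str, qtype: str = "A"):
        """Answer one query as (rcode, answers). Anything not on the allow list
        is REFUSED and leaves the firewall untouched."""
        if qtype != "A" or not name_allowed(qname):
            return "REFUSED", []
        answers = self.upstream(qname)
        now = self.clock()
        for ip, ttl in answers:
            ipaddress.IPv4Address(ip)  # reject garbage before it reaches the firewall
            self.opened[(subscriber, ip)] = now + ttl
        return "NOERROR", answers

    def permitted(self, subscriber: str, dst_ip: str) -> bool:
        """Firewall decision: is this subscriber -> destination pinhole still open?"""
        expiry = self.opened.get((subscriber, dst_ip))
        return expiry is not None and expiry > self.clock()

    def firewall_rules(self, subscriber: str):
        """Render the live pinholes as iptables commands (illustrative rule text)."""
        now = self.clock()
        return [f"iptables -I FORWARD -s {s} -d {ip} -j ACCEPT"
                for (s, ip), exp in self.opened.items() if s == subscriber and exp > now]
```

Expired pinholes are simply no longer rendered; a real deployment would also delete the rule when the TTL lapses, so an update CDN that rotates addresses is re-opened only by a fresh allowed lookup.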