[sdnog] Network Full with malicious activities
Scott Weeks
surfer at mauigateway.com
Fri Nov 23 22:44:05 SAST 2018
--- philip at trouble.is wrote:
From: "Philip Paeps" <philip at trouble.is>
On 2018-11-22 16:53:10 (+0100), Khadiga Elhassan wrote:
> Hi all, what is the most proper way of dealing with a network full of
> malicious activities?
> From where to start?
If possible, put all hosts on the affected network in quarantine: no
egress traffic other than DNS, NTP and HTTP/HTTPS until proven healthy.
[...]
Depending on the number of students you have coming in every year, it
may also be possible to refuse them connectivity until they can prove
their device is healthy. It won't actually stop anyone from connecting
their devices (that's not how students work) but it could create some
useful social pressure (that is how students work).
------------------------------------------------------
I worked for a university before and the above suggested by Philip is
what we did. We trunked a "quarantine VLAN" throughout the network.
When the students came in they were immediately put on a VLAN that
only had access to services that were needed to check the devices for
malware infections and for cleanup of the infected device. Once they
were clean we put them on the normal VLAN. If they became re-infected
they were put back on the quarantine VLAN.
If you let them have internet access while you're trying to get them
cleaned up, they have no incentive to do it and keep putting it off.
If they have no internet access until they're cleaned up they get the
cleaning process going with surprising speed. ;-)
scott
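The quarantine VLAN described above has one detail worth being precise about: the egress allow-list. If quarantined hosts can reach any DNS server or any web server, the quarantine is porous (DNS is a common exfiltration and C2 channel) and, as Scott notes, the incentive to clean up disappears. The following is an added example, not code from either post or from the sdnog list: it encodes a quarantine policy as a flow evaluator and renders the same policy as an nftables ruleset for the router that forwards the quarantine VLAN. The VLAN subnet (10.99.0.0/16), resolver, NTP and remediation-server addresses, and the table name `quarantine` are assumptions chosen for illustration.

```python
"""Quarantine-VLAN egress policy: decide what a quarantined host may reach and
emit the equivalent nftables rules.

Added example, not taken from the sdnog thread. Subnet and server addresses
are assumptions for illustration; replace them with your own.
"""
from dataclasses import dataclass
import ipaddress

# Assumed addressing. Quarantined hosts live in 10.99.0.0/16; the only
# destinations they may reach are the campus resolvers, the NTP servers and
# the remediation hosts (AV signature mirror, patch mirror, self-service page).
QUARANTINE_NET = ipaddress.ip_network("10.99.0.0/16")
RESOLVERS = {"10.0.0.53", "10.0.0.54"}
NTP_SERVERS = {"10.0.0.123"}
REMEDIATION_HOSTS = {"10.0.1.10"}


@dataclass(frozen=True)
class Flow:
    """One egress flow from a quarantined host (proto is 'tcp' or 'udp')."""
    src: str
    dst: str
    proto: str
    dport: int


def verdict(flow: Flow) -> str:
    """Return 'accept' or 'drop' for a flow originating in the quarantine VLAN.

    The allow-list is deliberately narrow: DNS only to our resolvers (not to
    arbitrary resolvers, which would leave a DNS tunnelling channel open), NTP
    only to our NTP servers, and HTTP/HTTPS only to the remediation hosts.
    """
    if ipaddress.ip_address(flow.src) not in QUARANTINE_NET:
        raise ValueError(f"{flow.src} is not in the quarantine VLAN")
    if flow.dport == 53 and flow.proto in ("udp", "tcp") and flow.dst in RESOLVERS:
        return "accept"
    if flow.dport == 123 and flow.proto == "udp" and flow.dst in NTP_SERVERS:
        return "accept"
    if flow.dport in (80, 443) and flow.proto == "tcp" and flow.dst in REMEDIATION_HOSTS:
        return "accept"
    return "drop"


def dropped(flows) -> list:
    """Return the subset of flows the policy would drop (handy for reviewing a
    captured flow log from the quarantine VLAN before turning the rules on)."""
    return [f for f in flows if verdict(f) == "drop"]


def nft_ruleset() -> str:
    """Render the same allow-list as an nftables ruleset (assumed table name
    'quarantine'; load with `nft -f`). Return traffic is covered by the
    conntrack rule; everything else sourced from the quarantine VLAN is
    logged and dropped."""
    def elems(hosts):
        return ", ".join(sorted(hosts))
    net = str(QUARANTINE_NET)
    return f"""table inet quarantine {{
    set resolvers {{ type ipv4_addr; elements = {{ {elems(RESOLVERS)} }} }}
    set ntp {{ type ipv4_addr; elements = {{ {elems(NTP_SERVERS)} }} }}
    set remediation {{ type ipv4_addr; elements = {{ {elems(REMEDIATION_HOSTS)} }} }}
    chain forward {{
        type filter hook forward priority 0; policy accept;
        ct state established,related accept
        ip saddr {net} ip daddr @resolvers udp dport 53 accept
        ip saddr {net} ip daddr @resolvers tcp dport 53 accept
        ip saddr {net} ip daddr @ntp udp dport 123 accept
        ip saddr {net} ip daddr @remediation tcp dport {{ 80, 443 }} accept
        ip saddr {net} log prefix "quarantine-drop " drop
    }}
}}
"""


# Constructed sample flows, as they might appear in a flow log from the
# quarantine VLAN. Only the first three should be accepted.
SAMPLE_FLOWS = [
    Flow("10.99.4.7", "10.0.0.53", "udp", 53),        # DNS to campus resolver
    Flow("10.99.4.7", "10.0.0.123", "udp", 123),      # NTP to campus server
    Flow("10.99.4.7", "10.0.1.10", "tcp", 443),       # HTTPS to remediation host
    Flow("10.99.4.7", "8.8.8.8", "udp", 53),          # DNS to an outside resolver
    Flow("10.99.4.7", "93.184.216.34", "tcp", 443),   # HTTPS to the open internet
    Flow("10.99.4.7", "10.0.1.10", "tcp", 22),        # SSH, even to the remediation host
]

if __name__ == "__main__":
    for f in SAMPLE_FLOWS:
        print(f"{verdict(f):6} {f.proto}/{f.dport} {f.src} -> {f.dst}")
    print(nft_ruleset())
```

The point of keeping the evaluator and the ruleset side by side is that the allow-list can be reviewed against a real flow capture first (run `dropped()` over it and check nothing needed for scanning and cleanup lands in the drop set), and the rendered ruleset is then what actually goes on the router. Note that the policy is per-source-subnet, so it also covers the re-infection case in Scott's post: a host moved back to the quarantine VLAN is subject to the same restrictions again without any per-host rule changes.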
_______________________________________________
sdnog mailing list
sdnog at sdnog.sd
https://lists.sdnog.sd/mailman/listinfo/sdnog