Re: Blocking Suspicious Outbound Traffic
From: BC (bconneely_at_yahoo.com)
Date: 09/16/03
Date: 16 Sep 2003 05:12:54 -0700
"Beoweolf" <Beoweolf@pacbell.net> wrote in message news:<Hrl9b.107$4T.9612558@newssvr13.news.prodigy.com>...
> How do you assign usage? Do the patrons just walk in or do you have some
> method of assigning the open stations/port?
>
> Trend Micro has a free service "House Call" it does a virus scan over an
> internet connection. As part of the logon procedure or a handout you could
> make them aware of the service and that it is "free" (at least it is last
> time I checked). It's fairly automated, but you probably would still need
> to include a distilled version of the instructions on the hand-out,
> "fool-proof" or at least "Fool-tolerant" is a requirement when dealing with
> the coddled public, wouldn't want to confuse anyone.
>
Right now they just walk in, plug in. I am going to see about
having little signs put up pointing laptop patrons to sites
with free anti-spy/anti-virus services & software, like AVG,
Ad-Aware, and, of course, House Call as well.

Ideally, though, since most viruses and worms now actively
scan other PC's on the network or have their own SMTP mailer
built-in, it would be nice to actually detect suspicious
activity coming from the notebooks and not rely solely on
their owners being sensible.

One approach I'm thinking of trying is zoning the assigned
DHCP IP range as being external to the rest of the library
since the firewall products I've tried so far are very limited
on their outbound filters, mostly looking for suspicious app
activity on the PC's they're installed on. So I was thinking
that I could have the current DHCP program (Paul Smith's
vDHCP program -- an extremely simple, utterly app by the
way) assign new IP addresses that point towards the new
firewall PC and then have the firewall treat them as external
people trying to access an internal server, in this case a NAT
server to give them web access. It sounds and is roundabout,
but if this works then detection of worm activity should
be very simple since this is what most current firewall
software does.

Think this might work?

-BC

> "BC" <bconneely@yahoo.com> wrote in message
> news:dba7d68e.0309141445.83e751b@posting.google.com...
> > Hi all
> >
> > I'm exploring some solutions to a little worm/security
> > issue. There's this public library that allows patrons
> > to hook up their own notebook computers to the library's
> > network for high speed internet access. DHCP is handled
> > by a free program on a Win98 "server" (a PC dedicated for
> > general file storage and workstation images.) It's been an
> > extremely stable and useful system until people recently
> > started bringing in infected notebooks. Since the library
> > systems are pretty secure and tied together with a
> > Netware server, there has been zero impact to it due to
> > the infected notebooks, but the library system is also
> > tied in with the town's, and they have lots of Windows
> > servers and not so strong security.
> >
> > I had suggested that people bringing in notebook PC's
> > simply have to show that they have up-to-date antivirus
> > protection before being allowed to connect, and be offered
> > a fee-based cleaning option if things don't look right,
> > but the library administration wants to keep things as
> > they are and simply wants a system in place that blocks
> > any suspicious activity from the notebooks.
> >
> > So I'm thinking to replace the DHCP program with
> > either a PC running DHCP and a firewall, or else a
> > hardware firewall router. I would set the DHCP to use
> > an address range different from the rest of the system.
> > It would be nice though if there was some simple way
> > to detect suspicious IP activity coming from specific
> > notebooks in a way that will allow the basically non-tech
> > library staff to warn a patron that his/her notebook
> > is likely infected. Of course, this being a public
> > library means that money is very tight.
> >
> > I'm not sure what software and/or hardware would make
> > the best solution and I've only started looking around.
> > I'll likely set up a spare PC with ZoneAlarm for an
> > interim/testing setup. Any ideas or links would be of
> > course appreciated. Thanks in advance.
> >
> > -BC
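
Added example, not part of the original thread or written by any poster: a sketch of the per-notebook detection the messages above ask for, flagging addresses in the patron DHCP range that probe many hosts or contact many mail servers directly, with reasons worded for non-technical staff. The address range, log format, port list, relay address and thresholds are all assumptions, and the log lines are constructed.

```python
import ipaddress
from collections import defaultdict

# All values below are assumptions for illustration, not taken from the thread.
PATRON_NET = ipaddress.ip_network("192.168.50.0/24")   # separate DHCP range for notebooks
SCAN_PORTS = {135, 139, 445}                           # Windows RPC/NetBIOS/SMB
ALLOWED_SMTP = {ipaddress.ip_address("192.168.1.25")}  # hypothetical sanctioned mail relay
SCAN_THRESHOLD = 5   # distinct hosts probed on SCAN_PORTS
SMTP_THRESHOLD = 3   # distinct mail servers contacted directly

# Constructed sample log: "<time> OUT TCP <src>:<sport> -> <dst>:<dport>"
SAMPLE_LOG = "\n".join(
    [f"2003-09-16T10:00:{i:02d} OUT TCP 192.168.50.12:{1030 + i} -> 10.1.1.{i}:445" for i in range(1, 8)]
    + [f"2003-09-16T10:01:{i:02d} OUT TCP 192.168.50.40:{2000 + i} -> 203.0.113.{i}:25" for i in range(1, 5)]
    + ["2003-09-16T10:02:00 OUT TCP 192.168.50.77:3000 -> 198.51.100.10:80",
       "2003-09-16T10:02:05 OUT TCP 192.168.50.77:3001 -> 192.168.1.25:25",
       "truncated or malformed line"]
)

def parse(line):
    """Return (src_ip, dst_ip, dst_port), or None if the line does not match the format."""
    parts = line.split()
    if len(parts) != 6 or parts[4] != "->":
        return None
    try:
        src = ipaddress.ip_address(parts[3].rsplit(":", 1)[0])
        dst, dport = parts[5].rsplit(":", 1)
        return src, ipaddress.ip_address(dst), int(dport)
    except ValueError:
        return None

def suspicious_hosts(log_text):
    """Map each flagged notebook IP to plain-language reasons staff can read out."""
    scans, mail = defaultdict(set), defaultdict(set)
    for src, dst, dport in filter(None, map(parse, log_text.splitlines())):
        if src not in PATRON_NET:
            continue  # only patron notebooks are of interest here
        if dport in SCAN_PORTS:
            scans[src].add(dst)
        elif dport == 25 and dst not in ALLOWED_SMTP:
            mail[src].add(dst)
    report = defaultdict(list)
    for src, dsts in scans.items():
        if len(dsts) >= SCAN_THRESHOLD:
            report[str(src)].append(f"probed {len(dsts)} machines on Windows file-sharing ports")
    for src, dsts in mail.items():
        if len(dsts) >= SMTP_THRESHOLD:
            report[str(src)].append(f"sent mail directly to {len(dsts)} servers")
    return dict(report)
```

Counting distinct destinations rather than raw connections keeps a patron who repeatedly reaches one file server or one mail host from being flagged.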