compromised machines and entire network health
Gary D. Margiotta
gary at tbe.net
Thu Jul 13 16:20:39 UTC 2006
On Thu, 13 Jul 2006, Arie Kachler wrote:
> Hello,
>
> In the past several years, we have had a few incidents of servers of
> customers that are compromised and then flood our entire network and bring
> down almost everything. The sql slammer worm for example.
>
> Is there a solution to this? I know all computers should be kept up to date
> so this does not happen, but most times customers are not as attentive to
> patches as we sysadmins are.
> Assuming that there will always be machines with security issues, is there a
> way to prevent a compromised computer to bring down an entire network?
>
> Any suggestions will be greatly appreciated.
>
> Arie Kachler
Firewall each machine, or see if you can do rate limiting on the machines
to minimize the amount of traffic each machine can pump out at any given
time. You can try to do it at the machine level, or you can look for
smart hardware such as smart switches or IDS systems that will do it for
you.
We limit each port on our switch to 10Mbit (which shouldn't be able to
flood the entire network and take it down... maybe slow it up a slight
bit, but nothing catastrophic), and we have alarms to trigger when
bandwidth exceeds a certain threshold for a certain length of time. The
port gets shut off if the alarm fires, and the customer is advised of
their problem, and is required to fix it before we allow it back on the
network. No exceptions.
We enforce a policy for customers to patch their machines themselves, or
they have us do it for them as a managed service. The customer is
responsible for any damages related to any hacks/worms/mistakes, and the
machines are removed from the network until they are fixed, either by them
or by us standing on a console. If they don't upkeep their systems on
their own, we do it for them and charge them for it. If they refuse to
pay, we shut off their machine, confiscate their hardware, and go after
them for any other time and materials related to the problem. Mostly it
doesn't get that far, but you have to be prepared for it with a published
policy outlining these types of things.
Most customers get the point after they see the initial bill for damages
their machine caused, and they just have us manage their systems for them,
it's easier (and cheaper) for them, and safer for us, plus they are not
responsible for any more damages if a machine we manage has a problem.
-Gary
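The alarm Gary describes (a port whose bandwidth stays above a threshold for a set length of time gets shut off) can be reproduced as a small detector over polled per-port counters. The following is an added example, not code from Gary or from the freebsd-isp list; it assumes cumulative octet counters per switch port as a plain SNMP ifOutOctets poll would return them, the sample data is constructed, and the 8 Mbit/s threshold (80% of the 10 Mbit cap he mentions) and 180 s hold time are illustrative values.

```python
"""Sustained-bandwidth alarm over per-port byte counters (constructed sample data)."""
from collections import defaultdict

# Constructed sample: (seconds, switch port, cumulative octets out), polled
# every 60 s. 30_000_000 octets/60 s is 4 Mbit/s; 75_000_000 is 10 Mbit/s.
SAMPLES = [
    # Gi0/1: steady 4 Mbit/s, never alarms.
    (0, "Gi0/1", 0), (60, "Gi0/1", 30_000_000), (120, "Gi0/1", 60_000_000),
    (180, "Gi0/1", 90_000_000), (240, "Gi0/1", 120_000_000), (300, "Gi0/1", 150_000_000),
    # Gi0/2: goes to 10 Mbit/s from t=60 onward and stays there.
    (0, "Gi0/2", 0), (60, "Gi0/2", 30_000_000), (120, "Gi0/2", 105_000_000),
    (180, "Gi0/2", 180_000_000), (240, "Gi0/2", 255_000_000), (300, "Gi0/2", 330_000_000),
    # Gi0/3: a single 60 s spike, then back to normal; the hold time suppresses it.
    (0, "Gi0/3", 0), (60, "Gi0/3", 30_000_000), (120, "Gi0/3", 105_000_000),
    (180, "Gi0/3", 135_000_000), (240, "Gi0/3", 165_000_000), (300, "Gi0/3", 195_000_000),
    # Gi0/4: flooding, with a counter reset at t=120 (device reboot / 32-bit wrap).
    (0, "Gi0/4", 100_000_000), (60, "Gi0/4", 175_000_000), (120, "Gi0/4", 20_000_000),
    (180, "Gi0/4", 95_000_000), (240, "Gi0/4", 170_000_000), (300, "Gi0/4", 245_000_000),
]

THRESHOLD_MBPS = 8.0   # alarm above 80% of a 10 Mbit port cap (assumed value)
HOLD_SECONDS = 180     # rate must stay over threshold this long (assumed value)


def octets_to_mbps(delta_octets, delta_seconds):
    """Convert an octet delta over an interval to megabits per second."""
    return delta_octets * 8 / delta_seconds / 1_000_000


def sustained_alarms(samples, threshold_mbps=THRESHOLD_MBPS, hold_seconds=HOLD_SECONDS):
    """Return {port: trigger_time} for every port whose rate exceeded
    threshold_mbps for at least hold_seconds of consecutive polling intervals.

    A counter that goes backwards (reset or wrap) cannot yield a valid rate,
    so that interval is skipped and the over-threshold run starts again."""
    by_port = defaultdict(list)
    for ts, port, octets in samples:
        by_port[port].append((ts, octets))

    alarms = {}
    for port, series in by_port.items():
        series.sort()
        over_since = None  # start of the current run of over-threshold intervals
        for (t0, o0), (t1, o1) in zip(series, series[1:]):
            if o1 < o0:
                over_since = None
                continue
            rate = octets_to_mbps(o1 - o0, t1 - t0)
            if rate > threshold_mbps:
                if over_since is None:
                    over_since = t0
                if t1 - over_since >= hold_seconds and port not in alarms:
                    alarms[port] = t1
            else:
                over_since = None
    return alarms


def shutdown_plan(alarms):
    """Turn alarms into the operator actions Gary describes: shut the port,
    notify the customer. Returns one action string per port, sorted."""
    return [f"t={t}s: shut {port}; notify customer, require fix before re-enable"
            for port, t in sorted(alarms.items())]


if __name__ == "__main__":
    for line in shutdown_plan(sustained_alarms(SAMPLES)):
        print(line)
```

The hold time is what keeps a legitimate burst (Gi0/3) from tripping the alarm, while the reset handling on Gi0/4 avoids both a bogus negative rate and a false alarm from a counter that wrapped; in production the poll interval and hold time should be chosen together so that a worm-scale flood is cut off in a few minutes without penalising a one-off backup run.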