
Re: Quarantine your infected users spreading malware
From: Sean Donelan <sean () donelan com>
Date: Tue, 21 Feb 2006 19:36:05 -0500 (EST)

On Tue, 21 Feb 2006 Valdis.Kletnieks () vt edu wrote:
> If people actually *knew* how to do this differentiation any better than
> flipping the quarter I have in my pocket, we wouldn't be having this discussion.

Yep. Although it should have been obvious, a problem with quarantine
systems is most users can't validate an inline "trusted path" if the host
or something along the path may have been compromised.  Even if it hasn't
been totally compromised, the bad guys can impersonate the look and feel
of your quarantine system to lead your users down the walled garden path
of the bad guy's choosing. If you notify users by e-mail, the bad guys can
make their e-mail look very similar.  If you notify users by web page
interception, the bad guys can make their web page pop-ups look like your
quarantine pages.  And so on.

So you are quickly back to out-of-band communication paths with the user.

A couple of years ago I was a big fan of inline quarantine systems.  And
for some things it may still work such as initial registration and setup
before a user's machine is compromised.  But I've changed my mind, or
rather the bad guys changed it for me, about what the long-term effectiveness
of inline quarantine systems of compromised systems can be.
