Yes. And they will get an entirely different DNS server (through DHCP) that will only resolve the hosts that we want them to resolve. :-)
I imagine mail out of that subnet passes through a proxy server with spam and virus detection.
That's the plan, although the focus right now is completely on the Microsoft clients. I recently suggested that we should switch all MS clients to Mac OS X. :-) They actually didn't laugh this time.

This is a cute concept Paul. You've got a pretty challenging environment there, and this looks like a creative and functional help for you. It will be interesting to hear how well this ends up working for you and what evolution it goes through. For instance, if your security policy includes supporting diversification, you could add connections to mirrored Linux and/or (Net|Free|Open)BSD distros (which would be easy enough to mirror locally).
We already are pretty diversified. Our "backoffice" stuff is primarily Solaris, but we've got plenty of Linux flavors, HP-UX, SGI, FreeBSD, OpenBSD, etc.
The ideas along this line have been floating around for some time and variations of it have been implemented during the Blaster mess, but I haven't seen this *exact* idea espoused. Don't misunderstand. It's not really my idea. It's more a result of ongoing discussions amongst a group of us, with me and others throwing out various thoughts and input from a number of mailing lists that we read, all thrown together into a stewpot and stirred vigorously. :-)

Maybe this concept is already widely in use at academia. If it is not, it may soon be.
The implementation will require the skills of other people. I'm not a DNS expert nor a switching/routing expert, but we have guys that are, and they're figuring out the implementation now.
Essentially what would happen is a person's MAC address would end up in the "evil" file and their connection would be killed. Then DHCP would see their next REQUEST and ACK an address in the "evil vlan" (10.x.x.x so they can't serve anything or get off campus without translation) with a special DNS server that resolves the vendor's patch site, our gateway mail server and a web page that warns them of the problem. Eventually mirroring could enter into the equation as well. We already mirror all MS patches and AV stuff locally anyway.
As much as possible we're trying to eliminate work for us and put the onus on the user to fix their problem, with help from IT if they need it.
Eventually I can see us putting hosts in there that have been hacked, tagged, infected, whatever. Personally I'd like to put them in there if they're simply vulnerable, not hacked, but I haven't yet persuaded the powers that be that we should be that "draconian". (I prefer to see it as proactive.)
Paul Schmehl ([EMAIL PROTECTED]) Adjunct Information Security Officer The University of Texas at Dallas AVIEN Founding Member http://www.utdallas.edu
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
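As an added example (not code from the original post or from UT Dallas), the following Python sketch models the two policy decisions the message describes: the DHCP side, where a MAC found in the "evil" file is ACKed into the 10.x.x.x quarantine pool, and the DNS side, where the quarantine resolver answers only an allowlist (vendor patch site, campus mail gateway, warning page) and steers every other name to the warning page. Every hostname, address and MAC below is a constructed placeholder; the evil-file format, the pool ranges and the allowlist lookup are assumptions, not the campus's actual configuration.

```python
"""Quarantine-VLAN policy helpers (added example, not from the original post).

Models the flow described in the message: a MAC address lands in the "evil"
file, DHCP hands that client a lease in the quarantine (10.x.x.x) pool, and
the quarantine DNS server resolves only an allowlist and steers everything
else to the warning page. All hostnames, addresses and MACs are constructed.
"""
import ipaddress
import re

MAC_RE = re.compile(r"^([0-9a-f]{2}[:-]){5}[0-9a-f]{2}$")


def normalize_mac(mac: str) -> str:
    """Canonical lowercase colon form so the evil-file lookup is exact."""
    m = mac.strip().lower().replace("-", ":")
    if not MAC_RE.match(m):
        raise ValueError(f"not a MAC address: {mac!r}")
    return m


def load_evil_list(text: str) -> set[str]:
    """Parse the 'evil' file: one MAC per line, '#' comments and blanks ignored (assumed format)."""
    macs = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            macs.add(normalize_mac(line))
    return macs


# Constructed pools: TEST-NET-1 stands in for production, an RFC 1918 10.x range for the "evil vlan".
PRODUCTION_POOL = ipaddress.ip_network("192.0.2.0/24")
QUARANTINE_POOL = ipaddress.ip_network("10.99.0.0/16")


def choose_dhcp_pool(client_mac: str, evil_macs: set[str]) -> ipaddress.IPv4Network:
    """DHCP side: an evil MAC is ACKed into the quarantine pool; everyone else gets production."""
    return QUARANTINE_POOL if normalize_mac(client_mac) in evil_macs else PRODUCTION_POOL


class QuarantineResolver:
    """DNS side: answer only allowlisted names; sinkhole everything else to the warning page."""

    def __init__(self, allowlist: dict[str, str], warning_ip: str):
        self.allowlist = {self._norm(n): ip for n, ip in allowlist.items()}
        self.warning_ip = warning_ip
        self.sinkholed: list[str] = []  # audit trail of names steered to the warning page

    @staticmethod
    def _norm(name: str) -> str:
        return name.strip().lower().rstrip(".")

    def resolve(self, qname: str) -> str:
        name = self._norm(qname)
        # Walk up the labels so a host under an allowlisted zone (e.g. a mirror
        # under the vendor patch domain) matches the zone entry.
        labels = name.split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            if candidate in self.allowlist:
                return self.allowlist[candidate]
        self.sinkholed.append(name)
        return self.warning_ip


if __name__ == "__main__":
    # Constructed sample evil file and allowlist.
    evil = load_evil_list("# constructed\n00:11:22:33:44:55\nAA-BB-CC-DD-EE-FF  # infected\n")
    resolver = QuarantineResolver(
        {"patches.vendor.example": "203.0.113.10",
         "mailgw.campus.example": "203.0.113.25",
         "warn.campus.example": "10.99.0.1"},
        warning_ip="10.99.0.1",
    )
    print(choose_dhcp_pool("aa:bb:cc:dd:ee:ff", evil))
    print(resolver.resolve("download.patches.vendor.example."))
    print(resolver.resolve("www.somewhere-else.example"), resolver.sinkholed)
```

The `sinkholed` list is the piece worth keeping in a real deployment: it tells the help desk which names a quarantined host kept trying to reach, which is often the quickest way to tell an infected machine from one that is merely unpatched.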
