I know this is a moot point as far as some networking is concerned, but
I will put it out there anyways, if only to hear you all's thoughts.
My network is 100% Lucent hardware with varrying versions of the
firmware instilled in each unit. (I am holding out till we have the
financial backing to upgrade the ones that aren't already Karlnet..) It
is also a bridged network, with reason. (see below)
I am currently having to remove customers (temporarily) who get virii
on their computer, in particular ones that scan (SYN, etc.) My "guess"
is that the amount of packets per second with a virus that scans subnet
classes (& ports) to find hosts is greater than what the hardware can
handle, and it makes the unit practically unreachable to remove the MAC
of the unfortunate victim. I have a decent system for response and
triage, but have been curious as to what else can be done. It has a
tendency to bring negative feelings towards my company as an ISP when
the network has these moments, and I don't like having to call customers
and deny them service due to what is a common problem in today's world.
My thoughts are to
1. Instill some kind of pre network virus software. We do not at the
moment simply due to the overhead our gateway deals with for what it's
responsibilities are, and I am in the process of redesigning and
improving the set-up. It is directly proportional to how fast my Linux
skills are improving. :) (including instilling Cacti to monitor my
links, as it has Karlnet SNMP and MIBs built in!)
2. (since above alone cannot be 100% efficient... nothing is)
Upgrade to the latest Karlnet release which had firewalling built
in. But this is where (finally) my questions come to light:
Does it keep the unit from being stoned if it is blocking the ports, or
does it meerly keep the units post it's heirarchy in the network from
also getting bitten? My thoughts say that if it even filters the port,
it has to respond, say with a RST, which means it will be consumed
anyways (probably even more so).
My network is bridging (as of moment), mainly due to it's original
design. I am aware that instilling "cloud" networks NATed on the end
would eliminate alot of network wide issues, but (see above) am
currently in the process of dealing with how this interaction would
break our network and what it it's limitations are, (including
insitilling radius to keep my authentication central, which is an
integral part to our current network architecture.) I have yet to have
a huge amount of luck with Karlnet Config being able to scan across
subnets, and like the visiblity and control of a bridges system as well.
this IS wireless :0
Since I am an ISP, port filtering is something I try to avoid to keep
my customers options open, and keep the "pipe" as intact as possible,
(although our firewall is blocking "some" known evil ports.) Anyone else
share this opinion?
As you can tell, I am quite long winded, but always appreciate the
chance to share my thoughts with the community. Any feedback or
otherwise is appreciated.
Thanks in advance!
Scott
_______________________________________________
Karlnet mailing list
Karlnet@WISPNotes.com
http://lists.wispnotes.com/mailman/listinfo/karlnet
|