US Cable Support > Comcast HSI > Comcast Announces Constant Guard Program

reply to NSM998

Re: Comcast Announces Constant Guard Program

6.1 Walled Garden Notification
Placing a user in a walled garden is another approach that ISPs may take to notify users. A walled garden refers to an environment that controls the information and services that a subscriber is allowed to utilize and what network access permissions are granted. This is an effective technique because it could be able to block all communication between the bot and the command and control channel, which may impair the ability of a bot to disrupt or block attempts to notify the user.

While in many cases the user is almost guaranteed to view the notification message and take any appropriate remediation actions, this approach poses can pose other challenges. For example, it is not always the case that a user is actively using a computer that uses a web browser or which has a web browser actively running on it. In one example, a user could be playing a game online, via the use of a dedicated, Internet-connected game console. In another example, the user may not be using a computer with a web browser when they are placed in the walled garden and may instead be in the course of a telephone conversation, or may be expecting to receive a call, using a Voice Over IP (VoIP) device of some type. As a result, the ISP may feel the need to maintain a potentially lengthy white list of domains which are not subject to the typical restrictions of a walled garden, which could well prove to be an onerous task, from an operational perspective.

The ISP has several options to determine when to let the user out of the walled garden. One approach may be to let the user determine when to exit. This option is suggested when the purpose of the walled garden is to notify users and provide information on remediation only, particularly since notification is not a guarantee of successful remediation. It could also be the case that, for whatever reason, the user makes the judgment that they cannot then take the time to remediate their computer and that other online activities which they would like to resume are more important. Exit from the walled garden may also involve a process to verify that it is indeed the user who is requesting exit from the walled garden and not the bot.

Once the user acknowledges the notification, then the user decides to either remediate and then exit the walled garden, or exit the walled garden without addressing the issue. Another approach may be to enforce a stricter policy and require the user to clean the computer prior to permitting the user to exit the walled garden, though this may not be technically feasible depending upon the type of bot, obfuscation techniques employed by a bot, and/or a range of other factors. Thus, the ISP may also need to support tools to scan the infected computer and determine whether it is still infected or rely on user judgment that the bot has been disabled or removed. One challenge with this approach is that if the user has multiple computers sharing a single IP address, such as via a common home gateway device which performs Network Address Translation (NAT). In such a case, the ISP may need to determine from user feedback, or other means, that all affected computers have been remediated, which may or may not be technically feasible.

Finally, when a walled garden is used, a list of well-known addresses for both operating system vendors and security vendors should be created and maintained in a white list which permits access to these sites. This can be important for allowing access from the walled garden by end users in search of operating system and application patches.