| Do you guys monitor your network for spyware and viruses? Hey guys, I just want to know how many of you monitor your network for spyware and viruses coming from customers. If you do, what software are you using to do this? If you catch customers sending out spyware or viruses on your network, what do you do to the customer? |
|
 | Pf has a package for that and I used it for a while. It seemed to slow the old router down a bit, so I stopped using it for now. Once I build up a new, more powerful one I am going to try it again, though.
As for what I do if I catch an offender: I disable their LAN port till it's resolved. -- Best Regards
MD |
|
 | reply to treichhart Most ISPs where I live block outgoing port 25 by default, and I am thinking about having an extra plan tier with virus and email scanning on my transparent proxy.
Also, all my customers are firewalled by their CPE using NAT, so the bad stuff can't spread easily around my network.
If I notice someone making a lot of constant connections, I will investigate it further unless I know they are a P2P or torrent user, of which I only have a few, so I know if someone's usage patterns are a little odd. |
|
 j2sw join:2006-05-02 Williamsport, IN
| reply to treichhart Blocking port 25 to anything but an approved outgoing mail server is good IMHO. The customer can always use the workaround port if they need to connect out. Any web host worth their salt supports 587 these days.
Things like limiting connections, and blocking known ports via a firewall are also good things to do. -- Justin S. Wilson »j2sw.mtin.net/blog/ |
|
 beachintech There's sand in my tool bag Premium join:2008-01-06 kudos:5
| reply to treichhart Asking purely from a curiosity standpoint - for those that do monitor for these things, what do you do when a customer triggers an alert? Do you notify them and help them fix it? Put them in a walled garden type situation? Or just remove their connection altogether?
Just curious - thanks for any input! -- Tech at the Beach. I speak for myself, not my employer. |
|
 Chele join:2003-07-23 kudos:1 | reply to treichhart The customer's connection is disconnected until the problem is solved. |
|
 j2sw join:2006-05-02 Williamsport, IN
| reply to treichhart Disconnect the user and call. Most times if they have something it is opening up all types of connections. If the CPE is unable to limit the number of connections then you are risking that single customer dragging down the AP they are on. -- Justin S. Wilson »j2sw.mtin.net/blog/ |
|
 TomS_ Git-r-done Premium,MVM join:2002-07-19 Ireland kudos:1 1 edit | reply to j2sw My ISP by default applies a filter that stops certain outgoing and incoming connections, but it is removable.
Some details:
* outgoing connections on port 25 are limited to our SMTP server - stops computers being used to generate spam, unless they happen to relay it through us, but most spam bots will just try and connect directly
* incoming NetBIOS et al ports are blocked - prevents people who connect direct from their PC from being the target of a lot of common exploits
* incoming port 80, 22, 23 as of recent is being blocked by default - this is because of a lot of exploits targeting cheap/crappy SOHO CPE after which they are used to participate in DDoS, etc
And many more.
As I said, this can be turned off by the customer if they so wish, so if they want to run a web server, or use any other mail server, they can quite easily switch it off in their control panel area on our website.
I think this is the best model to operate under, as it removes the draconian "these ports are filtered, live with it" feeling that some ISPs can impose on customers. Some customers simply object to the notion of filtering, regardless of the justification, so this is really a best of both worlds solution. |
|
 | Interesting, Tom. Might I inquire how, or what you are using for a management/control panel interface, that would allow a client to make such a change? |
|
 beachintech There's sand in my tool bag Premium join:2008-01-06 kudos:5
1 edit | reply to TomS_ I am curious to find out what system(s?) you use to do this. I think it's an interesting approach to network management and from a customer standpoint it would be pretty neat. -- Tech at the Beach. I speak for myself, not my employer. |
|
 TomS_ Git-r-done Premium,MVM join:2002-07-19 Ireland kudos:1 1 edit | reply to treichhart We're a Cisco shop, so the filter is just an ACL.
The ACL is applied to a user's PPP session via RADIUS attributes, so to turn the filter on we add a couple of Cisco-specific AV pairs to their RADIUS profile, and to turn it off we simply remove those AV pairs from their RADIUS profile.
After they make the change, all that is required (after a short wait) is for them to disconnect/reconnect (turn modem on/off, or disconnect/reconnect via the web interface).
Now, the advantage of doing this with PPP sessions is that each user's session has its own virtual interface on the LNS terminating the session. The ACL is simply applied to this interface, which then filters traffic going to/coming from the customer, hence it can be turned on/off quite easily for individual customers.
This becomes a lot more complex with pure IP services, as you can only apply a single ACL inbound and outbound to an interface on a Cisco. I dare not think how big and complicated the ACL would get to support multiple customers' preferences ....
edit: sorry, didn't really answer Mad Dawg's question. The control panel is an in-house thing. We are an ISP of the size where an in-house control panel is really the only one that makes sense (i.e. 140,000+ customers). |
|
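The per-session toggle TomS_ describes above, sketched as an added example that is not part of the original posts and is not his ISP's code. It assumes the filter is carried as Cisco per-user ACL AV pairs (`ip:inacl#N=` / `ip:outacl#N=`); the SMTP server address, the NetBIOS port list, the ACL lines and the sample profile are all constructed.

```python
# Added example: every value here is constructed, not taken from a real ISP profile.
SMTP_RELAY = "192.0.2.25"  # assumption: documentation address standing in for the ISP's SMTP server

# Traffic arriving from the customer on the per-session virtual interface.
FROM_CUSTOMER = [
    f"permit tcp any host {SMTP_RELAY} eq 25",  # port 25 only to the ISP's SMTP server
    "deny tcp any any eq 25",                   # direct-to-MX connections are dropped
    "permit ip any any",
]
# Traffic leaving that interface towards the customer.
TO_CUSTOMER = [
    "deny tcp any any range 135 139",  # assumed "NetBIOS et al" port set
    "deny udp any any range 135 139",
    "deny tcp any any eq 445",
    "deny tcp any any eq 80",          # management services exposed by SOHO CPE
    "deny tcp any any eq 22",
    "deny tcp any any eq 23",
    "permit ip any any",
]

def filter_avpairs():
    """Render the default filter as numbered per-user ACL AV pair values."""
    pairs = [f"ip:inacl#{n}={line}" for n, line in enumerate(FROM_CUSTOMER, 1)]
    pairs += [f"ip:outacl#{n}={line}" for n, line in enumerate(TO_CUSTOMER, 1)]
    return pairs

def is_filter_pair(attr, value):
    """True only for the AV pairs that carry the filter ACL."""
    return attr == "Cisco-AVPair" and value.startswith(("ip:inacl#", "ip:outacl#"))

def set_filter(profile, enabled):
    """Return a new reply-attribute list with the filter on or off.

    Existing filter pairs are always stripped first, so the call is idempotent
    and every unrelated attribute in the profile is left untouched.
    """
    kept = [(a, v) for a, v in profile if not is_filter_pair(a, v)]
    if enabled:
        kept += [("Cisco-AVPair", p) for p in filter_avpairs()]
    return kept

if __name__ == "__main__":
    # Constructed subscriber profile: reply attributes as (name, value) pairs.
    profile = [("Framed-Protocol", "PPP"), ("Cisco-AVPair", "ip:addr-pool=pool1")]
    for attr, value in set_filter(profile, enabled=True):
        print(f'{attr} += "{value}"')
```

As in the post, a change to the stored profile only takes effect when the PPP session is re-established and the LNS fetches the attributes again.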
 1 edit | Thanks Tom. Sounds slick as hell. 140K clients, wow, that's the largest WISP client base I've ever heard of. Congrats, I can't even fathom trying to manage that many.
edit: actually, I guess with that number I wouldn't have to worry about it; somebody else would. -- Best Regards
MD |
|
 TomS_ Git-r-done Premium,MVM join:2002-07-19 Ireland kudos:1 | Actually it's not 140k wireless customers, but 140k broadband customers. Quite a lot of those are on ADSL, but the same basic principles that we apply to our wireless stuff apply to them as well. |
|