Use Existing Data and Equipment
Solution No. 2: Use existing data and equipment Clever use of existing data and equipment is one way to keep costs down, while helping to secure your network. Providers based in the United States may have already purchased equipment for CALEA compliance. The Communications Assistance for Law Enforcement Act (CALEA) is a United States statute that covers lawful intercepts on digital transmissions, including data and voice over IP (VOIP).Solution No. 3: Block port 25 and use a walled garden Most Internet providers block port 25 from their dynamic IP space and, in some cases, from their static IP space. This is great in helping to stop the flow of spam and other nefarious activity using e-mail, but it does not stop infected machines from launching attacks, nor does it fix the underlying problem of a compromised host. There is now a trend to move toward a walled garden approach, which allows providers to restrict the activity of a user until their machine is clean. This also allows for another method of communicating the issue to the user. While users may ignore e-mail notifications sent to them, with a walled garden, those users can be notified via a redirect to a Web site on their browser, and access to the Internet can be severely restricted or cut off completely. There are those who argue that providers should call these infected customers but, depending on the size of the provider and the number of infections, that may not be practical. Providers should also be willing to suspend infected user accounts if the problem persists. A walled garden does not have to be limited to an ISP. Networks of any size could benefit from this approach. Solution No. 4: Hunt for compromised machines The hunt for compromised machines is not limited to network providers. Anyone hooked up to the Internet can watch their traffic and report their findings. Instead of ignoring warnings from an intrusion detection system, automated reports could be sent out. Tools exist to locate the source network. A good example of such a tool is Team Cymru's IP to ASN Mapping project. Other tools such as the abuse.net whois or DNS-based lookup services can be used to find out the correct reporting address. Most intrusion detection systems have some sort of reporting process and hopefully include enough automation so that it does not become like a second job. Automation means people might be willing to spend a little bit of time reporting intrusions. These are only a few suggested solutions to this problem. The cost of tools for monitoring this threat can be very low if budget is a concern. If you take stock of what is already on your network, chances are you may already have the tools needed. It just takes a little bit of time and effort to use them to your advantage. Darren Grabowski is Manager of the NTT America Security & Abuse Team, which is tasked with responding to security and abuse issues (port scans, malware, DoS attacks, spam, etc.) across the entire NTT Com Global IP Network. Darren joined NTT America in 1996 and has been active in the security and abuse department for more than 10 years. The majority of his time on the security and abuse team has been in a leadership role. Darren and his team are based at the Global IP Network Operations Center located in Dallas, TX. Previously, Darren worked for OnRamp Technologies, which was acquired by Verio. He joined NTT America upon the acquisition of Verio by NTT America.
Many companies sell surveillance platforms. These devices are capable of doing deep packet inspection, stealth packet filtering, transparent redirection, as well as a host of other services. A network operator could leverage the pattern-matching capabilities of these machines in their hunt for compromised hosts on their network. Even if CALEA is not a concern, these devices could be useful to a network operator who wants to monitor their network for harmful activities.