On 10/31/2011 11:48 AM, Michael Thomas wrote:
I've often wondered the same thing as to what the resistance to outbound
filtering is. I can think of a few possibilities:
1) cost of filtering
2) false positives
3) really _not_ wanting to know about abuse
On the other hand, you have
1) cost of tracking
2) support costs handling infections
It's really a range from "easiest and cost effective" to "doing it
right". I personally run hybrid. There are areas that are near
impossible to track; this is especially true for wide area
wireless/cellular/NAT areas. I always recommend my customers block
tcp/25, even to the local smarthosts. Use 587 and authentication to
support better tracking. It's a hack, though, as it doesn't stop other
abuses and it won't fix the underlying root cause.
In locations that support ease of tracking, using a mixture of feedback
loops with proper support is usually the proper way. This allows
notification and fixing of the root cause. In our case, we recommend
quick suspensions to demonstrate to the customer how seriously we take the
problem, and then we point out that the sending of spam/scanning is only
the easier-to-detect symptoms. It is unlikely we'll notice if they have
a keylogger as well.
Finally, when architecture allows it, dynamic profiles with ACL support
allowing a default of tcp/25 blocked, and easy to find and click removal
of an account from tcp/25 blocking, combined with ACL monitoring,
flagging, and notification by support staff is probably the ultimate in
ideal scenarios. Combined with a % of traffic mirrored into a tunnel to
an IDS which monitors for things such as network scanning or known
signatures outbound, it makes for a very effective mechanism to assist
customers in protecting themselves.
I'm personally curious how much traffic is necessary to mirror to
properly detect problems, i.e., can you get away with 1% or less (GE for
each 100GE-200GE of traffic) or if you must cover as much as 10%+. My
traffic load is small enough that it doesn't matter, but it's always
nice to know how well something might scale.
Jack
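As an added example (not code from this thread or from either poster), here is a toy version of the "tcp/25 ACL monitoring plus mirrored IDS" flagging Jack describes, run over constructed flow records, together with a binomial estimate bearing on his last question: how likely a sampled mirror is to see a given host at all. The record layout, the exemption set and the thresholds are assumptions.

```python
from collections import defaultdict
from math import comb

# Constructed sample flows (src_ip, dst_ip, dst_port), all TCP; not real data.
FLOWS = (
    # 10.0.0.5: residential host opening tcp/25 to many distinct hosts (spambot pattern)
    [("10.0.0.5", f"198.51.100.{i}", 25) for i in range(1, 9)]
    # 10.0.0.7: removed from the tcp/25 ACL by support, talks to its two MX hosts
    + [("10.0.0.7", "203.0.113.10", 25), ("10.0.0.7", "203.0.113.11", 25)] * 3
    # 10.0.0.9: horizontal scan of tcp/445 across a /24
    + [("10.0.0.9", f"192.0.2.{i}", 445) for i in range(1, 31)]
    # 10.0.0.3: ordinary web traffic
    + [("10.0.0.3", "203.0.113.50", 443), ("10.0.0.3", "203.0.113.51", 80)]
)

def flag_hosts(flows, exempt=frozenset(), smtp_fanout=5, scan_width=20):
    """Return {src_ip: [reasons]} for sources whose outbound pattern warrants a ticket.
    Thresholds are assumed values; tune them against local baselines."""
    smtp_dsts = defaultdict(set)                        # src -> distinct tcp/25 peers
    port_dsts = defaultdict(lambda: defaultdict(set))   # src -> dst_port -> distinct peers
    for src, dst, port in flows:
        port_dsts[src][port].add(dst)
        if port == 25:
            smtp_dsts[src].add(dst)
    findings = defaultdict(list)
    for src, dsts in smtp_dsts.items():
        if src not in exempt:
            # The default ACL should have dropped this; seeing it in the mirror means
            # the block is not applied on this segment, or the profile is wrong.
            findings[src].append("tcp25-not-exempt")
        if len(dsts) >= smtp_fanout:
            findings[src].append("smtp-fanout")
    for src, ports in port_dsts.items():
        for port, dsts in ports.items():
            if len(dsts) >= scan_width:
                findings[src].append(f"scan-tcp/{port}")
    return dict(findings)

def p_observed(n_flows, sample_rate, min_hits=1):
    """Probability that a host emitting n_flows flows shows up at least min_hits
    times in a mirror that samples each flow independently at sample_rate."""
    miss = sum(comb(n_flows, i) * sample_rate**i * (1 - sample_rate)**(n_flows - i)
               for i in range(min_hits))
    return 1 - miss

if __name__ == "__main__":
    for src, why in sorted(flag_hosts(FLOWS, exempt={"10.0.0.7"}).items()):
        print(src, why)
    print(f"{p_observed(8, 0.01):.3f}", f"{p_observed(1000, 0.01):.5f}")
```

At 1% per-flow sampling a host that makes only eight tcp/25 connections is seen less than 8% of the time, while one making a thousand is almost certain to appear, which is why a low mirror ratio catches volume abusers long before it catches quiet ones.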