Opinion: Apply computer quarantine via network access control policy

Quarantining infected PCs from the Internet may be a long way off, but Mike Cobb argues that the same principle works well for corporate networks in the form of NAC.

Microsoft's Scott Charney, the leader of the software giant's trustworthy computing team, hit the headlines recently when he proposed that virus-infected computers that pose a risk to other PCs should be blocked from connecting to the Internet. He quite rightly argues that this would go a long way toward stopping the spread of incredibly large botnets, of which some contain millions of PCs.

Our current defences of firewalls, patching, antivirus and antimalware software aren't enough to combat the spread of viruses. When human beings catch a highly contagious disease, they are put into quarantine to avoid infecting others, so why is putting machines into temporary computer quarantine to stop the spread of a virus such a crazy idea? Some ISPs are already throttling the bandwidth of users suspected of having infections or sending out spam emails.

However, rolling this idea out into the real world would clearly create some problems; people may think any message telling them that their PC is infected is a scam, ISPs could be inundated with customer queries or complaints, or access to emergency services via the Internet could be blocked during a crisis.

But within the closed community of your own network, you don't have to worry about such concerns. You can easily enforce a ban on infected machines by using a network access control (NAC) product, a security technology that evaluates the state of systems and users as they access the network. The organisation's firewall rules should already control who has access to the network and at what times; NAC just takes this concept a step further by vetting computers before they are allowed full access to the corporate network.

NAC works by running a pre-admission check before allowing a computer full access to the network. The check ensures the computer complies with the network's security policy requirements, such as system settings, up-to-date patches and antivirus software, and that it's not infected with known malware. Until the computer passes this check, it can only access network resources that can resolve problems or update any necessary settings or software.
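The pre-admission check described above, as an added illustration rather than any vendor's product code: a posture report from the endpoint is evaluated against a policy, and a host that fails is limited to the remediation servers until it passes. The thresholds, host names and the posture fields are assumptions for the example.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

@dataclass
class Posture:
    """Constructed posture report an endpoint agent would send at connection time."""
    host: str
    firewall_on: bool
    missing_patches: int
    av_signature_date: date
    malware_detected: list = field(default_factory=list)

# Hypothetical policy thresholds (assumptions for this example, not from the article).
MAX_SIGNATURE_AGE = timedelta(days=7)
MAX_MISSING_PATCHES = 0

# Remediation-only resources: the update servers a quarantined host may still reach.
REMEDIATION_HOSTS = ["patch-server.example.internal", "av-update.example.internal"]

def evaluate(report: Posture, today: date) -> dict:
    """Return the admission decision plus every policy failure that drove it."""
    failures = []
    if not report.firewall_on:
        failures.append("host firewall disabled")
    if report.missing_patches > MAX_MISSING_PATCHES:
        failures.append(f"{report.missing_patches} patches missing")
    if today - report.av_signature_date > MAX_SIGNATURE_AGE:
        failures.append("antivirus signatures older than 7 days")
    if report.malware_detected:
        failures.append("known malware present: " + ", ".join(report.malware_detected))
    if failures:
        # Not compliant: only the remediation resources are reachable.
        return {"host": report.host, "access": "quarantine",
                "allowed_hosts": REMEDIATION_HOSTS, "reasons": failures}
    return {"host": report.host, "access": "full", "allowed_hosts": ["*"], "reasons": []}

def demo() -> list:
    """Evaluate two constructed hosts: one compliant, one stale and infected."""
    today = date(2010, 10, 20)
    clean = Posture("laptop-01", True, 0, today - timedelta(days=1))
    stale = Posture("laptop-02", True, 3, today - timedelta(days=30), ["Example.Worm.A"])
    return [evaluate(r, today) for r in (clean, stale)]

if __name__ == "__main__":
    for decision in demo():
        print(decision)
```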

There are plenty of vendors providing support for network access control, such as Check Point Software Technologies Ltd., Cisco Systems Inc. and Microsoft, so why not implement Charney's idea in your organisation with your own network access control policy to keep your network botnet-free?

About the author:
Michael Cobb CISSP-ISSAP, CLAS, is a renowned security author with more than 15 years of experience in the IT industry. He is the founder and managing director of Cobweb Applications, a consultancy that provides data security services delivering ISO 27001 solutions. He co-authored the book IIS Security and has written numerous technical articles for leading IT publications.
