[AusNOG] Oh this is a good laugh.

Dobbins, Roland rdobbins at arbor.net
Tue Jun 22 15:03:32 EST 2010


On Jun 22, 2010, at 11:58 AM, Mark Caetano wrote:

> Is it even technically possible for an ISP to ascertain the security of a user's machine without having to install client-end software?


One can't trust end-nodes to self-report, anyways - the miscreants will compromise them anyways, and then send back the signals the management system expects to hear.  This is why 'NAC' is completely useless.

The only way to determine whether a given host is compromised/misbehaving is to observe its behavior from *outside* said host - flow telemetry, DNS queries, et al.

-----------------------------------------------------------------------
Roland Dobbins <rdobbins at arbor.net> // <http://www.arbornetworks.com>

    Injustice is relatively easy to bear; what stings is justice.

                        -- H.L. Mencken
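
A sketch of the outside-the-host approach described in this message, added here as an example and not part of the original post: it flags subscriber addresses using only flow records and resolver logs. The record formats, the thresholds and the two heuristics (SMTP fan-out, NXDOMAIN ratio) are assumptions chosen for illustration.

```python
from collections import defaultdict

# Constructed sample data (not from the original post). Addresses use
# documentation ranges; the thresholds below are illustrative assumptions.
FLOWS = """\
192.0.2.10 203.0.113.5 tcp 443
192.0.2.10 203.0.113.6 tcp 443
192.0.2.77 198.51.100.1 tcp 25
192.0.2.77 198.51.100.2 tcp 25
192.0.2.77 198.51.100.3 tcp 25
192.0.2.77 198.51.100.4 tcp 25
192.0.2.10 198.51.100.9 tcp 25
"""
DNS = """\
192.0.2.10 www.example.com NOERROR
192.0.2.10 mail.example.net NOERROR
192.0.2.88 qzxkvjw.example NXDOMAIN
192.0.2.88 plmoknij.example NXDOMAIN
192.0.2.88 wertyuio.example NXDOMAIN
192.0.2.88 www.example.org NOERROR
"""
SMTP_FANOUT = 3      # distinct tcp/25 destinations before flagging
NX_MIN_QUERIES = 4   # ignore hosts with too few queries to judge
NX_RATIO = 0.5       # NXDOMAIN share of a host's queries before flagging

def flag_hosts(flow_text=FLOWS, dns_text=DNS):
    """Return {host: [reasons]} using only data seen from the network side."""
    smtp_dsts = defaultdict(set)
    for line in flow_text.splitlines():
        src, dst, proto, dport = line.split()
        if proto == "tcp" and dport == "25":
            smtp_dsts[src].add(dst)
    total, nx = defaultdict(int), defaultdict(int)
    for line in dns_text.splitlines():
        client, _qname, rcode = line.split()
        total[client] += 1
        nx[client] += rcode == "NXDOMAIN"
    flagged = defaultdict(list)
    for host, dsts in smtp_dsts.items():
        if len(dsts) >= SMTP_FANOUT:
            flagged[host].append(f"smtp fan-out to {len(dsts)} hosts")
    for host, n in total.items():
        if n >= NX_MIN_QUERIES and nx[host] / n >= NX_RATIO:
            flagged[host].append(f"nxdomain ratio {nx[host]}/{n}")
    return dict(flagged)

if __name__ == "__main__":
    for host, reasons in sorted(flag_hosts().items()):
        print(host, "->", "; ".join(reasons))
```

Nothing here depends on the flagged hosts reporting anything about themselves; both inputs are collected on the network side.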





