Microsoft continues push for infected computers to be quarantined
SAN FRANCISCO -- Microsoft's Scott Charney is pushing ahead with a proposal for a public health model to curb the damage from botnets of malware-laden computers around the world.
During a keynote presentation (see documentation) at the RSA Conference here, Charney trumpeted a "global Internet health model" that uses existing technologies and organizational policies to implement a system that limits what an infected computer can do on the Internet.
This year, Charney took his message further, suggesting that computer users can opt into a Web-based program that provides alerts when security risks are identifies.
"Notifying individuals of security problems or configuration issues in advance provides a first step in transforming current computer security posture from reactive to preventative," Charney added.
In an accompanying white paper (.pdf), Charney suggested the concept of device health can benefit from a more aggressive approach to pinpointing infected devices. Specifically, he called for an analysis and hte sharing of data from sinkholes, network traffic, and product telemetry to identify potentially infected devices.
"If a device is known to be a danger to the Internet, the user should be notified and the device should be cleaned before it is allowed unfettered access to the Internet, minimizing the risk of the infected device contaminating other devices or otherwise disrupting legitimate Internet activities," Charney declared.
In most cases, Charney said this can be done with current technology across multiple systems and platforms and pointed out that Comcast is already making attempts to quarantine dirty machines.
"It is our view that approaches like this need to be broadened significantly, even globally," he added.
On the consumer side, he said there is need for a mechanism for clean computers to demonstrate their "good health" (a health certificate) without rendering the systems more vulnerable, less reliable, or providing a conduit for leaking private information.
Second, the mechanism that produced the health certificate must be trusted (that is, infected devices should not have a way to fake a health certificate).14 Combining trusted software such as hypervisors and hardware elements such as a Trusted Platform Module (TPM) could further enable consumer devices to create robust health certificates and ensure the integrity of user information.15 Third, access providers and other organizations must have a way to request health certificates and take appropriate action based upon the information provided. Finally, we will need to create supporting policies and rules to ensure the effectiveness of this model.
Under this model, Charney said a consumer machine seeking to access the Internet could be asked to present a “health certificate” to demonstrate its state. Although the conditions to be checked may change over time, he said the health checks should ensure that software patches are applied, a firewall is installed and configured correctly, an anti-virus program with current signatures is running, and the machine is not currently infected with known malware.
If the health certificate indicates a security issue, such as a missing patch or out-of-date anti-virus signature, Charney said an ISP may provide a notice that assists the user in addressing the security concern or directs the user to resources for remediation.
"If the problem is more serious (the machine is spewing out malicious packets), or if the user refuses to produce a health certificate in the first instance, other remedies such as throttling the bandwidth of the potentially infected device, might be appropriate," he added.
The idea of quarantining infected users to secure the Internet ecosystem is not new but security experts say that unless ISPs have a financial incentive to implement these models, these initiatives will go nowhere.