You must be at least this secure to ride on the Internet

You must be at least this secure to ride on the Internet

Summary: Isn't it time to stop letting malware-infected PCs on the Internet? The answer is in Network Access Control.


My friend Richi Jennings is fond of the idea that users with malware-infected PCs should be cut off from the Internet. To this, I say not just "Yes," but "Hell yes." And, as he pointed out, other people are getting behind this idea of helping to clean up the litter of spam, malware, and distributed denial-of-service (DDoS) attacks that junks up the Internet highway.

Comcast, as Jennings pointed out, will be letting imalware-infected users know that they've got garbage on their hard disk, but not keeping them off the net. Darn it.

Microsoft's Corporate VP of Trustworthy Computing, Scott Charney, has just suggested, that "Just as when an individual who is not vaccinated puts others' health at risk, computers that are not protected or have been compromised with a bot put others at risk and pose a greater threat to society. In the physical world, international, national, and local health organizations identify, track and control the spread of disease which can include, where necessary, quarantining people to avoid the infection of others. Simply put, we need to improve and maintain the health of consumer devices connected to the Internet in order to avoid greater societal risk. To realize this vision, there are steps that can be taken by governments, the IT industry, Internet access providers, users and others to evaluate the health of consumer devices before granting them unfettered access to the Internet or other critical resources."

In other words, if your device isn't protected, sorry, you can't go on the Internet. I find this more than a little ironic coming from a Microsoft executive. After all, Windows is the host for 99.4% of all malware according to G Data, a German IT security company. That's sounds about right.

So, logically, the best thing to do would be to ban Windows from the Internet! OK, while I can get behind that idea, that's not going to happen.

So what can we do? Well, for starters, ISPs could start including language in their Acceptable Usage Policies (AUP) that if a user's devices can be shown to be actively sending spam, participating in DDoS , or otherwise causing a nuisance, the ISP can lock down their account until they get the malware off their PC.

And how would they do that? They'd use NAC (Network Access Control).

In companes, NAC technology makes sure that before any end user's computer or any other endpoint, is only allowed on the corporate network the computer must prove that it complies with the company's security policies. So, you could lock out say PCs that don't have the latest IT-blessed patches or the latest updates for the corporate anti-virus program.

There are multiple NAC approaches already out there. Some of the more important of these are Cisco's Secure Access Control System, the Trusted Computing Group's TNC (Trusted Network Connect PDF Link) and Microsoft's NAP (Network Access Protection). There are also many others for any size company or ISP.

The way companies use NAC would never fly on the Internet, but then, we wouldn't be requiring users to prove that their systems are safe, or safer anyway. We'd only be using NAC to lock down hardware that's already showing itself to be an Internet litterbug. Until the system can prove that it's now behaving itself, it can stay locked down in in a VLAN (virtual LAN) jail where the only sites they can get to are the ones explaining to them-in very simple terms-what they need to do to get rid of their problem.

I don't know about you, but I like this plan. What do you think folks?

Topics: Browser, Health, Malware, Security, Telcos

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.


Log in or register to join the discussion
  • Agree with a caveat

    I can get behind your proposal, but I think we will need to come up with a simpler way to clean out/clean end user's PCs. I would have no problem cleaning out Malware if a server detected that I was infected. But what would my grandparent's do? And don't say get a Mac or have them run Ubuntu, that just isn't realistic for everyone.

    I worry that un-savvy folks would just be paying for internet access that they can't use AT ALL.
    • RE: You must be at least this Secure to ride on the Internet

      @endermc12 Got an easy answer for you... put a router between the internet and your Grandparent's computer...
      • And...


        Get them a good AV/AM package for FREE:
  • RE: You must be at least this Secure to ride on the Internet

    Finally somebody making a noise on how to ease the hazard of connecting to the Internet.
    When a law is enacted outlining that the propagation of malware is against the National Interest then things will move much faster.
    Does the internet mean so little to generating wealth and security (of this country) that no minimum standard is required for either the equipment connected to it or the use of it?
    • RE: You must be at least this Secure to ride on the Internet

      Great idea. Pass a law against it. Can I even count the number of unenforceable laws on the books. What are you going to do to violators, send out the FBI to arrest Granny Smith. It is a technical problem and needs a technical solution. This one has to be managed by the ISPs. They are the ones providing access.
  • ISP's partly to blame

    I run into plenty of people who have the Ethernet cable co directly from the cable modem to the back of their computer without even "linksys" in between. It is that way because they asked for "installation" and some cable guy showed up and plugged in the wires.
    • RE: You must be at least this Secure to ride on the Internet

      The ?cable guy" is not responsible for anti-virus software, and the cable company often requires the direct link when installing. Some of the ISPs do offer anti-virus software, but it is up to the customer to install it.
    • RE: You must be at least this Secure to ride on the Internet


      A lot of the DSL and Cable modems are router combos with build in firewalls.
      • RE: You must be at least this Secure to ride on the Internet


        Well, that's a bit of stretch, though. NAT isn't really a firewall. Still, it's better than nothing, and lots of people get nothing.
  • RE: You must be at least this Secure to ride on the Internet

    First step is to get all linux machines off the internet since the OS itself is insecure and with leaving the telnet open and built in smtp servers its the main vector for all the malware you see today. The psyb0t isn't helping either with its flooding of routers. Once this step is completed you'll have less infected machines on the internet and will see faster bandwith.

    Some ISP's have already started blocking infected machines. I've had a few reports of roadrunner blocking internet access until the machine that is infected is cleaned up.
    Loverock Davidson
    • RE: You must be at least this Secure to ride on the Internet

      @Loverock Davidson
      Your perception of reality is backwards..

      BTW its windows 2000+ that have telnet built in and exchange server that relays a lot of spam.
      Anthony E
      • RE: You must be at least this Secure to ride on the Internet

        @Anthony E <br>And in Ubuntu if port 23 is open run terminal and issue the command - <br>sudo ufw deny 23 ............ the firewall has it blocked<br>sudo ufw allow 23 ............ to put it back.<br>sudo ufw status verbose ............. to see the status.
      • RE: You must be at least this Secure to ride on the Internet

        Thats if you want to enable the telnet port but no distro even uses telnetd, its been sshd for about 6+ years..
        Anthony E
    • Totally disingenuous, intentional misinformation, troll bait

      @Loverock Davidson
      Have more DayQuil.
      Dietrich T. Schmitz, ~ Your Linux Advocate
    • RE: You must be at least this Secure to ride on the Internet

      @everyone else

      Everything Loverock says is wrong. Perhaps we can all just flag him and stop replying.
    • RE: You must be at least this Secure to ride on the Internet

      @Loverock Davidson

      Aww, aren't you a cutey? You must be the resident troll, who posts outrageous statements to get attention. Everybody, did you see the troll? Say hi, let it know you're watching! :-D
      • RE: You must be at least this Secure to ride on the Internet

        @enderland@... LOL. he's actually the famous Apple fanboi troll.
    • Just in Case Anyone Actually Doesn't Know This

      Just in case there is anyone out there who seriously is not aware of the lack of veracity of the statements in this post.

      Telnet is considered obsolete for general use and is not even installed on any modern Linux distribution.

      The replacement for telnet, ssh, is not installed by default on most Linux distributions, and is much more secure than telnet even when present.

      Almost no Linux desktop distributions install an smtp (mail server) program by default, and even if one is present, it's no indication of a lack of security.

      Roadrunner actually does block spam sending machines, although they're not exactly on top of things when it comes to their reaction time. My brother got a malware infection (trojan based) on a computer in the basement of my home which turned it into a spambot (Microsoft Internet Explorer was the only existing software required). I quickly found out about the issue, and had it cleaned up within a couple of days. A couple of weeks later at the end of the month, long after the machine had been disinfected, Time Warner cut off my Internet access because of the infection that had been on the machine. Their information is not exactly in real time. It was easy to get it reactivated, but the slow motion response was rather amusing.
  • Teach a man to fish

    Most hardware read computer sellers and ISPs dont in any instance provide any education or software on protecting your new PC and by proxy the ISPs network. Some do but its usually substandard antivirus with no malware or adware or trojan capabilities We could also enact laws that make spam so unbelievably expensive if caught via fines We could also teach new users or hell at least give a skills test to computer buyers and if they fail give them some free lessons on protecting your machine. The AV and spybot software makers could subsidize it but definetly if you get caught with a infected machine kick your ass off the internet till you are healthy again. But then again we live in a world where parents Knowingly send their sick kid to school to infect the rest of their classmates....
  • RE: You must be at least this Secure to ride on the Internet

    Let's see; $200+ for a computer; $55 a month for internet access and now we want to add $X to let me keep my $55 a month expense? Sounds like a recipe for switching to Linux to me...