You must be at least this secure to ride on the Internet

Isn't it time to stop letting malware-infected PCs on the Internet? The answer is in Network Access Control.
Written by Steven Vaughan-Nichols, Senior Contributing Editor

My friend Richi Jennings is fond of the idea that users with malware-infected PCs should be cut off from the Internet. To this, I say not just "Yes," but "Hell yes." And, as he pointed out, other people are getting behind this idea of helping to clean up the litter of spam, malware, and distributed denial-of-service (DDoS) attacks that junks up the Internet highway.

Comcast, as Jennings pointed out, will be letting imalware-infected users know that they've got garbage on their hard disk, but not keeping them off the net. Darn it.

Microsoft's Corporate VP of Trustworthy Computing, Scott Charney, has just suggested, that "Just as when an individual who is not vaccinated puts others' health at risk, computers that are not protected or have been compromised with a bot put others at risk and pose a greater threat to society. In the physical world, international, national, and local health organizations identify, track and control the spread of disease which can include, where necessary, quarantining people to avoid the infection of others. Simply put, we need to improve and maintain the health of consumer devices connected to the Internet in order to avoid greater societal risk. To realize this vision, there are steps that can be taken by governments, the IT industry, Internet access providers, users and others to evaluate the health of consumer devices before granting them unfettered access to the Internet or other critical resources."

In other words, if your device isn't protected, sorry, you can't go on the Internet. I find this more than a little ironic coming from a Microsoft executive. After all, Windows is the host for 99.4% of all malware according to G Data, a German IT security company. That's sounds about right.

So, logically, the best thing to do would be to ban Windows from the Internet! OK, while I can get behind that idea, that's not going to happen.

So what can we do? Well, for starters, ISPs could start including language in their Acceptable Usage Policies (AUP) that if a user's devices can be shown to be actively sending spam, participating in DDoS , or otherwise causing a nuisance, the ISP can lock down their account until they get the malware off their PC.

And how would they do that? They'd use NAC (Network Access Control).

In companes, NAC technology makes sure that before any end user's computer or any other endpoint, is only allowed on the corporate network the computer must prove that it complies with the company's security policies. So, you could lock out say PCs that don't have the latest IT-blessed patches or the latest updates for the corporate anti-virus program.

There are multiple NAC approaches already out there. Some of the more important of these are Cisco's Secure Access Control System, the Trusted Computing Group's TNC (Trusted Network Connect PDF Link) and Microsoft's NAP (Network Access Protection). There are also many others for any size company or ISP.

The way companies use NAC would never fly on the Internet, but then, we wouldn't be requiring users to prove that their systems are safe, or safer anyway. We'd only be using NAC to lock down hardware that's already showing itself to be an Internet litterbug. Until the system can prove that it's now behaving itself, it can stay locked down in in a VLAN (virtual LAN) jail where the only sites they can get to are the ones explaining to them-in very simple terms-what they need to do to get rid of their problem.

I don't know about you, but I like this plan. What do you think folks?

Editorial standards