Node Detection & Isolation
Identification and isolation of compromised, infected, or faulty network attached nodes.
The scope of this SOP is to provide a procedure that will assist the Information Security office and the Network Services Department in identifying and removing compromised, infected, and faulty hosts from the wired network.
- For compromised and infected systems: a formal request from the Information Security office to isolate network hosts that are exhibiting behavior typical of compromised or virus-infected devices. Network Services may, without a formal request from Information Security, take steps of its own to isolate or disconnect such hosts from the network in order to protect other network devices.
- The host's MAC address, IP address, user name, host name, and any other relevant information that may aid in identifying the host.
- For all cases: tracing of the network device to its switch and switch port number.
Both Network Services and Information Security are responsible for monitoring and tracking unusual behavior, traffic patterns, and anomalies on the wired network. Network Services is responsible for isolating or removing all compromised, infected, and faulty hosts from the network, and for identifying faulty network devices. Information Security is responsible for identifying compromised and infected systems.
- Receive a request from Information Security, or identify the host through Network Services' own monitoring.
- Identify the node on the wired network.
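Tracing a node to its switch and switch port is the step that makes isolation possible. The script below is an added example, not part of this SOP: it correlates an ARP table with the MAC address tables of several switches and returns the access port the host actually hangs off. The CLI output, the switch names and the uplink inventory are all constructed for the example; the port-name and MAC formats follow Cisco and HP conventions since both vendors are named in the references.

```python
import re

# Constructed sample CLI output (not captured from any real network).
# ARP entries as an L3 switch lists them: IP, age, MAC, encapsulation, VLAN.
ARP_TABLE = """\
Internet  10.20.30.41   5   001a.2b3c.4d5e  ARPA  Vlan20
Internet  10.20.30.42   0   0011.2233.4455  ARPA  Vlan20
"""
# MAC tables from two hypothetical switches: the core sees both hosts through its
# uplink to the edge switch; the edge switch (HP-style MACs) sees them on access ports.
MAC_TABLES = {
    "core-sw1": "  20  001a.2b3c.4d5e  DYNAMIC  Gi1/0/48\n"
                "  20  0011.2233.4455  DYNAMIC  Gi1/0/48\n",
    "edge-sw7": "  20  001a2b-3c4d5e  DYNAMIC  12\n"
                "  20  001122-334455  DYNAMIC  7\n",
}
# Hypothetical inventory of inter-switch (uplink) ports. A MAC learned on one of
# these points at another switch, not at the host itself, so it must be skipped.
UPLINKS = {"core-sw1": {"Gi1/0/48"}, "edge-sw7": {"24"}}

def normalize_mac(mac: str) -> str:
    """Reduce Cisco, HP and colon/dash MAC notations to 12 lowercase hex digits."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits

def parse_arp(text: str) -> dict:
    """Map each IP in ARP output to its normalized MAC."""
    pattern = r"Internet\s+(\d+\.\d+\.\d+\.\d+)\s+\S+\s+(\S+)"
    return {ip: normalize_mac(mac) for ip, mac in re.findall(pattern, text)}

def parse_mac_table(text: str) -> list:
    """Return (normalized MAC, port) pairs from a MAC address table dump."""
    pairs = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 4 and fields[2].upper() in ("DYNAMIC", "STATIC"):
            pairs.append((normalize_mac(fields[1]), fields[3]))
    return pairs

def locate_host(ip: str):
    """Trace an IP to (switch, access port, MAC), ignoring entries learned on uplinks."""
    mac = parse_arp(ARP_TABLE).get(ip)
    if mac is None:
        return None  # not in ARP: host is offline or on a segment this table does not cover
    for switch, table in MAC_TABLES.items():
        for learned_mac, port in parse_mac_table(table):
            if learned_mac == mac and port not in UPLINKS.get(switch, set()):
                return (switch, port, mac)
    return None  # seen only on uplinks: host sits behind a switch whose table is missing
```

Feeding the real ARP and MAC tables into ARP_TABLE and MAC_TABLES is the only change needed to use it on a live trace; a None result means the host is either offline or behind a switch not yet collected.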
IT Security Network policies.
Network equipment documentation (Cisco, HP, D-Link, etc.).
Information Security – UTPA Information Security personnel.
Network Services – UTPA Network Services personnel.
MAC Address – the Network Interface Card's burned-in physical address.
IP address – the logical Internet Protocol address assigned to the Network Interface Card.
Network Host – any device attached to the wired network; typically refers to PCs.
Switch – a network device that provides network connectivity for network hosts.