I had a technical interview recently and am seeking opinions. The IT manager asked about loops, spanning-tree, firewalls and NAT. My question is what your response would be to the scenario he put to me at the end.
If a system on your network is affected by a virus from the outside network, for example, what would you do? I simply answered: I would implement an access-list to block traffic to that segment/node, take it off the network and put it right. My response did not seem to strike the right chord, as he repeated it in different ways, asking how I would identify the affected system, whether that was all I would do, etc.
I am a CCNA with a little hands-on networking experience, halfway through CCNP, more of a systems person but pursuing a career in networking. What is best practice for such a scenario?
Maybe he wanted more focus on how you would make sure that the whole network is healthy again?
As you said, you only cut off the node/segment and make it right. What about the rest?
It could have been spreading without being visible. Also, you should use logs or IPS/IDS systems to locate the affected computer/element; that computer can give clues on how far the infection has spread. Identifying the virus can help you take steps to secure your network and/or remove the virus from other systems it is on.
Basically, the problem I see with your answer is that it is way too limited. You did the following:
1. Isolate the affected node/segment
2. Take it off the network
3. Fix the problem
Steps that should be performed as well could be:
4. Identify the problem
5. Prevent future incidents of this problem
6. Check the rest of the network for signs of the problem
7. Identify the underlying cause and re-evaluate your network security for related problems/improvement points
So in short, your answer was too limited, as you only mentioned isolating and fixing the problem.
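The answer above says to use IDS alerts and logs to find the affected host, then work out how far it spread before blocking it. As an added example (not code from the original thread or from any named product), here is a small Python script that does that over constructed sample logs: it takes the host named in an IDS alert as the starting point, follows allowed firewall connections on SMB-style ports from that host (and from anything it reached) forward in time to build a list of suspect hosts, and then generates the Cisco-style access-list lines to isolate all of them rather than only the first one. The log format, the IP addresses, the signature name and the ACL number 120 are all assumptions made for the example.

```python
import re
from datetime import datetime

# Constructed sample log lines for an imaginary 10.0.0.0/8 network
# (assumed format: "<iso-time> <IDS|FW> <kind> key=value ..."). Not real data.
SAMPLE_LOGS = """\
2024-03-01T09:00:01 IDS alert sig="ET MALWARE Worm Propagation" src=10.1.1.20 dst=198.51.100.7
2024-03-01T09:00:05 FW conn src=10.1.1.20 dst=10.1.1.21 dport=445 action=allow
2024-03-01T09:00:06 FW conn src=10.1.1.20 dst=10.1.1.22 dport=445 action=allow
2024-03-01T09:00:07 FW conn src=10.1.1.20 dst=10.1.1.23 dport=445 action=deny
2024-03-01T09:01:00 FW conn src=10.1.1.21 dst=10.1.2.5 dport=445 action=allow
2024-03-01T09:02:00 FW conn src=10.1.1.30 dst=10.1.1.31 dport=443 action=allow
2024-03-01T08:50:00 FW conn src=10.1.1.21 dst=10.1.1.20 dport=445 action=allow
"""

LINE_RE = re.compile(r"^(\S+) (IDS|FW) (\w+) (.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Ports commonly used for lateral movement between Windows hosts (assumption
# for the example; a real investigation would use the ports the malware uses).
SPREAD_PORTS = {"445", "139", "135"}


def parse_log(text):
    """Turn the raw log text into a list of dicts with a parsed timestamp."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # ignore lines in a format we do not understand
        ts, source, kind, rest = m.groups()
        fields = {k: v.strip('"') for k, v in KV_RE.findall(rest)}
        fields["time"] = datetime.fromisoformat(ts)
        fields["source"] = source
        fields["kind"] = kind
        records.append(fields)
    return records


def find_alerted_hosts(records):
    """Return {host: earliest IDS alert time} for every host the IDS flagged as source."""
    alerted = {}
    for r in records:
        if r["source"] == "IDS" and r["kind"] == "alert":
            host = r["src"]
            if host not in alerted or r["time"] < alerted[host]:
                alerted[host] = r["time"]
    return alerted


def trace_spread(records, seeds, ports=SPREAD_PORTS):
    """Follow allowed connections on spread ports forward in time from the seed hosts.

    A destination becomes a suspect only if the source was already a suspect at the
    time of the connection, so traffic from before the alert (e.g. the 08:50 line)
    and connections the firewall denied do not widen the scope.
    """
    suspects = dict(seeds)  # host -> time it became suspect; preserves discovery order
    for r in sorted(records, key=lambda rec: rec["time"]):
        if r["source"] != "FW" or r.get("action") != "allow" or r.get("dport") not in ports:
            continue
        src, dst = r["src"], r["dst"]
        if src in suspects and r["time"] >= suspects[src] and dst not in suspects:
            suspects[dst] = r["time"]
    return suspects


def build_acl(suspects, acl_number=120):
    """Cisco-style extended ACL that drops traffic sourced from every suspect host."""
    lines = [f"access-list {acl_number} deny ip host {host} any" for host in suspects]
    lines.append(f"access-list {acl_number} permit ip any any")
    return lines


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOGS)
    seeds = find_alerted_hosts(recs)
    spread = trace_spread(recs, seeds)
    print("IDS flagged:", ", ".join(seeds))
    print("Suspect hosts (in order discovered):", ", ".join(spread))
    print("\n".join(build_acl(spread)))
```

Running it against the sample lists 10.1.1.20 (the alerted host), 10.1.1.21 and 10.1.1.22 (reached on 445 after the alert) and 10.1.2.5 (reached by 10.1.1.21 one hop further, on a different subnet), while 10.1.1.23 stays clean because the firewall denied that connection. The time check is deliberate: if the IDS alert lags the real infection, widen the window by seeding with an earlier timestamp, and note that the generated ACL is the containment step only; the cleanup, root-cause and prevention steps in the answer above still have to follow.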