On Sun, 16 Nov 2003, Jamie Reid wrote:
There was a comment (maybe even mine) in a previous thread about accepting a base level of potentially compromised hosts on a network, as the costs of rooting out every last one becomes unwieldy. Networks are large enough that security must be viewed as an economy of controls and risks instead of as a binary state of secure or compromised.
If your policy is not to root out every last one, then you need to beef up your network so a single compromised host doesn't bring down the whole network. The Internet is evidence that a network can continue to operate even with a very large number of compromised machines on a daily basis. On the other hand, if a single user downloading a music file on your network can take your entire network off the air for several days, you may have a problem. I've often tried to explain that ISPs generally view worms as a "capacity planning" issue. Worms change the "eco-system" of the Internet and ISPs have to adapt. But ISPs generally can't "fix" the end-users or their computers. System admins were able to completely eradicate the Morris worm. But most modern worms like Nimda, Code Red I/II, Slammer stick around. Sometimes a new worm like Nachi supplants an older worm like Blaster. Even if the ISP tries to be the great network firewall, we have mobile computers with mobile code. Laptops are too common, connecting to multiple networks.