On Tue, 21 Dec 2004, Suresh Ramasubramanian wrote: : On Tue, 21 Dec 2004 07:09:35 +0000 (GMT), Christopher L. Morrow : <christopher.morrow@mci.com> wrote: : > I'm not such a fan of the auto-acting devices, I'd rather have a person : > review the action prior to taking it.... Each security/network person : > should determine how best to handle that themselves though. : For most large networks with hundreds of thousands of end users : (broadband providers, say), the sheer volume of trojaned or otherwise : compromised hosts makes automation necessary. : : This should of course be subject to manual review once the traffic has : been cut off.. Certain types of infections can be dealt with automatically (to preserve network performance) and other types of infections/compromises don't lend themselves to fully automatic action. For large and small networks, there needs to be a combination of both. Further, the methods used need to be strictly defined in policy and carefully carried out according to the resulting procedures. This keeps everyone consistent in how the network-performance-affecting problems are dealt with, resulting in more efficient troubleshooting and a happier customer base. scott