OSNews

Sounds interesting. I am sure the people who write the viruses and the worms will try to create a false alarm and make the system get kicked out to create some chaos, but neverthless it should be fun to see which group gets outsmarted!

I am not too thrilled about Hardware thinking it knows how to manage a given network. Expensive solution that will be obsolete in the time it takes to install it.

Well the article was rather light on specifics.

Here's one guess:
* The system works on traffic profiling, since it doesn't require virus signatures. What might signal a worm outbreak? High bandwidth outgoing traffic indicating a worm attempting to spread or conduct a DDoS attack would be a good metric. This would also not detect normal downloads. Statistic metrics can be devised to filter out "abnormal" patterns for a specific environment.

Here's a bit of technical speculation as to how I'd like to see it done:
* If Intel are into it, it sounds like it sits outside the operating system. You *could* implement this in hardware but this has a number of issues in the flexibility, cost and management aspects.
* A better place to put this would be in a virtual machine monitor: put the OS in a high performance virtual machine (probably using Intel's VT extensions) and have the VMM take care of this sort of maintenance.
* You could even use a separate "locked down" virtual machine to perform the "circuit breaking" for the user's virtual machine. The "circuit breaker" could be accessed remotely by IT staff to assess what's happened.
* Running the Intrusion Detection in a separate virtual machine also means you can use standard IDS systems such as Snort, potentially running several at once.

My 2 Euro cents ;-)
Mark

A nice-sounding idea, but I don't see how this could ever be implemented in a functional manner that stays out of your way. I expect that if it is ever deployed, it will end up requiring more administration and hand-holding than systems without it.

Actually I wouldn't like it a bit if my hardware decided that I am infected or not. My ISP runs (and has more or less invented)
http://www.quarantainenet.nl/?lang=en&page=quarantainenet
. It requires managable switches and a honeypot, and it just works. At the moment an infected a computer tries to infect the honeypot, it is thrown into a very limited network, that consists of the university homepage, windows update, and the virusscan definition update page. The client gets one chance to desinfect his PC and declare himself sane on a simple page (that is the default page the infected computer gets redirected to). Only if he gets reinfected after that, he will have to explain to a helpdesk what he has done to clean himself and only than they will reconnect him. No more easy buttons, but pure patience. This has helped to reduce the workload on the helpdesk significantly and has made it a lot easier for me to remain virus-free.

The conclusion: A smart, well-managed network works, don't know how much PC hardware would help.

Just thinking its not that hard to code a virus to use normal traffic patterns. I think the only reason they are not coded that way now is because Virus writers are lazy and or they don't have too. I would bet there are quite a few Trojans/Virii out there now that does just that.

Normal applications don't create hundreds of outgoing connections per second.

Forcing worm authors to slow down their worms is good, because it gives people more time to react.