We help to protect your own
Internet security is just like home security. You think about the risks and decide what you want to do about them. This site's intention is, first of all, to give you information about the risks and about ways to meet them. Unfortunately, there is no way, yet, to get insurance against hackers taking over your PC (of the kind you can get against common burglary). You have to think about the risks and decide what to do yourself.

SOHO Data Defence

Two Lessons of the Week of the Worms.

I think that the recent outbreak of self-propagating computer worms (the Blaster and Nachi worms) has given us two important lessons:

1. The update and patch distribution model used in Microsoft Windows is not good enough for corporate networks.
2. Multi-layered defences are important on home and corporate computers.

I consider the first lesson very important. The current patch distribution model, implemented in the Microsoft Windows family of operating systems, allows two main methods of installing updates and patches (including critical security updates):
- Using the Windows Update feature. It requires access to the Internet (direct or through a proxy/firewall) from each computer that has to be updated.
- Running the patches on each computer that has to be updated.

The first method is not universally acceptable on corporate networks. The Internet is quite often inaccessible to many computers on corporate networks because of internal policies, bandwidth limitations, etc. Computers that are prohibited from using the Internet cannot use Windows Update and therefore are not updated in time.

The second method requires manual installation of patches. It can be automated using network scripts, but even then it requires manual intervention by system administrators on domain controllers (or equivalent). Manual interventions are prone to mistakes and slip-ups, and network scripts do not run on non-domain computers.

So both methods leave plenty of room for a number of unpatched computers to remain inside corporate networks, which makes those networks vulnerable to this sort of worm. This lesson was not as clear from the previous outbreaks of similar worms (Slammer, Code Red), because those worms operated (mostly) on server computers (Slammer on MS SQL servers and Code Red on Windows NT), which are much less numerous than the desktops and servers vulnerable to the Blaster and Nachi worms (Windows 2000, Windows XP, Windows 2003).
This means that the model of distributing critical patches has to be changed. One possible solution could be something similar to a Windows Update server, but inside the corporate network.

The second lesson (the necessity of multi-layered defences, including inside the perimeter) comes from the fact that if there are a number of infected computers inside a network (including segments of cable networks), an unprotected computer can be infected in a matter of minutes. A computer protected by anti-virus software only would still be impossible to use, because the Blaster virus would infect it every few minutes (because there are several infected computers on the network), forcing the anti-virus to ask the user to reboot every time. On the other hand, not every computer can be patched, because some application software is not compatible with some of the service packs and patches. This means that a second layer of defence should be added. It could take the form of a personal firewall.

Site news:
  • Site is back and will be updated regularly!
  • Updated: New link in Standards; Why XP SP2 is a MUST, News, Links to free Anti virus added, Dangers updated, Link to the new Personal Firewall review, IPSec advice
  • Added: MS Security Readiness Kit link added, Protection against Computer Hijacking
  • Energy Secretary fires nuclear security chief apparently for bad information security. More here.
    13 January 2006
    No big virus outbreaks for a long time.
    3 January 2006