There is more and more talk of people (typically people that just talk about things, i.e. analysts, as opposed to people who really *do* anything) wanting the ISPs to take up the battle against botnets and zombies. Personally, I feel that if ISPs are going to be forced into taking care of things closer to the end-user or that affect the end-user (either through detection and/or shunning after a threshold), they’re going to go balls-out and go farther than I, as a consumer, want them to go.
It is already difficult enough to shop around for an ISP that gives me a static IP (or at least very low turnover dynamic), allows me unfettered incoming and outgoing ports, and allows me to use my own mail and DNS servers as I see fit. I don’t want that crap done for me. And I don’t want to pay for business-class service. But if I were an ISP forced to go this route, forced to tackle a layer in the communications that I wasn’t really supposed to tackle (this is like asking the physical layer to protect the sessions), I would make damn sure I log everything I can and get as far as I can and as thorough as I can before consumers start decrying privacy issues and freedom of service. This is a ball I do not want to have started rolling.
Besides, I don’t really think ISPs are going to dent that particular problem right now. I’d rather they were left to focus on what they do best, and provide me with uptime, reliability, and faster circuits. I don’t want to have my system shunned (loss of reliability) because one of my neighbors can’t stop visiting infested porn pages or out of the blue if it is my system affected.
But yes, I do think security will still head towards the switch, only the switch will be inside corporations and inside the user home.