Reverse Firewalls As An Anti-Spam Tool
An anonymous reader writes "VeriSign's principal scientist Phillip Hallam-Baker believes one answer to stopping spammers and even crackers is by using reverse firewalls. He says reverse firewalls should be embedded in every cable modem and wireless access point for home users. "A traditional firewall is designed to stop attacks from the outside coming in; a reverse firewall stops an attack going out," Hallam-Baker said. Apparently, a reverse firewall would reduce the value of recruiting your home PC as a member of a botnet because "normal users have no need to send out floods of e-mail, which reverse firewalls can stop, but they do allow a normal flow of e-mail.""
Similarly, few individuals have a desperate need to run their own mail server, so ISPs should only allow mail connections to their own mail servers unless the user asks otherwise. How hard is that? Someone tell me this wouldn't have a major impact on spam zombies.
You could do the same for pretty much every unpopular service and just have an account page where users can specifically turn on services they need.
I suppose the router manufacturers will take this step, which would certainly generate more tech support calls and higher engineering costs, out of the goodness of their hearts?
The manufacturers are in a beautiful position on the spam/virus issue - they just route the packets, virii are Microsoft's problem. Why rock the boat?
[tinfoil_hat_on]
1. What if I were to have a good reason to send loads of e-mail?
2. Would these firewalls keep logs, and if so, who would have access to them?
3. This sounds a lot like Microsoft's Trusted Computing project, bad idea.
[tinfoil_hat_off]
-Joey
Reverse Firewall? As far as I know, a wall of fire would be flaming on both sides.
All kidding aside, all capable firewalls do have outbound protection built into them. Consumer software firewalls monitor which programs are allowed to access the internet, for example, and enterprise-level firewalls allow you to define heuristics to block certain traffic patterns.
So, basically, the article is just suggesting a new name for an old concept. Really, the author wants consumer networking devices to have more capable firewalls.
He's missing something: home PCs aren't spam-generators, they are spam relays. The spam has to be getting in somehow, and that is something a normal firewall should be able to stop. On top of that, they have downloaded a trojan or been hit by a worm to turn them into relays in the first place, which is something a firewall + AV should prevent.
Also, it's probably just as easy to educate 75% of the people how not to become a spam relay as it is to get 75% of the people to buy something with a reverse firewall and then train them how to use it (most people I know just put their computers into the DMZ when they play games because they don't know how to forward ports).
Sure, layered security is a good thing, but I see this as likely to generate many headaches with not much benefit.
-Ryan
AUWYHSTOT (Acronyms are Useless When You Have to Spell Them Out Too)
The virus is already on the inside with "root". It would be trivial for the virus to simply disable the firewall before spewing.
No, for a "reverse" firewall to make any sense, the firewall must be on a different machine.
Go uncap a cable modem. Oh wait, in some cases a hard thing to do. Also against your Terms of Service. What is to stop manufacturers from hindering the user's ability to configure this reverse firewall in a similar manner? What is to stop your provider from doing the same for your and the provider's network and other customers' protection?
It comes down to this: if they cannot trust the users' computers, why should they trust them to configure a reverse firewall?
What if you only have one choice of broadband provider?
Personally I think the best place for activation of such things is at NOC level not user level and on a case by case basis.
Speaking of "floods of e-mail," one of the most entertaining things is to take my original copy of win2k without any service packs, :-)
do a fresh install,
plug in without any firewall,
and watch how fast the damn thing tries to send out mass mailings
*trying not to feed the troll*
The problem is not just to monitor the traffic, but to apply uncircumventable precautions against unallowed behaviour. For a similar, yet a lot tougher solution, my cable provider blocks a port (port 80 right now) at the Cable Broadband Router level (the other side of my connection) and similarly, a DSL provider could do the same at the DSLAM level. The reason most providers don't do this is that
1) it increases the per-user CPU cost at the edge of their network
2) it increases the support calls (as not a single one of them has had the balls (yet), to my knowledge, to announce it in public fora, and they are similarly afraid to announce it to their users, despite that it could actually be marketed as a good thing: we protect you from this, so your bills are more likely to stay low)
Putting it on the other side of the demarc is putting provider policy control on the client's side of the link, which is generally a bad idea.
The problem with something like this is that it would likely either be an everyone-or-nobody change to the new system, or we'd have a scenario like the Windows API, where old code and functionality is left intact for legacy purposes (which, in effect, makes the new changes irrelevant, as the old exploitation methods are still viable).
Not saying I disagree, just playing devil's advocate.
~/ssh slashdot.org ssh: connect to host slashdot.org port 22: too many beers
What if spyware is packaged like a plugin for your app? For example, most "search bars" for Internet Explorer proxy their traffic through Internet Explorer. That kinda defeats this scheme. Also, what if I rename "my spyware" app to iexplorer.exe? Does Windows check the MD5 hash of the .exe app that claims to be "iexplorer.exe"?
A. You don't use Internet Explorer if you're concerned about security. B. Most of the current software firewalls do keep a hash of the .exe (including the path) and notify/ask about the replacement.
Perhaps it's just me, but egress filtering is the default behaviour on all FW boxes I set up. And I'm not even that much of a hardcore security geek.
"Consistency is contrary to nature, contrary to life. The only completely consistent people are the dead." A. Huxley
But this filtering is quite difficult to do, especially with static rules.
For example, from our webproxy we allow connects to certain ports only. The proxy can connect to ports like 80 and 443 (and some high port ranges).
This works well 99% of the time, but sometimes sites set up a second server on a port like 81 and it cannot be connected to.
There could be some magic like "the proxy software is allowed to do it but another process on that machine isn't". That is like ZoneAlarm.
However, I question the utility of this approach, because when a cracker is able to install a trojan process that does outgoing connects, who guarantees me that he will not be able to defeat this magic filter?
Eh, when I stopped accepting direct-to-mx mail from dynamic IP addresses, I had exactly 1 legitimate mail get blocked in the first six months, and that was because the sender forgot he'd been playing with Mercury.
Compared to the 900+ viruses/spams/worms that get 550'd every month, I'd call that acceptable.
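The policy this poster describes, refusing direct-to-MX mail from dynamic address space, as an added example that is not the poster's own mail server configuration. The address ranges are constructed stand-ins from the RFC 5737 documentation blocks, the allowlist entry is invented, and the authenticated-submission bypass is an assumption added so that a user's own mail client, which submits through the ISP relay with a login, is never caught by the check:

```python
# Added example, not the commenter's mail server configuration: a receiving
# MTA's policy check that refuses direct-to-MX mail from dynamic (residential)
# address space while leaving authenticated submission and an allowlist alone.
# The ranges are constructed stand-ins from RFC 5737; a real deployment would
# consult a DNSBL (a DUL/PBL-style zone) or the ISPs' published ranges.
from ipaddress import ip_address, ip_network

DYNAMIC_RANGES = [ip_network("198.51.100.0/24"), ip_network("203.0.113.128/25")]
ALLOWLIST = {ip_address("198.51.100.200")}   # assumed: one known home mail server granted an exception


def smtp_verdict(client_ip, authenticated=False):
    """Return the SMTP reply (code, text) for a connecting client.
    Authenticated submission is never subject to the dynamic-IP check."""
    ip = ip_address(client_ip)
    if authenticated or ip in ALLOWLIST:
        return (250, "OK")
    if any(ip in net for net in DYNAMIC_RANGES):
        return (550, "5.7.1 Mail from dynamic address rejected; relay through your ISP's mail server")
    return (250, "OK")


def tally(connections):
    """Count verdicts over (client_ip, authenticated) pairs, the way a
    monthly review of the rejection log would."""
    counts = {250: 0, 550: 0}
    for ip, auth in connections:
        counts[smtp_verdict(ip, auth)[0]] += 1
    return counts


if __name__ == "__main__":
    # Constructed sample of one evening's connections: two dynamic clients,
    # one static server, one allowlisted host and one authenticated submission.
    sample = [("198.51.100.5", False), ("203.0.113.130", False), ("192.0.2.1", False),
              ("198.51.100.200", False), ("198.51.100.9", True)]
    for ip, auth in sample:
        print(ip, "auth" if auth else "anon", smtp_verdict(ip, auth))
    print(tally(sample))
```

The check runs at connection time, before any message data is accepted, so a compromised home PC spewing direct to MX costs the receiving server one TCP handshake and a 550; the legitimate user who does run a home mail server gets the allowlist entry (the "sender forgot he'd been playing with Mercury" case) rather than a permanent block.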
There is a security flaw with everything that runs locally on a Windows machine configured by a home user, and that is simply that once infected, all firewall / spam / virus software can theoretically be disabled by a running program.
The articles point out that if we have some limits set into a hardware product (i.e. the cable / ADSL modem) then we limit the effectiveness of the attack. This is based upon the fact that the spam relay software is to be run on a badly configured system (aka casual home user).
I like the idea of a reverse firewall, and have thought for a long time that it is about time that something like Smoothwall should be altered to provide functionality as described in the articles.
By that I mean that home users need something that is simple to set up, has the ability to tell them about typically suspect activity (outgoing port X access, where X is a port known to be used by some unwanted program) and allow the user to define certain limits for users on their home network. And I do mean home network; after all, a corporate network should have a proficient IT person administering it all day and they can set up whatever is required to protect their network.
A home user needs something that will aid them to set limits for their own use of the internet. For example, if my mom installed such a product and the product asked her "1, Do you use email? 2, Do you use the web? 3, Typically how many emails do you send a day? 4, etc, etc." surely this would set up a modem whereby a lot of untoward activity by a spam relay infected machine would be reduced.
Personally I would like to see a firewall that lets me define which applications are to be allowed on a per machine basis / port set basis. So you could define that the set of ports used by say unreal tournament, would be allowed on machine A, but not on machine B.
Another example would be if I have two machines, one for myself and one for my child, I would certainly want to only allow me to play violent games online, e.g. RTCW: Enemy Territory, which is free to download and install by my child, but I would be warned that they are using it as it would be rejected and logged on the firewall. This would happen for any other product that tried to get out of my LAN.
There are a few flaws, the main one being if all the products started using port 80 (or read the computers configuration and used the proxy). In this case you would need to filter the port 80 requests, but still, it would be a good step to prevent a lot of abuse of infected machines.
Of course the firewall would also need to have email filters and a net nanny, but such a product should sell well to any parent who is worried about the internet and their child's use of it, assuming of course the manual is in PLAIN English and simply says something to the effect "To get email protection up and running do A, B, C then D".
It is strange that people working for free, I am talking open source here, do not produce something that is useful for home users. All the OSS firewalls I have looked at require you to have a good to expert knowledge (depending on firewall) of networking in order to effectively use them. They all seem to be just creating replacements for professional products rather than something that is usable by the average Joe.
Perhaps if they grasped this usability problem, then OSS might finally create a Linux distro that is good for the desktop.
I set up a firewall at a medium-sized company and the only machine which was allowed to connect to some remote machine on port 25 was the mail server. In a similar vein, the transparent proxy was deliberately set up to break LookOut Express HotMail over HTTP.
Simple things like that, default to deny for both inbound and outbound, virus checking on the mail server: they all greatly reduce the risk of these Windows plagues.
And I thought it was all pretty much standard practice.
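The default-deny, mail-server-only egress rule this poster describes (and the ISP-side version suggested near the top of the thread, where only the provider's own mail server is reachable on port 25 unless the user asks otherwise) as an added, constructed example; it is not this poster's actual firewall configuration. Everything in it is assumed: the LAN range, which host plays mail server and which is the admin's workstation, and the RFC 5737 documentation addresses standing in for the ISP relay, the ISP resolver and the outside world.

```python
# Added example (not the commenter's configuration): a first-match, default-deny
# egress policy of the kind described above, where only the LAN's mail server
# may open outbound SMTP and everything unmatched is denied and logged.  All
# hosts and addresses below are constructed assumptions (RFC 5737 ranges).
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

LAN = ip_network("192.168.1.0/24")                 # assumed internal network
MAIL_SERVER = ip_address("192.168.1.10")           # the only host allowed to deliver mail
ADMIN_WORKSTATION = ip_address("192.168.1.50")     # per-host exception for SMTP testing
ISP_SMARTHOST = ip_address("203.0.113.25")         # assumed ISP mail relay
ISP_RESOLVER = ip_address("203.0.113.53")          # assumed ISP DNS resolver


@dataclass(frozen=True)
class Conn:
    """One outbound connection attempt as the firewall sees it."""
    src: str
    dst: str
    dport: int
    proto: str = "tcp"


def egress_decision(c: Conn) -> tuple:
    """Return (verdict, reason). Rules are tried in order; first match wins."""
    src, dst = ip_address(c.src), ip_address(c.dst)
    if dst in LAN:
        return ("pass", "intra-LAN traffic is outside the egress policy")
    if src not in LAN:
        return ("deny", "source is not on the LAN (spoofed or misrouted)")
    if c.proto == "tcp" and c.dport == 25:
        if src == MAIL_SERVER:
            return ("allow", "mail server may deliver to any remote MX")
        if src == ADMIN_WORKSTATION and dst == ISP_SMARTHOST:
            return ("allow", "admin exception: SMTP test to the ISP relay only")
        return ("deny", "outbound SMTP from a non-mail host (possible spam relay)")
    if c.proto == "tcp" and c.dport in (80, 443):
        return ("allow", "web browsing")
    if c.proto == "udp" and c.dport == 53 and dst == ISP_RESOLVER:
        return ("allow", "DNS to the ISP resolver")
    return ("deny", "default deny outbound")


def audit(conns):
    """Evaluate a batch and return the denied attempts with their reasons,
    which is what the firewall log should carry for follow-up."""
    denied = []
    for c in conns:
        verdict, reason = egress_decision(c)
        if verdict == "deny":
            denied.append((c, reason))
    return denied


if __name__ == "__main__":
    sample = [  # constructed attempts
        Conn("192.168.1.10", "198.51.100.7", 25),    # mail server delivering
        Conn("192.168.1.77", "198.51.100.7", 25),    # desktop talking SMTP: suspicious
        Conn("192.168.1.50", "203.0.113.25", 25),    # admin testing the ISP relay
        Conn("192.168.1.77", "198.51.100.7", 443),   # ordinary HTTPS
        Conn("192.168.1.77", "198.51.100.9", 6667),  # unexpected outbound IRC
    ]
    for conn, reason in audit(sample):
        print(f"DENY {conn.src} -> {conn.dst}:{conn.dport}/{conn.proto}: {reason}")
```

The per-host exception is the answer to the "I telnet to port 25 from my workstation" objection raised further down: the admin's own box gets a narrow allow to the ISP relay, every other desktop stays blocked, and the denied attempts are exactly the entries worth reading in the log, because a desktop that suddenly opens SMTP to random remote hosts is the relay behaviour the thread is about.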
I personally think that individuals should take more responsibility for their equipment. It's not really the ISP's business to put in firewalls - perhaps if the users were to pay for the additional service, then the ISP can provide... The individual can always put in a firewall themselves which would only allow port 25 connection to their ISP's mailserver.
Perhaps - a "mandatory" additional fee for a firewall for those who do not have an operational firewall?
Just thinking aloud....
-- The universe began. Life started on a billion worlds...
-- Except on one where stupidity was there first.
Obviously, if the firewall rather than the PC becomes the main point allowing or denying access to the network then attackers will concentrate on the firewall instead. Lots of consumer-level firewalls are likely to have 'easy-to-use' features which can be exploited. Probably even a firewall control panel accessed from Windows, so all you need to do is crack the PC and wait for the user to enter the firewall password once.
Arguing that we should use reverse firewalls to stop exploited PCs sending out traffic to the network is an admission that expecting security on the PC itself is doomed and we should rely on something, anything else - that doesn't run Windows. I think it would be better to attack the real problem and try to make the typical PC as hard to crack as the typical consumer firewall. For those stuck with insecure systems (or systems which make it very hard for a naive user to keep his PC secure) a reverse firewall might be a useful sticking plaster.
-- Ed Avis ed@membled.com
I've been using Zone Alarm to do this for years. And as I recall, Windows XP SP2 will include a bi-directional firewall. While it would be nice to have this implemented into a set-it-and-forget-it hardware solution, apps like Zone Alarm are free and quite effective.
Further, any effective hardware implementation will have to keep logs or send alerts because personally, I want to know what's being prevented from going out.
My mom always said, "Jim, you're 1 in a million." Given the current population, there are 7000 of me. God help us all!
A "hardware" firewall is just a software firewall on another machine. As such, it's still complex to keep it setup correctly. You can get close to a default good condition, but it's not perfect.
"but it also requires the user to accept or reject applications requesting access (and knowing users, they will just click accept all the time)."
You got it. There is no easy practical way to actually know what all the requests, even when presented with them, actually *mean* right then at the exact second you need to make an executive decision on allow/disallow. You have the tool to do this, but not the knowledge to make the decision intelligently without a LOT of prior research; it is not default "clear" to most people. For one, you as Joe User have to know which host/process/connect/in/out is cool or not. The firewall will do what you tell it to do, that part is not difficult, it's binary, yes or no, but if you don't *know* intuitively, in advance of being forced to make a decision, you have to *guess* if you want to continue surfing.
Anyone who runs a firewall and does not currently have it set up similar to this should block outgoing port 25 connections that do not originate from your mail server immediately.
Sorry, can't do that. I frequently use telnet out of workstations on my network to connect to port 25 on other machines to verify SMTP setups are correct there.
I also use P2P software that has random port assignments, so a small proportion of the users I connect to with that will be on port 25, and I'd rather not interfere with it.
Nice suggestion, though.
"Reverse" firewall huh. That sounds a lot like Egress filtering to me. Don't all real firewalls do that?
I wouldn't trust stateful packet inspection on my "modem" as far as I could throw it. The firewall built into my old (not-so)Efficient 5861 DSL router was horrible. It had no stateful packet inspection, so you were letting in packets on ports outside the realm of established connections. The firewall built into my Cayman 3546 is smarter, but not very configurable at all. It's either on or off and I could map some ports, but it's not nearly as configurable as others.
The only thing I trust is my PF/IPF firewalls in place around the crappy DSL modem firewalls.
More than just tying the application to the port (email client to port 25), Zone Alarm warns if an excessive amount of email is about to be sent by the previously authorized client. My normal mail goes without a peep; my distributions to a mailing list get a Zone Alarm confirmation.
With a compromised spam factory, such a volume warning may serve to wake up even the most naive user. OTOH, I wouldn't be surprised at a, "Oh that Zone Alarm thing? Yeah, it does that every night..."
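The volume warning this poster describes, and the "floods of e-mail versus a normal flow" distinction in the summary at the top, as an added example that is not Zone Alarm's code: a sliding-window count of outbound SMTP connections per source host over constructed firewall log lines, flagging any host that exceeds what a person at a keyboard plausibly sends. The log format, the hosts, the threshold of 20 connections in 10 minutes and the sample traffic are all assumptions made for the example.

```python
# Added example, not Zone Alarm's implementation: a sliding-window counter over
# constructed firewall log lines that flags a host opening more outbound SMTP
# connections than a normal user would within a short window.
from collections import defaultdict, deque
from datetime import datetime, timedelta
import re

# Assumed log format: "<ISO timestamp> src=<ip> dst=<ip> dport=<port>"
LOG_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)$")


def parse_line(line):
    """Return (timestamp, src, dst, dport) or None for a line that does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return datetime.fromisoformat(m["ts"]), m["src"], m["dst"], int(m["dport"])


def flag_smtp_floods(lines, limit=20, window=timedelta(minutes=10)):
    """Return {src: time_first_flagged} for hosts with more than `limit`
    outbound SMTP connections in any `window`. Lines are assumed to arrive
    in time order, as a firewall writes them."""
    recent = defaultdict(deque)   # per-host timestamps still inside the window
    flagged = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec[3] != 25:
            continue
        ts, src = rec[0], rec[1]
        q = recent[src]
        q.append(ts)
        while ts - q[0] > window:   # drop timestamps that have aged out
            q.popleft()
        if len(q) > limit and src not in flagged:
            flagged[src] = ts
    return flagged


def constructed_log():
    """Build sample lines (constructed, not captured): one host sends three
    mails over an hour, another opens 60 SMTP connections in five minutes,
    and the second host also browses the web, which the check must ignore."""
    base = datetime(2004, 2, 11, 2, 0, 0)
    events = []
    for i in range(3):   # normal user, mail via the ISP relay
        events.append((base + timedelta(minutes=20 * i), "192.168.1.20", "203.0.113.25", 25))
    for i in range(60):  # infected relay, direct to many remote MXs
        events.append((base + timedelta(seconds=5 * i), "192.168.1.77", f"198.51.100.{i + 1}", 25))
    for i in range(10):  # web browsing from the same infected host
        events.append((base + timedelta(seconds=7 * i), "192.168.1.77", "192.0.2.10", 80))
    events.sort()
    return [f"{ts.isoformat()} src={src} dst={dst} dport={dport}" for ts, src, dst, dport in events]


if __name__ == "__main__":
    for host, when in flag_smtp_floods(constructed_log()).items():
        print(f"ALERT {host}: outbound SMTP rate exceeded at {when.isoformat()}")
```

With the sample traffic the normal host never trips the counter, and the infected host is flagged on its 21st connection, 100 seconds in; whether the alert then goes to the user (the Zone Alarm prompt) or to a log the ISP reads is the policy question the rest of the thread argues about, but the counting itself is the same either way.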
> Sorry, can't do that.
If you are indeed an/their admin you should easily be able to configure the server to open the submission (or any other) port to test your SMTP servers that way. Is that not what ssh is for? ssh in, telnet localhost 25, test away.
> and I'd rather not interfere with it.
The number of users who bind their p2p onto port 25 I can count on one hand; any p2p software worth its merit won't bind to anything below 1024 unless told to anyways.
This attitude is one of the biggest reasons why there are so many infected machines: people won't comply because it breaks their 'Kazaa' and crap, yet they complain when there is no security.
Someone asked me the difference between ignorance and apathy, I told them I don't know and I don't care.
No offense, but these are rather poor excuses.
Sorry, can't do that. I frequently use telnet out of workstations on my network to connect to port 25 on other machines to verify SMTP setups are correct there.
Okay, so you create exception rules for the *specific* machines that you will be working from. Either that, or you connect to one central machine and do the majority of your testing from there, by remote access (ssh, VNC, whatever).
Personally, I'd suggest the latter, as it allows you to easily set up automated testing scripts that can be run from anywhere.
I also use P2P software that has random port assignments, so a small proportion of the users I connect to with that will be on port 25, and I'd rather not interfere with it.
Any program that randomly binds to port 25 is BAD[1], and you should get rid of it in favor of a decent program. Applications that need a random port to use should take the first available port that is greater than 1024. On many operating systems, this is enforced by the OS.
I'd be curious as to which P2P software you're describing, so I can make sure I avoid it.
[1] Broken As Designed
Topher
With a firewall in the cable modem itself, the cable company will be able to remotely configure it, and conceivably stop any kind of traffic they want to stop. Don't want you using P2P applications? Just firewall those ports! It's not like you "own" the cable modem anyway (most people just lease one). And even if you do own one, they can just write a clause into the contract giving them rights to remotely configure it.
Before you know it, cable modems without such firewalls will be banned from the network.
Sorry, I'm not installing any piece of hardware that I don't own, is under direct control of the cable company, and can be used to filter my outgoing traffic. Not in a fucking million years. And definitely not in the name of "stopping spam."
"Stop spam" has become the cyber equivalent of "Save the children." It seems we're willing to throw away far too much in return for too little benefit.
It's always been the same, at least as far back as I've been online (no not since the beginning, probably 14 years or so though).
The ISPs get away with that kind of bullshit because 98% of users don't go anywhere near the limits and no matter how loudly the other 2% shout that they're being ripped off, nobody listens or cares.
They can't advertise it as "limited internet" because nobody else does, they wouldn't get new customers despite the fact that those customers would have stuck well within the limits anyway. People always like to think they're getting more for less.
The result is that anyone who does want their broadband connection to be used as a broadband connection either has to pay vastly inflated business rates or use an ISP that hosts spammers/porn/etc where they end up blacklisted from half the net.
There's also the TOS (terms of service); most ISPs' TOS include statements such as "we reserve the right to change the TOS without informing the customer and without incurring liability", i.e. we can do whatever we want and you can suck it up.