Slashdot Mirror


Reverse Firewalls As An Anti-Spam Tool

An anonymous reader writes "VeriSign's principal scientist Phillip Hallam-Baker believes one answer to stopping spammers and even crackers is by using reverse firewalls. He says reverse firewalls should be embedded in every cable modem and wireless access point for home users. "A traditional firewall is designed to stop attacks from the outside coming in; a reverse firewall stops an attack going out," Hallam-Baker said. Apparently, a reverse firewall would reduce the value of recruiting your home PC as a member of a botnet because "normal users have no need to send out floods of e-mail, which reverse firewalls can stop, but they do allow a normal flow of e-mail.""

10 of 513 comments

  1. Off by default by Kris_J · Score: 4, Interesting
    Where my mother works, they're all allowed to have VPN access (I know this because I'm getting ADSL so she won't be dialling in directly anymore), but it's not on by default, you have to make a request to turn it on.

    Similarly, few individuals have a desperate need to run their own mail server, so ISPs should only allow mail connections to their own mail servers unless the user asks otherwise. How hard is that? Someone tell me this wouldn't have a major impact on spam zombies.

    You could do the same for pretty much every unpopular service and just have an account page where users can specifically turn on services they need.

    1. Re:Off by default by ottothecow · Score: 4, Interesting
      Yes

      He is right.

      ISPs should block port 25, that is a definite yes at this point in time. But, when a user wants port 25, they should be able to ask and receive.

      Your average cable/DSL user is probably still using their free yahoo or hotmail account to check email. Maybe they made an ISP account now that POP3/SMTP is offered, but they probably have no need for an external mailserver.

      The next guy up--the one who wants the mailserver--is either someone who knows enough about the internet and can deal with the attacks on their system, or some corporate exec who is told that he needs to do this to check his email. They could have a little quiz about security and if you do well, you get port 25, if you don't do well you can either take a little online class or maybe just buy a NAT box (maybe with a reverse firewall).

      --
      Bottles.
    2. Re:Off by default by Ryan+Amos · Score: 3, Interesting

      The days of the ISP as a "carrier" are long gone. They were over pretty much as soon as broadband hit the market. ISPs these days handle such massive amounts of bandwidth with such ignorant users that they have somewhat of a responsibility to the rest of the internet (not to mention their bottom line) to make sure that bandwidth isn't being used for nefarious purposes by hackers or viruses which have taken over the computers of these ignorant users. 99% of users don't need to and will never run a mail server, DNS server, whatever from their cable modem. All leaving these ports open does is allow the spambots and botnets to spread unabated.

      The days of the free, trusted internet are gone. Look at it this way: any competent sysadmin runs a firewall on a box that blocks all incoming ports except those which the admin knows are in use. Doing the same with outgoing traffic is not a bad idea, especially considering that most people whose computers are sending these massive crapfloods have no idea what's going on. We've got to protect the internet from itself or it will render itself practically useless.

  2. Oh yeah, router manufacturers will buy this... by cleverhandle · Score: 4, Interesting

    I suppose the router manufacturers will take this step, which would certainly generate more tech support calls and higher engineering costs, out of the goodness of their hearts?

    The manufacturers are in a beautiful position on the spam/virus issue - they just route the packets, virii are Microsoft's problem. Why rock the boat?

  3. reverse firewall? what? by rritterson · Score: 5, Interesting

    Reverse Firewall? As far as I know, a wall of fire would be flaming on both sides.

    All kidding aside, all capable firewalls do have outbound protection built into them. Consumer software firewalls monitor which programs are allowed to access the internet, for example, and enterprise-level firewalls allow you to define heuristics to block certain traffic patterns.

    So, basically, the article is just suggesting a new name for an old concept. Really, the author wants consumer networking devices to have more capable firewalls.

    He's missing something: home PCs aren't spam-generators, they are spam relays. The spam has to be getting in somehow, and that is something a normal firewall should be able to stop. On top of that, they have downloaded a trojan or been hit by a worm to turn them into relays in the first place, which is something a firewall + AV should prevent.

    Also, it's probably just as easy to educate 75% of the people how not to become a spam relay as it is to get 75% of the people to buy something with a reverse firewall and then train them how to use it (most people I know just put their computers into the DMZ when they play games because they don't know how to forward ports).

    Sure, layered security is a good thing, but I see this as likely to generate many headaches with not much benefit.

    --
    -Ryan
    AUWYHSTOT (Acronyms are Useless When You Have to Spell Them Out Too)
    1. Re:reverse firewall? what? by mdfst13 · Score: 3, Interesting

      "He's missing something: home PCs aren't spam-generators, they are spam relays. The spam has to be getting in somehow, and that is something a normal firewall should be able to stop."

      They are generating the SMTP connections. Once a virus is on a computer, it can communicate out to its source via common ports, like http's port 80. It doesn't need to use a blockable port (although ports like the NetBIOS port should be blocked to avoid trojans). Anti-virus is a client side solution, and clearly, relying on clients does not work. Plus, there is a lag time between a virus being introduced and the AV software catching it.

      I'm not sure that the cable modem is the place to make these blocks either. I would think that they could be more sensibly made at the network router/switch.

  4. Virus could disable software firewall by erice · Score: 4, Interesting

    The virus is already on the inside with "root". It would be trivial for the virus to simply disable the firewall before spewing.

    No, for a "reverse" firewall to make any sense, the firewall must be on a different machine.

  5. New??? by really? · Score: 4, Interesting

    Perhaps it's just me, but egress filtering is the default behaviour on all FW boxes I set up. And I'm not even that much of a hardcore security geek.

    --

    "Consistency is contrary to nature, contrary to life. The only completely consistent people are the dead." A. Huxley
  6. Re:This isn't normal behavior? by geminidomino · Score: 3, Interesting

    Eh, when I stopped accepting direct-to-mx mail from dynamic IP addresses, I had exactly 1 legitimate mail get blocked in the first six months, and that was because the sender forgot he'd been playing with Mercury.

    Compared to the 900+ viruses/spams/worms that get 550'd every month, I'd call that acceptable.

  7. Standard practice at companies? by atcurtis · Score: 3, Interesting

    I set up a firewall at a medium-sized company and the only machine which was allowed to connect to some remote machine on port 25 was the mail server. In a similar vein, the transparent proxy was deliberately set up to break LookOut Express HotMail over HTTP.

    Simple things like that, default to deny for both inbound and outbound, virus checking on the mail server: they all greatly reduce the risk of these Windows plagues.

    And I thought it was all pretty much standard practice.

    I personally think that individuals should take more responsibility for their equipment. It's not really the ISP's business to put in firewalls - perhaps if the users were to pay for the additional service, then the ISP can provide... The individual can always put in a firewall themselves which would only allow port 25 connection to their ISP's mailserver.

    Perhaps - a "mandatory" additional fee for a firewall for those who do not have an operational firewall?

    Just thinking aloud....

    --
    -- The universe began. Life started on a billion worlds...
    -- Except on one where stupidity was there first.
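The policy the thread keeps circling back to (the summary's reverse firewall that passes a normal flow of e-mail but stops floods, Kris_J's "mail connections only to the ISP's own mail servers", and atcurtis's default-deny in both directions), combined into a small egress-filter simulator run over a connection log. This is an added example, not code from the article or from any of the posters; the relay address, the allowed client ports, the per-minute SMTP threshold and the log lines are all assumed or constructed.

```python
from collections import defaultdict

# Added example (not code from the article or the posters). Simulates the
# egress policy described in the thread: deny outbound by default, allow
# ordinary client ports, allow SMTP (25) only to the ISP's relay, and cut a
# host off once it opens more SMTP connections per minute than a normal user.
ISP_MAIL_RELAY = "203.0.113.25"   # assumed relay address (documentation range)
CLIENT_PORTS = {53, 80, 443, 110, 143, 993, 995}
SMTP_PORT = 25
SMTP_PER_MINUTE = 5               # assumed "normal flow" threshold


def decide(conn, smtp_counts):
    """Verdict (ALLOW|DENY, reason) for one outbound connection dict."""
    # conn: ts (seconds), src, dst, dport; smtp_counts: SMTP attempts per (src, minute)
    if conn["dport"] == SMTP_PORT:
        key = (conn["src"], conn["ts"] // 60)
        smtp_counts[key] += 1           # count attempts whether allowed or not
        if conn["dst"] != ISP_MAIL_RELAY:
            return "DENY", "smtp only to ISP relay"
        if smtp_counts[key] > SMTP_PER_MINUTE:
            return "DENY", "smtp rate limit exceeded"
        return "ALLOW", "smtp to ISP relay"
    if conn["dport"] in CLIENT_PORTS:
        return "ALLOW", "client port"
    return "DENY", "default deny"


def filter_log(lines):
    """Apply the policy to 'ts src dst dport' lines; return (verdicts, flagged hosts)."""
    smtp_counts = defaultdict(int)
    verdicts, flagged = [], set()
    for line in lines:
        ts, src, dst, dport = line.split()
        conn = {"ts": int(ts), "src": src, "dst": dst, "dport": int(dport)}
        verdict, reason = decide(conn, smtp_counts)
        verdicts.append((verdict, reason))
        if verdict == "DENY" and conn["dport"] == SMTP_PORT:
            flagged.add(src)             # a host with denied SMTP is worth a look
    return verdicts, sorted(flagged)


# Constructed connection log: a normal host (.10) and a spam zombie (.20).
SAMPLE_LOG = [
    "0 192.168.1.10 198.51.100.7 443",    # web: allowed
    "1 192.168.1.10 203.0.113.25 25",     # mail via ISP relay: allowed
    "2 192.168.1.10 203.0.113.9 53",      # DNS: allowed
    "3 192.168.1.10 198.51.100.7 6667",   # unlisted port: default deny
    "10 192.168.1.20 198.51.100.44 25",   # direct-to-MX delivery: denied
] + [f"{t} 192.168.1.20 203.0.113.25 25" for t in range(11, 17)]  # flood
```

Run against SAMPLE_LOG, the normal host only loses its unlisted port, while the zombie's direct-to-MX attempt and the tail of its relay flood are dropped and the host is flagged; a real gateway would enforce the same rules in its packet filter, which also answers erice's point that the check has to live on a different machine from the infected one.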