Slashdot Mirror


Reverse Firewalls As An Anti-Spam Tool

An anonymous reader writes "VeriSign's principal scientist Phillip Hallam-Baker believes one answer to stopping spammers and even crackers is by using reverse firewalls. He says reverse firewalls should be embedded in every cable modem and wireless access point for home users. 'A traditional firewall is designed to stop attacks from the outside coming in; a reverse firewall stops an attack going out,' Hallam-Baker said. Apparently, a reverse firewall would reduce the value of recruiting your home PC as a member of a botnet because 'normal users have no need to send out floods of e-mail, which reverse firewalls can stop, but they do allow a normal flow of e-mail.'"

6 of 513 comments

  1. Off by default by Kris_J · · Score: 4, Interesting
    Where my mother works, they're all allowed to have VPN access (I know this because I'm getting ADSL so she won't be dialling in directly anymore), but it's not on by default, you have to make a request to turn it on.

    Similarly, few individuals have a desperate need to run their own mail server, so ISPs should only allow mail connections to their own mail servers unless the user asks otherwise. How hard is that? Someone tell me this wouldn't have a major impact on spam zombies.

    You could do the same for pretty much every unpopular service and just have an account page where users can specifically turn on services they need.

    1. Re:Off by default by ottothecow · · Score: 4, Interesting
      Yes

      He is right.

      ISPs should block port 25, that is a definite yes at this point in time. But, when a user wants port 25, they should be able to ask and receive.

      Your average cable/DSL user is probably still using their free yahoo or hotmail account to check email. Maybe they made an ISP account now that POP3/SMTP is offered, but they probably have no need for an external mailserver.

      The next guy up--the one who wants the mailserver--is either someone who knows enough about the internet and can deal with the attacks on their system, or some corporate exec who is told that he needs to do this to check his email. They could have a little quiz about security and if you do well, you get port 25, if you don't do well you can either take a little online class or maybe just buy a NAT box (maybe with a reverse firewall).

      --
      Bottles.
  2. Oh yeah, router manufacturers will buy this... by cleverhandle · · Score: 4, Interesting

    I suppose the router manufacturers will take this step, which would certainly generate more tech support calls and higher engineering costs, out of the goodness of their hearts?

    The manufacturers are in a beautiful position on the spam/virus issue - they just route the packets, virii are Microsoft's problem. Why rock the boat?

  3. reverse firewall? what? by rritterson · · Score: 5, Interesting

    Reverse Firewall? As far as I know, a wall of fire would be flaming on both sides.

    All kidding aside, all capable firewalls do have outbound protection built into them. Consumer software firewalls monitor which programs are allowed to access the internet, for example, and enterprise-level firewalls allow you to define heuristics to block certain traffic patterns.

    So, basically, the article is just suggesting a new name for an old concept. Really, the author wants consumer networking devices to have more capable firewalls.

    He's missing something: home PCs aren't spam-generators, they are spam relays. The spam has to be getting in somehow, and that is something a normal firewall should be able to stop. On top of that, they have downloaded a trojan or been hit by a worm to turn them into relays in the first place, which is something a firewall + AV should prevent.

    Also, it's probably just as easy to educate 75% of the people how not to become a spam relay as it is to get 75% of the people to buy something with a reverse firewall and then train them how to use it (most people I know just put their computers into the DMZ when they play games because they don't know how to forward ports).

    Sure, layered security is a good thing, but I see this as likely to generate many headaches with not much benefit.

    --
    -Ryan
    AUWYHSTOT (Acronyms are Useless When You Have to Spell Them Out Too)
  4. Virus could disable software firewall by erice · · Score: 4, Interesting

    The virus is already on the inside with "root". It would be trivial for the virus to simply disable the firewall before spewing.

    No, for a "reverse" firewall to make any sense, the firewall must be on a different machine.

  5. New??? by really? · · Score: 4, Interesting

    Perhaps it's just me, but egress filtering is the default behaviour on all FW boxes I set up. And I'm not even that much of a hardcore security geek.

    --

    "Consistency is contrary to nature, contrary to life. The only completely consistent people are the dead." A. Huxley