Reverse Firewalls As An Anti-Spam Tool
An anonymous reader writes "VeriSign's principal scientist Phillip Hallam-Baker believes one answer to stopping spammers and even crackers is by using reverse firewalls. He says reverse firewalls should be embedded in every cable modem and wireless access point for home users. "A traditional firewall is designed to stop attacks from the outside coming in; a reverse firewall stops an attack going out," Hallam-Baker said. Apparently, a reverse firewall would reduce the value of recruiting your home PC as a member of a botnet because "normal users have no need to send out floods of e-mail, which reverse firewalls can stop, but they do allow a normal flow of e-mail.""
I have Kerio Personal Firewall on my Windows machine and it prompts me about every outgoing connection (to learn it, or allow it, or block it).
since they monitor traffic going in and out of the PC.
So long as I can edit firewall settings I would
support mandatory default reverse firewalls for
any equipment that so much as touches IP.
Ahh, and who will control what defines an attack? Is using Freenet an attack? Bittorrent? Kazaa?
This looks like yet another way to force us to use the Internet in the way that corporations/governements want us to. No fucking thank you.
My other car is first.
Perhaps simply modifying mail protocols (migrating away from SMTP, POP3, IMAP etc.) to more robust and secured ones would be easier than having to create a product just to limit what you can do with your own machine and network connection.
But that would be silly now, wouldn't it? Sure, it would cost a lot to migrate your mail clients and mail servers to a hypothetical industry-standard "enhanced SMTP" or something like that, but wouldn't we all be better off in the long run?
Similarly, few individuals have a desperate need to run their own mail server, so ISPs should only allow mail connections to their own mail servers unless the user asks otherwise. How hard is that? Someone tell me this wouldn't have a major impact on spam zombies.
You could do the same for pretty much every unpopular service and just have an account page where users can specifically turn on services they need.
How can you make a reverse firewall as easy to set up as a normal consumer firewall? Is technology advanced and automated enough that this reverse firewall can detect when a user is sending email via port 25 to his or her ISP's SMTP server? Can a reverse firewall tell the difference between spam being sent out, and someone emailing his entire family with good news about his daughter's report card?
A better solution is for ISPs to block port 25 for all consumer connections, and only allow port 25 traffic to their own SMTP servers. Why put the onus on the consumers, when it is the ISPs who seem to be failing us?
Feed the need: Digitaladdiction.net
I suppose the router manufacturers will take this step, which would certainly generate more tech support calls and higher engineering costs, out of the goodness of their hearts?
The manufacturers are in a beautiful position on the spam/virus issue - they just route the packets, virii are Microsoft's problem. Why rock the boat?
Seems reasonable. Too reasonable. Just like a deal with the devil.
ACs are modded -6. I don't read you, I don't mod you, I don't see you. Don't like it? Don't be a coward.
Great Idea! New technical concepts and products always excite me. We must keep one thing in mind however, hackers/crackers/spammers/whatever you want to call them are clever and very imaginative people. Single concepts and technologies will be overcome and bypassed. The security/spam fight needs to be a continuous and evolving process. One cannot simply rely on a single product or conceptual model to end malicious actions. When people start realizing that keeping computers secure is a process and NOT a product, the world will be a lot safer and secure.
I, being the ubergeek that I am, already have a 14k^H^H^H^H "reverse-firewall".
No hackers for me, no siree!
When things get complex, multiply by the complex conjugate.
The problem is that unlike traditional NAT'ing firewalls where everything not part of an existing TCP/IP conversation can be thrown to the bit bucket there is no such simple rule for a reverse firewall. So you get into heuristics and signatures, which have to be constantly updated and which give a LOT more false positives than a simple NAT box; ask anyone who has worked with intrusion detection systems. Not only that, but since updates have to be done constantly to screen for new threats there is an ongoing cost, and so companies will of course want to charge an ongoing fee, so instead of a cheap Linksys box just costing $50-100 it will cost that much AND have a monthly maintenance fee. I personally wouldn't want such a device for the same reason I don't own a Tivo: I hate perpetual revenue streams that add little value over what I can get with a fixed function device. Now I personally would LOVE this for my business customers; I already utilize Sonicwalls with integrated virus enforcement, and blocking machines with unusual usage patterns would be nice so long as the false positive rate were sufficiently low.
There are 4 boxes to use in the defense of liberty: soap, ballot, jury, ammo. Use in that order. Starting now.
at least name it right!
SMTP is limited to one port (25), and most people are simply not sending out hundreds of emails per hour. A simple bit of rate limiting of the outgoing traffic (say 60 emails per hour) wouldn't even be noticed by 99% of home users. The other 1% probably knows what they're doing and could disable it. 60 per hour is plenty for the average person, but a hindrance to a spammer.
First of all, the linked article simply describes a firewall blocking some outgoing traffic with easy rate limit rules (i.e. no email after x messages sent in y amount of time). There's no need to call it a reverse firewall. It's a firewall, plain and simple. Just because most people allow all outgoing traffic doesn't mean that if you block some you've invented a new type of firewall.
The other article is really describing a completely different thing. They use the same term, reverse firewall, but they talk about firewalling each individual machine inside a lan. Basically, they suggest a firewall on each machine to protect the internal network from attacks that originate inside it. Completely different use of the term.
It sort of looks like the submitter just googled for "reverse firewall" and posted the first match. Or actually it appears to be the 4th match. Anyway, regardless, the two links seem to be talking about different things. Both of them have merit, but neither seems particularly innovative. I do like the first article's idea of rate limiting outgoing email on home router boxes by default. Seems like it would solve a lot of spam problems.
Best slashdot comment
[tinfoil_hat_on]
1. What if I were to have a good reason to send loads of e-mail?
2. Would these firewalls keep logs, and if so, who would have access to them?
3. This sounds a lot like Microsoft's Trusted Computing project, bad idea
[tinfoil_hat_off]
-Joey
For about 3.2 seconds till the UPNP enabled virus tells the UPNP enabled firewall that it is an authorized app...
cheap labor conservatives - they want to keep you hungry enough to be thankful for minimum wage.
Reverse firewall polarity!
The idea here is not to stop spammers from using their own equipment, it is to stop them from using other's equipment (i.e. trojaned windows boxes).
all mine does is prevent me from playing halo or warcraft... that's pretty mean, blocking the viruses so they stay in your computer!! "great, my computer's infested with viruses, and we have to install a whole new operating system, but at least everyone else doesn't have it!!" c'mon, are you really going to think of that? how very american of them. ever think of the fact that we would WANT to send lots of viru-*cough*emails out to the general public? oh, so I'm not normal now?!?!?!?
A cable modem with a reverse firewall sounds nice but I would rather handle this at the CPU level. I want to choose what to block and accept.
Strange women lying in ponds distributing swords is no basis for a system of government.
If he means a firewall based on the network level and not on content, it will fail miserably in providing good service for power users, because the firewall won't be able to react to new traffic trends. Even NAT can give you headaches, and it has been around for a while.
If he means a firewall with content scanning embedded, it is certainly a security risk... for the user. I don't trust my router deciding what is right and not right for me, thank you.
What is needed here is a protocol for mail exchange designed with spam in mind, not zillions of dumb firewalls fighting their own users.
Stop bloating networks with security fails at the top protocols; some guys should reread OSI stack fundamentals...
Just the thing to protect the computers of... Reverse Vampires
I know, instead of trying to band-aid the problem with a hack that does nothing but weaken the peer to peer concept of the net even more, how about getting microsoft the fix the crux of the problems in the first place?
Reverse Firewall? As far as I know, a wall of fire would be flaming on both sides.
All kidding aside, all capable firewalls do have outbound protection built into them. Consumer software firewalls monitor which programs are allowed to access the internet, for example, and enterprise-level firewalls allow you to define heuristics to block certain traffic patterns.
So, basically, the article is just suggesting a new name for an old concept. Really, the author wants consumer networking devices to have more capable firewalls.
He's missing something: home PCs aren't spam-generators, they are spam relays. The spam has to be getting in somehow, and that is something a normal firewall should be able to stop. On top of that, they have downloaded a trojan or been hit by a worm to turn them into relays in the first place, which is something a firewall + AV should prevent.
Also, it's probably just as easy to educate 75% of the people how not to become a spam relay as it is to get 75% of the people to buy something with a reverse firewall and then train them how to use it (most people I know just put their computers into the DMZ when they play games because they don't know how to forward ports).
Sure, layered security is a good thing, but I see this as likely to generate many headaches with not much benefit
-Ryan
AUWYHSTOT (Acronyms are Useless When You Have to Spell Them Out Too)
that spam is a difficult problem to solve, but that is the most idiotic idea I think I've ever encountered. That's like making it difficult to do encryption to prevent terrorists from communicating safely. Granted, "normal" people's computers are a vessel for spammers, but it's asinine to limit normal people's hardware. Why not fix the problem at the source and work on making consumer's computers secure? The day I find out my DSL modem is blocking ports or something like that is the day I wreck the thing while trying to fix it. I mean, really.
The ZoneAlarm software firewall already checks for unreasonable outgoing email, and asks the user if it is okay. ZoneAlarm checks time, number of recipients, and attachment reasonability.
Just Put a Condom on it.
It could be worse, it could be Monday.
The virus is already on the inside with "root". It would be trivial for the virus to simply disable the firewall before spewing.
No, for a "reverse" firewall to make any sense, the firewall must be on a different machine.
until of course a cablemodem (or whatever the llawerif is embedded in) is reverse engineered and a hack found and described for the world to see. even if most couldn't do the hack, some would.
this is more nonsense.
software will always be hackable (after all it's just commands to harness the hardware)
hardware will always be hackable (it would take a meta man to create hardware unhackable by man)
GTF over any notion that computers on networks will EVER be secure. Gawd, if you could just show legislators that simple logic we could quit wasting valuable tax dollars in this country.
we make machines to work for us.
we have to talk to the machines in a language they understand.
The language can conduct nice business with the comp.
The language can conduct nastiness.
we make machines that block nastiness.
we move this circuit. shunt. rewire. reprogram the cmos, or in the case of nvidia just move this resistor from here-> * to here ->* and save a buncha mon$y.
so in reply: no, it won't stop virii and worms as well.
*Repent!Quit Your Job!Slack Off!The World Ends Tomorrow and You May Die!
While it is true that the reverse firewall will stop too much traffic from a "home" computer, there are some aspects of this which raise interesting questions:
1. How much is "too much"? How is this decided?
2. What about proxies to circumvent this?
3. The majority of spam generated is probably not from a home computer.
4. Modern firewalls can be configured for outbound filtering as well. How radically will the proposed scheme be different from this?
Correct me if I am wrong in any of the assumptions above. If we are achieving too little while applying too much effort, the law of economy wouldn't justify this.
This sounds similar to the reasoning the RIAA and others use to conclude that DRM is a good thing. Copyright fair use turns into a permission model. At least in this case the problem is one of real theft of resources.
speaking of "floods of e-mail," one of the most entertaining things is to take my original copy of win2k without any service packs, :-)
do a fresh install,
plug in without any firewall,
and watch how fast the damn thing tries to send out mass mailings
ip access-list extended EGRESS_FILTER
 remark MAIL_SERVER_IP is a placeholder for the ISP's (or your own) SMTP relay
 permit tcp any host MAIL_SERVER_IP eq smtp
 deny tcp any any eq smtp
 permit ip any any
! WAN_INTERFACE is a placeholder for the outside-facing interface name
interface WAN_INTERFACE
 ip access-group EGRESS_FILTER out
Fixed!
This would limit the rate of outgoing emails (or presumably anything else) to a limit that most people wouldn't hit in normal use. If implemented this limit would be configurable in the "firewall" so that users who know what they are doing can alter it.
It is different to software "reverse firewalls" such as Zonealarm as it couldn't easily be turned off by viruses and the like. But on the other hand it lets anything through once.
It would be beneficial to prevent the massing hordes of clueless broadband users from being juicy targets to the spammer, since each zombie could only send out a pathetically tiny number per hour.
groklaw, wired and slashdot. The holy trinity of work based time wasting.
Please check and see what % of currently shipping sub 100 USD firewalls/NAT devices are UPNP enabled. You might be shocked.
Wonderful, just what I need, yet another wing of the cable company telling me what I can and can't do. And just how do you propose monitoring this system? What if I run a mailing list or support group from home? Why would I want to pay another $20 to send out 50 emails to people, and at what point would this firewall cut me off?
What if a new game comes out which makes an odd form of connection for multi-play? Or perhaps my software does something that's not viewed as "normal" by Joe Schmoe, M.C.S.E.
And what could I do about it?
Here is the problem.
You have a flood of water 15 foot high coming for your house.
So lets paint the basement with some water-sealant.
There are bigger problems to fix.
Complex things lead to complex problems.
--
However, the security model in 802.11 may not be enough to prevent an attacker from getting access to the intranet.
you're kidding..
Obviously this is a practical concept, but I'm hesitant. I personally feel that spam blocking is the burden of the receiver, just by the nature of the email protocol. I hate obtrusive advertising as much as the next guy, but I do recognize it as a form of speech. And no matter how inane, idiotic, and offensive it may be, I feel it is protected under the 1st amendment.
I recognize that spam is an inconvenience for end recipients, and a serious waste of resources for networks. Regardless, I feel that a reverse firewall process as described sets a dangerous precedent. Many might concede to blocking mass emails, but would they also concede to blocking of private web servers? Would the blocking of P2P be acceptable?
I've encountered numerous mail servers that are rejecting emails sent from cable modem and DSL users. I think that that is a significantly more responsible solution, even though it may not be as efficient. I feel as a paying customer of my broadband provider, I should not be prevented from emailing whoever I want, in whatever manner I want, though I cannot force any mail server to actually receive my emails.
This sounds like a really dumb idea to me (It might be time to shit can their principal scientist) Not only will it be easy to get around after someone figures out how it works, but it sounds like something that should be done more centrally, maybe at the ISP level instead of each individual cable modem.
Actually if this "scientist" did his research he would have found it has already been done by ISPs. Cox.net blocks outgoing port 25 so you are forced to use their email servers. I'm sure they have something in place to prevent an outflow of spam.
ISPs can block whatever they want because all traffic must flow through them. Therefore this is an old idea, that may just need to be implemented in more places.
No. See. There's a difference.
On those routers, it provides functionality. It allows software the ability to portmap itself to allow functionality as a server. For P2P, for instance, that's a boon.
On a firewall specifically designed to block outgoing attacks, that is a worthless function. It would, however, allow malicious programs free access, making it worthless.
If you can't see the difference, you're hopeless.
so how did you post to slashdot?
----
http://www.hellection.com
Better yet, make the thing totally configurable so you can block all of the spyware inherently loaded into Windows. Not only can you lock down all incoming ports, but lock down all outgoing ports. Of course....iptables already does this. Just one more way they need 3rd party hardware/software to catch up to what Linux is already doing.
Mod points are pointless when you browse at -1.
how am I supposed to crash Half Life servers when some admin is being a real dick?
LK
"Hi. This is my friend, Jack Shit, and you don't know him." - Lord Kano
If we can't get people to run anti-virus software to scan their systems and remove viruses, how can we hope people will run a reverse firewall?
Installing anti-virus software is not too difficult but apparently too difficult for a significant number of users. If we can't get people to install anti-virus software to keep the viruses from destroying their hard drive, how can we hope they'll install a firewall to stop their machine from sending spam?
-Art
Anyone who takes control of your PC will also use it to punch open holes through your firewall to allow spam to go out through the modem/router/whatever!!
This proposal is different, though - it's saying that ISPs should restrict Port 25 by default, but let customers have it turned on if they do want to. That means that you can still do what you want, but if you weren't using it, and you get some Outlook virus because you're careless, you won't go spamming everybody. Some cable modem companies have started doing this, and it's much more reasonable than the policies that they used to have.
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
The idea of putting that sort of thing near the customer (in the ISP) isn't new at all. It's been promoted and advocated for years. There's just one problem: ISPs don't want to do it.
They claim that they're just in the business of moving bits from one point to another. They dig in their heels and resist just about any sort of filtering on their customers. There's just one irony: They all whine, moan, and complain when someone else's infected/stupid/malicious customer causes problems for them, and the other ISP doesn't take care of it.
I can't tell you how many times I've been approached by people, and asked "Why doesn't anyone offer a service where you're protected from (insert virus/spam/whatever)?" While I haven't (yet) started a business doing it, I've made quite a few people happy by giving them email through my mail server, where any executable attachment is blocked. A couple of times per year, it'll block a legitimate email. But (literally) tens of thousands of times per day, it's preventing malicious email from ever hitting their computer.
steve
Oh, you're not stuck, you're just unable to let go of the onion rings.
Why rate limit? Just shut off the port altogether. Unless they are running a mail exchanger, cable/DSL users should not be using port 25; they should use SMTP Auth over port 587 instead. If they are running a mail exchanger, then that person should have the port open for as much traffic as they need.
I use zonealarm. Most of the time it's a nice sane product, and the price can't be beaten. That gives me an alert every time a new piece of software tries to access the net, for both outgoing and incoming connections. I then get to choose whether to always allow the program to make the connection, or just allow that particular instance.
Only problem is it's impractical to disallow common programs from connecting for themselves. So a trojan infecting one of these would make this feature useless. Perhaps what we need is an "allow x number of connections per y time" feature. That would stop floods and DDOS attacks at least.
These posts express my own personal views, not those of my employer
Where the hell has VeriSign been? Arrogance to the point of ignorance!
Nothing in the world is more dangerous than sincere ignorance and conscientious stupidity.
But then what will happen to you? You are just a lamb surrounded by wolves.
I have linux and, as far as I am concerned, have never been subject to such worms spreading by mail. So my situation is similar to a windows system properly configured to block outgoing mail.
The fact is that I receive a lot of email from those worms, which obliges me to configure a spamassassin on my computer. I think that an anti spam filter is more efficient, at first, and quite easy to configure to block harmful spam. Moreover, before trying to fix what goes out from your computer, if the incoming traffic was stopped in the first place, no unwanted outgoing traffic would even exist.
I really think that the problem comes from lax default firewalling rules (if any...) in windows systems: if there was a blocking one for incoming traffic, it would be a good thing for the average windows user, who would have to take firewalling into account if he wants to act as a server. At least he would know about the problem...
ZoneAlarmPro is best known for its ability to control outgoing traffic. However, lesser known is its ability to control outgoing email, by specifying which applications can send email, along with how many emails are sent at once before an alarm is raised about a possible virus/worm, and the offending application is frozen by ZoneAlarm until the user intervenes & allows it permission to do so. So, the functionality of the reverse firewall to reduce spam that the author is asking for is already available.
If it's not much extra to have embedded into a router, I would get it in a second.
Sure, it would be a better idea. But how long would this take to implement? Just take the example of ICANN adding IPv6 to their root servers. They expect it'll take 20 years before IPv4 is out of the business. How many years would it take for SMTP/POP/IMAP? 10? 15? 20? ... not to mention how long it would take for the new protocols to be developed and accepted by the major players.
VeriSigns idea is a quicker but uglier solution.
/John Sjolander, project manager Contribio
The manufacturers will make the cable modems etc. with this feature and the ISP will sell them.. or they'll become common and everyone will have one...
The problem with anti-virus software is it's an ongoing commitment.. with this thing there would be much less user maintenance needed.
When a real letter comes from my bank, it is printed on letterhead with a prominent bank logo.
Every snail mail I get from my bank is done with a laser printer - pretty easy to fake the bank logo.
No electrons were harmed creating this post, though some may have been subjected to electrical and/or magnetic fields.
Did you select from that "form" randomly or did you want to actually make an insightful point?
(x) Users of email will not put up with it
Actually if implemented properly (allowing people to configure it) people WILL put up with it..
(x) Requires immediate total cooperation from everybody at once
No. Every user that gets one of these things helps.
(x) Lack of centrally controlling authority for email
Huh?
(x) Open relays in foreign countries
No. Every user that gets this helps.
(x) Ideas similar to yours are easy to come up with, yet none have ever been shown practical
I think this is practical. Just like a regular firewall is practical. (Might as well make this thing a proper full blown hardware firewall)
(x) Countermeasures should not involve sabotage of public networks
(x) Countermeasures must work if phased in gradually
Pardon?
(x) This is a stupid idea, and you're a stupid company for suggesting it.
Yes - very amusing. We're all laughing at your stupidity.
This is not a fix-all solution. But it's a simple solution that would help to alleviate some of the spam problem.
Provided the clueless millions install the Service Pack, that is. They obviously don't use updated anti-virus software to stop the mass-mailing worms, so I won't hold my breath. Everything you ever wanted to know about SP2, and many things you didn't, is here.
When I am king, you will be first against the wall.
At which point they get blackholed, and that nice shiny T1 is now useless.
Only the most legitimate of spammers (and what an oxymoron that is) even use their own equipment anymore. What they're doing is semi-legal as it is, so taking the next step into actually breaking the law is reasonably trivial.
With all the worms, spyware and apps violating user's privacy, we need a strong security model for individual processes rather than just different users.
Let's say, by default the application is allowed to only open one top level window and access its own directory on the disk a la chroot jail. No internet access at all. Users can pick the application type from a list of profiles, for example "A typical web browser", and further edit permissions manually. Only privileged system processes will be able to install or modify executables. Now try to turn my PC into a spambot.
This reminds me of an old joke.
Our university doesn't need a firewall to protect itself from all the "hackers" on the internet, the internet needs a firewall to protect itself from the students at the university.
Not funny? Try telling it at a party, really late..
I just think it's funny that VeriSign's "chief scientist" said we should use "reverse firewalls" ... I'll foil his plans by installing a reverse router with dual reverse Ethernet switches between my hosts and my cable modem. And I'll connect it all using my reverse CAT6 cables. This way, by the time a packet arrives at the reverse firewall it will already have been reversed...in which case...uhhh...it will be re-reversed and forwarded normally. Yup.
I'm gonna go to reverse sleep now.
"A clear conscience is usually the sign of a bad memory."
no, the server is the vampire. The wheels are its markings. ~We's dumb...dumb as hell.
They already have this. For internal accounting they keep track of everything traffic related, ports, amounts, frequency. If you abuse it, they send you a letter. This is governed by laws [in most sensible democracies].
Stop eroding our rights under a smokescreen of SPAM prevention.
A lot of spam originates from servers located in China, Taiwan, Hong Kong and Korea. I don't plan to receive mail from these countries in the foreseeable future; yet, spamassassin doesn't catch all the spam they send me. So I designed a tool to filter them at the firewall level: netfilter iptables geoip
I find it amusing that VeriSign's chief scientist has the initials PHB.
I read the article and found it to have very little substantial content. It makes some vague suggestions in areas where the devil is in the detail. It ends up with a sales pitch for a VeriSign service - a very bad sign for any article that purports to be technical.
In the business world, the need for egress filtering (i.e. what they are calling a 'reverse firewall') has been needed and met for a long time. For example, my network's firewall only allows *out* legitimate traffic, rather than the typical NAT home broadband router which by default blocks in on all, but passes out on all. My default rule is block in on all and block out on all, and only open port/IP combinations where there is a definite legitimate need to be met.
Many people fail to see the value in egress filtering by default - most small-business network administrators see the obvious need to protect their network from incoming traffic from the Internet, but don't think about the consequences of a cracker getting in and being able to defeat your ingress filtering by having their machine listen to a port, and then remotely (say, via a webserver vulnerability) have a shell connected as an *outbound* connection to their machine. Not to mention that egress filtering helps you be a good net neighbour - if someone manages to run a trojan, it's at least contained.
Oolite: Elite-like game. For Mac, Linux and Windows
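The rate-limited "reverse firewall" proposed earlier in the thread (port 25 only to the ISP's relay, a cap of about 60 outbound mail connections per hour) and the default-deny egress filtering described just above are the same policy viewed from two angles. As an added example, not code from the article or any commenter, here is a small Python model of that policy with a sliding-window cap; all hosts and addresses are constructed TEST-NET values.

```python
from collections import deque
from dataclasses import dataclass, field
from typing import Deque, Dict, List, Set, Tuple

SMTP_PORT = 25          # server-to-server mail; spam zombies hit this directly
SUBMISSION_PORT = 587   # authenticated message submission (SMTP AUTH)


@dataclass
class EgressPolicy:
    """Default-deny outbound policy: only explicitly listed (dst, port)
    pairs pass, with dst "any" meaning any destination, and outbound
    SMTP/submission connections are capped per source host per hour."""
    allowed: Set[Tuple[str, int]]
    smtp_per_hour: int = 60
    window_seconds: int = 3600
    # recent outbound mail-connection timestamps, per source host
    _mail_log: Dict[str, Deque[float]] = field(default_factory=dict, repr=False)

    def check(self, src: str, dst: str, port: int, now: float) -> Tuple[str, str]:
        """Judge one outbound connection attempt; returns (verdict, reason)."""
        if (dst, port) not in self.allowed and ("any", port) not in self.allowed:
            return "DENY", f"{dst}:{port} is not on the explicit allow-list"
        if port in (SMTP_PORT, SUBMISSION_PORT):
            recent = self._mail_log.setdefault(src, deque())
            # slide the window: forget connections older than window_seconds
            while recent and now - recent[0] >= self.window_seconds:
                recent.popleft()
            if len(recent) >= self.smtp_per_hour:
                return "DENY", f"{src} exceeded {self.smtp_per_hour} mail connections/hour"
            recent.append(now)
        return "ALLOW", "explicitly permitted"


def run_events(policy: EgressPolicy, events: List[Tuple[float, str, str, int]]):
    """Replay (time, src, dst, port) attempts in time order.
    Returns ({"ALLOW": n, "DENY": m}, [denied attempts with reasons])."""
    counts = {"ALLOW": 0, "DENY": 0}
    denied = []
    for now, src, dst, port in sorted(events):
        verdict, reason = policy.check(src, dst, port, now)
        counts[verdict] += 1
        if verdict == "DENY":
            denied.append((now, src, dst, port, reason))
    return counts, denied


def home_policy(isp_relay: str) -> EgressPolicy:
    """The thread's proposal for a home gateway: port 25 only to the ISP's
    relay, submission/web/DNS anywhere, everything else denied outbound."""
    return EgressPolicy(allowed={
        (isp_relay, SMTP_PORT),
        ("any", SUBMISSION_PORT),
        ("any", 53), ("any", 80), ("any", 443),
    })


def demo():
    """Constructed traffic (TEST-NET addresses): a normal user, an infected
    host spewing through the relay, and a direct-to-MX attempt."""
    isp_relay = "192.0.2.25"
    policy = home_policy(isp_relay)
    events = []
    # normal user: five messages spread over an hour, plus some browsing
    events += [(i * 600.0, "10.0.0.2", isp_relay, SMTP_PORT) for i in range(5)]
    events.append((100.0, "10.0.0.2", "198.51.100.7", 443))
    # infected host: 200 relay connections inside one minute
    events += [(4000.0 + i * 0.3, "10.0.0.9", isp_relay, SMTP_PORT) for i in range(200)]
    # the same host trying to deliver straight to a remote MX on port 25
    events.append((4100.0, "10.0.0.9", "203.0.113.10", SMTP_PORT))
    # an hour later the window has slid past the burst, so mail flows again
    events.append((4000.0 + 3600.0 + 20.0, "10.0.0.9", isp_relay, SMTP_PORT))
    return run_events(policy, events)


if __name__ == "__main__":
    counts, denied = demo()
    print(counts)
    for entry in denied[:3]:
        print(entry)
```

Note the caveat a commenter raises about hardware boxes: the cap lets the first 60 connections in any window through, so it contains a zombie rather than detecting it.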
Apart from the annoying debasement of the word "scientist", this really does reveal VeriSign's view of the function of the Internet and, unfortunately, it's becoming more common.
If I buy an "Internet" service I have a reasonable expectation of being able to run any service I can encode in IP packets and have that service routed transparently end to end. I *should* be able to run a VPN, remotely mount filesystems, use VoIP or even run a mailserver if I want to. If I can't it isn't an Internet.
Increasingly, ISPs seem to think that providing a link to their web proxy and a POP3 mailbox constitutes an adequate service. It might be for some people, but it's not the Internet, it's CompuServe revisited. It's good for ISPs though, because they can start charging you extra for "services" which simply involve them removing rules from your compulsory firewall.
No Wonder!
I had to actually phone them to ask them to turn it back on when it happened, because naturally they were blocking me sending an email to request it. But it's good that it's there now, even though it did mean a bit of inconvenience in the beginning.
Karma: It's all a bunch of tree-huggin' hippy crap!
but a firewall is a piece of software which allows or denies packets based on their properties; it cares not in which direction they are flowing.
A reverse firewall, then, is just a firewall. It's like the difference between a slash and a forward slash (pet peeve). In fact, if you use an iptables or ipchains firewall, you only need a few extra rules to implement this on your gateway machine.
...a "reverse firewall" was called the OUTPUT chain.
too late ... http://yro.slashdot.org/article.pl?sid=04/07/20/1015234&tid=95&tid=17
Perhaps it's just me, but egress filtering is the default behaviour on all FW boxes I set up. And I'm not even that much of a hardcore security geek.
It is endlessly frustrating when there are posts like this.
Why isn't it obvious that the only traffic allowed in and out of a network or PC is that traffic that has been explicitly defined as being allowed? Even if that network consists of nothing but your home PC.
You don't "block email not coming from your server", you simply do not *unblock* anything but the traffic you need.
Explicit! Not implicit! Repeat until you either get it or you get someone else to do it that gets it.
Sigh.
This was disappointing five years ago, and will undoubtedly disappoint in another five.
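Putting the "explicit, not implicit" point into an actual ruleset for a Linux gateway, where a "reverse firewall" is nothing more than the FORWARD and OUTPUT chains with a default-deny policy. This is an added example, not code from the thread or from any product named in it; the interfaces, the LAN range, the ISP relay address and the internal mail server address are all assumptions for illustration.

```shell
#!/bin/sh
# Egress filtering on a Linux gateway: deny outbound by default, then allow
# only what is explicitly needed. Added example, not from the page. All
# addresses and interfaces are assumptions: LAN 192.168.1.0/24 behind eth1,
# upstream on eth0, the ISP's SMTP relay at 203.0.113.25, and one internal
# mail server at 192.168.1.10 that is allowed to speak SMTP to the world.
IPT="${IPT:-iptables}"
LAN_IF="${LAN_IF:-eth1}"
WAN_IF="${WAN_IF:-eth0}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"
ISP_SMTP="${ISP_SMTP:-203.0.113.25}"
MAIL_SERVER="${MAIL_SERVER:-192.168.1.10}"

egress_rules() {
    # Start clean, then deny by default for traffic leaving the LAN
    # (FORWARD) and for traffic generated by the gateway itself (OUTPUT).
    $IPT -F FORWARD
    $IPT -F OUTPUT
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT DROP

    # Replies to conversations that were already permitted, and loopback.
    $IPT -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -A OUTPUT  -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -A OUTPUT  -o lo -j ACCEPT

    # SMTP: the real mail server may connect to any MX; every other LAN host
    # may submit mail only to the ISP relay. Anything else on port 25 is
    # logged (rate-limited) and dropped: a spam zombie shows up in syslog as
    # a burst of EGRESS-SMTP lines instead of as a flood of mail.
    $IPT -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$MAIL_SERVER" -p tcp --dport 25 -j ACCEPT
    $IPT -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -d "$ISP_SMTP" -p tcp --dport 25 -j ACCEPT
    $IPT -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -p tcp --dport 25 --syn -m limit --limit 5/min -j LOG --log-prefix "EGRESS-SMTP "
    $IPT -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -p tcp --dport 25 -j DROP

    # Ordinary client protocols from the LAN: DNS, HTTP(S), NTP.
    $IPT -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -p udp --dport 53 -j ACCEPT
    $IPT -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -p tcp -m multiport --dports 80,443 -j ACCEPT
    $IPT -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -p udp --dport 123 -j ACCEPT

    # The gateway itself is not a desktop; it only needs DNS and NTP.
    $IPT -A OUTPUT -o "$WAN_IF" -p udp --dport 53 -j ACCEPT
    $IPT -A OUTPUT -o "$WAN_IF" -p udp --dport 123 -j ACCEPT

    # Everything else leaving the LAN: log a sample, then the DROP policy
    # applies. An outbound reverse shell on some odd port lands here.
    $IPT -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -m limit --limit 5/min -j LOG --log-prefix "EGRESS-DROP "
}

# "show" prints the rules without touching the kernel; "apply" installs them.
case "${1:-}" in
    show)  (IPT="echo iptables"; egress_rules) ;;
    apply) egress_rules ;;
esac
```

Run it with `show` first and read the output; the order matters, because the two SMTP ACCEPT rules must sit above the LOG and DROP rules for port 25, and everything not listed is denied by the chain policy rather than by a rule you might forget to add.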
Everyone stop saying "reverse firewall".
No, just stop.
A firewall is something that controls traffic flow through it. Not in a particular direction.
A reverse firewall is one that you have simply turned around. This just makes it harder to plug the cables in. Or easier if you are using non-specific hardware as a platform.
So don't say it anymore.
Oh crap, look at Google, there are already 670 entries for "reverse firewall".
Damn, that's another one.
> (x) Ideas similar to yours are easy to come up with, yet none have ever been shown practical

I think this is practical. Just like a regular firewall is practical. (Might as well make this thing a proper full blown hardware firewall)
I think you may be over estimating people if you think firewalls are practical for the majority of users on the Internet. They haven't worked out how to keep their systems patched yet (using basic, automated patch installers), and you think they understand UDP/TCP/IP/ICMP well enough to configure a firewall properly?
The "so-called" advantage of NAT is that on a home router, you plug it in, switch it on and you are magically "secure". Sadly, that's all people want to do, and that is usually what they do. They don't want to learn what this NAT thing is, and they don't want to have to configure it. Same with a firewall. All they want is access to the Internet, and if they can view a web page, they consider they've achieved that, and don't want to spend any more effort on doing it "properly".
We might be able to do something like "reverse firewalls" once the majority of the VCRs in the world have stopped blinking "12:00". That would show a dramatic improvement in the technical competence of the general public.
I'd recommend not holding your breath ...
Your eager analysis is flawed.
The only people who will be affected are
1) those who use the ISP-supplied modem
AND
2) don't ask to have that feature disabled because they are running mailing lists
Most users with trojan'd machines are not running a mailing list, are using the ISP supplied modem and will not be asking to have this feature disabled.
You are correct when you say it requires co-operation from many people at once, but each ISP that uses it gives their customers an advantage as spamming moves to other networks and their customers avoid being black-holed.
Most cable ISPs have remotely updatable firmware so it is technically manageable - I think this covers any valid parts of your "lack of centrality" objection, and the fact that the end user is not required to install any patches.
Sam
blog.sam.liddicott.com
SPF is flawed, and won't become a popular standard for reasons like this.
I don't want to debate about it, but the few people who behave against the SPF rules in the various different ways add up to a lot of people.
If folk don't want to hear from me because of SPF, then I don't want to talk to them.
Sam
blog.sam.liddicott.com
yeah just like all the other "personal firewalls".
I believe there is a future for this afterall:
"welcome to the setup of your personal firewall. To install some personal settings please answer the following questions:
- Do you click on banners.
Yes / no / Banners?
- Do you use floppies and CD's provided by your idiot neighbour.
Yes / no / also from my uncle
- Is your default webpage www.msn.com.
Yes / no / Banners?
- You have created a personal webpage about your hobbies.
Yes / no / with my cat
- Running Outlook and Outlook express.
Yes / no / I like it
- Paid for more space on the hotmail account.
Yes / no
- You made friends with a Gorilla.
Yes / no / I like him because he is purple
- Do you trust company popups that try installing software.
Yes / no / They are here to help me run the internet, aren't they?
Thank you for filling out these questions, your personal setting will now be chosen. While we are doing that please fill in as many square boxes below as possible and a few email addresses from YOU and your friends so we can GIVE you information for FREE......
Setting found. If one of the questions above was not no, your personal firewall will be put in the L-User setting, dis-engaging internet connection now, thank you, go read a book or play solitaire........still here? the setting was permanent, shoo, SHOO, rebooting now......
Router manufacturers compete on features, and that includes security. See for example Cisco's "Network Admission Control", or HPs "ProCurve Networking Adaptive EDGE Architecture". It may take a while for those sort of security features to appear in consumer products, but defending the rest of your enterprise network against an infected PC is a real market for the router and switch manufacturers. If a particular idea is not taken up it is more likely that the people who really know the business think it will not work.
Everyone is harping on the fact that the term "reverse firewall" is not really accurate. But, there's a more important issue here, and that is the idea that one of these should be forced on anyone who has a cable modem or access point. They're talking about taking more control away from Internet users, which I believe is the wrong thing to do.
a reverse firewall will keep Megabyte and Hexadecimal bottled up in the Tor... :)
What is the chance of getting everyone out there behind their own reverse firewall? Slim, very slim. However, blocking outbound port 25 at the ISP's router is the way to do it at the flip of a switch and still maintain the flexibility of opening it up to those users who have a business need or have demonstrated the "know how" to run their own mailserver. We can't even get all ISPs to block port 25, how you gonna get aunt Jane and Kazaa-loving cousin Sally to bother going down to Costco to pick up a router with reverse firewalling built in.
Blocked outgoing port 25 except from my Linux mail server.
My three-year-old daughter is an Administrator on my Win2k box (mutter, mutter, stupid Bob the Builder game), so if she manages to do anything that compromises the box, I won't be churning out spam now.
I set up a firewall at a medium-sized company and the only machine which was allowed to connect to some remote machine on port 25 was the mail server. In a similar vein, the transparent proxy was deliberately set up to break LookOut Express HotMail over HTTP.
Simple things like that, default to deny for both inbound and outbound, virus checking on the mail server: they all greatly reduce the risk of these Windows plagues.
And I thought it was all pretty much standard practice.
I personally think that individuals should take more responsibility for their equipment. It's not really the ISP's business to put in firewalls - perhaps if the users were to pay for the additional service, then the ISP can provide... The individual can always put in a firewall themselves which would only allow port 25 connection to their ISP's mailserver.
Perhaps - a "mandatory" additional fee for a firewall for those who do not have an operational firewall?
Just thinking aloud....
what many ISPs are now installing on their servers. BellSouth is now changing their servers so the clients must log in and verify their identity each time they send mail. BTW they told me they don't support Mozilla but do support Netscape! Idiots...
Netscape IS Mozilla!
Obviously, if the firewall rather than the PC becomes the main point allowing or denying access to the network then attackers will concentrate on the firewall instead. Lots of consumer-level firewalls are likely to have 'easy-to-use' features which can be exploited. Probably even a firewall control panel accessed from Windows, so all you need to do is crack the PC and wait for the user to enter the firewall password once.
Arguing that we should use reverse firewalls to stop exploited PCs sending out traffic to the network is an admission that expecting security on the PC itself is doomed and we should rely on something, anything else - that doesn't run Windows. I think it would be better to attack the real problem and try to make the typical PC as hard to crack as the typical consumer firewall. For those stuck with insecure systems (or systems which make it very hard for a naive user to keep his PC secure) a reverse firewall might be a useful sticking plaster.
-- Ed Avis ed@membled.com
And the cable companies would NEVER use it to shut down things they don't like, e.g., online gaming servers, p2p programs, etc.
i've always held that a good firewall ruleset should have an 'east german borderguard' type mentality. all traffic going in and out on either side is suspect of being bad things.
all the concept of 'reverse firewall' does is demonstrate how inadequate and inappropriately named the 'built-in' firewalls that come on cable/dsl router/modems are.
I've been using Zone Alarm to do this for years. And as I recall, Windows XP SP2 will include a bi-directional firewall. While it would be nice to have this implemented into a set-it-and-forget-it hardware solution, apps like Zone Alarm are free and quite effective.
Further, any effective hardware implementation will have to keep logs or send alerts because personally, I want to know what's being prevented from going out.
A "hardware" firewall is just a software firewall on another machine. As such, it's still complex to keep it setup correctly. You can get close to a default good condition, but it's not perfect.
"but it also requires the user to accept or reject applications requesting access (and knowing users, they will just click accept all the time)."
You got it. There is no easy practical way to actually know what all the requests, even when presented with them, actually *mean* right then at the exact second you need to make an executive decision on allow/disallow. You have the tool to do this, but not the knowledge to make the decision intelligently without a LOT of prior research; it is not default "clear" to most people. For one, you as joe user have to know which host/process/connect/in/out is cool or not. The firewall will do what you tell it to do, that part is not difficult, it's binary, yes or no, but if you don't *know* intuitively, in advance of being forced to make a decision, you have to *guess* if you want to continue surfing.
All the guy's talking about is egress filtering, and I too wish more people did it. Thankfully, some ISPs have gotten a clue and started filtering individual outbound services (e.g. SMTP) or installed intrusion prevention systems at their NAPs (e.g. RoadRunner Business Class, who block my portscans, the bastards). Unfortunately, egress filtering, like ingress filtering, requires detailed knowledge of your network in addition to appropriate Acceptable Use Policies, and your typical business or residential customers rarely have that depth of understanding.
Anyone who goes on record as saying "normal people have no need for [technology x]" will find themselves quoted to hilarious effect when, within ten years, "normal people" are using [technology x] as part of daily life.
This isn't new. It's not even something that security practitioners don't know about. It's just something that management doesn't want to implement in most cases, and that personal firewall vendors are afraid to.
It's egress filtering and every firewall in existence should have been configured to do it a long time ago. When done correctly, it can allow you to filter all of your outbound traffic with ease on your existing firewall.
"Reverse" firewall huh. That sounds a lot like Egress filtering to me. Don't all real firewalls do that?
I wouldn't trust stateful packet inspection on my "modem" as far as I could throw it. The firewall built into my old (not-so)Efficient 5861 DSL router was horrible. It had no stateful packet inspection, so you were letting in packets on ports outside the realm of established connections. The firewall built into my Cayman 3546 is smarter, but not very configurable at all. It's either on or off and I could map some ports, but it's not nearly as configurable as others.
The only thing I trust is my PF/IPF firewalls in place around the crappy DSL modem firewalls.
More than just tying the application to the port (email client to port 25) Zone Alarm warns if an excessive amount of email is about to be sent by the previously authorized client. My normal mail goes without a peep; my distributions to a mailing list gets a Zone Alarm confirmation.
With a compromised spam factory, such a volume warning may serve to wake up even the most naive user. OTOH, I wouldn't be surprised at a, "Oh that Zone Alarm thing? Yeah, it does that every night..."
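The volume warning described above can be had on a gateway as well, by reading back the firewall's own log. The script below is an added example, not code from the thread or from ZoneAlarm; it assumes netfilter LOG lines with an "EGRESS-SMTP" prefix (a rule of the form `iptables -A FORWARD -p tcp --dport 25 --syn -j LOG --log-prefix "EGRESS-SMTP "`), and the sample log lines and the threshold are constructed for illustration.

```shell
#!/bin/sh
# Find LAN hosts that tried to reach many distinct SMTP servers. Added
# example, not from the page. Input is kernel LOG output for port-25 SYNs,
# with an assumed "EGRESS-SMTP" log prefix. A desktop submits mail to one or
# two relays; a spam zombie fans out to hundreds of MX hosts, which is the
# signal counted here (distinct destinations, not packets).

# Usage: smtp_burst_hosts LOGFILE [MIN_DISTINCT_DESTS]
# Prints "SRC count" for every source with at least MIN_DISTINCT_DESTS
# (default 10) distinct destination hosts on port 25, sorted by source.
smtp_burst_hosts() {
    logfile=$1
    threshold=${2:-10}
    awk -v min="$threshold" '
        /EGRESS-SMTP/ {
            src = ""; dst = ""; dpt = ""
            # netfilter LOG fields are KEY=VALUE tokens; pick the three we need.
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^SRC=/) src = substr($i, 5)
                else if ($i ~ /^DST=/) dst = substr($i, 5)
                else if ($i ~ /^DPT=/) dpt = substr($i, 5)
            }
            if (dpt != "25" || src == "" || dst == "") next
            key = src SUBSEP dst
            if (!(key in seen)) { seen[key] = 1; n[src]++ }
        }
        END {
            for (s in n) if (n[s] >= min) print s, n[s]
        }
    ' "$logfile" | sort
}

# Constructed sample log (not real traffic): 192.168.1.23 fans out to twelve
# different MX hosts in a minute, while 192.168.1.42 submits mail twice to the
# same relay, which is normal behaviour and must not be flagged.
make_sample_log() {
    out=$1
    : > "$out"
    i=1
    while [ "$i" -le 12 ]; do
        printf 'Jul 20 10:15:%02d gw kernel: EGRESS-SMTP IN=eth1 OUT=eth0 SRC=192.168.1.23 DST=198.51.100.%d PROTO=TCP SPT=%d DPT=25 SYN\n' \
            "$i" "$i" $((40000 + i)) >> "$out"
        i=$((i + 1))
    done
    printf 'Jul 20 10:16:01 gw kernel: EGRESS-SMTP IN=eth1 OUT=eth0 SRC=192.168.1.42 DST=203.0.113.25 PROTO=TCP SPT=51000 DPT=25 SYN\n' >> "$out"
    printf 'Jul 20 10:16:30 gw kernel: EGRESS-SMTP IN=eth1 OUT=eth0 SRC=192.168.1.42 DST=203.0.113.25 PROTO=TCP SPT=51001 DPT=25 SYN\n' >> "$out"
}

# Example run: smtp_burst_hosts /var/log/kern.log 10
```

Counting distinct destinations rather than raw connection attempts is what keeps the legitimate mailing-list sender (many messages, one relay) out of the report while still catching the zombie that is doing direct-to-MX delivery.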
and it has been considered a best practice for a looong time. Unfortunately, it requires a little bit of knowledge, comprehension, skill and time, and most computer users will have none of that, hence Windows.
Why spend all the money to stick this stuff in DSL and Cable modems, when they should be signing up ISPs to block the ports at the gateway. Then there is no need to have all these companies distribute a hardware option.
And I've been using it for years.
Great for stopping those pesky programs that like to "phone home to mother" without your permission.
I always thought that the purpose of a firewall was to filter traffic, whether it be outgoing or incoming. Isn't the term "reverse firewall" about as ridiculous as "reverse discrimination?"
*wraps his cable modem in tin foil*
GAAH! MY PRINTER IS ON FIRE!!! PUT IT OUT! PUT IT OUT!
Try SmoothWall Firewall. A great open source and easy to set up and use firewall.
SmoothWall. Why not a ballistic armor firewall system? Anything like spyware etc., when it hits your firewall, fires back a kill program to the originator that terminates that system. After about .002 seconds probably half of the world's computers would be clean permanently.
...that "normal email" means "everything goes through my ISP's server." Wrong.
Look here and here.
This is slashdot...if you're here, you're probably a geek, and cheap to boot...build your own.
First link is for control freaks, second link is for putterers.
check mirage networks out
the firewall that the spam trojan is legitimate traffic?
I'm pretty sure that most folks see the little "Allow this application to connect?" dialog and click OK automatically. That's what Windows has been teaching them to do for eons... try and delete something, then click Ok. Try and close a program, then click Ok.
So when the firewall says "Do you want to allow Bob's Friendly Spam Puppy to connect to the Internet?" they just automatically click Ok. This is additionally reinforced when they click "No" after seeing "Do you want to allow msimn.exe to connect to the Internet" (What's that anyway - sounds suspicious!) and mail stops working. Oh oh! Better never click No!
There's no silver bullet.
My ugrad Clemson did this back when I was there 97-00 to keep all the kiddies from sucking up bandwidth using p2p programs etc, as well as using dialpad, for which we made /. I believe.
Egress filtering is a normal function of a normal firewall, so I don't see a particular need for some new "reverse firewall" paradigm.
Even newbie-oriented firewalls have been doing egress filtering for some time. See also: ZoneAlarm.
There's nothing wrong with monitoring outgoing traffic in the cable/DSL modem if the user has the option to control the blocking rules. All good (software) personal firewalls have this capability.
I like to know when some piece of commercial software suddenly decides to phone home. It's also potentially a good trojan warning.
This is actually a very good idea. It's the ISPs who choose which modems to use and their interests lie in reining back bandwidth usage, so they can put pressure on the modem manufacturers.
With a firewall in the cable modem itself, the cable company will be able to remotely configure it, and conceivably stop any kind of traffic they want to stop. Don't want you using P2P applications? Just firewall those ports! It's not like you "own" the cable modem anyway (most people just lease one). And even if you do own, they can just write a clause into the contract giving them rights to remotely configure it.
Before you know it, cable modems without such firewalls will be banned from the network.
Sorry, I'm not installing any piece of hardware that I don't own, is under direct control of the cable company, and can be used to filter my outgoing traffic. Not in a fucking million years. And definitely not in the name of "stopping spam."
"Stop spam" has become the cyber equivalent of "Save the children." It seems we're willing to throw away far too much in return for too little benefit.
Firewalls work both ways, in and out. Which side is "in" and which side is "out" is also just a matter of definition and which network connection you connect to which port.
I think what they meant to discuss is "egress filtering" and this is not by any means a new idea. see "Consensus Roadmap for Defeating Distributed Denial of Service Attacks" at http://www.sans.org/dosstep/roadmap.php from February 2000 for one prior example of this concept.
the same.
today:
1. infect PC
2. zombify it
3. ???
4. profit!
with that crap idea in place:
1. infect PC
2. zombify it
2.5. run some code to change the modem settings from the lan side.
3. ???
4. profit!
On the other hand, i mean, the regular user hand:
1. buy a PC and pay for an exorbitant adsl service
2. use it
with that crap idea in place:
1. buy a PC and pay for an exorbitant adsl service
2. get lots of legitimate services blocked because of crap implementations of crap idea.
And given the rock-solid nature of the platform in question, there's no way the bot software would ever be able to reprogram the `reverse firewall' to let the floods out anyway. Uh uh, no way.
I thought Verisign was a digital security company. Yet they don't know how a firewall works... and these people go around signing security certificates. Wow am I ever impressed.
For some reason evil monopolistic companies and stupid uneducated companies seem to always be the same.
reverse firewalls are like 'inflammable'
True. But the rest (95%) of the population will just fsck up our internet because they will use the store bought UPNP enabled ones.
Otherwise known as a firewall.
meh
one-way communication that you pay a subscription to access the "content" of
brilliant.
Some would, some wouldn't.
Check other posts to see what some people think of the idea of "restricting their internet service"
Just like every open relay closed cut down on the amount of spam?
Lots of ISPs block port 25 completely.
Have you noticed a reduction in spam as a result?
A bit of a stretch perhaps, but consider the problem of people who refuse to install one of the things.
How do you punish them for that?
I don't.
But like many others I have no objection to other people installing them.
It's when they insist that I buy one that I consider it a problem.
This is an impediment to the traffic flow (sabotage) and it won't have any real effect on spam unless it gets enormously large scale adoption, and even then it's not clear that it will work as theorized.
Large scale adoption is necessary just to test the theory.
Go ahead and laugh, I don't mind.
For Windows? ZoneAlarm.
Seriously, I've been using ZoneAlarm for years. I used Sygate before that, and have also tried various other proggies. ZA is the one I keep coming back to, and you can get a free version as well.
Up-to-date antivirus software and a hardware firewall will stop most of those machines from ever being used as open proxies or open relays, and you can sell it on the "hey, just buy one of those 'hub' thingies, and you can connect more than one computer to the internet at the SAME time!" (from past experience, try to stand back so when their jaws drop they don't hit your shoes).
Even non-techies are cheap...they'll bite, especially on a pitch made by their personal geek friend.
I'm something of an inveterate language geek, and now a professional linguist (translator), and I read your post and the linked page with some interest.
Coming away from the linked page, I found myself thinking a couple things. For one, if the Latin speakers of the time considered "virus" a non-count noun, this clearly denotes a quite different concept from the modern one. In such a case, it makes sense for the word to change (i.e., to grow a plural when previously it had none).
For two, I find it admittedly unexciting that some English speakers should choose the "us -> i" for the plural. Sure, that might be inconsistent with the original Latin, but then so is the whole concept of the plural "virus" to begin with. (Incidentally, though the linked page was quite scandalised at the thought of anyone using "octopi", nowhere did it say what would be the correct plural; furthermore, Merriam Webster lists both "octopi" and "octopuses" as the plural forms...)
Waxing somewhat philosophical, I ask what is a word, in your view, and posit that languages change. My point is that, ten years ago, "blog" was not a word, while now it is widely understood. "Virii"/"viri" may cause some (considerable) cognitive distress, but if it has common currency, is it not a word? If it isn't, what would it take to make it one? I'm genuinely curious as to what you think, and would appreciate a response.