Reverse Firewalls As An Anti-Spam Tool
An anonymous reader writes "VeriSign's principal scientist Phillip Hallam-Baker believes one answer to stopping spammers and even crackers is by using reverse firewalls. He says reverse firewalls should be embedded in every cable modem and wireless access point for home users. "A traditional firewall is designed to stop attacks from the outside coming in; a reverse firewall stops an attack going out," Hallam-Baker said. Apparently, a reverse firewall would reduce the value of recruiting your home PC as a member of a botnet because "normal users have no need to send out floods of e-mail, which reverse firewalls can stop, but they do allow a normal flow of e-mail.""
I have Kerio Personal Firewall on my Windows machine and it prompts me about every outgoing connection (to learn it, or allow it, or block it).
Ahh, and who will control what defines an attack? Is using Freenet an attack? Bittorrent? Kazaa?
This looks like yet another way to force us to use the Internet in the way that corporations/governments want us to. No fucking thank you.
My other car is first.
Perhaps simply modifying mail protocols (migrating away from SMTP, POP3, IMAP etc.) to more robust and secured ones would be easier than having to create a product just to limit what you can do with your own machine and network connection.
But that would be silly now, wouldn't it? Sure, it would cost a lot to migrate your mail clients and mail servers to a hypothetical industry-standard "enhanced SMTP" or something like that, but wouldn't we all be better off in the long run?
Similarly, few individuals have a desperate need to run their own mail server, so ISPs should only allow mail connections to their own mail servers unless the user asks otherwise. How hard is that? Someone tell me this wouldn't have a major impact on spam zombies.
You could do the same for pretty much every unpopular service and just have an account page where users can specifically turn on services they need.
I suppose the router manufacturers will take this step, which would certainly generate more tech support calls and higher engineering costs, out of the goodness of their hearts?
The manufacturers are in a beautiful position on the spam/virus issue - they just route the packets, virii are Microsoft's problem. Why rock the boat?
Absolutely.
I'm not sure this is an option that the average windows user (and almost anyone sending out spam on their virus laden pc uses windows) would find simple.
Working as a support tech and dealing with mainly connectivity issues, I've learned that the number one issue blocking users from desirable online activities or access itself is a firewall. It used to be that the first troubleshooting step was to check the connections. Now it's become, check for firewalls.
I'm not sure the average windows user would find this a simple solution.
Great Idea! New technical concepts and products always excite me. We must keep one thing in mind however, hackers/crackers/spammers/whatever you want to call them are clever and very imaginative people. Single concepts and technologies will be overcome and bypassed. The security/spam fight needs to be a continuous and evolving process. One cannot simply rely on a single product or conceptual model to end malicious actions. When people start realizing that keeping computers secure is a process and NOT a product, the world will be a lot safer and secure.
I, being the ubergeek that I am, already have a 14k^H^H^H^H "reverse-firewall".
No hackers for me, no siree!
When things get complex, multiply by the complex conjugate.
First of all, the linked article simply describes a firewall blocking some outgoing traffic with easy rate limit rules (i.e. no email after x messages sent in y amount of time). There's no need to call it a reverse firewall. It's a firewall, plain and simple. Just because most people allow all outgoing traffic doesn't mean that if you block some you've invented a new type of firewall.
The other article is really describing a completely different thing. They use the same term, reverse firewall, but they talk about firewalling each individual machine inside a lan. Basically, they suggest a firewall on each machine to protect the internal network from attacks that originate inside it. Completely different use of the term.
It sort of looks like the submitter just googled for "reverse firewall" and posted the first match. Or actually it appears to be the 4th match. Anyway, regardless, the two links seem to be talking about different things. Both of them have merit, but neither seems particularly innovative. I do like the first article's idea of rate limiting outgoing email on home router boxes by default. Seems like it would solve a lot of spam problems.
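The "no email after x messages in y amount of time" rule this comment describes, as an added example (not code from the article or from any commenter): a sliding-window limiter per LAN host, run over a constructed sample of gateway connection logs. The log line format, the host addresses and the ISP-relay exemption are assumptions made for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed log line format (an assumption, not any router's real format):
#   <ISO-8601 timestamp> OUT src=<lan ip> dst=<remote ip> dpt=<port>
LINE_RE = re.compile(r"^(\S+) OUT src=(\S+) dst=(\S+) dpt=(\d+)$")


def parse_line(line):
    """Return (timestamp, src, dst, dport) or None for a line that does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, src, dst, dport = m.groups()
    return datetime.fromisoformat(ts), src, dst, int(dport)


class SmtpEgressLimiter:
    """A LAN host may open at most `max_conns` outbound port-25 connections in
    any `window_s` seconds. A host that exceeds the limit is frozen (every
    further port-25 attempt is blocked) until an operator calls release(),
    which is the alarm-and-freeze behaviour several commenters describe.
    Connections to the ISP's own relay (isp_relay) are exempt, on the theory
    that the provider can apply its own limits there."""

    def __init__(self, max_conns=10, window_s=3600, isp_relay=None):
        self.max_conns = max_conns
        self.window_s = window_s
        self.isp_relay = isp_relay
        self.recent = defaultdict(deque)  # src ip -> timestamps of recent port-25 conns
        self.frozen = {}                  # src ip -> timestamp of the first blocked attempt

    def check(self, ts, src, dst, dport):
        if dport != 25:
            return "allow"                # the rule only concerns outbound SMTP
        if self.isp_relay is not None and dst == self.isp_relay:
            return "allow"
        if src in self.frozen:
            return "block"
        q = self.recent[src]
        while q and (ts - q[0]).total_seconds() > self.window_s:
            q.popleft()                   # drop connections older than the window
        if len(q) >= self.max_conns:
            self.frozen[src] = ts         # raise the alarm and freeze the host
            return "block"
        q.append(ts)
        return "allow"

    def release(self, src):
        """Operator intervention: unfreeze the host and forget its history."""
        self.frozen.pop(src, None)
        self.recent.pop(src, None)


def apply_policy(lines, limiter):
    """Feed log lines through the limiter; returns (src, dport, decision) per line."""
    decisions = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        decisions.append((parsed[1], parsed[3], limiter.check(*parsed)))
    return decisions


# Constructed sample: one light user, one host spewing mail, 203.0.113.200 is the ISP relay.
SAMPLE_LOG = (
    ["2004-03-10T09:%02d:00 OUT src=192.168.1.10 dst=203.0.113.25 dpt=25" % m for m in (5, 20, 40)]
    + ["2004-03-10T09:21:00 OUT src=192.168.1.10 dst=198.51.100.7 dpt=443"]
    + ["2004-03-10T09:30:%02d OUT src=192.168.1.20 dst=203.0.113.%d dpt=25" % (s, s + 1) for s in range(15)]
    + ["2004-03-10T09:31:00 OUT src=192.168.1.20 dst=203.0.113.200 dpt=25"]
)


def run_sample():
    limiter = SmtpEgressLimiter(max_conns=10, window_s=3600, isp_relay="203.0.113.200")
    return apply_policy(SAMPLE_LOG, limiter), limiter
```

With the sample, the light user is never touched, while the second host gets ten connections through in a minute and is then frozen until released.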
Best slashdot comment
For about 3.2 seconds till the UPNP enabled virus tells the UPNP enabled firewall that it is an authorized app...
A cable modem with a reverse firewall sounds nice but I would rather handle this at the CPU level. I want to choose what to block and accept.
Strange women lying in ponds distributing swords is no basis for a system of government.
'Standards' in computing only impress those who are impressed by things like 'standards'.
Just the thing to protect the computers of... Reverse Vampires
Reverse Firewall? As far as I know, a wall of fire would be flaming on both sides.
All kidding aside, all capable firewalls do have outbound protection built into them. Consumer software firewalls monitor which programs are allowed to access the internet, for example, and enterprise-level firewalls allow you to define heuristics to block certain traffic patterns.
So, basically, the article is just suggesting a new name for an old concept. Really, the author wants consumer networking devices to have more capable firewalls.
He's missing something: home PCs aren't spam-generators, they are spam relays. The spam has to be getting in somehow, and that is something a normal firewall should be able to stop. On top of that, they have downloaded a trojan or been hit by a worm to turn them into relays in the first place, which is something a firewall + AV should prevent.
Also, it's probably just as easy to educate 75% of the people how not to become a spam relay as it is to get 75% of the people to buy something with a reverse firewall and then train them how to use it (most people I know just put their computers into the DMZ when they play games because they don't know how to forward ports).
Sure, layered security is a good thing, but I see this as likely to generate many headaches with not much benefit
-Ryan
AUWYHSTOT (Acronyms are Useless When You Have to Spell Them Out Too)
that spam is a difficult problem to solve, but that is the most idiotic idea I think I've ever encountered. That's like making it difficult to do encryption to prevent terrorists from communicating safely. Granted, "normal" people's computers are a vessel for spammers, but it's asinine to limit normal people's hardware. Why not fix the problem at the source and work on making consumer's computers secure? The day I find out my DSL modem is blocking ports or something like that is the day I wreck the thing while trying to fix it. I mean, really.
Just Put a Condom on it.
It could be worse, it could be Monday.
The virus is already on the inside with "root". It would be trivial for the virus to simply disable the firewall before spewing.
No, for a "reverse" firewall to make any sense, the firewall must be on a different machine.
While it is true that the reverse firewall will stop too much traffic from a "home" computer, there are some aspects of this which raise interesting questions:
1. How much is "too much"? How is this decided?
2. What about proxies to circumvent this?
3. The majority of spam generated is probably not from a home computer.
4. Modern firewalls can be configured for outbound filtering as well. How radically will the proposed scheme be different from this?
Correct me if I am wrong in any of the assumptions above. If we are achieving too little while applying too much effort, the law of economy wouldn't justify this.
speaking of "floods of e-mail," one of the most entertaining things is to take my original copy of win2k without any service packs, :-)
do a fresh install,
plug in without any firewall,
and watch how fast the damn thing tries to send out mass mailings
*trying not to feed the troll*
The problem is not just to monitor the traffic, but to apply uncircumventable precautions against unallowed behaviour. For a similar, yet a lot tougher solution, my cable provider blocks a port (port 80 right now) at the Cable Broadband Router level (the other side of my connection) and similarly, a DSL provider could do the same at the DSLAM level. The reason most providers don't do this is that
1) it increases the per-user cpu cost at the edge of their network
2) it increases the support calls (as not a single one of them has had the balls (yet) to my knowledge to announce it in public fora, and they are similarly afraid to announce it to their users, despite that it could actually be marketed as a good thing: we protect you from this, so your bills are more likely to stay low)
Putting it on the other side of the demarc is putting provider policy control on the client's side of the link, which is generally a bad idea.
I know there are products like ZoneAlarm and such to try and make it easier for non technical users to use them, but Joe Average people will be baffled by them since they don't understand how networks work and everything that goes with that.
There is research into making computers self maintainable and repair themselves and such but it's a long way away from making the Joe Average safe to use a computer on the internet. A lot more work needs to go into transparent computer administration systems that free Joe Average (and their administrators, family computer lackeys etc) from having to deal with computer problems that could be solved or avoided, with what we would consider common sense.
This would limit the rate of outgoing emails (or presumably anything else) to a limit that most people wouldn't hit in normal use. If implemented this limit would be configurable in the "firewall" so that users who know what they are doing can alter it.
It is different to software "reverse firewalls" such as ZoneAlarm as it couldn't easily be turned off by viruses and the like. But on the other hand it lets anything through once.
It would be beneficial to prevent the massing hordes of clueless broadband users from being juicy targets to the spammer - since each zombie could only send out a pathetically tiny number per hour.
groklaw, wired and slashdot. The holy trinity of work based time wasting.
However, the security model in 802.11 may not be enough to prevent an attacker to get access to the intranet.
you're kidding..
I personally feel that spam blocking is the burden of the receiver, just by the nature of the email protocol.
All well and good, until /. runs another story about SPEWS blocking yet another idiot site who decided to save money by hosting at a spamhaus. THEN nobody has the right to BLOCK spam either, so they can get their email from BBR.
And no matter how inane, idiotic, and offensive it may be, I feel it is protected under the 1st amendment.
Then you have no idea what the 1st amendment is all about. Hint: If I tell you to STFU or get out of my store, I'm not violating your first amendment rights, because I'm not the government. Same goes for my email servers. 1st amendment Freedom of Speech/Assembly/etc... protection applies to the government.
I use ZoneAlarm. Most of the time it's a nice sane product, and the price can't be beaten. That gives me an alert every time a new piece of software tries to access the net, for both outgoing and incoming connections. I then get to choose whether to always allow the program to make the connection, or just allow that particular instance.
Only problem is it's impractical to disallow common programs from connecting for themselves. So a trojan infecting one of these would make this feature useless. Perhaps what we need is an "allow x number of connections per y time" feature. That would stop floods and DDOS attacks at least.
These posts express my own personal views, not those of my employer
ZoneAlarm Pro is best known for its ability to block or control outgoing traffic. However, lesser known is its ability to control outgoing email, by specifying which applications can send email, along with how many emails are sent at once before an alarm is raised about a possible virus/worm, and the offending application is frozen by ZoneAlarm until the user intervenes & allows it permission to do so. So, the functionality of the reverse firewall to reduce spam that the author is asking for is already available.
I'd love to see a change to the SMTP spec so that the first 100k of any email is severely rate limited on a per connection basis.
So, you send out an email with a 2 MB attachment, everything works as usual, save for the slower first 100k.
How would this impact the spammers?
They would just send fewer emails with more people in the BCC list. One email gets sent from the client and then the load gets put onto the servers sending it to all the recipients.
Putting in arbitrary delays will only piss more people off. Sure, getting more people angry about SPAM may be a good thing to try and wipe it out but I think you may be going about it the wrong way.
If I point out that you are incorrect, making me a foe does not make you any more correct.
Did you select from that "form" randomly or did you want to actually make an insightful point?
(x) Users of email will not put up with it
Actually if implemented properly (allowing people to configure it) people WILL put up with it..
(x) Requires immediate total cooperation from everybody at once
No. Every user that gets one of these things helps.
(x) Lack of centrally controlling authority for email
Huh?
(x) Open relays in foreign countries
No. Every user that gets this helps.
(x) Ideas similar to yours are easy to come up with, yet none have ever been shown practical
I think this is practical. Just like a regular firewall is practical. (Might as well make this thing a proper full blown hardware firewall)
(x) Countermeasures should not involve sabotage of public networks
(x) Countermeasures must work if phased in gradually
Pardon?
(x) This is a stupid idea, and you're a stupid company for suggesting it.
Yes - very amusing. We're all laughing at your stupidity.
This is not a fix-all solution. But it's a simple solution that would help to alleviate some of the spam problem.
I just think it's funny that VeriSign's "chief scientist" said we should use "reverse firewalls" ... I'll foil his plans by installing a reverse router with dual reverse Ethernet switches between my hosts and my cable modem. And I'll connect it all using my reverse CAT6 cables. This way, by the time a packet arrives at the reverse firewall it will already have been reversed...in which case...uhhh...it will be re-reversed and forwarded normally. Yup.
I'm gonna go to reverse sleep now.
"A clear conscience is usually the sign of a bad memory."
Apart from the annoying debasement of the word "scientist", this really does reveal VeriSign's view of the function of the Internet and, unfortunately, it's becoming more common.
If I buy an "Internet" service I have a reasonable expectation of being able to run any service I can encode in IP packets and have that service routed transparently end to end. I *should* be able to run a VPN, remotely mount filesystems, use VoIP or even run a mailserver if I want to. If I can't it isn't an Internet.
Increasingly, ISPs seem to think that providing a link to their web proxy and a POP3 mailbox constitutes an adequate service. It might be for some people, but it's not the Internet, it's CompuServe revisited. It's good for ISPs though, because they can start charging you extra for "services" which simply involve them removing rules from your compulsory firewall.
but a firewall is a piece of software which allows or denies packets based on their properties; it cares not in which direction they are flowing.
A reverse firewall, then, is just a firewall. It's like the difference between a slash and a forward slash (pet peeve). In fact, if you use an iptables or ipchains firewall, you only need a few extra rules to implement this on your gateway machine.
Perhaps it's just me, but egress filtering is the default behaviour on all FW boxes I set up. And I'm not even that much of a hardcore security geek.
"Consistency is contrary to nature, contrary to life. The only completely consistent people are the dead." A. Huxley
But this filtering is quite difficult to do, especially with static rules.
For example, from our web proxy we allow connects to certain ports only. The proxy can connect to ports like 80 and 443 (and some high port ranges).
This works well 99% of the time, but sometimes sites set up a second server on a port like 81 and it cannot be connected to.
There could be some magic like "the proxy software is allowed to do it but another process on that machine isn't". That is like ZoneAlarm.
However, I question the utility of this approach, because when a cracker is able to install a trojan process that does outgoing connects, who guarantees me that he will not be able to defeat this magic filter?
yeah just like all the other "personal firewalls".
I believe there is a future for this afterall:
"Welcome to the setup of your personal firewall. To install some personal settings please answer the following questions:
- Do you click on banners.
Yes / no / Banners?
- Do you use floppies and CD's provided by your idiot neighbour.
Yes / no / also from my uncle
- Is your default webpage www.msn.com.
Yes / no / Banners?
- You have created a personal webpage about your hobbies.
Yes / no / with my cat
- Running Outlook and Outlook express.
Yes / no / I like it
- Paid for more space on the hotmail account.
Yes / no
- You made friends with a Gorilla.
Yes / no / I like him because he is purple
- Do you trust company popups that try installing software.
Yes / no / They are here to help me run the internet, aren't they?
Thank you for filling out these questions, your personal setting will now be chosen. While we are doing that please fill in as many square boxes below as possible and a few email addresses from YOU and your friends so we can GIVE you information for FREE......
Setting found. If one of the questions above was not "no", your personal firewall will be put in the L-User setting, disengaging internet connection now, thank you, go read a book or play solitaire........still here? The setting was permanent, shoo, SHOO, rebooting now......
Message from god, Please logoff, rebooting the Universe
I stand corrected, yes, your analysis is correct in regard to the abandonment of SMTP recommendation.
Sam
blog.sam.liddicott.com
I set up a firewall at a medium-sized company and the only machine which was allowed to connect to some remote machine on port 25 was the mail server. In a similar vein, the transparent proxy was deliberately set up to break LookOut Express HotMail over HTTP.
Simple things like that, default to deny for both inbound and outbound, virus checking on the mail server: they all greatly reduce the risk of these Windows plagues.
And I thought it was all pretty much standard practice.
I personally think that individuals should take more responsibility for their equipment. It's not really the ISP's business to put in firewalls - perhaps if the users were to pay for the additional service, then the ISP can provide... The individual can always put in a firewall themselves which would only allow port 25 connection to their ISP's mailserver.
Perhaps - a "mandatory" additional fee for a firewall for those who do not have an operational firewall?
Just thinking aloud....
-- The universe began. Life started on a billion worlds...
-- Except on one where stupidity was there first.
Obviously, if the firewall rather than the PC becomes the main point allowing or denying access to the network then attackers will concentrate on the firewall instead. Lots of consumer-level firewalls are likely to have 'easy-to-use' features which can be exploited. Probably even a firewall control panel accessed from Windows, so all you need to do is crack the PC and wait for the user to enter the firewall password once.
Arguing that we should use reverse firewalls to stop exploited PCs sending out traffic to the network is an admission that expecting security on the PC itself is doomed and we should rely on something, anything else - that doesn't run Windows. I think it would be better to attack the real problem and try to make the typical PC as hard to crack as the typical consumer firewall. For those stuck with insecure systems (or systems which make it very hard for a naive user to keep his PC secure) a reverse firewall might be a useful sticking plaster.
-- Ed Avis ed@membled.com
And the cable companies would NEVER use it to shut down things they don't like, e.g., online gaming servers, p2p programs, etc.
If someone says he and his monkey have nothing to hide, they almost certainly do.
I've been using Zone Alarm to do this for years. And as I recall, Windows XP SP2 will include a bi-directional firewall. While it would be nice to have this implemented into a set-it-and-forget-it hardware solution, apps like Zone Alarm are free and quite effective.
Further, any effective hardware implementation will have to keep logs or send alerts because personally, I want to know what's being prevented from going out.
My mom always said, "Jim, you're 1 in a million." Given the current population, there are 7000 of me. God help us all!
A "hardware" firewall is just a software firewall on another machine. As such, it's still complex to keep it setup correctly. You can get close to a default good condition, but it's not perfect.
"but it also requires the user to accept or reject applications requesting access (and knowing users, they will just click accept all the time)."
You got it. There is no easy practical way to actually know what all the requests, even when presented with them, actually *mean* right then at the exact second you need to make an executive decision on allow/disallow. You have the tool to do this, but not the knowledge to make the decision intelligently without a LOT of prior research; it is not default "clear" to most people. For one, you as joe user have to know which host/process/connect/in/out is cool or not. The firewall will do what you tell it to do, that part is not difficult, it's binary, yes or no, but if you don't *know* intuitively, in advance of being forced to make a decision, you have to *guess* if you want to continue surfing.
"Reverse" firewall huh. That sounds a lot like Egress filtering to me. Don't all real firewalls do that?
I wouldn't trust stateful packet inspection on my "modem" as far as I could throw it. The firewall built into my old (not-so)Efficient 5861 DSL router was horrible. It had no stateful packet inspection, so you were letting in packets on ports outside the realm of established connections. The firewall built into my Cayman 3546 is smarter, but not very configurable at all. It's either on or off and I could map some ports, but it's not nearly as configurable as others.
The only thing I trust is my PF/IPF firewalls in place around the crappy DSL modem firewalls.
More than just tying the application to the port (email client to port 25), Zone Alarm warns if an excessive amount of email is about to be sent by the previously authorized client. My normal mail goes without a peep; my distributions to a mailing list get a Zone Alarm confirmation.
With a compromised spam factory, such a volume warning may serve to wake up even the most naive user. OTOH, I wouldn't be surprised at a, "Oh that Zone Alarm thing? Yeah, it does that every night..."
With a firewall in the cable modem itself, the cable company will be able to remotely configure it, and conceivably stop any kind of traffic they want to stop. Don't want you using P2P applications? Just firewall those ports! It's not like you "own" the cable modem anyway (most people just lease one). And even if you do own, they can just write a clause into the contract giving them rights to remotely configure it.
Before you know it, cable modems without such firewalls will be banned from the network.
Sorry, I'm not installing any piece of hardware that I don't own, is under direct control of the cable company, and can be used to filter my outgoing traffic. Not in a fucking million years. And definitely not in the name of "stopping spam."
"Stop spam" has become the cyber equivalent of "Save the children." It seems we're willing to throw away far too much in return for too little benefit.