Slashdot Mirror


Reverse Firewalls As An Anti-Spam Tool

An anonymous reader writes "VeriSign's principal scientist Phillip Hallam-Baker believes one answer to stopping spammers and even crackers is by using reverse firewalls. He says reverse firewalls should be embedded in every cable modem and wireless access point for home users. "A traditional firewall is designed to stop attacks from the outside coming in; a reverse firewall stops an attack going out," Hallam-Baker said. Apparently, a reverse firewall would reduce the value of recruiting your home PC as a member of a botnet because "normal users have no need to send out floods of e-mail, which reverse firewalls can stop, but they do allow a normal flow of e-mail.""

23 of 513 comments

  1. A better idea... by SixDimensionalArray · · Score: 5, Insightful

    Perhaps simply modifying mail protocols (migrating away from SMTP, POP3, IMAP etc.) to more robust and secured ones would be easier than having to create a product just to limit what you can do with your own machine and network connection.

    But that would be silly now, wouldn't it? Sure, it would cost a lot to migrate your mail clients and mail servers to a hypothetical industry-standard "enhanced SMTP" or something like that, but wouldn't we all be better off in the long run?

    1. Re:A better idea... by PetoskeyGuy · · Score: 5, Informative

      Enhanced SMTP, better known as ESMTP, is not hypothetical. It's out there, it works, mail clients know about it. It's optional and most ISPs I've used don't have strong authentication. They could, but choose not to. Search Google for Enhanced SMTP or you'll find an ESMTP mail server.

      It seems you're proposing the same argument the article does. Basically security needs to be enabled by default. The internet is no longer a place where you can trust. They are suggesting a hardware fix, you're suggesting software.

      Either way it will most likely require some pretty big players like AOL or Microsoft to implement it before it would achieve critical mass. Designing a different way of doing things isn't hard, it's getting everyone else to agree to it and use it.

      AOL started implementing SPF to stop spam. If AOL/MSN/Yahoo all decide to stop accepting mail that doesn't come from SPF using sites, adoption should happen in about a fortnight.

    2. Re:A better idea... by Jahf · · Score: 4, Insightful

      That's your fault for not implementing a checking algorithm when the users are changing their passwords.

      We had a password checker for our users (when I was at an ISP) that prevented stupid user dictionary attacks back in 1994/1995. A little user hassle at that bottleneck prevents a world of hurt later on.

      --
      It is more productive to voice thoughtful opinions (reply) than to judge (moderate) others.
  2. Off by default by Kris_J · · Score: 4, Interesting
    Where my mother works, they're all allowed to have VPN access (I know this because I'm getting ADSL so she won't be dialling in directly anymore), but it's not on by default, you have to make a request to turn it on.

    Similarly, few individuals have a desperate need to run their own mail server, so ISPs should only allow mail connections to their own mail servers unless the user asks otherwise. How hard is that? Someone tell me this wouldn't have a major impact on spam zombies.

    You could do the same for pretty much every unpopular service and just have an account page where users can specifically turn on services they need.

    1. Re:Off by default by ottothecow · · Score: 4, Interesting
      Yes

      He is right.

      ISPs should block port 25, that is a definite yes at this point in time. But, when a user wants port 25, they should be able to ask and receive.

      Your average cable/DSL user is probably still using their free yahoo or hotmail account to check email. Maybe they made an ISP account now that POP3/SMTP is offered, but they probably have no need for an external mailserver.

      The next guy up--the one who wants the mailserver--is either someone who knows enough about the internet and can deal with the attacks on their system, or some corporate exec who is told that he needs to do this to check his email. They could have a little quiz about security and if you do well, you get port 25, if you don't do well you can either take a little online class or maybe just buy a NAT box (maybe with a reverse firewall).

      --
      Bottles.
    2. Re:Off by default by gerardrj · · Score: 4, Insightful

      There are several very good reasons to use your own email server instead of your ISPs:

      1. You can use any domain name(s) you want so you don't ever have to change your address as you change ISPs.

      2. Your ISP (or anyone else) can't read your mail while it's sitting on your own server. They can read it when it's sitting on their server.

      3. Spam prevention. When you run your own server you can alias your account as many times as you wish, and are able to add/delete aliases instantly and at will, giving a unique address to each entity. If you get spam on an address, you delete it and create a new one.

      4. No limits on message content or size. Many ISPs limit the size of attachments. Granted, SMTP is not meant as a file transfer protocol, but that's not a reason to arbitrarily limit the size of messages.

      5. Notification. When you own the server and new mail comes in you can have the server forward the mail to multiple places, or run scripts to notify you on a pager, via telephone, etc.

      6. Reliability. At least with my ISP, my mail server has a higher availability than theirs. Because of the load on the server from spam, it goes down fairly regularly and is frequently backlogged. Sure this is just poor admin on their part, but with my own server it doesn't affect me.

      --
      Article X: The powers not delegated... by the Constitution...are reserved...to the people
    3. Re:Off by default by Phil+Karn · · Score: 5, Insightful
      If your ISP is intrusive enough to read your email, then they can just as easily read it as it comes into your private mailserver.

      Many (most?) MTAs now support the STARTTLS SMTP command. Set up your own mail server, create a self-signed certificate, and a remarkable fraction of your email will be automatically encrypted during the transfer. Even much of my incoming spam is encrypted in this way. Since it comes from all over the world, this actually serves as a useful mask for anyone doing traffic analysis.

      Your ISP could still intercept your mail with a man-in-the-middle attack, but that's far less likely than browsing your mail files on their server.

      I'd quickly find a new ISP if this was the case.

      Well, mail server unreliability is a problem with many ISPs. Even though my ISP's server works most of the time, I still can't log in and run "mailq". I do that regularly with my own server, and I depend on it.

      Not only is it bad netiquette to send massive attachments, but most servers will block them at the other end.

      While I personally avoid sending large attachments, I can't reasonably object when it's done between consenting parties. So I don't see this as a valid argument against personal mail servers, but rather a strong argument in favor since the ISP's mail admin doesn't have to be a consenting party.

      Have you heard of fetchmail?

      Do you really want it to poll every minute? When you run your own mail server, you don't have to decide between overhead and quick notification of incoming email. Maybe you don't see the need to be notified of new email that quickly, but what right do you have to impose your personal preferences on others?

      The bottom line is that I feel very strongly that there are many perfectly valid reasons for individuals to run their own mail servers, and no ISP should deny them this right as long as they don't bother anyone else, e.g., by sending spam.

      This isn't just about the right to run personal email servers. It's about something much more important and fundamental: preserving and protecting the end-to-end model that made the Internet such a success. If we permit ISPs to encroach on the end-to-end principle for what may appear to the naive person to be "worthy" reasons, it won't end until it becomes almost impossible to innovate with new and useful end-to-end services.
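To see how much of that protection a self-signed STARTTLS deployment actually gives, here is an added example (not part of the thread, and not Karn's own setup): a POSIX shell probe built on openssl s_client -starttls smtp that reports whether a given MX negotiates TLS and whether its certificate verifies against the local CA store. A self-signed certificate yields an encrypted but unverified session, which is exactly the passive-sniffing protection described above and no protection against an active man-in-the-middle, who can present his own certificate and be accepted just as readily. The host name mx.example.net and the three sample outputs are constructed for offline use; the classifier checks that a peer certificate was actually received before trusting the verify code, because s_client prints "Verify return code: 0 (ok)" even when the handshake never happened.

```shell
#!/bin/sh
# Added example, not from the thread: probe an MX for STARTTLS and report
# whether the session is encrypted and whether the certificate verifies.
# Requires openssl(1) for the live probe. mx.example.net is a placeholder.
set -u

# Live probe: openssl performs EHLO/STARTTLS itself, then the TLS handshake,
# and prints the session summary. stdin from /dev/null makes it exit right
# after the handshake instead of waiting for SMTP commands.
probe_starttls() {
    host="$1"
    port="${2:-25}"
    openssl s_client -starttls smtp -connect "$host:$port" \
        -servername "$host" </dev/null 2>&1
}

# Classify s_client output read on stdin. Prints one of:
#   none            no TLS session (STARTTLS not offered, or handshake failed)
#   verified        TLS up and the certificate chains to a trusted CA
#   unverified:N    TLS up but verification failed with X509 error N
#                   (18 = self-signed): passive sniffing is defeated, an
#                   active man-in-the-middle is not.
classify_starttls() {
    out="$(cat)"
    # s_client still prints "Verify return code: 0 (ok)" when no handshake
    # happened, so first check that a peer certificate was received at all.
    if printf '%s\n' "$out" | grep -q 'no peer certificate available'; then
        echo none
        return 0
    fi
    code="$(printf '%s\n' "$out" \
        | sed -n 's/^ *Verify return code: \([0-9][0-9]*\).*/\1/p' | tail -n 1)"
    if [ -z "$code" ]; then
        echo none
    elif [ "$code" = "0" ]; then
        echo verified
    else
        echo "unverified:$code"
    fi
}

# Constructed, abridged s_client outputs so the classifier can run offline.
SAMPLE_SELFSIGNED='CONNECTED(00000003)
depth=0 CN = mx.example.net
verify error:num=18:self signed certificate
---
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Verify return code: 18 (self signed certificate)
---'
SAMPLE_VERIFIED='CONNECTED(00000003)
depth=0 CN = mx.example.net
verify return:1
---
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
    Verify return code: 0 (ok)
---'
SAMPLE_PLAINTEXT="CONNECTED(00000003)
Didn't find STARTTLS in server response, trying anyway...
---
no peer certificate available
---
New, (NONE), Cipher is (NONE)
    Verify return code: 0 (ok)
---"

# Usage: sh starttls_check.sh mx.example.net [port]   (live probe)
# With no arguments, classify the constructed samples instead.
if [ $# -gt 0 ]; then
    probe_starttls "$1" "${2:-25}" | classify_starttls
else
    printf '%s\n' "$SAMPLE_SELFSIGNED" | classify_starttls   # unverified:18
    printf '%s\n' "$SAMPLE_VERIFIED"   | classify_starttls   # verified
    printf '%s\n' "$SAMPLE_PLAINTEXT"  | classify_starttls   # none
fi
```

Run it against your own MX from outside your network: "unverified:18" is the self-signed case Karn describes, "none" means the server never offered STARTTLS (or an intermediary stripped the capability from the EHLO reply, which is what an active attacker would do), and only "verified" means a strict peer could authenticate the server.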

  3. Oh yeah, router manufacturers will buy this... by cleverhandle · · Score: 4, Interesting

    I suppose the router manufacturers will take this step, which would certainly generate more tech support calls and higher engineering costs, out of the goodness of their hearts?

    The manufacturers are in a beautiful position on the spam/virus issue - they just route the packets, virii are Microsoft's problem. Why rock the boat?

    1. Re:Oh yeah, router manufacturers will buy this... by comet_11 · · Score: 4, Informative

      For the love of jesus, I hate any slashdot article relating to viruses. I have to read through comment after comment using the accursed "virii".

      "Virii" is, and let me put this gently, not a goddamn word. I say this not just for your sake, but in the hope that at least a hundredth of the people operating under this painful warping of the english language. Read this, I beg you, and stop making me - and anyone who knows the word - cringe.

      --
      By reading this comment, you immediately waive any and all rights regarding it.
  4. Re:And who will control what to control? by dhakbar · · Score: 5, Insightful

    Force?

    You do realize that this isn't a discussion about a law to make it illegal to connect to the internet without such a reverse firewall, don't you? How is this guy's (not so hot) idea forcing you to do anything?

  5. Reverse firewalls? by afay · · Score: 4, Insightful

    First of all, the linked article simply describes a firewall blocking some outgoing traffic with easy rate limit rules (i.e. no email after x messages sent in y amount of time). There's no need to call it a reverse firewall. It's a firewall, plain and simple. Just because most people allow all outgoing traffic doesn't mean that if you block some you've invented a new type of firewall.

    The other article is really describing a completely different thing. They use the same term, reverse firewall, but they talk about firewalling each individual machine inside a lan. Basically, they suggest a firewall on each machine to protect the internal network from attacks that originate inside it. Completely different use of the term.

    It sort of looks like the submitter just googled for "reverse firewall" and posted the first match. Or actually it appears to be the 4th match. Anyway, regardless, the two links seem to be talking about different things. Both of them have merit, but neither seems particularly innovative. I do like the first article's idea of rate limiting outgoing email on home router boxes by default. Seems like it would solve a lot of spam problems.

    --
    Best slashdot comment
  6. Great Reverse Firewall for Mac OS X by toupsie · · Score: 4, Informative
    If you have got a Mac, there is a program called "Little Snitch" that is an excellent reverse firewall. While I am not worried as much about my Mac becoming a part of a botnet, it is amazing to see how often my installed software packages want to "phone home". I have even caught third party web advertisers wanting to open ports outside of 80 and 443.

    A cable modem with a reverse firewall sounds nice but I would rather handle this at the CPU level. I want to choose what to block and accept.

    --
    Strange women lying in ponds distributing swords is no basis for a system of government.
  7. reverse firewall? what? by rritterson · · Score: 5, Interesting

    Reverse Firewall? As far as I know, a wall of fire would be flaming on both sides.

    All kidding aside, all capable firewalls do have outbound protection built into them. Consumer software firewalls monitor which programs are allowed to access the internet, for example, and enterprise-level firewalls allow you to define heuristics to block certain traffic patterns.

    So, basically, the article is just suggesting a new name for an old concept. Really, the author wants consumer networking devices to have more capable firewalls.

    He's missing something: home PCs aren't spam-generators, they are spam relays. The spam has to be getting in somehow, and that is something a normal firewall should be able to stop. On top of that, they have downloaded a trojan or been hit by a worm to turn them into relays in the first place, which is something a firewall + AV should prevent.

    Also, it's probably just as easy to educate 75% of the people how not to become a spam relay as it is to get 75% of the people to buy something with a reverse firewall and then train them how to use it (most people I know just put their computers into the DMZ when they play games because they don't know how to forward ports).

    Sure, layered security is a good thing, but I see this as likely to generate many headaches with not much benefit

    --
    -Ryan
    AUWYHSTOT (Acronyms are Useless When You Have to Spell Them Out Too)
  8. Virus could disable software firewall by erice · · Score: 4, Interesting

    The virus is already on the inside with "root". It would be trivial for the virus to simply disable the firewall before spewing.

    No, for a "reverse" firewall to make any sense, the firewall must be on a different machine.

  9. Re:And who will control what to control? by Capt'n+Hector · · Score: 4, Informative

    Put away that tin foil hat. Would you say the same thing about normal firewalls? After all, normal firewalls don't allow traffic from Bittorrent, most online games, etc etc etc without configuration. So.... "Who will control what defines an attack?" The answer is, as always, you.

    --
    Quid festinatio swallonis est aetherfuga inonusti?
    Africus aut Europaeus?
  10. Re:And who will control what to control? by bhima · · Score: 4, Funny
    Sorry I can't help myself....

    Can it it be configured to block port 1984?

    --
    Nothing in the world is more dangerous than sincere ignorance and conscientious stupidity.
  11. Re:This isn't normal behavior? by Christopher+Cashell · · Score: 5, Insightful

    Even for LAN firewalls, this is, or should be, normal behavior.

    I know I've had my firewall set up to block outgoing port 25 traffic that doesn't come from the mail server for a long time now. I also log outbound port 25 requests, and twice this has alerted me to when one of my users was infected with a mass-mailing trojan.

    Anyone who runs a firewall and does not currently have it set up similar to this should block outgoing port 25 connections that do not originate from your mail server immediately.

    If you're running any reasonably modern firewall (or using Linux and iptables for your firewall) this is fairly trivial to set up.

    Come on, guys. Let's all do our part to stop spam. Every little bit helps.

    --
    Topher
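Here is what that gateway rule set looks like in practice, as an added example that is not part of the thread and not any commenter's own configuration: a POSIX shell script for a Linux gateway that sends every new outbound TCP/25 connection from the LAN through a dedicated iptables chain, lets the trusted mail server through, gives any other host the small per-host allowance that afay's rate-limit reading of the article calls for (via the hashlimit match), and logs and rejects the rest, which is the block-and-log policy Christopher Cashell describes. The interface names eth0/eth1, the LAN prefix 192.168.1.0/24 and the mail server address 192.168.1.25 are hypothetical defaults; by default the script prints the rules rather than installing them, and --apply installs them.

```shell
#!/bin/sh
# Added example, not from the thread: outbound-SMTP policy for a Linux
# gateway using iptables. Interface names, the LAN prefix and the mail
# server address below are hypothetical placeholders.
set -u

LAN_IF="${LAN_IF:-eth0}"                    # inside interface
WAN_IF="${WAN_IF:-eth1}"                    # Internet-facing interface
LAN_NET="${LAN_NET:-192.168.1.0/24}"
MAIL_SERVER="${MAIL_SERVER:-192.168.1.25}"  # the one host that may relay freely
SMTP_RATE="${SMTP_RATE:-10/hour}"           # per-host allowance of new TCP/25 connections
SMTP_BURST="${SMTP_BURST:-10}"
STRICT="${STRICT:-0}"                       # 1 = no allowance, mail server only
DRY_RUN="${DRY_RUN:-1}"                     # default: print rules; --apply installs them

# Wrapper so the same function can either print or install the rules.
ipt() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

apply_smtp_egress() {
    # Keep the policy in its own chain so it can be reloaded on its own:
    # create it, or flush it if a previous run left it in place.
    ipt -N SMTP_EGRESS 2>/dev/null || ipt -F SMTP_EGRESS

    # The trusted mail server relays without limit.
    ipt -A SMTP_EGRESS -s "$MAIL_SERVER" -j ACCEPT

    # Any other LAN host gets a small per-source allowance of new SMTP
    # connections, which is what a "normal flow of e-mail" looks like at
    # the gateway. Omitted in STRICT mode.
    if [ "$STRICT" != "1" ]; then
        ipt -A SMTP_EGRESS -m hashlimit --hashlimit-mode srcip \
            --hashlimit-name smtp_egress --hashlimit-upto "$SMTP_RATE" \
            --hashlimit-burst "$SMTP_BURST" -j ACCEPT
    fi

    # Everything else: log it (rate-limited, so a spewing host cannot flood
    # the log) and reject with a reset so the sender fails fast instead of
    # timing out. The log line is the early warning of an infected host.
    ipt -A SMTP_EGRESS -m limit --limit 6/min --limit-burst 20 \
        -j LOG --log-prefix "SMTP_EGRESS_BLOCK: " --log-level warning
    ipt -A SMTP_EGRESS -p tcp -j REJECT --reject-with tcp-reset

    # Hand new TCP/25 connections from the LAN towards the Internet to the
    # chain. Submission ports (587, 465) are left alone: they go to the
    # user's own provider with authentication, not to arbitrary MXs.
    ipt -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" \
        -p tcp --dport 25 --syn -j SMTP_EGRESS
}

case "${1:-}" in
    --apply) DRY_RUN=0 ;;
esac
apply_smtp_egress
```

Two caveats a practitioner should keep in mind. The --syn match counts new connections per source, not messages, so a bot that holds one SMTP session open and pipelines many messages is throttled only at connection time; a true per-message limit needs an MTA or transparent SMTP proxy in the path. And, as erice points out above, this only holds because the rules live on a separate box that the infected host cannot reach as root; STRICT=1 drops the allowance and reproduces the plain block-everything-but-the-mail-server rule.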
  12. Re:Obligatory form-letter post by Artega+VH · · Score: 4, Informative

    Did you select from that "form" randomly or did you want to actually make an insightful point?

    (x) Users of email will not put up with it
    Actually if implemented properly (allowing people to configure it) people WILL put up with it..

    (x) Requires immediate total cooperation from everybody at once
    No. Every user that gets one of these things helps.

    (x) Lack of centrally controlling authority for email
    Huh?

    (x) Open relays in foreign countries
    No. Every user that gets this helps.

    (x) Ideas similar to yours are easy to come up with, yet none have ever been shown practical
    I think this is practical. Just like a regular firewall is practical. (Might as well make this thing a proper full blown hardware firewall)

    (x) Countermeasures should not involve sabotage of public networks
    (x) Countermeasures must work if phased in gradually
    Pardon?

    (x) This is a stupid idea, and you're a stupid company for suggesting it.
    Yes - very amusing. We're all laughing at your stupidity.

    This is not a fix-all solution. But it's a simple solution that would help to alleviate some of the spam problem.

    --
    groklaw, wired and slashdot. The holy trinity of work based time wasting.
  13. I dunno, chief. by mcco7614 · · Score: 5, Funny

    I just think it's funny that VeriSign's "chief scientist" said we should use "reverse firewalls" ... I'll foil his plans by installing a reverse router with dual reverse Ethernet switches between my hosts and my cable modem. And I'll connect it all using my reverse CAT6 cables. This way, by the time a packet arrives at the reverse firewall it will already have been reversed...in which case...uhhh...it will be re-reversed and forwarded normally. Yup.

    I'm gonna go to reverse sleep now.

    --
    "A clear conscience is usually the sign of a bad memory."
  14. Dangerous twaddle by cardpuncher · · Score: 5, Insightful

    Apart from the annoying debasement of the word "scientist", this really does reveal VeriSign's view of the function of the Internet and, unfortunately, it's becoming more common.

    If I buy an "Internet" service I have a reasonable expectation of being able to run any service I can encode in IP packets and have that service routed transparently end to end. I *should* be able to run a VPN, remotely mount filesystems, use VoIP or even run a mailserver if I want to. If I can't it isn't an Internet.

    Increasingly, ISPs seem to think that providing a link to their web proxy and a POP3 mailbox constitutes an adequate service. It might be for some people, but it's not the Internet, it's CompuServe revisited. It's good for ISPs though, because they can start charging you extra for "services" which simply involve them removing rules from your compulsory firewall.

  15. Just to be pedantic by fishbot · · Score: 4, Informative

    but a firewall is a piece of software which allows or denies packets based on their properties; it cares not in which direction they are flowing.

    A reverse firewall, then, is just a firewall. It's like the difference between a slash and a forward slash (pet peeve). In fact, if you use an iptables or ipchains firewall, you only need a few extra rules to implement this on your gateway machine.

  16. New??? by really? · · Score: 4, Interesting

    Perhaps it's just me, but egress filtering is the default behaviour on all FW boxes I set up. And I'm not even that much of a hardcore security geek.

    --

    "Consistency is contrary to nature, contrary to life. The only completely consistent people are the dead." A. Huxley
  17. Re:This isn't normal behavior? by 13Echo · · Score: 4, Informative

    It is strange that people working for free, I am talking open source here, do not produce something that is useful for home users. All the OSS firewalls I have looked at require you to have a good to expert knowledge (depending on firewall) of networking in order to effectively use them. They all seem to be just creating replacements for professional products rather than something that is usable by the average Joe.

    You mean, like Firestarter?

    http://firestarter.sourceforge.net/

    It doesn't require any knowledge to configure the firewall.