Slashdot Mirror

← Back to Stories (view on slashdot.org)

Reverse Firewalls As An Anti-Spam Tool

Posted by timothy on from the to-each-his-own dept.

An anonymous reader writes "VeriSign's principal scientist Phillip Hallam-Baker believes one answer to stopping spammers and even crackers is by using reverse firewalls. He says reverse firewalls should be embedded in every cable modem and wireless access point for home users. "A traditional firewall is designed to stop attacks from the outside coming in; a reverse firewall stops an attack going out," Hallam-Baker said. Apparently, a reverse firewall would reduce the value of recruiting your home PC as a member of a botnet because "normal users have no need to send out floods of e-mail, which reverse firewalls can stop, but they do allow a normal flow of e-mail. ""

8 of 513 comments (clear)

  1. A better idea... by SixDimensionalArray · · Score: 5, Insightful

    Perhaps simply modifying mail protocols (migrating away from SMTP, POP3, IMAP etc.) to more robust and secured ones would be easier than having to create a product just to limit what you can do with your own machine and network connection.

    But that would be silly now, wouldn't it? Sure, it would cost a lot a migrate your mail clients and mail servers to a hypothetical industry-standard "enhanced SMTP" or something like that, but wouldn't we all be better off in the long run?

    1. Re:A better idea... by PetoskeyGuy · · Score: 5, Informative

      Enhanced SMTP better known as ESMTP is not hypothetical. It's out there, it works, mail clients know about it. It's optional and most ISP's I've used don't have strong authentication. They could, but choose not to. Search Google for Ehanced SMTP or you'll find an ESMTP mail server.

      It seems your proposing the same argument the article does. Basically security needs to be enabled by default. The internet is no longer a place where you can trust. They are suggesting a hardware fix, your suggesting software.

      Either way it will most likely require some pretty big players like AOL or Microsoft to implement it before it would achieve critical mass. Designing a different way of doing things isn't hard, it's getting everyone else to agree to it and use it.

      AOL started implementing SPF to stop spam. If AOL/MSN/Yahoo all decide to stop accepting mail that doesn't come form SPF using sites, adoption should happen in about a fortnight.

  2. Re:And who will control what to control? by dhakbar · · Score: 5, Insightful

    Force?

    You do realize that this isn't a discussion about a law to make it illegal to connect to the internet without such a reverse firewall, don't you? How is this guy's (not so hot) idea forcing you to do anything?

  3. reverse firewall? what? by rritterson · · Score: 5, Interesting

    Reverse Firewall? As far as I know, a wall of fire would be flaming on both sides.

    All kidding aside, all capable firewalls do have outbound protection built into them. Consumer software firewalls monitor which programs are allowed to access the internet, for example, and enterprise-level firewalls allow you to define heuristics to block certain traffic patterns.

    So, basically, the article is just suggesting a new name for an old concept. Really, the author wants consumer networking devices to have more capable firewalls.

    He's missing something: home PCs aren't spam-generators, they are spam relays. The spam has to be getting in somehow, and that is something a normal firewall should be able to stop. On top of that, they have downloaded a trojan or been hit by a worm to turn them into relays in the first place, which is something a firewall + AV should prevent.

    Also, it's probably just as easy to educate 75% of the people how not to become a spam relay as it is to get 75% of the people to buy something with a reverse firewall and then train them how to use it (most people I know just put their computers into the DMZ when they play games because they don't know how to forward ports).

    Sure, layered security is a good thing, but I see this as likely to generate many headaches with not much benefit

    --
    -Ryan
    AUWYHSTOT (Acronyms are Useless When You Have to Spell Them Out Too)
  4. Re:This isn't normal behavior? by Christopher+Cashell · · Score: 5, Insightful

    Even for LAN firewalls, this is, or should be, normal behavior.

    I know I've had my firewall setup to block outgoing port 25 traffic that doesn't come from the mail server for a long time now. I also log outbound port 25 requests, and twice this has alerted me to when one of my users was infected with a mass-mailing trojan.

    Anyone who runs a firewall and does not currently have it set up similar to this should block outgoing port 25 connections that do not originate from your mail server immediately.

    If you're running any reasonably modern firewall (or using Linux and iptables for your firewall) this is fairly trivial to setup.

    Come on, guys. Let's all do our part to stop spam. Every little bit helps.

    --
    Topher
  5. I dunno, chief. by mcco7614 · · Score: 5, Funny

    I just think it's funny that VeriSign's "chief scientist" said we should use "reverse firewalls" ... I'll foil his plans by installing a reverse router with dual reverse Ethernet switches between my hosts and my cable modem. And I'll connect it all using my reverse CAT6 cables. This way, by the time a packet arrives at the reverse firewall it will already have been reversed...in which case...uhhh...it will be re-reversed and forwarded normally. Yup.

    I'm gonna go to reverse sleep now.

    --
    "A clear conscience is usually the sign of a bad memory."
  6. Dangerous twaddle by cardpuncher · · Score: 5, Insightful

    Apart from the annoying debasement of the word "scientist", this really does reveal VeriSign's view of the function of the Internet and, unfortunately, it's becoming more common.

    If I buy an "Internet" service I have a reasonable expectation of being able to run any service I can encode in IP packets and have that service routed transparently end to end. I *should* be able to run a VPN, remotely mount filesystems, use VoIP or even run a mailserver if I want to. If I can't it isn't an Internet.

    Increasingly, ISPs seem to think that providing a link to their web proxy and a POP3 mailbox constitutes an adequate service. It might be for some people, but it's not the Internet, it's CompuServe revisited. It's good for ISPs though, because they can start charging you extra for "services" which simply involve them removing rules from your compulsory firewall.

  7. Re:Off by default by Phil+Karn · · Score: 5, Insightful
    If your ISP is intrusive enough to read your email, then they can just as easily read it as it comes into your private mailserver.

    Many (most?) MTAs now support the STARTTLS SMTP command. Set up your own mail server, create a self-signed certificate, and a remarkable fraction of your email will be automatically encrypted during the transfer. Even much of my incoming spam is encrypted in this way. Since it comes from all over the world, this actually serves as a useful mask for anyone doing traffic analysis.

    Your ISP could still intercept your mail with a man-in-the-middle attack, but that's far less likely than browsing your mail files on their server.

    I'd quickly find a new ISP if this was the case.

    Well, mail server unreliability is a problem with many ISPs. Even though my ISP's server works most of the time, I still can't log in and run "mailq". I do that regularly with my own server, and I depend on it.

    Not only is it bad netiquette to send massive attachments, but most servers will block them at the other end.

    While I personally avoid sending large attachments, I can't reasonably object when it's done between consenting parties. So I don't see this as a valid argument against personal mail servers, but rather a strong argument in favor since the ISP's mail admin doesn't have to be a consenting party.

    Have you heard of fetchmail?

    Do you really want it to poll every minute? When you run your own mail server, you don't have to decide between overhead and quick notification of incoming email. Maybe you don't see the need to be notified of new email that quickly, but what right do you have to impose your personal preferences on others?

    The bottom line is that I feel very strongly that there are many perfectly valid reasons for individuals to run their own mail servers, and no ISP should deny them this right as long as they don't bother anyone else, e.g., by sending spam.

    This isn't just about the right to run personal email servers. It's about something much more important and fundamental: preserving and protecting the end-to-end model that made the Internet such a success. If we permit ISPs to encroach on the end-to-end principle for what may appear to the naive person to be "worthy" reasons, it won't end until it becomes almost impossible to innovate with new and useful end-to-end services.