Proposal for an ISP Firewall Law

A Seat Belt For Internet Users

The following cheap, simple and effective measure would reduce almost all forms of criminal activity on the internet. Government legislation is required to make it happen.

A law to make all Internet Service Providers (ISPs) implement a user-configurable firewall at the ISP level would cut internet crime such as spam, viruses, identity theft, hacking, denial of service attacks and cyber-terrorism.


How it would work

An ordinary internet connection through an ISP provides features that are not needed for browsing the web or sending emails. For people who only use the web and email these extra features are an unnecessary danger because they can allow a computer to be attacked and compromised resulting in it being controlled by somebody else, such as the author of a worm. An ISP could let each customer easily switch these features on or off by providing a user-configurable firewall. This firewall would run on a computer at the ISP site but be controlled by the user. New users would be protected by this firewall until they choose to switch the features on and vulnerable new computers could be patched and configured without risk of attack. Experienced users might want to completely open the firewall after making their computers secure. This firewall would be under the total control of the user not the ISP. A simple web page with tick boxes would be sufficient to control the firewall.

Firewall Settings
Adjust the safety of your internet connection. Add ticks to
increase safety. Remove ticks to give computers on the internet
more access to your computer. Empty all the boxes to remove
the firewall completely.
Disallow fake internet addresses
(Block incorrectly addressed packets to make DDOS difficult.)        
Speak when spoken to. (Stop all worms etc.)
(Block all incoming connections.)        
Prevent my computer being used to directly send spam
(Block all port 25 except outgoing to the ISP email server.        
This would also constrain email viruses such as Sober.I.)        
Block attacks on my Microsoft Windows computer
(Block ports 135..445 to prevent accidental file sharing, common        
attacks and prevent worms such as Sasser and Blaster.)        

Why not just run personal firewalls?

Many internet users do not, and should not be required to, understand how a firewall works and why it is unwise to use the internet without one. With the internet becoming essential for access to basic services rather than a playground for the technical elite the barriers to its use need to be reduced in the same way that shops should be built to be accessible to disabled people.

Personal firewalls can be accidentally or maliciously compromised even if they are meticulously maintained and configured. So an extra layer of protection can be useful even for an expert user. Allowing users to filter unwanted traffic at the ISP would reduce wastage of bandwidth between the ISP and the user.

The hardware and skill required to establish and maintain a firewall is more logically situated at the ISP than multiplied into thousands of user's homes. This could also reduce energy consumption if users are running hardware firewalls.

Providing a non-technical user with an internet connection but no firewall can result in their computer being compromised. This impacts not only the user but the rest of the internet in the form of spam and denial of service attacks which can't be effectively countered by a personal firewall at the receiving end. Compromised computers send 30% of spam, are used for denial of service attacks and can be used to conceal other internet crime. A reduction in the number of compromised computers on the internet would benefit internet users who already have good firewalls.

Why make this a Law?

This firewall is similar to fitting seat belts in cars. Seat belts are a legal requirement because they are cheap but significantly benefit the user and society. Selling a car without a seat belt endangers the driver and imposes an unnecessary cost on society. Likewise ISPs should be forced to provide a firewall with every internet connection. Knowledgable users who want to run more dangerous applications could easily switch it off.

The reduction in crime this firewall would provide will not happen until the government legislates because the people who most need a firewall are the ones who do not understand computer security and will therefore not request or pay for one. So an ISP that implements it could be at a competitive disadvantage when selling to these people. The law would extend the ISP business to the provision of firewalls. Tackling internet crime is the responsibility of government it should not be something every individual has to fight on their own.

The argument that there is no point introducing a national law when the crime is often international and therefore nothing to do with the national government is flawed. New laws are often copied by other countries. A law in one country provides leadership and encourages other countries to do likewise. So a national law can reduce the corresponding international crime to which that country is subject. The national economic impact of the preventable computer crime originating from compromised computers inside the country is anyway considerable.

Denial of service attacks from within the national border can potentially inflict more damage than those from abroad because filtering is more easily applied to large geographic groups of computers and the legitimate users of a web site are often close to it. So blanket filtering of a geographic region can not be applied to all local computers without cutting off a disproportionate number of the legitimate users. It may therefore be in the national interest to apply more resources to reducing the number of compromised computers within the national borders rather than those in other countries.

Features the firewall could control

The two main features the firewall should control are 'Speak when spoken to' and 'Disallow fake internet addresses'. These are ordinary firewall functions given non-technical names. For each of these the user would be given an On/Off choice on a web page. Other options could be provided by the ISP to meet detailed needs such as preventing spam or accidental file sharing. To keep it simple the broad design of the page could be : More boxes selected gives more protection and all boxes empty removes the firewall.

Speak when spoken to

With a normal internet connection every computer on the entire internet can start a conversation with your computer. This is unnecessary for the web and email because these conversations are initiated by your computer not by a computer on the internet. A firewall can be set to permit conversations started by your computer and block any internet computer from starting a conversation with yours. This eliminates the possibility of attacks from all computers except those your computer has recently spoken to, which is virtually every computer on the internet.

Disallow fake internet addresses

All computers connected to the internet have to have a unique internet address. Information is normally sent over the internet in packets with an envelope showing both the internet address of the sender and the internet address of the receiver. This allows the computers that deliver the packets to pass them on to the right computer and for the computer that receives the packet to send its reply back to the right computer. Compromised computers can cause problems by putting an incorrect sender address on their packets. This makes it more difficult to defend against and track down the compromised computer and can deceive computers into thinking they have received information from a computer which hasn't actually sent it. A firewall can block incorrectly addressed packets being sent to and from your computer.

Some simple denial of service attacks where a computer is flooded with so many fake requests for information that it is unable to function properly, are made easier by the ability of computers on the internet to give a fake sender address. Switching this off would make attacks from compromised computers more difficult.

The impact of this firewall on internet crime

Even without elaboration these two small features would have a dramatic impact on internet crime.

Consider, as a simple example, the Sasser worm. The first variant of this worm was released on 30th April 2004. Sasser only infects certain versions of Windows. Sasser instructs its host computer to try to contact other computers, fairly randomly, to find one running a vulnerable copy of Windows. When it finds a vulnerable computer it breaks in and makes a copy of itself onto the new host which then starts doing the same. The first variant of Sasser had no malicious intent other than to copy itself to as many computers as possible. In the month following release about 500,000 computers were infected causing an estimated 900 million USD of damage world-wide. A firewall that rejects incoming connections 'Speak when spoken to' is totally effective in preventing infection by Sasser. Supposing the ISPs had all provided this firewall for their users, a user would have had to have switched this protection off to be infected by Sasser. Guessing that two thirds would have switched off the firewall we have still made 300 million USD from just this one worm. Even allowing considerable margin with these estimates gives a worthwhile figure irrespective of any other benefits.

Apart from reducing the speed and spread of traditional worms such as Sasser the firewall would also make email viruses less prevalent. These are often produced by people who want to have control over computers not just to try to infect as many computers as possible. But to obtain control either the infected computer contacts the author or the author contacts the infected computer. For a virus on a newly infected computer to contact its author it has to have an address to contact. So by embedding their address in the virus the author is forced to take responsibility for the virus and the internet community can easily trace and cut off their address. Alternatively, if the infected computers can be contacted from the internet the author can scan sections of the internet and detect and take control of any infected computers. This means they do not have to put their address in the virus and can deny responsibility for it. So a 'Speak when spoken to' rule will make life difficult for people who want to exploit email viruses.