I totally agree that ISPs should provide free, unfettered access
to all ports/protocols/directions if that's what the user wants
but it fosters problems having these switched on by default.

The intention of my 'switches' is to put the user in control not
give the ISP free reign to meddle with our internet connectivity.
I probably didn't explain very well how these 'switches' would work.
I see them set on a simple 'firewall settings' web page using two
check-boxes. This would be custom displayed for a particular user of
the ISP. This would be easy to do because the ISP's machine will know
who the user is and can present them with their personal settings to
change when they visit the 'firewall settings' web page. The firewall
can load and apply these settings to their connection whenever they
log on to the internet. So technically very simple. The two switches
'Speak when spoken to' and 'Disallow fake internet addresses' are just
a jargon free way of presenting some very ordinary firewall functions.
So the whole thing would be cheap and technically trivial to implement.

As you have spotted some end-user applications such as ICQ and
presumably Bit Torrent require the ability to accept incoming
connections. I don't yet have a satisfactory technical solution to
these connections because it seems that the firewall should be capable
of temporarily opening to a particular IP address when requested by
the computer behind the firewall. There ought to be a good solution
to this.



[ reply ]

Link to this comment: http://www.securityfocus.com/comments/columns/241/26357#26357