Erik Norgaard wrote:
Does anyone know of a firewall product with this capability?
Thanks for your suggestions, sorry for not responding before, I have
been away. I have become aware that there are a number of options. For
those with an interest in the background (who knows if your government has
similar ideas), see below.
Cheers, Erik.
More than two years ago the Danish congress passed an anti-terror law
that should give authorities better access to data and secure traces of
communication.
But, the technical side was so complicated that they decided to pass it,
and then leave it to the ministry to write the content! Yup, they pass
the law, then write it - or actually, let someone else write it. So much
for democracy.
Some of the new stuff is:
* Police can request log data without requiring permission from a judge.
* Communication must be logged such that it is possible to trace source
and destination of every data exchange, while content is not logged.
The first was initially to allow police access to passenger lists where
there is no time to wait for a permission, but since this easy access to
data is so convenient, why not just give a general permission and assume
police knows when to use it?
The log requirement affects all electronic communication: Telephone,
E-mail and other network connections.
Obviously this was criticised from the beginning: large ISPs have
argued that the effort is worthless if only they have to log, while all
small ISPs and companies argue that the cost is huge and does not scale
with company size, and civil rights groups argued that the invasion of
privacy was too massive to justify the purpose.
The first thing that was done was to exclude pretty much everything
except ISP's: Public institutions, including libraries and schools,
private companies, government institutions etc.
When it comes to ISPs it is a bit messy: what is an ISP? It has become
popular to create local community networks and share costs. An ISP has
been defined as an entity providing internet access to more than 100
paying clients (it is important that people pay).
So now, everyone agrees that the law is flawed and won't provide any
extra protection - any terrorist can access his webmail account from the
public library and he will be assured anonymity. Anyone wanting home
network protection should share out his wireless network for free; there
is no logging requirement and he can now rightfully claim that it was a
drive-by hacker that did whatever.
What is left to do is as little as possible - while still complying with
the law. Obviously, once the packet has left my network it is beyond my
control. We know that pretty much anything is spoofable, but I can only
log the information I have access to.
So this boils down to:
1. Log initiation of connection
2. Log termination of connection
3. Log change of identity (i.e. PNAT)
4. Log e-mail envelope information
(1-3 also apply to phone calls)
Most MTAs log envelope information, so this is really not a problem.
When it comes to initiation of a connection this simply means log the
first packet - whatever.
The problem of logging termination of connection: some protocols like
UDP and ICMP are stateless, there is no termination, which means that all
packets must be logged. For TCP the problem is to determine when a
connection is closed: it may be timed out, or terminated by loss of
connection instead of closing the connection regularly. To catch that one
would actually have to log all packets and then throw away all but the
first and last.
The problem of change of identity is that the government wants to be able to
identify the individual hiding behind the firewall. It is usually
unlikely that two people independently connect to the same server at the
same time, one with legal objectives while the other with less acceptable
objectives - in particular when handling smaller networks. But, to be
sure, entries in the NAT table must be logged to create the exact
mapping. To catch entries that exist only a few seconds, one needs
direct access to the NAT table.
This is still not enough. It is also necessary to have strict control of the
assignment of IP addresses such that at any given time it is possible to
identify the host with a given IP address. The easy way is static IP.
But IPs can be spoofed. A static ARP table will prevent that, but the MAC
address can be spoofed too.
Eventually, the only reliable way to stay in control of the identity on
the home LAN is by requiring authentication and preferably setting up a VPN
connection.
These problems actually also apply to ordinary corporate networks;
after years of focus on server security, the biggest threat comes from
the inside: you want to ensure that employees do not connect
unauthorized equipment, that laptops and portable devices are on
separate networks or isolated and scanned thoroughly before being admitted to
the local network, that the visiting business partner is isolated on a
separate network etc., all to isolate and prevent internal spreading of
malicious software etc.
--
S/MIME Certificate: http://www.locolomo.org/crt/2004071206.crt
Subject ID: A9:76:7A:ED:06:95:2B:8D:48:97:CE:F2:3F:42:C8:F2:22:DE:4C:B9
Fingerprint: 4A:E8:63:38:46:F6:9A:5D:B4:DC:29:41:3F:62:D3:0A:73:25:67:C2