If this issue is just "new to me" and has already been covered in detail,
please excuse this post.

The recent thread on this mailing list, "Personal firewalls not so safe",
was initiated by a poorly written ZDNet story.... Needless to say, this
story has now been picked up by the mainstream press and I've now seen it
posted to four firewall-related lists.  Of course, most of the people who are
posting it intend to give it as an example of "bashing personal firewall
over real stand-alone boxes" and not even reading it...  as the story is
really about installing trojan horses on your client machines, and an
in-the-middle firewall can't protect against this!  In fact, personal
firewalls are actually ahead of the game (compared to an in-the-middle
firewall).

Undesired outbound data leaking (UODL)
=======================================
Despite the ZDNet story not being to my liking - it does not associate the
problem with the cause, there is a _real issue here_.  I will call the
problem "Undesired outbound data leaking" - UODL.

The basic technical issue is that "most existing firewall installations"
generally don't block outbound data, especially on a common destination port
(say 80).  This isn't a security issue as much as a "privacy" or "user
education issue."  But it is an issue, one that I have seen growing for some
time.

Steve Gibson has really been the one I would give credit to for "waving the
flag" and giving this issue the most attention.  First he focused on
applications that gave out information about your computer usage ("spyware"
in Steve's terminology).  Now he has focused on the claims of personal
firewall products and their blocking/authorizing of outbound traffic.  See
Steve Gibson's related site:

  http://grc.com/su-leaktest.htm


Is this a "new class of problem"?
==========================================
Some of the basic issues:

  -- With the Internet now the center of computing... it is very easy to
send outbound data.
  -- The term "trojan horse" is getting stretched more and more each day.
Anti-virus program vendors have not really dealt with "non threatening" data
being sent out.  Unless a program "spreads itself", it isn't really
considered a "virus" .. but that doesn't mean that the program isn't doing
something that most users would consider "bad" ("spyware" being an example).


My Questions
==============
Assuming you consider this an issue that is only going to get larger, how do
we (as firewall engineers) deal with it?

Solutions I can see off the top of my head:

  1)  Allow only outbound traffic to pre-authorized destinations and keep a
list of only those allowable destinations on your firewall.  Using "net
nanny" (censoring) type technology for security purposes.
  2)  Develop a list of "safe client pc programs" and some type of scanning
technology to detect "undesired" programs.

Again, we aren't talking virus here... we are talking something more subtle.

One thing that bugs me about this whole thing.  Is the term "firewalling"
really correct for this?  Is it really more "privacy protection" or as I
have described it "Undesired outbound data leaking" (UODL)?  Is there
already established terminology to describe such issues?

  Stephen Gutknecht
  Renton, Washington