Freedom and Firewalls
I'm no longer who I appear to be - they won't let the real me out on the Internet any more. Confused? Probably not as confused as I've been lately.
It seemed like a good idea at the beginning - during that golden moment in a project when the imagined wonders to be accomplished still retained enough substance to conceal the dark menace of unexpected difficulties lurking in the hazy shadows. I started out thinking I was working on a computer project, but have since discovered that it was a digital education in freedom and responsibility.
I've been learning the Linux operating system (largely by trial and error) as part of a larger project to add Internet services to my software products. (The majority of servers on the Internet run on Linux.) One of the conundrums of developing network software is that once customers are actually using the product, the development environment where it was created is no longer appropriate. All the "I wonder what will happen when I do this" experiments which development systems are obliged to suffer, not to mention the novel events that can occur while debugging early versions, tend to be incompatible with the reliable performance and availability that many users seem to think are important.
One of my Internet projects was finally ready for commercial use, which marked the point where I needed to move the whole Internet project off my development system, and onto its own dedicated hardware. I spent weeks building the new server and getting it running in parallel with the old server.
It should have been a simple matter of changing the network addresses in various computers to swap identities, allowing the new server to take over where the old one left off. And on certain levels it worked as planned. Unfortunately I didn't yet know enough about what I was trying to do, to have a plan that would do what I wanted. Once again I was provided an opportunity to learn the hard way the difference between what I wanted to do, and what needed to be done.
I quickly discovered that the change over was going to be a lot more complicated than I'd led myself to believe. The part of the transition I'd been focused on - shifting Overall Technology's external connection to the Internet - went pretty smoothly. I changed the names and dot number addresses of the computers, connected the new server to the DSL line, and it worked. What I hadn't adequately considered was the effect the change was going to have on my personal access to the Internet.
Up to that point I'd been using one fairly powerful computer for all of the Linux parts of the project. The same Linux computer was running the firewall, web-server, x-windows user interface (the Linux graphic UI), my personal email and web-browser, as well as acting as the domain master and proxy server for back-end application engines running on another machine. While none of the hardware had to be moved in the physical world, when the firewall, web-server, and proxy server functions were shifted to the new dedicated server, my personal machine lost its direct connection to the Internet. My personal machine now had to go through a separate firewall machine to reach the outside world - and the firewall machine had its own set of values and priorities that didn't entirely agree with those of my personal machine.
When it had its own direct connection, my personal machine was an individual - free to do as it pleased and responsible for its own actions. It could access any website on the planet, download any new drivers or software it found interesting, and exchange emails with any other computer out there in the rough and tumble connected world. It also had to take personal responsibility for its own well-being, and exercise reasonable precautions to protect itself from the potential dangers of life on the digital frontier.
A broadband connection with minimal restrictions made the digital world my oyster. Megabytes of email flowed in and out of my computer each month. I used the greatest reference library humanity has ever created to look up information as varied as the telephone numbers of local businesses, potential prescription drug interactions, the arcane details of encryption algorithms, Athenian philosophical justifications for their conquest of Melos following the Peloponnesian war, and the order in which episodes of The Avengers were originally broadcast by the BBC over 30 years ago.
I surfed websites from the profound to the profane with impunity. I watched streaming videos of stand-up comics and news events, sleazy multimedia advertisements and scholarly presentations. Web cams around the world allowed me to check out the traffic along a local route I was about to travel, or watch cars driving on the "wrong" side of the road through an intersection on the other side of the world. I could digitally visit the crowds on sunny beaches, or see what was happening in Antarctica. I could even remotely control robotic arms that stacked blocks in Australia, or tended a garden in California.
I could choose to play games, hang out in chat rooms, bid in auctions, or listen to music that can't be found in a record store. Or I could choose not to. It was my decision. All that changed when my personal machine surrendered the individualism and personal responsibility of its direct connection, for promises of safety and security on a restricted intranet behind a firewall.
The attraction of retreating behind a firewall is understandable. We're endlessly told that the Internet has become a dangerous place. The mainstream media is rightly terrified of competition from the Internet, and delights in spreading the alarm about viruses, vandalism, and data theft on the Internet.
The "law enforcement" system protects computer vandals from the wrath of their victims, and then fails to hold those few who do get themselves caught accountable for even a tiny fraction of the harm they've caused. The protected criminality on the Internet hasn't yet become sufficiently harmful to convince users to accept the kinds of heavy handed regulation that government has repeatedly attempted to impose. Authoritarians fear the anarchic freedom of the net far more than crimes committed against citizens. They have little interest in discouraging cyber criminals since their primary objective is to create a crisis that can be used to justify the regulation, and eventual suppression, of freedom on the net.
Denied any effective means of discouraging cyber criminals, potential victims are obliged to employ defensive measures like firewalls. But the idea of giving a firewall exclusive responsibility for protecting all of the computers on a local network has some hidden costs and limitations. There are multiple computers on the network behind my firewall, with varying capabilities of protecting themselves from vandals and data thieves. In the past, those computers that were unprepared for the dangers of the outside world were simply restricted from access to that world - just as it was once accepted practice to restrict children from access to inappropriate aspects of the adult world.
An artificial equality among computers is imposed on a firewall protected network, with the same level of firewall protection provided to one and all, regardless of each machine's actual needs and abilities. As a result, the firewall must be configured to provide the level of protection needed by the lowest common denominator - the most vulnerable data and the least secure hardware.
The primary justification for the firewall is to protect the machines behind it. But providing that level of protection requires that the firewall inspect every packet that appears at its interface, and decide whether to accept or reject it based on a set of rules. Having control over every packet passing between the protected network and the outside Internet gives the firewall a great deal of power and control. It can decide to pass a packet on to its intended destination, divert it to a different destination, bounce it back to its source, or make it disappear altogether. It can also decide to record everything it does in its logs, or only record those things it's been told to watch for.
One of the security measures the firewall employs is to make itself the common identity for all of the machines on the network. The idea is that the identities of the individual machines on the protected network should be meaningless to the outside world, and so the firewall provides a common identity for all. As packets from machines on the local network pass through the firewall, the firewall substitutes its own identity for that of the original source. It does the swap in reverse for incoming packets. This relieves the productive computers of any responsibility for cooperating in the masquerade. It also eliminates any necessity for the productive machines to even be aware that their output is being manipulated. Each machine is allowed to continue thinking it's a unique independent individual - as long as it doesn't actually try to be one.
The firewall's behavior is determined by the rules. The standard approach is to block everything by default, and then add rules to only allow access to specific ports and services. The rules can be invisible or intrusive depending on how well they match the needs of the machines being protected. Those who closely fit the target profile of the rules may not even know the firewall is there. Those who vary from the target profile will likely find that their otherwise legitimate activities have been blocked. The service or port they want to use might be blocked because it can be exploited by malicious outsiders, or misused by someone inside the protected network. It might be blocked because whoever controls the firewall never bothered to provide the rules necessary to allow it, or because someone decided - for whatever reason - that computers on the protected network should not be allowed to use it.
One of the claimed advantages of a firewall is that the concentration of power and responsibility makes it easy to maintain. New rules can be imposed on the entire network from a single central location, without having to deal with each productive computer as an individual. This concentration of power becomes an obvious avenue for abuse. Adding a rule for political or emotional reasons becomes no more difficult than adding one to block a potential security risk.
Policies that would be difficult or unreliable on an individual level can be easily implemented at the firewall level - regardless of the willingness, or ability, of the individual machines and users, or whether the policy resulted from well reasoned intentions, misunderstandings, or mistakes. This also makes it possible to impose policies from the firewall level that would be actively resisted at the individual level. The capabilities and perceived rights of the individual machine are meaningless if the firewall won't allow those capabilities and perceived rights to be exercised.
Firewalls are commonly configured with rules to pass through any packets between machines in the "trusted-space" of the protected network. However, it's simply a matter of changing the rules to have the firewall do whatever is desired to any trusted-space traffic routed through it. This can be a useful investigative tool if any "trusted" machines are suspected of being infected by viruses or other outside influences. While the initial justification for a firewall is usually to protect against external dangers, it can easily become a tool for controlling activities in the trusted-space of the protected network - if that is the desire of those in control of the firewall rules.
Some of the machines that now must be protected on the local network are inherently insecure, and weren't previously allowed access to the Internet. Since the firewall must protect all computers on the local network from external dangers regardless of whether those computers are ever used to access the outside world, the firewall's rules must be determined by the least secure machine. My personal machine is far more secure than some of the others, but it's now denied the advantages of its superior capabilities because it must share the firewall with less capable machines.
As a direct result of having surrendered its direct access for promises of safety behind the firewall, the machine I've been using to participate in the connected community is no longer allowed an independent identity outside the firewall, and is now unable to access a number of previously available - and otherwise legal - services that the increasingly authoritarian firewall rules are now blocking.
As the author of the firewall rules in my system, I have more direct control than most networked users. If I find the restrictions on my freedom unacceptable, I can rewrite my rules, reconfigure my network, or even disable the firewall completely. But even though it's unlikely any master of the rules could be more accommodating of my desires as a user, I still find myself debating with myself over tradeoffs between security and freedom. The basic nature of the firewall predisposes the master of the rules in me toward erring on the side of excessive restrictions, while the user in me tends to favor greater freedom.
Those who have surrendered their freedom for the protection of firewall rules that are outside of their control, have little alternative than to humbly accept whatever access the rules allow. They can only hope whoever does control the rules, doesn't arbitrarily decide to further enhance the security of the network by blocking their access privileges entirely.
We're told that individuals should no longer take personal responsibility for their own well-being. We're told that we should surrender our individual freedoms, and fundamental right of self-defense, in return for the promises of safety offered by a "law enforcement" firewall. Those who give up their individual freedoms will find that the offer costs them far more than they ever suspected. After they've imprisoned themselves behind the "law enforcement" firewall, those who hoped to buy safety with their freedom will also discover that all of their carefully crafted escape clauses have suddenly become void.
StumbleUpon
Reddit