FIREWALL


FIREWALL? WHERE'S THE FIRE?

The Annoyance:

I have antivirus software running on every computer on my network, so why do I need a firewall? Buying and installing all this stuff is annoying.

The Fix:

Antivirus software and firewalls are two different animals, and they protect you from two different types of attacks. Antivirus software locates and eliminates viruses, which are destructive programs sneaked onto your computer (usually through your email). A firewall protects you from attacks by ne'er-do-wells who are trying to enter your computer while you're on the Internet. Because evildoers use both methods of attack, you need both forms of protection.

WINDOWS XP FIREWALL HALTS NETWORK TRAFFIC

The Annoyance:

I added a Windows XP computer to our network. The Help files tell me how important it is to have a firewall on the computer, and they explain how to enable the built-in firewall. However, friends tell me that if I use the built-in firewall, none of the other computers on the network will be able to access the Windows XP computer. Why would an important tool such as a firewall not work on a network?

The Fix:

Your friends are right. The firewall built into Windows XP stops network communications (unless you're running Windows XP Service Pack 2). Isn't that an interesting way to design an operating system feature? Maybe Microsoft doesn't know about the explosive growth of small networks.

If the firewall has been automatically enabled (which occurs frequently when you use the Internet Connection Wizard in Windows XP), you should disable it. Open the Properties dialog box for the Local Area Connection, click the Advanced tab, and make sure the box in the Internet Connection Firewall area is unchecked (see Figure 7-1). Then install a software firewall or a firewall-enabled router (if you're using a router to share your Internet connection).

Figure 7-1. Disable the Windows XP Internet Connection Firewall if you're running a network.


WHAT'S AN INTERNET ATTACK?

Internet attackers use software that randomly selects an IP address and automatically attempts to access the computer linked to that address. (They don't specifically target your computer because they think you have the instructions for finding a long-lost gold mine in a file on your hard drive.) If the attempt fails (a firewall blocks entry), the software moves on to the next IP address. However, if the attempt succeeds, the intruders have access to your computer and its contents. Everything they do occurs in the background, so you won't even notice. Some of the things intruders have done include the following nefarious acts:

  1. Sending executable files containing viruses to your computer.

  2. Renaming or removing files needed to run your computer and its software.

  3. Copying your documents back to their own systems and looking for personal and sensitive information they can use (e.g., identity theft schemes).

  4. Sending enormous files or an enormous number of small files (not necessarily dangerous in themselves) to fill all the free space on your hard drive.

  5. Accessing your computer multiple times in rapid succession, causing the computer to become so overwhelmed that it becomes nonresponsive and frozen. This is called a Denial of Service (DoS) attack.


WINDOWS XP SERVICE PACK 2 OFFERS IMPROVED FIREWALL

The Annoyance:

Our Windows XP computer is running Service Pack 2, and the advertising blurbs say the new firewall lets you have a network. I enabled the firewall, but other computers still can't access the XP machine. What happened?

The Fix:

With SP2, Microsoft added setup options to the built-in firewall. To let network computers access this computer, use the following steps:

  1. Open the Properties dialog box for the Local Area Connection and click the Advanced tab.

  2. Click the Settings button to open the Windows Firewall dialog box.

  3. Click the Exceptions tab and check the File and Printer Sharing box (see Figure 7-2).

Figure 7-2. Enable network communications by making an exception to the firewall's data blocking.


It's beyond the scope of this book to discuss all the security settings available in Windows XP Service Pack 2, including the firewall. However, you should investigate some of the other firewall settings that allow you to use the Remote Assistance and Remote Desktop features. The Help files for SP2 provide instructions and explanations. You'll also need to configure the firewall if you want to play Internet games or take part in online conferences.

SHARED TELEPHONE MODEMS NEED FIREWALLS

The Annoyance:

Our network uses Internet Connection Sharing to share a telephone modem. Do I have to have a firewall on every computer on the network?

The Fix:

Nope, you only need to protect the computer that has the modem (the host computer). The host is a gateway, and a firewall on the gateway guards the computers on the network side of the gateway like Cerberus guards the entrance into the underworld.

Hound of Hell

If you're not up on mythology, Cerberus is a fierce, three-headed dog that guarded the entrance of Hell to prevent the living from entering the world of the dead. In some ancient documents, the dog's name was spelled Kerberos. Companies that run Windows 2000 or 2003 domains use a security process named Kerberos to authenticate users and prevent unauthorized entry into the network. Taking this to its logical conclusion, it means that corporate network systems are a form of Hell, a statement that some system administrators find accurate and even satisfying.


WINDOWS XP FIREWALL FOR BROADBAND-BASED ICS

The Annoyance:

We have a cable modem, but we didn't buy a router. Instead, we attached the cable modem to a Windows XP computer and set it up as an ICS host. Can I use the built-in Windows XP firewall to protect the entire network?

The Fix:

Yes, but make sure you enable it on the right network adapter. To share a cable modem (or a DSL modem) without a router, the host computer has two network adapters: one connects to the hub where the other computers meet and the other connects to the modem. Enable the built-in firewall on the adapter connected to the modem.

SAFEGUARDING OLDER COMPUTERS

The Annoyance:

The four computers on our network share a router without a firewall. Two of the computers, however, run Windows XP SP2 and use the built-in firewall. The other two computers run Windows 2000 Professional and 98SE. Do they have a version of the built-in firewall?

The Fix:

No, you'll have to install a software firewall on the computers running Windows 2000 Professional and 98SE. I use Zone Labs' ZoneAlarm, and for most home networks the freebie version of ZoneAlarm does the job. Another well-known software firewall is Internet Security Systems' BlackICE. Symantec and McAfee, best known for their antivirus software, also offer good firewall programs.

  • Zone Labs (http://www.zonelabs.com/store/content/home.jsp)

  • Internet Security Systems (www.iss.net/)

  • Symantec (http://www.symantec.com/index.htm)

  • McAfee (http://www.mcafee.com/us/)

ROUTERS CAN PROTECT YOUR NETWORK

The Annoyance:

We use a router with a built-in firewall for shared Internet access. Do I still have to install firewall software on all the computers on the network?

The Fix:

No, the router blocks malicious intruders at the gateway, which protects all the computers on the network.


Warning: Most hardware-based firewalls block only incoming traffic. This approach doesn't provide bidirectional security (see "Software Firewalls Go Both Ways").

STATEFUL INSPECTION CAN TELL WHO'S LYING

The Annoyance:

We're considering adding a router with a firewall to our network. Some of the routers say they use "stateful inspection." Is this an important feature worth paying for?

The Fix:

Stateful inspection is a firewall technique that makes sure the data coming through the firewall is truthfully describing itself. Different types of data use different virtual ports on a computer, and a firewall lets data come through some ports and closes other ports. For example, a stateful inspection firewall will make sure that the data that uses the HTTP port (the protocol of Internet web pages) is really HTTP, and not some dangerous programming code. Because Internet hackers don't announce their data packets with a reference that says "there's dangerous stuff in this data packet even though it says it's HTTP," stateful inspection is important. (If you're curious about the technical stuff, see the sidebar "Ports and Data.")

PORTS AND DATA

Computers send and receive data through ports. You've already worked with ports because you've connected a printer to a parallel or USB port, or you've attached a modem or handheld device to a serial or USB port.

Besides these physical, visible ports, your computer has thousands of virtual ports. A virtual port is a software service. However, all ports, both physical and virtual, exist to accept and send data.

Virtual ports are numbered from 0 to 65536, and the ports between 0 and 1024 are reserved for use by certain services. For example, Hypertext Transfer Protocol (HTTP), which is the protocol you use when interacting with a web page, usually uses port 80. Ports work by "listening" for data and will automatically accept data if it's the right type of data for that port.

Internet intruders use ports to send and receive data between their computers and your computer. They use software that tests certain ports by pretending to send data of a type supported by that port. This practice is called port scanning, and it's the most popular method of testing whether a computer is vulnerable to attack. The intruders scan the ports on computers and determine the services currently listening for connections and the specific ports they're listening on. (A port that is listening is deemed open and willing to accept data.) The Internet hacking software uses that information to make the data stream they send resemble the appropriate type of service for the listening port. Virtual ports are dumb, and they'll accept the incoming technical information that says the data stream is of a certain type.

Firewalls that use stateful inspection check the data passing through ports to catch data packets that identify themselves as being appropriate for the port but really aren't. When the firewall discovers that the data packets are faking the data type, it stops the transmission.
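As an added illustration (not from the book or any firewall vendor), here is a simplified version of the check the sidebar describes, in Python: a rule table opens only the HTTP port, and a payload arriving on that port is let through only if it is a well-formed HTTP/1.x request; everything else is dropped. The sample payloads are constructed, and real stateful inspection also tracks each connection's state, which this sketch leaves out.

```python
import re

# Added illustration: a rule table that opens only the HTTP port, plus a
# per-port content check. Each open port is paired with a function that
# returns True when the payload really looks like the protocol the port is
# reserved for; anything else is dropped.

_REQUEST_LINE = re.compile(
    rb"^(GET|HEAD|POST|PUT|DELETE|OPTIONS|TRACE|CONNECT) "  # method
    rb"(\*|/\S*|https?://\S+) "                             # request-target
    rb"HTTP/1\.[01]\r\n$"                                   # version + CRLF
)
# field-name ":" optional whitespace field-value CRLF
_HEADER_LINE = re.compile(rb"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+:[ \t]*[^\r\n]*\r\n$")


def looks_like_http(payload: bytes) -> bool:
    """True if the start of a stream to port 80 is a well-formed HTTP/1.x request."""
    head, sep, _body = payload.partition(b"\r\n\r\n")
    if not sep:                       # headers never terminated: not HTTP
        return False
    lines = head.split(b"\r\n")
    if not _REQUEST_LINE.match(lines[0] + b"\r\n"):
        return False
    return all(_HEADER_LINE.match(line + b"\r\n") for line in lines[1:])


# port -> content check; any port absent from this table is closed
OPEN_PORTS = {80: looks_like_http}


def inspect(dst_port: int, payload: bytes) -> str:
    """Decide what the firewall does with the first packet of a new connection."""
    check = OPEN_PORTS.get(dst_port)
    if check is None:
        return "drop: port closed"
    if not check(payload):
        return "drop: payload does not match the port's protocol"
    return "allow"


# Constructed sample payloads.
REAL_HTTP = b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n\r\n"
NOT_HTTP = b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00"   # start of a Windows executable
BARE_LF = b"GET / HTTP/1.1\nHost: example.com\n\n"          # wrong line endings

if __name__ == "__main__":
    for port, data in [(80, REAL_HTTP), (80, NOT_HTTP), (80, BARE_LF), (139, REAL_HTTP)]:
        print(port, inspect(port, data))
```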


SOFTWARE FIREWALLS GO BOTH WAYS

The Annoyance:

Some people tell me that a software firewall is preferable to the Windows XP firewall or a firewall on a router. Isn't blocking data from the Internet the same thing no matter which type of firewall you use? I mean, either the data is allowed through or it isn't; who cares what type of firewall does the blocking?

The Fix:

Your logic is impeccable. If you want to block unwanted data trying to get to your computer from the Internet, a firewall is a firewall is a firewall.

But hold on a minute. You talked about blocking data trying to get into your computer. What about data trying to get out? Can you think of times that you don't want to send data to another computer on the Internet? No? Well, suppose you pick up a virus that gathers your files and sends them to some hacker's computer? Suppose you download a really nifty software program or game and you don't know that it's programmed to send sensitive and private information to some punk who will use it to steal your identity, or use your cookies to gain access to a web site that has your credit card numbers.

Most hardware firewalls worry only about incoming data streams; they don't give a hoot about stuff moving from your computer to the Internet. Software firewalls ask your permission before letting any software send data from your computer to the Internet.


Tip: You can configure some hardware firewalls to protect you from unwanted outward-bound data transmissions. However, you usually have to know a lot of technical gunk to get the configuration right. Play it safe and go with a software firewall.

STOP FIREWALL POP-UP NOTIFICATIONS

The Annoyance:

The software firewall I installed on all the computers on our network drives everyone crazy. A pop-up appears every few minutes to announce that the firewall has blocked access to the computer from the Internet. I would rather risk an intruder than have to click OK to clear the pop-up window every couple of minutes.

The Fix:

Don't worry; you can stop the pop-ups. But aren't you amazed at how often somebody tries to access your computer? The thought that some or most of those attempts are attacks is scary.

All software firewalls offer an option to suppress the pop-up notifications about incoming data streams, and you usually have the option to save the information to a log file. Check the Help files to learn the exact steps.

DON'T BLOCK OUTGOING FIREWALL POP-UP NOTIFICATIONS

The Annoyance:

Every so often, my firewall software opens a pop-up message to ask me whether some program can send information to the Internet. It's always OK because the program needs to get to the Internet (for instance, it's the Microsoft Help Files program). Is there a way to turn off the notifications?

The Fix:

Your firewall asks for permission when it doesn't know how you feel about a specific program. By default, most software firewalls assume you want to let your browser access the Internet, so they configure themselves to permit the browser to send data without asking your permission. Any other program that isn't on the list requires your permission.

When you give permission for a program to access the Internet, always select the option to give the program permanent permission. Then you'll never be asked again. You can also preconfigure your firewall with the names of programs (in addition to your browser) that should automatically be allowed to send data from your computer. Check the Help files to learn how to add programs to the list of preapproved data senders.

APPROVED OUTGOING PROGRAMS ASK FOR PERMISSION AGAIN

The Annoyance:

My antivirus and accounting software both check the vendors' web sites periodically for updates. I configured the firewall to let these programs access the Internet, and selected the option to make it a permanent permission. Today, the firewall asked me if the accounting software could access the Internet. Doesn't the firewall have the same definition of "permanent" that I do?

The Fix:

The program changed, and your firewall is asking permission again to make sure it's OK to let the changed program send data from your computer to the Internet. In fact, you can probably find a note on the pop-up that says the program has changed since the last time you gave it permission to send data to the Internet.

Programs change when you download upgrades to the software, and for both antivirus and accounting software programs, this is a frequent event. The firewall's approach is a good protection scheme because it prevents the possibility that some virus or other maleficent program is using the name of an existing software program to accomplish some horrific deed. If you didn't recently upgrade the software, don't give permission.
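As an added illustration (not the book's or any firewall vendor's code), here is one way a software firewall can tell that an approved program "changed": the permanent-permission table records the program's path together with a SHA-256 hash of its executable, so a new version (or something else installed under the old name) no longer matches and is asked about again. The program name and file contents in the demo are constructed.

```python
import hashlib
import tempfile
from pathlib import Path

# Added illustration of a software firewall's "permanent permission" table.
# A grant is keyed by the program's path AND the SHA-256 of its executable,
# so an upgraded binary, or anything that replaced the real program under
# the same name, no longer matches and has to be approved again.


def fingerprint(program: Path) -> str:
    """Hex SHA-256 of the executable's contents, read in chunks."""
    digest = hashlib.sha256()
    with program.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


class OutboundPolicy:
    """Which programs may send data from this computer to the Internet."""

    def __init__(self) -> None:
        self._allowed = {}  # program path -> fingerprint recorded at approval

    def grant_permanent(self, program: Path) -> None:
        self._allowed[str(program)] = fingerprint(program)

    def decision(self, program: Path) -> str:
        """'allow', 'ask' (never approved) or 'ask-changed' (approved, but the binary differs)."""
        recorded = self._allowed.get(str(program))
        if recorded is None:
            return "ask"
        if recorded != fingerprint(program):
            return "ask-changed"
        return "allow"


def demo() -> list:
    """Constructed walk-through: approve a (fake) accounting program, then upgrade it."""
    with tempfile.TemporaryDirectory() as tmp:
        exe = Path(tmp) / "accounting.exe"   # hypothetical program, not a real product
        exe.write_bytes(b"version 1 of the accounting program")
        policy = OutboundPolicy()
        before = policy.decision(exe)        # never seen: the firewall asks
        policy.grant_permanent(exe)
        approved = policy.decision(exe)      # same binary: silently allowed
        exe.write_bytes(b"version 2 of the accounting program")
        upgraded = policy.decision(exe)      # contents changed: asked again
        return [before, approved, upgraded]


if __name__ == "__main__":
    print(demo())
```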

CHECK THE PROGRAM BEFORE YOU GIVE PERMISSION

The Annoyance:

Sometimes my firewall pop-up tells me that some program is trying to exchange data with another computer, not with the Internet. In fact, sometimes the pop-up warns me that the program is asking for server rights. This sounds very scary.

The Fix:

Some programs, mostly utilities built into Windows, are designed to implement network tasks. For example, you might see a pop-up reference to Generic Host Process for Win32 (which lets computers on the network access each other) or to the Spooler Service (which lets you send data to a remote printer). Most of the program names contain a reference to Microsoft or Windows, but do some homework (search the Internet or search Microsoft's web sites) before you give permission.

WHICH COMPUTERS SHOULD HAVE A SOFTWARE FIREWALL?

The Annoyance:

We've decided on a software firewall for our network. Do I have to install a copy on every computer on the network?

The Fix:

Maybe yes, maybe no. If your computers directly access the Internet through a router (without a built-in firewall), each computer needs a copy of the firewall. If you're using ICS, only the computer that hosts the Internet connection needs a firewall.

TEST THE FIREWALL

The Annoyance:

How can you tell whether the firewall works properly?

The Fix:

Test it. Several web sites exist for testing firewall effectiveness. One of the best is from Gibson Research Corporation (www.grc.com/). To test your firewall, click the Shields Up! link on the home page, and then scroll down the page and click the Shields Up! link. Click the Proceed button to begin the test. Select the tests you want to run (File Sharing and Common Ports are the most important). GRC attempts all sorts of tricks to break into your computer and then posts its results. You can see the results of my File Sharing test in Figure 7-3, and the results of my Common Ports test in Figure 7-4. If you don't see similar results when you test your computer, you need to reconfigure your firewall.

Figure 7-3. My firewall is taking care of file security.


Figure 7-4. Secured ports keep intruders out of my computer.




    Home Networking Annoyances
    Home Networking Annoyances: How to Fix the Most Annoying Things about Your Home Network
    ISBN: 0596008082
    Year: 2006
    Pages: 90
    Authors: Kathy Ivens
