Firewalls

Since the very first computer networks were developed, people have been finding ways to break into them. Corporate computers store valuable financial and competitive data. Individual computers may be used to store Quicken or Microsoft Money files that contain information about credit cards, bank accounts, and other confidential data.

Any time a computer running Windows XP Professional is connected to a network, there is a threat of outside intrusion. The risk of intrusion on private networks with trusted users tends to be minimal, especially when administrators prevent individual users from sharing resources located on their personal computers and restrict resource sharing to highly secure network services. When private networks are connected to the Internet, the risk grows considerably.

Note 

In addition to the threat of external intrusion into computers and networks, administrators need to be concerned about the dangers posed by viruses and similar programs, which users may innocently download or receive as e-mail attachments. A packet filter such as ICF examines packet headers, not content, so an infected download or attachment that the user requested passes straight through it. The best defenses are educating users about the risks of downloading files or opening e-mail attachments from unknown sources, and equipping Windows XP Professional with antivirus software that is kept current with the latest signature updates and patches.

Corporate Firewalls

To protect corporate networks from outside intrusion, network administrators and engineers deploy firewalls. A firewall is a device or computer that protects a network by blocking unknown or dangerous network traffic and allowing only trusted traffic to pass through to the computers on the corporate network. Typically, corporations employ one or more network administrators or engineers dedicated to maintaining network communications and security, relieving the computer administrator of such concerns.

The Internet Connection Firewall

Dial-up Internet access is temporary and ends when the dial-up session closes, and each new session is typically assigned a different IP address. Cable and DSL access, by contrast, is always on: the computer is connected to the Internet whenever it is powered on, and because of the way most ISPs assign addresses (leases that are simply renewed), the computer's IP address rarely changes.

The longer connection time and the stable IP address make an always-on computer a more attractive, and more easily revisited, target for intruders on the Internet. Windows XP Professional provides ICF (Internet Connection Firewall) as a means of combating this threat.

ICF is designed to protect a computer connected to the Internet against intrusion from the Internet by shielding it from port scans and unsolicited inbound traffic. Compared with third-party personal firewalls, ICF is fairly limited: it is designed to provide baseline protection without requiring any user configuration, although it does provide advanced configuration and control for administrators.

ICF is a stateful packet filter for IPv4 traffic. It examines the header of every packet and decides whether to pass it based on the state of the connection the packet belongs to. ICF maintains a table of active connections, keyed by protocol together with the local and remote addresses and ports. Whenever the local computer initiates an outbound connection, a new entry is added to the table and the packet is allowed out. When an inbound packet arrives, ICF checks the table for an entry indicating that the packet is part of a connection the local computer previously established. If a match is found, the packet is allowed to pass; otherwise it is unsolicited, and it is dropped.

There may be instances where certain types of unsolicited traffic are desirable. For example, if a Web server has been set up behind the firewall, unsolicited packets addressed to TCP port 80 must be allowed through the firewall in order to reach the Web server. ICF allows administrators to create static filter entries that define which ports, if any, may receive unsolicited incoming traffic. Each such entry is a hole in the default-deny posture, so open only the ports of services that genuinely need to be reachable from the Internet, and keep the services listening on them patched.
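The following is an added example, not code from the Windows XP Professional Administrator's Guide or from Microsoft. It models the behaviour the two preceding paragraphs describe rather than ICF's actual implementation: outbound packets create entries in a connection table, inbound packets pass only when they match an entry, unsolicited inbound packets are dropped unless a static service entry opens the destination port, and an incoming ICMP echo request is dropped unless the equivalent of the "Allow incoming echo request" option is set. Entry timeouts and TCP flag tracking are deliberately left out. The addresses, ports and packets are constructed for the example.

```python
"""Toy model of the stateful filtering ICF performs (added example)."""
from dataclasses import dataclass, field

LOCAL_IP = "192.168.0.10"  # assumed address of the protected computer

ICMP_ECHO_REPLY = 0
ICMP_ECHO_REQUEST = 8


@dataclass(frozen=True)
class Packet:
    direction: str          # "out" (sent by the local computer) or "in"
    proto: str              # "TCP", "UDP" or "ICMP"
    src_ip: str
    dst_ip: str
    src_port: int = 0       # unused for ICMP
    dst_port: int = 0
    icmp_type: int = -1     # only meaningful when proto == "ICMP"


@dataclass
class Policy:
    # Static filter entries: (protocol, external port) -> internal port.
    # Enabling "Web Server (HTTP)" corresponds to {("TCP", 80): 80}.
    services: dict = field(default_factory=dict)
    allow_incoming_echo_request: bool = False


class StatefulFilter:
    def __init__(self, policy: Policy):
        self.policy = policy
        # Active connections keyed by
        # (proto, local ip, local port, remote ip, remote port).
        self.table = set()

    def decide(self, pkt: Packet) -> str:
        if pkt.direction == "out":
            # Outbound traffic is always allowed; record the connection so
            # that the remote side's replies can be matched later.
            if pkt.proto in ("TCP", "UDP"):
                self.table.add((pkt.proto, pkt.src_ip, pkt.src_port,
                                pkt.dst_ip, pkt.dst_port))
            elif pkt.proto == "ICMP" and pkt.icmp_type == ICMP_ECHO_REQUEST:
                self.table.add(("ICMP", pkt.src_ip, 0, pkt.dst_ip, 0))
            return "ALLOW"

        if pkt.proto == "ICMP":
            if (pkt.icmp_type == ICMP_ECHO_REPLY
                    and ("ICMP", pkt.dst_ip, 0, pkt.src_ip, 0) in self.table):
                return "ALLOW"  # reply to a ping this computer sent
            if (pkt.icmp_type == ICMP_ECHO_REQUEST
                    and self.policy.allow_incoming_echo_request):
                return "ALLOW"  # "Allow incoming echo request" is set
            return "DROP"

        # Inbound TCP/UDP: reverse the tuple and look for a connection we opened.
        if (pkt.proto, pkt.dst_ip, pkt.dst_port,
                pkt.src_ip, pkt.src_port) in self.table:
            return "ALLOW"
        # Unsolicited: only a static service entry for this port lets it in.
        if (pkt.proto, pkt.dst_port) in self.policy.services:
            return "ALLOW"
        return "DROP"


def run_demo() -> dict:
    """Run constructed packets through a filter with only the
    'Web Server (HTTP)' service enabled; return the verdict for each."""
    fw = StatefulFilter(Policy(services={("TCP", 80): 80}))
    remote_web = "203.0.113.5"   # constructed, documentation range
    scanner = "198.51.100.7"     # constructed, documentation range
    packets = {
        "outbound https request": Packet("out", "TCP", LOCAL_IP, remote_web, 49152, 443),
        "https reply": Packet("in", "TCP", remote_web, LOCAL_IP, 443, 49152),
        "forged reply, wrong source port": Packet("in", "TCP", remote_web, LOCAL_IP, 444, 49152),
        "scan of port 445": Packet("in", "TCP", scanner, LOCAL_IP, 40000, 445),
        "client connecting to web server": Packet("in", "TCP", scanner, LOCAL_IP, 40001, 80),
        "incoming ping": Packet("in", "ICMP", scanner, LOCAL_IP, icmp_type=ICMP_ECHO_REQUEST),
    }
    return {name: fw.decide(pkt) for name, pkt in packets.items()}


if __name__ == "__main__":
    for name, verdict in run_demo().items():
        print(f"{verdict:5} {name}")
```

The forged reply shows why the table is keyed on the full address and port tuple: a packet from the right host on the wrong port still has no matching entry and is dropped. Running `run_demo()` passes only the outbound request, its genuine reply and the connection to the statically opened port 80.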

ICF is intended for stand-alone computers that are directly connected to the Internet and for computers on small home or office networks that reach the Internet through ICS or a residential gateway. It should be enabled only on the connection that faces the Internet: enabling it on a connection to the local network blocks file and printer sharing from the other computers on that network. ICF is enabled automatically on computers running Windows XP Professional in the following circumstances:

  • The Welcome to Windows Wizard detects an Internet connection

  • The Connect to Internet option is selected when running the New Connection Wizard

  • The Network Setup Wizard's option to connect directly to the Internet is selected

ICF can also be enabled manually on a connection's Advanced property sheet, as described next.

Enabling ICF

Only an administrator can configure ICF. ICF can be enabled on more than one connection, in which case each connection has its own independent settings. The following procedure outlines the steps required to enable ICF from an Internet connection's Advanced property sheet.

  1. Click on Start and then My Network Places. The My Network Places folder appears.

  2. Click on the View network connections task. The Network Connections folder appears.

  3. Right-click on the network connection and select Properties. The Properties dialog for the network connection appears.

  4. Select the Advanced property sheet, as shown in Figure 17.15.

    Figure 17.15: Enabling Windows XP's ICF

  5. Select the Protect my computer and network by limiting or preventing access to this computer from the Internet option.

  6. Click on OK.

Configuring ICF Port and Protocol Settings

By default, ICF allows all outbound traffic through the firewall and drops all unsolicited incoming traffic. Administrators can modify ICF settings to allow the protocols and ports associated with specific services to pass through the firewall using the following procedure.

  1. Click on Start and then My Network Places. The My Network Places folder appears.

  2. Click on the View network connections task. The Network Connections folder appears.

  3. Right-click on the network connection and select Properties. The Properties dialog for the network connection appears.

  4. Select the Advanced property sheet.

  5. Click on the Settings button located at the bottom of the property sheet. The Advanced Settings dialog appears, as shown in Figure 17.16.

    Figure 17.16: Enabling specific services so that their associated ports and protocols are permitted to pass through ICF

  6. A list of services appears. Table 17.1 lists the default services defined in ICF together with their default external and internal ports. Selecting a service enables it, which allows unsolicited incoming packets addressed to its port to reach the service. To modify the ports and protocol associated with a service, select it and click on Edit. This opens the Service Settings dialog, as shown in Figure 17.17.


    Figure 17.17: Configuring the ports and protocol associated with a specific service

    Table 17.1: ICF Default Services

    Service                                          Protocol   External Port   Internal Port
    -----------------------------------------------  --------   -------------   -------------
    FTP Server                                       TCP        21              21
    Incoming Connection VPN (L2TP)                   UDP        1701            1701
    Incoming Connection VPN (PPTP)                   TCP        1723            1723
    Internet Mail Access Protocol Version 3 (IMAP3)  TCP        220             220
    Internet Mail Access Protocol Version 4 (IMAP4)  TCP        143             143
    Internet Mail Server (SMTP)                      TCP        25              25
    IP Security (IKE)                                UDP        500             500
    Post Office Protocol Version 3 (POP3)            TCP        110             110
    Remote Desktop                                   TCP        3389            3389
    Secure Web Server (HTTPS)                        TCP        443             443
    Telnet Server                                    TCP        23              23
    Web Server (HTTP)                                TCP        80              80

  7. Type the name or IP address of the computer on the local network on which the service runs (the computer itself, or a computer behind it on an ICS network). For some services, administrators can also change the external port (the port Internet clients connect to), the internal port (the port the service actually listens on) and the protocol (TCP or UDP). Click on OK.

  8. Click on Add to open the Service Settings dialog and define a new service, and then click on OK.

  9. Select a service and click on Delete to remove it from the list of services.

  10. Click on OK.

Administering ICF Log Settings

ICF can also maintain a log of dropped data packets and successful connections for administrative review. By default, ICF logging is disabled. The following procedure outlines the steps involved in configuring the ICF log.

  1. Click on Start and then My Network Places. The My Network Places folder appears.

  2. Click on the View network connections task. The Network Connections folder appears.

  3. Right-click on the network connection and select Properties. The Properties dialog for the network connection appears.

  4. Select the Advanced property sheet.

  5. Click on the Settings button located at the bottom of the property sheet. The Advanced Settings dialog appears.

  6. Select the Security Logging property sheet, as shown in Figure 17.18.

    Figure 17.18: Configuring ICF log settings

  7. To enable logging, select one or both of the following options:

    • Log dropped packets

    • Log successful connections

  8. The name of the ICF log is pfirewall.log; by default it is written to the Windows folder (%SystemRoot%\pfirewall.log). Its location is displayed in the Log file options section and can be changed by clicking on Browse and specifying a new folder.

  9. The maximum size of the ICF log file can be changed by editing the value (in KB) shown in the Size limit field.

  10. To restore ICF logging options to their default settings, click on the Restore Default button on the bottom of the Security Logging Property sheet.

  11. Click on OK.

The pfirewall.log file is a plain text file in W3C extended log format: comment lines beginning with # record the version, the software and a #Fields line naming the columns, and each subsequent line records one event (date, time, action such as DROP or OPEN, protocol, source and destination addresses and ports, and further protocol-specific columns). Figure 17.19 shows a sample of the entries found in a typical log file.

Figure 17.19: Examining entries recorded in the ICF log file
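Because the log is plain text, it can be reviewed with a script rather than by eye. The following is an added example, not code from the Windows XP Professional Administrator's Guide or from Microsoft: it parses a pfirewall.log, counts dropped packets per source address and flags sources that probed many different ports within a short window, which is what a port scan looks like from the victim's side. The column names are taken from the log's own #Fields header rather than hard-coded, so a file whose header differs (for example one with extra columns) still parses; the sample log below, including its #Fields line, is constructed for this example and uses documentation address ranges.

```python
"""Parse an ICF pfirewall.log and flag port-scan-like activity (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log; the #Fields line is an assumption about the layout and
# a real file's own header is authoritative because the parser reads it.
SAMPLE_LOG = """\
#Version: 1.0
#Software: Microsoft Internet Connection Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info
2003-05-12 21:14:03 DROP TCP 198.51.100.7 192.168.0.10 40210 135 48 S 1212345678 0 65535 - - -
2003-05-12 21:14:03 DROP TCP 198.51.100.7 192.168.0.10 40211 139 48 S 1212345679 0 65535 - - -
2003-05-12 21:14:04 DROP TCP 198.51.100.7 192.168.0.10 40212 445 48 S 1212345680 0 65535 - - -
2003-05-12 21:14:04 DROP TCP 198.51.100.7 192.168.0.10 40213 1433 48 S 1212345681 0 65535 - - -
2003-05-12 21:14:05 DROP TCP 198.51.100.7 192.168.0.10 40214 3389 48 S 1212345682 0 65535 - - -
2003-05-12 21:14:06 DROP UDP 203.0.113.9 192.168.0.10 1026 137 78 - - - - - - -
2003-05-12 21:14:09 OPEN TCP 192.168.0.10 203.0.113.5 1045 80 - - - - - - - -
2003-05-12 21:14:20 DROP ICMP 203.0.113.44 192.168.0.10 - - 60 - - - - 8 0 -
2003-05-12 21:14:31 CLOSE TCP 192.168.0.10 203.0.113.5 1045 80 - - - - - - - -
"""


def parse_pfirewall_log(text):
    """Return one dict per event line, keyed by the names in the #Fields header."""
    fields = None
    records = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        if fields is None:
            raise ValueError("event line found before the #Fields header")
        values = line.split()
        if len(values) != len(fields):
            continue  # skip a truncated line rather than misalign its columns
        rec = dict(zip(fields, values))
        rec["when"] = datetime.strptime(rec["date"] + " " + rec["time"],
                                        "%Y-%m-%d %H:%M:%S")
        records.append(rec)
    return records


def dropped_by_source(records):
    """Count DROP events per source address."""
    counts = defaultdict(int)
    for rec in records:
        if rec["action"] == "DROP":
            counts[rec["src-ip"]] += 1
    return dict(counts)


def find_port_scans(records, min_ports=5, window=timedelta(seconds=60)):
    """Return {src-ip: sorted distinct destination ports} for every source whose
    dropped TCP/UDP packets hit at least min_ports distinct ports within window."""
    by_src = defaultdict(list)
    for rec in records:
        if (rec["action"] == "DROP" and rec["protocol"] in ("TCP", "UDP")
                and rec["dst-port"].isdigit()):
            by_src[rec["src-ip"]].append((rec["when"], int(rec["dst-port"])))
    scans = {}
    for src, hits in by_src.items():
        hits.sort()
        start = 0
        for end in range(len(hits)):
            # Slide the window forward so hits[start..end] spans at most `window`.
            while hits[end][0] - hits[start][0] > window:
                start += 1
            ports = {port for _, port in hits[start:end + 1]}
            if len(ports) >= min_ports:
                scans[src] = sorted(ports)
                break
    return scans


if __name__ == "__main__":
    events = parse_pfirewall_log(SAMPLE_LOG)
    print("dropped packets by source:", dropped_by_source(events))
    print("probable port scans:", find_port_scans(events))
```

On the sample, 198.51.100.7 is reported as a scanner (ports 135, 139, 445, 1433 and 3389 within two seconds) while the single NetBIOS datagram and the single ping are merely counted. The thresholds are assumptions to tune against a real log: a busy server legitimately reached on several ports needs a higher `min_ports` than a workstation that should receive nothing unsolicited at all.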

Specifying ICMP Settings

ICMP (Internet Control Message Protocol) is used on networks to carry error and status information. Administrators can configure ICF's ICMP settings to determine which requests for information, if any, ICF will allow through the firewall. By default every ICMP option is cleared, so the computer does not answer ping (echo) requests and does not reveal its presence to an attacker sweeping an address range. The following procedure outlines the steps required to modify ICF's ICMP settings.

  1. Click on Start and then My Network Places. The My Network Places folder appears.

  2. Click on the View network connections task. The Network Connections folder appears.

  3. Right-click on the network connection and select Properties. The Properties dialog for the network connection appears.

  4. Select the Advanced property sheet.

  5. Click on the Settings button located at the bottom of the property sheet. The Advanced Settings dialog appears.

  6. Select the ICMP property sheet, as shown in Figure 17.20.

    Figure 17.20: Configuring ICF ICMP settings

  7. To configure which ICMP actions will be allowed through the firewall, select one or more of the following options:

    • Allow incoming echo request

    • Allow incoming timestamp request

    • Allow incoming mask request

    • Allow incoming router request

    • Allow outgoing destination unreachable

    • Allow outgoing source quench

    • Allow outgoing parameter problem

    • Allow outgoing time exceeded

    • Allow redirect

    Allowing incoming echo requests makes the computer answer ping, which tells anyone sweeping the address range that a host is present; enable it only while troubleshooting connectivity and clear it again afterwards.

  8. Click on OK.

Disabling ICF

ICF lacks many of the features found in third-party personal firewalls, so it may be desirable to disable it and install a different personal firewall application. Install and enable the replacement first, so that the computer is never left unprotected, and disable ICF afterwards. The following procedure outlines the steps required to disable ICF for a network connection.

  1. Click on Start and then My Network Places. The My Network Places folder appears.

  2. Click on the View network connections task. The Network Connections folder appears.

  3. Right-click on the network connection and select Properties. The Properties dialog for the network connection appears.

  4. Select the Advanced property sheet.

  5. Clear the Protect my computer and network by limiting or preventing access to this computer from the Internet option.

  6. Click on OK.

Personal Firewalls

ICF provides basic personal firewall services, but it lacks many of the features found in third-party personal firewalls. For example, ICF offers no defense against Trojan horse programs. These are programs that sneak their way onto a computer and then quietly communicate information back to their creator; because ICF allows all outbound traffic, a Trojan horse that is already running on the computer can connect out unhindered. Trojan horse programs can even provide remote control over the computer, allowing their creator to use it, together with hundreds or thousands of other compromised computers, to launch denial-of-service attacks against corporate Web sites. In addition, ICF does not provide an alerting mechanism to inform the user when an attack is occurring; the only record is the log file, and only if logging has been enabled. For reasons like these, administrators may want to disable ICF and install a different product. Examples of third-party personal firewalls include:

  • McAfee Firewall and McAfee Personal Firewall Plus (http://www.mcafee.com)

  • ZoneAlarm and ZoneAlarm Pro (http://www.zonelabs.com)

  • BlackICE Defender (http://www.iss.net)

  • Sygate Personal Firewall and Sygate Personal Firewall PRO (http://www.sygate.com)

  • Norton Personal Firewall (http://www.symantec.com)

Residential Gateways

A residential gateway is an external appliance used on small home or office networks to provide shared Internet access. A residential gateway provides the same set of services provided by ICS, including:

  • NAT. Hides private network IP addresses from the Internet by making only the residential gateway's public IP address visible on the Internet. The residential gateway manages all Internet traffic on behalf of other network computers.

  • DHCP. Assigns TCP/IP settings for all computers on the network.

  • DNS. Provides name resolution services for all computers on the network.

In addition, residential gateways also provide the following network infrastructure:

  • Hub. Connects two or more computers together to create a local area network

  • Switch. Establishes temporary dedicated connection paths between two computers on the network that allow direct communications without affecting other network communications

  • Router. Manages communications between the network and the Internet by automatically routing data packets as necessary between the two network environments

In addition, residential gateways double as hardware-based personal firewalls. Unlike software-based personal firewalls, hardware-based firewalls do not consume the computer's resources in order to operate. A software-based personal firewall defends a computer from traffic that has already reached it, whereas a hardware-based firewall stops an attack at the network edge before it reaches any computer. Software-based personal firewalls must also be installed, configured, and maintained on a computer-by-computer basis, whereas a hardware-based firewall is administered in one place, which makes implementing security a great deal easier for the administrator. The gateway only sees traffic that crosses it, however: it cannot control traffic between computers on the local network, nor stop a program already running on a computer from connecting outward, so it complements rather than replaces a firewall on each computer.

Residential gateways can be used to connect a small home or office network to the Internet via cable and DSL connections. They are inserted between the modem and the network, acting as a filter for network traffic that passes between the modem and the network.

The following procedure outlines the steps involved in setting up a network to use a residential gateway in place of an ICS server.

  1. Disable ICS on the ICS server using the Network Connection Wizard.

  2. Replace the network's hub or switch with the residential gateway.

  3. Connect each computer on the network to the residential gateway.

  4. Restart each computer.

  5. Use the Internet browser on one computer to connect to the residential gateway and configure it according to the instructions provided by the device's manufacturer. Change the MAC address assigned to the residential gateway to match the MAC address of the network adapter that was registered with the ISP. This allows the residential gateway to emulate the existing Internet connection. Alternatively, contact the ISP and register the MAC address of the residential gateway.

  6. Connect the residential gateway to the cable or DSL modem and power it off and then on again.

Note 

Residential gateways are not compatible with ICS: both provide NAT, DHCP and DNS for the network, and running both leaves two DHCP servers handing out addresses on the same network. To use a residential gateway, ICS must be disabled.

Tip 

Residential gateways are compatible with software-based personal firewalls, meaning that both can be deployed on the same network in order to provide a two-layered defense against Internet intrusion.



Microsoft Windows XP Professional Administrator's Guide
ISBN: 1931841969
Year: 2005
Pages: 358