21.6. Sealing Your Computer's Firewall

Believe it or not, there are even more bad things that can happen when you're online. Total strangers, next door or in Eastern Europe, can connect to your Windows PC, invisibly take control of it, and turn it into, for example, a relay station that helps them pump out millions of pieces of spam (junk email) every day. You might notice that your PC has slowed down, and you might not. But you've just become part of the problem.

How is this possible? To understand the technical underpinnings, you need to know about ports.

Ports are like TV channels. Your PC has a bunch of them, each one dedicated to letting certain kinds of Internet information pass through: surfing the Web, sending email, downloading files, playing videos, and so on. Trouble is, Internet intruders roaming around online know how to use these ports to their advantage. They use software that can slip into your PC through one of these ports.

Ready to yank your modem cable out of the wall yet? Relax. You can stop the baddies just by using a firewall, a security barrier that prevents people or programs from sneaking into your machine via your Internet connection. A firewall can be a software program or a physical piece of hardware.

Good firewalls can monitor both incoming and outgoing traffic. So, in addition to keeping out intruders, your firewall can detect (and stop) spyware or a virus trying to transmit information from your computer.

21.6.1. Hardware Firewalls

A hardware firewall is a physical box sitting squarely between your computer and the Internet outside so potential intruders can't see your machine. You may have one and not even know it. For example, if you've installed a router (Section 1.1.1.2) so that more than one computer can share your cable modem, you may be delighted to learn that it's probably a hardware firewall. It constantly screens the traffic to and from your networked computers.

Even if you don't have a home network, a router with a built-in firewall is a good investment, especially if you have a broadband connection. When shopping, look for a router with a firewall that includes both SPI (Stateful Packet Inspection) and NAT (Network Address Translation). Security products like the AlphaShield (www.alphashield.com), which plugs in between your computer and your broadband modem, also monitor all Internet traffic and block any suspicious activity.

WORKAROUND WORKSHOP
Making Exceptions to the Firewall

Windows Firewall takes your security very seriously, sometimes too seriously. It may balk at letting you play online games or exchange instant messages. If you see a message like "Should AcroRD32.exe be allowed to connect to the Internet?", it means a program (Adobe Acrobat Reader, in this case) needs to go online and hunt for information or updates.

You can eliminate these annoying questions by making trusted programs (like Acrobat Reader) exceptions to the firewall's rules. Programs on the Exceptions list always pass through the firewall unhindered.

To add a program to the Windows Firewall Exceptions list, follow these steps:

First, choose Start → Control Panel → Security Center → Windows Firewall. (Or, if you use the Control Panel's Classic view, just choose Start → Control Panel → Windows Firewall.) Now, in the Windows Firewall box, click the Exceptions tab and then click the Add Program button.

The firewall displays a list of programs it recognizes. If the program you want to add to the exceptions is listed, click its name and then click OK.

If you don't see the program in question, click Browse. In the dialog box that opens, navigate to and select the program's icon. Click OK. The program joins the Exceptions list, which means it can get past the firewall and talk to other computers or programs on the Internet.

Some programs, on the other hand, ask you for access. For example, the World of Warcraft online game requires you to open two of those Internet ports: TCP port 3724 and TCP port 6112. (If you're having trouble connecting your video game or any other program to the outside world, check its manual to see if it requires certain ports to be open on your computer.)

To do this advanced surgery, go back to the Windows Firewall Exceptions tab as described above. Then, in the lower part of the box, click Add Port. When the "Add a Port" dialog box opens, fill it in, as shown in Figure 21-4.

(If your firewall one day becomes so overloaded with exceptions that it feels about as secure as a piece of Swiss cheese, you can reset it back to the way it originally was by clicking the Advanced tab in the Windows Firewall box and clicking the Restore Defaults button.)


21.6.2. Software Firewalls

A software firewall is good protection, too. No wonder both Windows and Mac OS X come with such a feature built right in. (All the Internet security suites described in Section 7.2.2.1 include firewall programs as well.)

Figure 21-4. Occasionally, to get a program through the firewall, you must open the port it wants to use. On the Windows Firewall Exceptions tab, click the Add Port button. In the "Add a Port" dialog box, type a name (so you'll remember why you're opening that particular port) and enter the port number, which you can usually find in the program's manual or Web site.


Tip: If you have a hardware firewall (like a router), you don't need to turn on a software firewall too.

21.6.2.1. The Windows XP Firewall

When Windows XP first appeared back in 2001, it came with a nifty new feature: built-in firewall software. Unfortunately, Microsoft left the firewall turned off, and few people could find it to turn it on. So, in the interest of greater security, Service Pack 2 (which Microsoft released a few years later) automatically flips the Windows Firewall on. In fact, once you install this update, Windows XP pesters you (by popping up yellow warning balloons from the taskbar) if you turn the firewall off.

If you do have Service Pack 2 installed, either because you installed it or because you bought your computer after October 2004, you can find the on/off switch for the firewall like this. Choose Start → Control Panel → Security Center → Windows Firewall. (If you use the Control Panel's Classic view, choose Start → Control Panel → Windows Firewall.) On the General tab of the Windows Firewall control panel, click the button next to "On (recommended)" and then click OK. The firewall's Off button is here, too, if you need to shut it down for a minute to troubleshoot your Internet connection or something.


Note: If you like the sound of a sturdy, free firewall that's more powerful (because it blocks traffic coming and going through your computer), check out ZoneAlarm (www.zonelabs.com). With a friendlier interface, ZoneAlarm is often easier to use than the built-in Windows Firewall, which is set to block unauthorized traffic coming to your PC from the outside world, but it may not be much help against programs on your PC trying to sneak out to the Internet without your permission. ZoneAlarm works with systems as far back as Windows 98SE, so it gives you a firewall option if your PC is too old to run Windows XP. (And if you do have Windows XP, you can still use ZoneAlarm. The Windows Firewall is savvy enough to get out of the way when you install an alternative program.)

To try the software, scroll down to the bottom of ZoneLabs' home page and click "Free ZoneAlarm and Trials." You can get the free version here or buy the $50 full-featured edition with more controls and technical support. Once you download and install the program, ZoneAlarm makes your machine invisible to other computers nosing around on the Net.

21.6.2.2. Setting up the Mac OS X firewall

Apple's system security for its Mac OS X Tiger system is even stricter than Microsoft's: Out of the box, all communication ports and services on the Mac are closed to the outside. (That's one reason the Mac hasn't attracted hackers like Windows has.) The Mac also comes with its own built-in firewall that blocks all incoming Internet traffic except for the programs you allow through.

Its factory setting is Off, though, so you need to give it a little click-start.

To turn on the Mac OS X firewall, follow these steps:

  1. Go to System Preferences → Sharing. Click the Firewall tab, and then click the Start button.

    The Mac fires up its firewall software. Again, the firewall starts out blocking every sort of Internet communication, so you must turn on the ones you want to use.

  2. In the Allow list, select the programs or functions you want to let through the firewall.

    As shown in Figure 21-5, turn on the checkboxes next to, say, iTunes Music Sharing and other network services you plan to use.

Figure 21-5. Mac OS X starts out fully barricaded against Internet intrusions. However, you can let programs and services through the firewall by simply selecting them in the Firewall tab on the Sharing preferences window.


Tip: Want to make sure your computer's firewall is doing its job? Several online sites offer to knock on your computer's ports and see if there are any openings for intruders to slither through. Check out ShieldsUP (www.grc.com), Hackercheck (www.hackercheck.com), or Planet Security's firewall check (www.planet-security.net).
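
The same kind of check can be run against your own PC from a second computer on your network. The Python script below is an added example, not part of the book: it tries each TCP port and reports whether it is open, closed, or silently filtered, then compares the result with the exceptions you meant to create. The ports are the World of Warcraft ones from the sidebar; the address 127.0.0.1 is a placeholder assumption, and a check made from the PC itself over that loopback address generally does not pass through the firewall.

```python
import socket

# TCP ports from the World of Warcraft example in the text.
PORTS_TO_CHECK = [3724, 6112]


def classify_port(host, port, timeout=2.0):
    """Return the state of one TCP port as seen from this machine.

    open        - handshake completed: a program is listening and the
                  firewall let the connection through
    closed      - connection refused: host reachable, nothing listening
    filtered    - no reply before the timeout: packet silently dropped,
                  the "invisible" result a firewall aims for
    unreachable - any other network error
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
        return "open"
    except ConnectionRefusedError:
        return "closed"
    except socket.timeout:
        return "filtered"
    except OSError:
        return "unreachable"
    finally:
        sock.close()


def audit(host, ports, expected_open, timeout=2.0):
    """Compare each port's state with the exceptions you meant to create."""
    report = []
    for port in ports:
        state = classify_port(host, port, timeout)
        if state == "open" and port not in expected_open:
            verdict = "UNEXPECTED: open but not on your exceptions list"
        elif state != "open" and port in expected_open:
            verdict = "not reachable: exception missing or program not running"
        else:
            verdict = "ok"
        report.append((port, state, verdict))
    return report


if __name__ == "__main__":
    # Assumption: placeholder address; use the address of a PC you own.
    for row in audit("127.0.0.1", PORTS_TO_CHECK, set(PORTS_TO_CHECK)):
        print(row)
```

A port you opened shows as "open" only while the program that uses it is actually running; any port that shows "open" without a matching entry on your Exceptions list deserves a closer look.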



The Internet. The Missing Manual
Year: 2006
Pages: 147
Authors: David Pogue