15.7. Installing a Firewall
PCs are no longer safe when directly connected to the Internet. A new, unpatched version of Windows XP typically becomes infected within 15 minutes of connecting to the Internet. Microsoft finally realized the extent of the problem, and its collection of patches in Service Pack 2 automatically flipped Windows XP's built-in firewall to "On." (Before that, Microsoft expected you to find the firewall and turn it on yourself.)
Firewalls work their magic by constantly monitoring the flow of information between your PC and the Internet. When a program, your Web browser for instance, needs information, it sends a request to the Internet, asking for information to be sent back to your PC. The firewall takes careful note of every request, as well as every piece of incoming information.
When the firewall finds a match between a request and an answer, it lets the answer enter your PC. But if information arrives without a matching request, the firewall assumes it's either evil, lost, or simply background noise; either way, the firewall prevents it from entering.
Firewalls come in two types, hardware and software, both described next.
15.7.1. Hardware Firewall
Letting your broadband-fed PC connect directly to the Internet is like not bothering to install a door. It's convenient when carrying in groceries, but otherwise it's a pretty unsafe arrangement.
That's where a hardware firewall comes in. A broadband router (see Section 14.1.3) works as a base-level hardware firewall by sitting between your PC and the Internet. Potential intruders can't "see" your PC, which means that none of their Windows exploits work. And since they also won't know your brand of router, their arsenal of router exploits is further limited. The third, crowning benefit is the simple software that directs the router's traffic: it's small, and much easier to keep secure than Windows.
A router is a very safe investment for anybody with an always-on broadband Internet connection. The latest routers come with more advanced firewall software built in for added protection. When shopping for a router, look for one that advertises a built-in firewall with both SPI (Stateful Packet Inspection) and NAT (Network Address Translation).
15.7.2. Software Firewall
Whereas a hardware firewall sits between the PC and the Internet, a software firewall lives inside the PC itself, inserting itself between the Internet and your programs. Software firewalls come in two types: one-way, and two-way.
One-way firewalls simply turn away any unrequested information coming from the Internet. That's enough to stop many worms from slipping inside your PC. Windows XP's built-in firewall (see below) is a one-way firewall. Like most one-way firewalls, it's small and easy to live with.
Two-way firewalls, like one-way firewalls, also keep things from entering your computer without permission. But a two-way firewall keeps things from leaving your computer without permission as well. That lets you catch spyware, key loggers, back doors, and other programs that slip into your PC, and then try to notify their creator of their whereabouts.
That second layer of outgoing protection places a big burden of inconvenience on you, however. The firewall asks you questions like, "Should AcroRD32.exe be allowed to connect to the Internet?" Unless you already know that AcroRD32.exe is Adobe's Acrobat Reader checking for a newer version, you're left feeling like a 5-year-old in a calculus class.
Fortunately, plenty of other people feel the same way, and a search for any questionable program's name on Google usually turns up the answer immediately. Once you flag a program as Trusted, the firewall no longer bugs you about it. As a result, only your first few days with a two-way firewall are a nightmare; after that, the firewall rarely bugs you until you either install a new program or the firewall notices something evil trying to phone home.
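The request-and-answer matching described earlier in this section, and the one-way versus two-way distinction above, can both be seen in a small simulation. This is an added example, not code from the book or from any firewall product: the packet fields, program names and the Trusted list are constructed, and the model tracks a request only by its port and host pair, which is a simplification of what real stateful inspection does.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """One packet crossing the PC's network edge (constructed sample data)."""
    direction: str     # "out": PC -> Internet, "in": Internet -> PC
    program: str       # local program sending it or waiting for it
    local_port: int
    remote_host: str
    remote_port: int


class SoftwareFirewall:
    """Stateful filter: inbound traffic passes only if it answers a request
    the PC sent earlier.  With two_way=True, outbound traffic additionally
    needs the sending program to be on the Trusted list."""

    def __init__(self, two_way=False, trusted=()):
        self.two_way = two_way
        self.trusted = set(trusted)
        self.pending = set()   # outbound requests still awaiting an answer
        self.log = []

    def handle(self, pkt):
        """Return True if the packet is allowed through, False if dropped."""
        key = (pkt.local_port, pkt.remote_host, pkt.remote_port)
        where = f"{pkt.program} <-> {pkt.remote_host}:{pkt.remote_port}"
        if pkt.direction == "out":
            if self.two_way and pkt.program not in self.trusted:
                self.log.append(f"BLOCK outbound {where}: program not trusted")
                return False
            self.pending.add(key)          # remember the request
            self.log.append(f"ALLOW outbound {where}")
            return True
        if key in self.pending:            # a matching request exists
            self.log.append(f"ALLOW inbound  {where}: answers a request")
            return True
        self.log.append(f"BLOCK inbound  {where}: unsolicited")
        return False


# Constructed traffic: a browser fetch, its reply, an unsolicited probe at a
# Windows service port, and a hypothetical spyware program phoning home.
SAMPLE_TRAFFIC = [
    Packet("out", "iexplore.exe", 1040, "www.example.com", 80),
    Packet("in",  "iexplore.exe", 1040, "www.example.com", 80),
    Packet("in",  "svchost.exe",  135,  "203.0.113.9",     4444),
    Packet("out", "spyware.exe",  1041, "203.0.113.9",     8080),
]


def run(two_way, trusted=()):
    """Return the allow/deny verdicts, in order, for SAMPLE_TRAFFIC."""
    fw = SoftwareFirewall(two_way=two_way, trusted=trusted)
    return [fw.handle(p) for p in SAMPLE_TRAFFIC]


if __name__ == "__main__":
    for mode, trusted in (("one-way", ()), ("two-way", ("iexplore.exe",))):
        fw = SoftwareFirewall(two_way=(mode == "two-way"), trusted=trusted)
        print(f"--- {mode} firewall ---")
        for p in SAMPLE_TRAFFIC:
            fw.handle(p)
        print("\n".join(fw.log))
```

Run in one-way mode, the browser's request and its reply pass, the unsolicited probe is dropped, and the spyware's outbound connection sails through unnoticed; in two-way mode with only `iexplore.exe` trusted, that last connection is the one extra thing blocked, which is exactly the trade-off the text describes.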
Zone Labs (www.zonelabs.com) offers both a free and paid version of its two-way firewall, ZoneAlarm.
15.7.3. Windows Firewall
Service Pack 2 not only turns on Windows XP's built-in firewall, it also makes it difficult to turn off. For instance, the Network Connection Wizard, a requirement for setting up a new network, promptly firewalls every connection on your PC. If you manually flip Windows Firewall's On switch, Windows places a firewall on all your network-capable connections. It even protects your FireWire port from your digital camcorder.
To decide for yourself which connections the firewall protects, click Start → Control Panel → Windows Firewall. Windows Firewall's Properties page, shown in Figure 15-11, separates its controls into three tabs: General, Exceptions, and Advanced.
As soon as you turn on a firewall, adding that layer of insulation between your PC and the Internet's evils, the clamoring begins. Many Internet-connected programs like messengers and online games insist that you start poking holes in the firewall's protective layer so they can talk to the outside world.
Figure 15-11. Top: The General tab lets you turn on Windows Firewall. Since you want only one software firewall working at a time, Windows Firewall is smart enough to turn itself off when it spots another firewall. If you install an unrecognized firewall, come here to turn off Windows Firewall so the two firewalls don't interfere with each other.
POWER USERS' CLINIC
Testing Your Firewall
Setting up and configuring a firewall is a lot of work with little visible reward. How do you know this thing's working, anyway? You could hang out on dark and dirty hackers' sites, begging the kids to break into your PC. But a safer test is to visit any of these sites:
When you give the site permission, it reads your PC's IP address and sends it a flurry of port scans, packets that probe for commonly exploited openings. In fact, it sends so many that your company's network administrator may start screaming and pulling plugs. Limit these tests to your own PCs.
If you pass, your firewall's doing its job. If you don't pass, try reinstalling the firewall, making sure it's turned on, and then check its Exceptions list for unnecessary additions. Remember that each time you open a port on your firewall, you're adding a potential hole for intruders to locate and slip through.
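The network administrator in the sidebar notices the test because a port scan leaves a distinctive trace: one source address hitting many different ports in a short time. Here is how that trace is picked out of a firewall's drop log. This is an added example, not from the book or from any product: the log lines are constructed, the field layout (date, time, action, protocol, source, destination, source port, destination port) is our own and not the exact format of any particular firewall's log file, and the threshold of eight distinct ports in sixty seconds is an assumed tuning value.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of a firewall's drop log (not a real capture).  One blocked
# packet per line; fields: date time action protocol src-ip dst-ip src-port dst-port
SAMPLE_LOG = """\
# constructed sample log
2005-03-01 10:00:01 DROP TCP 198.51.100.7 192.168.1.10 40112 21
2005-03-01 10:00:01 DROP TCP 198.51.100.7 192.168.1.10 40113 22
2005-03-01 10:00:01 DROP TCP 198.51.100.7 192.168.1.10 40114 23
2005-03-01 10:00:02 DROP TCP 198.51.100.7 192.168.1.10 40115 25
2005-03-01 10:00:02 DROP TCP 198.51.100.7 192.168.1.10 40116 80
2005-03-01 10:00:02 DROP TCP 198.51.100.7 192.168.1.10 40117 135
2005-03-01 10:00:03 DROP TCP 198.51.100.7 192.168.1.10 40118 139
2005-03-01 10:00:03 DROP TCP 198.51.100.7 192.168.1.10 40119 445
2005-03-01 10:00:03 DROP TCP 198.51.100.7 192.168.1.10 40120 1433
2005-03-01 10:00:04 DROP TCP 198.51.100.7 192.168.1.10 40121 3389
2005-03-01 10:05:00 DROP UDP 192.0.2.44 192.168.1.10 53 1027
2005-03-01 10:07:12 DROP TCP 192.0.2.44 192.168.1.10 51000 445
"""


def parse_line(line):
    """Split one log line into a record; assumes the constructed layout above."""
    date, time, action, proto, src, dst, sport, dport = line.split()
    return {
        "when": datetime.fromisoformat(f"{date} {time}"),
        "action": action,
        "proto": proto,
        "src": src,
        "dst": dst,
        "sport": int(sport),
        "dport": int(dport),
    }


def find_port_scans(log_text, min_ports=8, window=timedelta(seconds=60)):
    """Flag source addresses whose dropped packets touched at least
    `min_ports` distinct destination ports within some `window`-long span.
    Returns {src_ip: sorted list of the ports seen in that span}."""
    by_src = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        rec = parse_line(line)
        if rec["action"] != "DROP":
            continue
        by_src[rec["src"]].append((rec["when"], rec["dport"]))

    scans = {}
    for src, hits in by_src.items():
        hits.sort()                        # chronological order
        for i, (start, _) in enumerate(hits):
            # every hit from this one forward that falls inside the window
            ports = {port for when, port in hits[i:] if when - start <= window}
            if len(ports) >= min_ports:
                scans[src] = sorted(ports)
                break
    return scans


if __name__ == "__main__":
    for src, ports in find_port_scans(SAMPLE_LOG).items():
        print(f"possible port scan from {src}: {len(ports)} ports {ports}")
```

The scanning host is flagged because it touched ten ports in four seconds; the second address, with two drops more than a minute apart, is ordinary background noise and stays below the threshold. The same function run with a wider window or lower threshold shows how the tuning trades false alarms against missed slow scans.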
Before adding a program to your firewall's Exceptions list, ask yourself if it's worth the risk.