It wasn't that long ago that a firewall was just another one of those technologies that you might have overheard the computer support folks at work talking about. A firewall wasn't something most people worried about using at home. After all, who was going to bother trying to break into your personal computer when the most interesting things on it were the pictures of your new baby niece and your Microsoft Money account showing a massive $593.34 investment portfolio?
Unfortunately, while today's Internet has grown into an amazing tool for research, communication, and entertainment, it has also developed into a playground for the kinds of people my grandpa would have called "miscreants." These hackers, crackers, and phishers—or whatever else you want to call them—unleash viruses, worms, and various other malicious programs (AKA "malware") on unsuspecting computer users worldwide. Even if your computer doesn't contain information of interest to hackers, you could still be a target for malware, as many try to hijack computers to use for nefarious purposes such as sending out junk e-mail or launching attacks on Web sites.

Figure 1. Accessing the Internet with no firewall running is like leaving your front door wide open—anyone can wander in.
Before you decide to close your Web browser, unplug your modem, and go back to a life of solitary, disconnected computing, take heart. Windows Firewall, in conjunction with other security tools such as virus checkers and spyware cleaners, can help keep your PC secure from online intruders.
In this column, I'll focus on the kinds of firewall questions a typical home user might have. Technically-oriented users and system administrators wanting to dig into gritty firewall details should check out the Cable Guy's excellent TechNet article, Manually Configuring Windows Firewall in Windows XP SP2. For the rest of us, let's answer the most common firewall-related questions.
A firewall is a program or hardware device that watches your network and Internet connection and helps block unauthorized access to your computer. The firewall controls what data can come across the 65,535 TCP and UDP ports that your computer can use to communicate with the outside world.
Think of ports as the equivalent of phone numbers for various departments within your PC, such as Web access, file sharing, video chat, and gaming. A firewall such as Windows Firewall lets through the replies to connections your computer starts (loading a Web page, for example) but blocks unsolicited connections coming in from outside, so the ports that programs on your PC are listening on can't be reached and exploited by malware. You can choose to open ports needed by specific programs, such as games or file-sharing applications. Keep in mind that every port you open is one more way in, however, so open only the ones you actually need.
Software firewalls are programs that run on your computer and watch all network traffic coming into your computer. Windows Firewall, included as part of Windows XP Service Pack 2 (SP2), is one example. Several third-party software manufacturers make add-on software firewalls as well.
Hardware firewalls are built into networking devices such as routers and wireless access points. Most consumer hardware firewalls only watch traffic between the network device and the Internet—they don't block traffic between computers inside your network.
Absolutely. A system without an active firewall is vulnerable to infection by a variety of malicious programs, sometimes within minutes of connecting to the Internet. Even if you're typically very careful in your computing practices, your system can still be infected by programs that scan random Internet addresses and attempt to "slip in the back door" through open ports on your computer. A firewall is necessary to keep these random intruders from hijacking or damaging your system.
Remember, though, that the firewall is only one element in a safe computing environment. You also need to follow best preventative practices: don't open unknown attachments and avoid spyware and questionable browser plug-ins. See Jerry Honeycutt's excellent article on how Windows XP Service Pack 2 Strengthens the Defense Against Spyware. Note that he recommends scanning your computer for spyware and other unwanted software before you install SP2.
A firewall won't disable viruses and worms that are already on your system when you activate the firewall and it doesn't stop malicious e-mail attachments. For the best security, you should also run a virus checker (and keep it updated), turn on Automatic Updates, run spyware detection tools, install Web browser add-ons only from sites you have a high level of trust in, and be extremely cautious when opening e-mail attachments.
If you're using Windows XP SP2, the firewall is typically turned on by default. (Some computer manufacturers and network administrators might choose to turn it off.) You can confirm its status by opening Windows Security Center:
1. Click Start, click Control Panel, and then click Security Center.
2. If the firewall is turned off, click Recommendations.
3. Click Enable Now in the window that recommends you turn on the firewall. A second window will open confirming that the firewall is now active.
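The same check-and-enable steps, done from a command prompt. This is an added example and not part of the original column: Windows XP SP2 includes a netsh firewall context that mirrors the Security Center and Windows Firewall dialogs, which is handy when Control Panel is unavailable or you want to repeat the check on several PCs. Run it from an administrator account, either line by line or saved as a .cmd file. The logging step is not something the column covers; it is included so you can see the blocked connection attempts the firewall is absorbing.

```batch
@echo off
REM Added example (not from the original column): check Windows Firewall on
REM Windows XP SP2 from the command line and turn it on if it is off.
REM "netsh firewall" is the command-line counterpart of the Security Center
REM and Windows Firewall dialogs; run this from an administrator account.

REM 1. Show whether the firewall is on and whether exceptions are allowed.
netsh firewall show state

REM 2. Show the full configuration, including any program or port exceptions
REM    already defined, so you know what will be reachable once it is on.
netsh firewall show config

REM 3. Turn the firewall on for both profiles (domain-joined and standard),
REM    keeping the exceptions list active so allowed programs keep working.
netsh firewall set opmode mode=ENABLE exceptions=ENABLE profile=ALL
if errorlevel 1 (
    echo Could not enable Windows Firewall. Are you logged on as an administrator?
    exit /b 1
)

REM 4. Log dropped packets so you can see the unsolicited connection attempts
REM    the firewall is blocking. The log is a plain text file you can open in
REM    Notepad; maxfilesize is in KB.
netsh firewall set logging filelocation=%SystemRoot%\pfirewall.log maxfilesize=4096 droppedpackets=ENABLE

REM 5. Confirm the change took effect.
netsh firewall show state
```

After a few hours online, open the log file named in step 4: each line records a dropped packet with its source address and destination port, which is the "random intruders scanning for open ports" traffic the column describes, made visible.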

Figure 2. The Windows XP SP2 Security Center will warn you if your firewall is disabled.
If you're still using the original or SP1 releases of Windows XP, I strongly suggest that you upgrade to Windows XP SP2, which includes a variety of important security enhancements in addition to firewall protection. In the meantime, turn on the built-in firewall (called Internet Connection Firewall in those releases) even before you upgrade, to protect your computer until SP2 has been successfully installed: open Network Connections, right-click your Internet connection, click Properties, and on the Advanced tab select the Internet Connection Firewall check box.
Note that earlier versions of Windows, such as Windows 2000 and Windows 98, did not include a built-in firewall. If you have a computer running one of these operating systems, you should add a third-party firewall. A third-party firewall can either be a software program you install or a device such as a broadband router or wireless access point with a built-in firewall.
Windows Firewall does an excellent job of protecting most system configurations by blocking unauthorized attempts to connect to your computer. Note, though, that the Windows XP SP2 version filters only incoming traffic. Some add-on firewall packages from third-party software publishers add an additional level of protection by also blocking connections from your computer to the Internet. That way, programs can't send data from your computer to others without your permission.
This capability may be appealing in situations where less security-conscious users have access to your computer—roommates or kids, for example. Someone could inadvertently allow a malicious program onto your computer. Later it might attempt to send personal data from your computer or hijack it for nefarious uses. So a firewall that watches outgoing ports can both alert you to the unauthorized activity and prevent the data from being sent out. Check the firewall section in Windows Marketplace to find products that work with Windows XP.
If you have more than one computer on your network, it's a good idea to run Windows Firewall even if you have a hardware firewall in place. The hardware firewall typically manages traffic between your network and the Internet, and doesn't block traffic between individual computers on the network. If a malicious program makes it on to one of your networked computers, it could potentially spread to the other computers on your network. Windows Firewall can protect your computers from unauthorized traffic both from the Internet and your internal network.
Windows Firewall interacts with any program that accepts connections from other computers on your network or on the Internet. With its default settings active, Windows Firewall allows the traffic your own programs request (so e-mail and Web browsing work without any exceptions) but blocks connections that other computers try to start. The programs that may initially be blocked are therefore the ones that need to receive such connections: file-sharing and file transfer (FTP) software, multiplayer games, remote desktop-sharing programs, and advanced features such as video conferencing and file sending in instant messaging programs. You can adjust the firewall settings to open the necessary ports so you can use these programs' communication functions.
When Windows Firewall is active, a Windows Security Alert dialog box opens the first time a program requests data from your network connection, as shown in Figure 3.

Figure 3. Security Alerts allow you to choose whether to continue blocking a program, or allow it to have access to the Internet.
The dialog box shows the name of the program that it's blocking, as well as the program's icon and publisher. Below these, you'll see three buttons:
• Keep Blocking, which will continue to block the program from receiving data from other computers.
• Unblock, which will open the appropriate ports to allow the program to communicate.
• Ask Me Later, which will block the program this time, but will request permission to open the firewall ports again next time you run the program.
If you recognize and trust the program, clicking Unblock will open the necessary ports in Windows Firewall whenever that program is running. If you don't recognize the program's name, consider searching for the program name using your favorite search engine, such as MSN Search. You might discover that the program is part of Windows. For example, the Windows XP Fax console will request ports the first time you start it. Or it might be used by another software package that you own.
If you don't have time to research the Security Alert and want to revisit the issue later, just click Ask Me Later. If you do this, the program's communications features will be disabled until the next time you run it, at which point you'll once again see Windows Security Alert.
If you've blocked a program and later decide that you want to allow it to talk to the world outside of your computer, you can manually add a program to the Windows Firewall exceptions list—the list of programs it allows to accept incoming network connections. Just follow this procedure:
1. Click Start, click Control Panel, and then click Security Center.
2. Under Manage security settings for, click Windows Firewall.
3. On the Exceptions tab, click Add Program.
4. Click the program you want to allow to communicate, and then click OK. If the program you want isn't listed, click Browse to locate the program elsewhere.
You'll now see the program in the exceptions list. If you want to temporarily disable Firewall exceptions for a program that you've added to the exceptions list, just clear the check box next to that program on the Exceptions tab of the Windows Firewall dialog box. To permanently remove a program from the exceptions list, click the program name, and then click Delete.

Figure 4. You can add exceptions to the firewall's network connection blocking list.
Advanced users who know specific port numbers that need to be open to use a program or hardware device can click Add Port to open these ports in the firewall, independent of which programs are running. These ports will be open all of the time, however, and to whatever program happens to be listening on them, so this feature should only be used in the rare situations where adding a program to the exceptions list still doesn't allow the program to communicate properly.
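The Exceptions tab procedures above (adding a program, clearing its check box, deleting it, and adding a port) as netsh firewall commands. This is an added example, not from the original column; it also covers pre-adding a game before you first play it, as recommended further down. The program path, its display name, and the Remote Desktop port used here are placeholders to replace with your own game or device. The scope setting is the one option used here that the dialogs also offer (the Change scope button on an exception) but the column does not mention.

```batch
@echo off
REM Added example (not from the original column): manage the Windows Firewall
REM exceptions list on Windows XP SP2 from the command line. The program path,
REM name and port below are placeholders; substitute your own.

set GAME="C:\Program Files\Example Game\game.exe"

REM Add the program to the exceptions list. Windows Firewall then accepts
REM incoming connections for it only while it is running. scope=SUBNET limits
REM callers to computers on your own network, which suits a LAN game; an
REM Internet multiplayer game needs scope=ALL.
netsh firewall add allowedprogram program=%GAME% name="Example Game" mode=ENABLE scope=SUBNET

REM List the exceptions and confirm the entry is present.
netsh firewall show allowedprogram

REM Clearing the check box on the Exceptions tab is the same as this...
netsh firewall set allowedprogram program=%GAME% mode=DISABLE
REM ...and clicking Delete is the same as this.
netsh firewall delete allowedprogram program=%GAME%

REM Open a specific port instead (the Add Port button). Unlike a program
REM exception, a port exception is open all the time and to whatever program
REM is listening on it, so keep it to the local network and disable or delete
REM it when you are done.
netsh firewall add portopening protocol=TCP port=3389 name="Remote Desktop" mode=ENABLE scope=SUBNET
netsh firewall show portopening
netsh firewall set portopening protocol=TCP port=3389 mode=DISABLE
netsh firewall delete portopening protocol=TCP port=3389
```

Prefer the allowedprogram form whenever the program has a fixed executable: the hole exists only while the program runs, and it closes itself when you exit, which is exactly the behaviour the column recommends.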
Yes, Windows Firewall can open the necessary ports for Internet and local area network games. However, there is a snag with some games that prevents you from seeing the Windows Security Alert that asks for permission to allow the game to talk to other computers.
Most games use DirectX technology to display 3-D graphics using the entire screen, without the usual window arrangement controls. Because the game has essentially taken control of the display you see on your monitor, you never see the Security Alert request—it's essentially hidden behind your game screen. Windows Firewall will block your game's network access until you tell it that it's okay to do otherwise, so it will appear to you that the communications simply aren't working, when in fact the Firewall is just waiting for your response to its (unseen) request to open the necessary ports.
If you find yourself in this situation, in most cases you can hold down the ALT key and press TAB to switch back to the Windows desktop, where you'll likely see the Security Alert request. At this point you can click Unblock and then press ALT+TAB again to return to your game.
Not all games support the ALT+TAB key press, however, so a better approach is to manually add a firewall exception for the game before you play it for the first time. The procedure for manually adding programs—including games—is outlined in the answer to the previous question.
For more detailed information on this subject, see the Knowledge Base article, Some programs seem to stop working after you install Windows XP Service Pack 2.
If you're also running a hardware firewall, you might need to open the appropriate ports for your program there as well. This procedure differs with each device, so you'll need to consult the documentation that accompanied your networking device for specific instructions on how to do so. With typical home network routers, this generally involves accessing a settings Web page that's built into the networking device.
If that's not the problem, your best bet is to visit the support Web site for the program you're trying to use and search the support database for help related to "firewall" or "network ports."
Every port you open makes your computer more vulnerable. However, opening a few ports in order to play a game or run a video conferencing application, for example, still leaves your system protected against the most common intruders. When you add a program to Windows Firewall, it only opens the necessary ports when that program is actually running; once you exit the program, the ports are then closed.
When you manually open specific port numbers, these remain open all of the time, whether or not the program that needs them is running. For maximum protection, close them when not in use by clearing the check box next to that port entry on the Exceptions tab of the Windows Firewall dialog box, and delete the entry once you no longer need it at all.
If you're not running Windows Firewall, and Windows Security Center can't detect the firewall that you're using, you'll receive a firewall security alert. To turn off the alert, just follow this procedure:
1. Click Start, click Control Panel, and then click Security Center.
2. In Windows Security Center, click Recommendations. (If the Recommendations button does not appear, Windows Firewall is turned on.)
3. Select the I have a firewall solution that I'll monitor myself check box, and then click OK.
Windows will no longer notify you of your firewall status.

Figure 5. If you're using a third-party or hardware firewall that's not detected, you can tell Security Center to stop monitoring your firewall status.