5-Minute Security Advisor - Simple Firewall Setup for Home Office Users

Archived content. No warranty is made as to technical accuracy. Content may contain URLs that were valid when originally published, but now link to sites or pages that no longer exist.

Updated : May 7, 2002

Firewalls used to be found only on large corporate networks, but then again, so were Internet connections. Now that high-speed, always-on Internet connectivity is becoming more and more common, so too are attacks against connected computers. Firewalls help protect you against such attacks by screening out unsolicited and malicious traffic before your computer ever answers it. In addition, firewalls can help keep your computer from participating in attacks on others without your knowledge. The good news is that consumer-level firewalls provide good security without requiring that you be a computer security expert. In fact, Windows XP includes a robust firewall, the Internet Connection Firewall (ICF), as part of the operating system, and turning it on is literally a single-click operation.

On This Page

Why Do I Need a Firewall?
What Can a Firewall Do For Me?
The Hard and the Soft
Setting Up ICF
Other Firewalls
Setting up a Residential Gateway
Better Some Security than None…

Why Do I Need a Firewall?

Before we talk specifically about why firewalls are important for home security, we need to cover some background on Internet communications. In many respects, the Internet can be compared to the phone system: instead of communicating with phones, over the Internet we communicate with computers. Every time you call someone, you call from a specific phone number; likewise, every time you communicate with another computer, you do so from an IP address. Every packet sent across the Internet carries a source IP address; otherwise the receiving computer would have no idea where to send its reply. One very important difference between a computer and a phone is that, by default, the computer will always answer a call whether or not you want it to. For example, if you receive a call from "Hackers-R-Us" you would probably just let the phone ring. By default, your computer has no choice: it has to answer their call.

Figure 1: By default, when your computer is connected, it has to listen and respond to any communication it receives from anyone on the Internet

When you use a modem and a dial-up connection, this is not a big problem. Your computer is usually connected only for a short period of time, and, because of the way most dial-up service providers work, it gets a different IP address each time you call. This makes it fairly difficult, but not impossible, for an attacker to get into your computer. However, if you have a broadband connection such as DSL or a cable modem, your computer is connected to the Internet 24 hours a day, and it typically keeps the same IP address for days or weeks, so an attacker who finds it once can keep coming back.

Figure 2: An unprotected home network. Any computer in the world can contact this computer by IP address.

What Can a Firewall Do For Me?

What if you had a person at home who could filter your telephone calls? You could tell him to completely ignore all incoming calls except from trusted sources. Or, you could tell him to block phone calls from specific sources, or to specific people in your household. Well, there is such a thing for a computer network; it's called a firewall.

The famous Jargon Dictionary has a great entry for firewall: "a dedicated gateway machine with special security precautions on it, used to service outside network connections and dial-in lines." Firewalls serve two useful purposes: they filter what traffic comes into your network from the outside world, and they control what the computers on your network may send out to it.

The Hard and the Soft

The first step in setting up a firewall is simple: decide whether a hardware or software solution will work best for your needs. Firewall products come in many different forms, from freely available software for your computer to tamper-resistant industrial units. No matter what kind of firewall you buy, all firewalls provide the same basic feature: control of inbound and outbound traffic.

When making this decision, here's what you should be asking:

  1. Am I running Windows XP? If so, you already have a built-in firewall, the Internet Connection Firewall (ICF), so you may not need to buy anything additional.

  2. Do I want to share my Internet connection between multiple computers? If you do, you either have, or will have, your computers networked together. In that case, you can use Windows' Internet Connection Sharing (ICS) feature to share the connection. (If you want to know how to turn on ICS for Windows 2000, see this step-by-step guide.)

  3. Do I want to be able to share my connection without using one computer as a firewall? Perhaps you want to share your Internet connection, but you don't want to have to use one particular computer as the gateway—ICS only works when the computer running it is powered up and on the network. Instead, you can buy an inexpensive appliance that acts as a gateway for sharing connections—these so-called "Internet access routers" or "residential gateways" almost always include firewall functionality.

For maximum security, you can install a hardware firewall to protect your home office network, then combine it with ICF or another software-based firewall. Software firewalls can be configured for individual machines, so that each machine on your network can have different network permissions if that's what you need. In addition, software-based firewalls can alert you when software on a firewalled machine is sending out data when it shouldn't. Hardware-based firewalls are typically very flexible and powerful; once you get them set up, you can leave them alone and let them work to silently protect you. Of course, getting them set up in the first place can be a difficult exercise! Combining the two types can give you tighter security than using either one alone.

Setting Up ICF

The Internet Connection Firewall for Windows XP is configured on a per-connection basis. That means that if you have more than one way of accessing the Internet from your computer (for example, a modem some of the time and DSL at other times), you will have to configure ICF separately for each connection. If you share your connection with ICS, enable ICF on the connection that faces the Internet, not on the one that faces your home network. If you're using a broadband connection, you'll have an icon for it in the Network Connections applet (probably labeled "Local Area Connection", perhaps with a number after it). Here's how to turn on ICF:

  1. Navigate to the Start menu and open the Control Panel.

  2. Find and open the Network Connections applet.

  3. Right-click the connection you want to protect with ICF and select Properties.

  4. Go to the Advanced tab and check the box to protect your computer. (This article has a video that will show you the process, if you need further help!)

Figure 3: The Advanced tab of the properties dialog for a network connection.

That's all it takes. ICF is now up and running on your system, but wait! What if you want to allow computers to connect to yours for specific reasons? For example, you could be running a web server that you want people outside of your home network to view. ICF will let you do this. Just click the Settings button on the Advanced tab of your network connection's properties (see Fig. 3). You can choose from a variety of common services that you would like to expose to the outside world. Every service you expose is a hole in the firewall, so expose only what you actually need, and note that you will have to stay up to date with the security updates and patches released for the exposed services; otherwise your computer can be easily compromised through them.

Action: If you're running Windows XP, turn on ICF on your primary Internet connection. Then use the Internet as you always have; notice that ICF doesn't interfere with your Internet use, even though it's silently protecting you. You can also get more details on how ICF works.
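To make the mechanism concrete, here is an added example (illustrative code written for this page, not Microsoft's ICF implementation) that models the rule a per-connection firewall like ICF enforces: inbound traffic is dropped unless it is the reply to a connection your computer opened, or it is addressed to a service you deliberately exposed through the Settings button. The addresses and port numbers are constructed from the documentation address ranges; `run_demo` returns the verdict for each packet so you can see the default-deny behaviour and the effect of exposing a web server.

```python
# Added example: a toy model of a per-connection ("stateful") inbound filter
# in the style of ICF. Not Microsoft's code; addresses are constructed from
# the RFC 5737 documentation ranges.
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Packet:
    proto: str       # "TCP" or "UDP"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    inbound: bool    # True when the packet arrives from the Internet side


@dataclass
class StatefulFilter:
    my_ip: str
    # Services deliberately exposed via the Settings button, as (proto, port).
    exposed: set = field(default_factory=set)
    # Flows this computer opened: (proto, local_port, remote_ip, remote_port).
    flows: set = field(default_factory=set)
    dropped: list = field(default_factory=list)

    def handle(self, pkt: Packet) -> str:
        if not pkt.inbound:
            # Remember what we sent so the reply is recognised later.
            self.flows.add((pkt.proto, pkt.src_port, pkt.dst_ip, pkt.dst_port))
            return "ALLOW"
        # Inbound: is it the mirror image of a flow we opened ourselves?
        if (pkt.proto, pkt.dst_port, pkt.src_ip, pkt.src_port) in self.flows:
            return "ALLOW"
        # Or is it addressed to a service we chose to expose?
        if (pkt.proto, pkt.dst_port) in self.exposed:
            return "ALLOW"
        # Anything else is unsolicited: let the phone ring.
        self.dropped.append(pkt)
        return "DROP"


def run_demo(expose_web: bool) -> dict:
    """Push a fixed set of constructed packets through the filter; return verdicts."""
    me, site, attacker = "203.0.113.10", "198.51.100.5", "192.0.2.66"
    fw = StatefulFilter(my_ip=me, exposed={("TCP", 80)} if expose_web else set())
    verdicts = {}
    # 1. We browse to a web site.
    verdicts["browse_out"] = fw.handle(Packet("TCP", me, 49152, site, 80, inbound=False))
    # 2. The site's reply matches the flow we opened.
    verdicts["browse_reply"] = fw.handle(Packet("TCP", site, 80, me, 49152, inbound=True))
    # 3. Someone else sends a "reply" to the same port from a different address.
    verdicts["forged_reply"] = fw.handle(Packet("TCP", attacker, 80, me, 49152, inbound=True))
    # 4. Unsolicited probe of Windows file sharing (TCP 445).
    verdicts["smb_probe"] = fw.handle(Packet("TCP", attacker, 40000, me, 445, inbound=True))
    # 5. Unsolicited request to our web server port.
    verdicts["web_request"] = fw.handle(Packet("TCP", attacker, 40001, me, 80, inbound=True))
    return verdicts


if __name__ == "__main__":
    for exposed in (False, True):
        print(f"web server exposed: {exposed}")
        for label, verdict in run_demo(expose_web=exposed).items():
            print(f"  {label:13s} {verdict}")
```

Run it with `expose_web` set both ways: exposing port 80 lets the web request through while the probe of port 445 is still dropped, and the forged reply is dropped in both cases because its source address does not match the flow the computer actually opened.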

Other Firewalls

If you're not running Windows XP, or if you want to have greater control (and awareness) of what your firewall is doing on your behalf, you may be better served by a separate personal firewall software package. There are a variety of good products available that enhance your computer's security. For example, ZoneAlarm by Zone Labs will not only filter incoming connections, but will also filter outgoing connections by program. That means that you can specify which programs on your computer should be able to communicate over the Internet and which, if any, should be prevented from doing so.

Setting up a Residential Gateway

If you have or are planning to have a home network, you will have to create a gateway from your firewall to the rest of the network. If you are implementing a software firewall on a specific computer, this means that you will need at least two network cards in that machine. One network card is attached to the public interface (such as a DSL or cable modem) and the other network card is attached to your internal network. You then have to configure the computer to pass traffic between the two sides. ICS allows you to do this in both Windows 2000 and Windows XP.

However, at this stage in the game, many home users decide to buy a dedicated residential gateway. These units plug directly into the DSL router or cable modem and provide the functionality of a firewall and network hub.

Figure 4: A full-fledged home network complete with a residential gateway.

A residential gateway has to be configured to act in place of the computer running ICS when contacting the ISP. For example, if you had a static IP address, you would have to assign that IP address to the gateway instead of your computer. You could either assign a new, private IP address to your computer by hand or, more likely, instruct the computer to ask the gateway for an IP address. Like ICF, gateways often have the ability to block or filter specified traffic, and to forward specific services inward. For example, if the family web site was being run on the basement computer, the residential gateway could direct all incoming web site (HTTP) requests to the basement computer while continuing to drop everything else that arrives unsolicited. Just as with an ICF exception, the forwarded service is then exposed to the whole Internet and must be kept patched.
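As an added example (a toy model written for this page, not any gateway vendor's firmware), the following code shows what the gateway does when it stands in for the ICS computer: outbound traffic from the private network leaves under the gateway's public address, replies are mapped back to the computer that asked for them, a single forwarding rule sends HTTP requests to the basement computer (and lets its answers out under the public address), and anything else arriving unsolicited is dropped. The addresses are constructed (192.168.0.x for the home network, documentation ranges for the Internet side) and the `forwards` rule is an assumption standing in for whatever the gateway's configuration page calls it.

```python
# Added example: a toy model of a residential gateway doing network address
# translation plus one port-forward rule. Not any vendor's firmware; the
# addresses are constructed from private and RFC 5737 documentation ranges.
from dataclasses import dataclass, field, replace
from typing import Optional


@dataclass(frozen=True)
class Packet:
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass
class Gateway:
    public_ip: str   # the address the ISP gave us (static, or obtained from the ISP)
    # Forwarding rules: (proto, public_port) -> (lan_ip, lan_port).  Assumed shape.
    forwards: dict = field(default_factory=dict)
    # Live translations: (proto, public_port) -> (lan_ip, lan_port, remote_ip, remote_port)
    nat: dict = field(default_factory=dict)
    next_port: int = 60000

    def outbound(self, pkt: Packet) -> Packet:
        """LAN -> Internet: rewrite the private source to the public address."""
        # A forwarded server's answers leave under the public port it was reached on.
        for (proto, pub_port), (lan_ip, lan_port) in self.forwards.items():
            if proto == pkt.proto and (lan_ip, lan_port) == (pkt.src_ip, pkt.src_port):
                return replace(pkt, src_ip=self.public_ip, src_port=pub_port)
        flow = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        key = next((k for k, v in self.nat.items() if k[0] == pkt.proto and v == flow), None)
        if key is None:                      # first packet of this flow: allocate a port
            key = (pkt.proto, self.next_port)
            self.next_port += 1
            self.nat[key] = flow
        return replace(pkt, src_ip=self.public_ip, src_port=key[1])

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Internet -> LAN: deliver replies and forwarded services, drop the rest."""
        key = (pkt.proto, pkt.dst_port)
        entry = self.nat.get(key)
        if entry and entry[2:] == (pkt.src_ip, pkt.src_port):   # reply to a LAN host
            return replace(pkt, dst_ip=entry[0], dst_port=entry[1])
        if key in self.forwards:                                 # explicitly forwarded
            lan_ip, lan_port = self.forwards[key]
            return replace(pkt, dst_ip=lan_ip, dst_port=lan_port)
        return None                                              # unsolicited: dropped


def run_demo() -> dict:
    """Walk the Figure 4 scenario with constructed addresses; return what happened."""
    gw = Gateway(public_ip="203.0.113.10", forwards={("TCP", 80): ("192.168.0.20", 80)})
    laptop, basement = "192.168.0.5", "192.168.0.20"
    site, visitor = "198.51.100.5", "192.0.2.66"
    out = {}
    # The laptop browses to a web site; on the wire the source is the gateway.
    p1 = gw.outbound(Packet("TCP", laptop, 50000, site, 80))
    out["wire_src"] = (p1.src_ip, p1.src_port)
    # The site replies to the gateway, which hands the packet back to the laptop.
    r1 = gw.inbound(Packet("TCP", site, 80, p1.src_ip, p1.src_port))
    out["reply_to"] = (r1.dst_ip, r1.dst_port)
    # A visitor asks for the family web site: forwarded to the basement machine.
    f1 = gw.inbound(Packet("TCP", visitor, 40000, "203.0.113.10", 80))
    out["web_forward"] = (f1.dst_ip, f1.dst_port)
    # The basement server's answer goes out under the public address, port 80.
    a1 = gw.outbound(Packet("TCP", basement, 80, visitor, 40000))
    out["web_answer_src"] = (a1.src_ip, a1.src_port)
    # An unsolicited probe of file sharing has no mapping and no rule: dropped.
    out["smb_probe"] = gw.inbound(Packet("TCP", visitor, 40001, "203.0.113.10", 445))
    return out


if __name__ == "__main__":
    for label, value in run_demo().items():
        print(f"{label:15s} {value}")
```

The point to notice is that the private addresses never appear on the Internet side, and that the only way an unsolicited packet reaches a machine behind the gateway is through a forwarding rule you created on purpose.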

Better Some Security than None…

Of all of the choices presented here, the only one you can really go wrong with is choosing none of them. Don't make the mistake of thinking that no one will attack you: with the rise of automated attack tools, you are as much at risk as every other computer on the Internet. Unfortunately, there is a sizeable sub-culture that confuses a deep understanding of how networks and computer security work with a license for digital breaking and entering. Because always-on connections are popular and easy to use, home networks provide easy targets. However, by taking some simple precautions, you can protect yourself and your data.