5-Minute Security Advisor - Using the Internet Connection Firewall

Archived content. No warranty is made as to technical accuracy. Content may contain URLs that were valid when originally published, but now link to sites or pages that no longer exist.

Even if you're considering investing in a third-party software or hardware firewall, you should consider using Windows XP's Internet Connection Firewall (ICF) to help secure your home or small office network. ICF is included in both Windows XP Home Edition and Windows XP Professional. As such, it is suited for small office or home network solutions, where there are relatively few users and computers that need to be protected. If you're not using a firewall, ICF provides robust protection at no extra charge. If you are using one, ICF can be used to segment your network behind the firewall or to protect specific computers that the rest of the internal network should not have access to. (If you have more than a few users, consider the Microsoft Internet Security and Acceleration (ISA) product, an industrial-strength firewall that runs on Windows 2000 and Windows .NET Server.)

Data is transferred over the Internet via the Internet Protocol (IP). Thus, every computer that is on the Internet speaks this language. If a computer is connected to the Internet, it is assigned an IP address that uniquely identifies it. IP communications go to specific ports-- for example, a request sent to a computer on port 80 is sent to its web server (HTTP). Likewise, a request sent to port 25 on the same computer is a Simple Mail Transfer Protocol (SMTP) request, so it should be handled by its mail server software. The web server never is made aware of the traffic on port 25 and the mail server is completely oblivious to the traffic on port 80.

By default, turning on ICF automatically blocks all communications originating from foreign computers to all ports on your computer. This essentially renders your computer invisible to port scanners, hacking tools that repetitively try different ports on a network address to see how a particular machine might be attacked. Hackers frequently run port scanners against DSL and cable-modem services to see whether they can find any unsecured machines; with ICF running, the port scanners will never see your machine.

If you want to enable Internet users to communicate with your machine (as you might if you're running a Web server or using a popular peer-to-peer program like Morpheus), you can choose to allow communications to specified portsby clicking on the Settings button on the Advanced tab in the properties window of your public network connection. Although the Code Red and Nimda viruses demonstrate the importance of patching services even when they are not exposed through the firewall, once you open up a port to the outside world, it is imperative you apply and keep up to date with any patches for that service. Windows Update provides an easy way to ensure that you are up to date with Windows XP services.

On This Page

Protecting a Single Computer
Protecting Multiple Computers
Letting in the Outside World
Keeping Alert

Protecting a Single Computer

If your computer is connected directly to your Internet connection, or if there is no firewall in place between the computer and the internet, you should enable ICF to limit the accessibility of your computer to unknown sources. Without using ICF or another type of firewall, your computer is exposed to all other computers on the Internet, potentially leaving your data and services open to attack.

Cc722661.min20401(en-us,TechNet.10).gif

Figure 1: Without a firewall, a computer is exposed to every computer on the internet.

If you want to cut off all unsolicited communication from other computers, simply enable ICF with its default settings by clicking the check box on the Advanced tab in the properties window of your network connection. However, if you are hosting a service that you want other computers to have access to, you will need to let ICF know that it is OK for computers to access it. The classic example is a web server. ICF is easily configurable for any services that you might be running on your computer and comes preconfigured with definitions for common protocols and services like HTTP, FTP, and SMTP. Even if the service or programs that you want to expose are not on the default list you can add them by defining the internal and external TCP ports that they utilize.

Protecting Multiple Computers

By itself, ICF can work to protect a single computer with a connection to the internet such as a computer connected directly to a DSL or cable modem. In concert with Internet Connection Sharing (ICS), also included with both versions of Windows XP, a single computer running ICF with two network cards can serve as a firewall for your entire home network.

Cc722661.min20402(en-us,TechNet.10).gif

Figure 2: A small network is sharing a protected connection by using Internet Connection Sharing.

In this environment, ICF is configured on the public network connection to the Internet and ICS is configured on the private internal network connection. If you were to configure ICF on the private card, you would be telling your computer that your private network is not to be trusted and to limit communication between it and your computer. For example, ICF would prevent communication between the ICS clients on your network and the ICS server, locking all computers on the private network away from the connection that you are trying to share!

If you have a hardware firewall that does not have a connection sharing feature, you can use ICS in concert with it to provide a similar solution. Configure your network as diagramed above, but connect the external NIC to the firewall. Just as above, configure ICS on your internal connection but because you already have a firewall, you do not need to enable ICF on the external connection to your firewall.

Letting in the Outside World

The ICF server acts as a proxy for all internal machines-- if an ICS client needs to communicate with an external machine, it asks the ICS server, which is also running ICF, to communicate for it. The server sends the request to the public network and then forwards the response back to the client. Because of this, the IP address of the client is not made public. If the external computer tries to initiate a new conversation, it will send all communication to the ICF server. This may not always be what you want. If you want Internet computers to get to a particular service on a machine on your network, like a web server, you can configure the ICF server to redirect traffic over specified ports to an internal machine. When you do, external computers send their requests from the Internet to the ICF server, which in turn forwards them to the internal computer hosting the service.

Action If you want to allow external computers to use a web server on a machine on your local network, do the following:

  1. Ensure that ICS and ICF are enabled and working properly.

  2. On the ICF server, open the Connection Properties windows for the ICF-enabled connection.

  3. Switch to the Advanced tab and click Settings.

  4. Go to the Services tab of the Advanced Settings window, check off the Web Server (HTTP) box and click Edit.

  5. In the Service Settings window, enter the name of your internal web server.

min20403

It is important to note that both ICS and ICF must be enabled to use these forwarding capabilities.

Keeping Alert

An important aspect of any firewall solution is paying attention to the traffic across your firewall. Any security solution that you put in place must be monitored to insure effectiveness. The Internet Connection Firewall has a security logging feature that can be enabled to log all dropped packets (denied), all successful connections or both. You should turn on security logging and periodically look over the logs to check for attacks..

Internet Connection Sharing and the Internet Connection Firewall provide a powerful and cost efficient solution to protect small networks both at home and in the office. Although with very little time and effort, you can put a solution in place to protect your network from most attacks, careful planning should be employed to maximize your security defenses. The Internet Connection Firewall and Internet Connection Sharing services are valuable pieces of an overall security puzzle, but should not be relied on as a sole means of defense. Using strong passwords, virus protection, and implementing physical security are some examples of additional steps that you should take to maximize your security.