Ask Us About...Security October 30, 2001

Archived content. No warranty is made as to technical accuracy. Content may contain URLs that were valid when originally published, but now link to sites or pages that no longer exist.

Protecting Yourself Online

by Steve Riley

Got a cable modem or DSL or satellite connection? Are you using a personal firewall? If not, then stop what you're doing and read this article right now. That high-speed connection of yours is great—no more waiting for modems to connect or enduring the pain of large downloads—always-on connections will change the way you use the Internet at home. But did you realize that always-on Internet connections are juicy targets for bad guys looking to take over your computer? If you don't take a moment to secure your computer, it most likely will become the target of attack.

On This Page

The Problem
Windows XP's Internet Connection Firewall
Personal Firewalls for Other Versions of Windows
Defense in Depth

The Problem

An always-on Internet connection is a tempting target for an attacker. Dial-up connections are hard for attackers to use effectively: they're slow and usually brief, and the connection's IP address is different each time you call. Cable, DSL, and satellite connections don't have these same limitations. Because your IP address doesn't change (or changes only rarely), your fast permanent connection to the Internet is quite attractive: the attacker can return to your computer again and again. Some attackers just want to make life hard for you and crash your computer or look through your files for personal information. Others might be looking for computers connected (perhaps over a virtual private network) to corporate networks; a compromised home computer becomes an advertised yet unwitting gateway between the attacker and his/her target. Still others might be amassing hundreds or thousands of home computers from which to launch a distributed attack against a single computer somewhere else on the Internet. Permanent high-speed connections make all of these possible for malicious attackers.

Historically, protecting a computer from attack meant investing lots of time and money in additional hardware and software. While this makes sense for business networks, small home networks and individual users don't need this kind of protection and probably don't really care to spend all their copious free time maintaining it. Over the past couple of years a new form of software-based protection has emerged: the personal firewall. These low-cost (sometimes free) programs create a barrier around your personal computer that makes it quite difficult for someone to penetrate. In this article you'll read about the Internet Connection Firewall included in Windows XP and third-party personal firewalls that run on Windows 2000, Windows Millennium Edition, Windows 98, and Windows 95.

It's important to understand one thing, however. No firewall—whether a small free personal firewall or a multiple-thousand dollar enterprise firewall array—will make your computers impervious to attack. Firewalls, like locks and walls and moats and dragons, create barriers to attack—they get in the way of someone trying to take control. By making it difficult for an attacker to get into your computer, by making him/her invest lots of time, you become uninteresting. Personal firewalls very effectively block most bad guys from getting anywhere. But it is impossible to fully prevent all intrusion: all software has bugs, and someone might find an obscure bug in your firewall that allows them to pass through. Don't let this discourage you from installing a firewall, though! Besides using an up-to-date virus scanner, a personal firewall on your always-on home computer is one of the most effective ways to keep yourself—and your Internet neighbors—protected.

Windows XP's Internet Connection Firewall

Windows XP includes a new feature called the Internet Connection Firewall (ICF). It's on Windows XP Home and Professional editions, and will also be on Windows Server 2003. Following are three different definitions of ICF.

  • A simple definition. ICF allows outgoing communications that originate from your computer (and the corresponding incoming replies) while blocking everything else.

  • For the technically curious. ICF is a stateful-inspection packet filter. Here's a brief description of how it works, using web surfing as an example:

    1. You enter a URL in your browser.

    2. Your computer sends a request out to the Internet, addressed to the destination web server.

    3. ICF sees that traffic is leaving your computer; it remembers the specifics of the connection.

    4. The web server creates a reply, addresses it to you, and sends it back.

    5. ICF sees the incoming traffic and compares its specifics to what it saw before. If they match, ICF allows the reply through. This is the "statefulness" of stateful-inspection.

    6. Your browser displays the page you requested.

  • For those who live and breathe TCP/IP. ICF's engine uses addresses, ports, sequence numbers, and flags in its state table. For TCP, the outgoing request must have only the "SYN" flag turned on; incoming replies must have only the "ACK" and "SYN" flags turned on; the next outgoing packet must have only the "ACK" flag turned on. If this sequence is violated, ICF terminates the connection. Also, ICF will drop any incoming packet (including "ACK-SYN") that can't be associated with (using addresses, ports, and sequence numbers) a previous outgoing "ACK." ICF also drops any incoming unsolicited "SYN" unless it matches a user-defined exception (see the next section). When ICF discards packets, it does so silently; it never returns an "RST."

ICF "forgets" about a particular state between the client and a server when:

  • It sees a special connection-termination sequence for TCP-based communications ("ACK-FIN," "ACK," "ACK-FIN," and "ACK")

  • A period of inactivity (a "timeout") passes for UDP-based communications

Essentially, ICF only allows in that which is a reply to a previous request that went out. ICF blocks and discards all other incoming traffic. It seems simple, but it's an extremely effective method for protecting a computer. Even enterprise-class firewalls operate with the same basic principle. This method means that ICF blocks these kinds (among others) of potentially dangerous communications:

  • Scans. Attackers often scan computers looking for vulnerabilities, especially the popular well-known cable modem subnets. Because incoming scans are "unsolicited" (that is, don't match something in ICF's traffic memory), they're blocked.

  • Many (but not all) Trojans. Say you get infected with a Trojan horse program. Many of these announce their existence to some database somewhere. If an attacker tries to connect to the Trojan on your computer, ICF will block it. Note that this applies only to Trojans in which the attacker makes the first connection to the infected computer; other Trojans that make the first connection to the attacker will open a connection in ICF's memory, allowing the attacker to reply. This is why you need a virus scanner in addition to ICF—good-quality virus scanners also prevent you from getting infected with Trojans in the first place.

  • File sharing and anonymous connections. Windows networking is intended to allow easy file sharing between computers; anonymous connections are used for discovering a computer's name and list of available file shares. Of course, on the Internet you really don't want to do this; ICF prohibits these kinds of connections.
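The mechanics described above, as an added toy model in Python (not Microsoft's code and not ICF's actual implementation): a state table keyed on addresses and ports, the "SYN" / "ACK-SYN" / "ACK" sequence, silent drops of anything unsolicited unless an exception for the local port exists (the Services-tab exceptions described under Making Exceptions), the four-packet termination sequence, and a UDP idle timeout. Sequence numbers are left out, and the state names, the timeout value and every address and port are assumptions of the example.

```python
# Toy stateful-inspection filter following the article's description of ICF. Added
# illustration, not Microsoft's code: states, timeout, addresses and ports are constructed.
from collections import namedtuple
Pkt = namedtuple("Pkt", "proto remote rport lport flags", defaults=[frozenset()])  # flags: frozenset
A = "*"   # rule applies in either direction
TCP_RULES = [   # (state, direction, TCP flags, next state); None = forget the connection
    ("NEW", "out", {"SYN"}, "SYN_SENT"),                # we initiate
    ("SYN_SENT", "in", {"SYN", "ACK"}, "SYNACK_RCVD"),
    ("SYNACK_RCVD", "out", {"ACK"}, "ESTABLISHED"),
    ("NEW", "in", {"SYN"}, "SYN_RCVD"),                 # reachable only via an exception
    ("SYN_RCVD", "out", {"SYN", "ACK"}, "SYNACK_SENT"),
    ("SYNACK_SENT", "in", {"ACK"}, "ESTABLISHED"),
    ("ESTABLISHED", A, {"ACK"}, "ESTABLISHED"),         # data segments
    ("ESTABLISHED", A, {"ACK", "FIN"}, "FIN_1"),        # termination sequence:
    ("FIN_1", A, {"ACK"}, "FIN_1_ACKED"),               #   ACK-FIN, ACK,
    ("FIN_1_ACKED", A, {"ACK", "FIN"}, "FIN_2"),        #   ACK-FIN, ACK
    ("FIN_2", A, {"ACK"}, None),
]
TCP_NEXT = {(s, d, frozenset(f)): n for s, d, f, n in TCP_RULES}

class ToyICF:
    UDP_TIMEOUT = 30.0   # assumed idle timeout for UDP entries (seconds)
    def __init__(self, exceptions=()):
        self.exceptions = set(exceptions)   # e.g. {("tcp", 80)} for the "Web Server" entry
        self.table = {}   # (proto, remote, rport, lport) -> TCP state or UDP last-seen time

    def filter(self, p, direction, now=0.0):
        """direction is "out" or "in"; True = pass, False = silently dropped (no RST)."""
        k = (p.proto, p.remote, p.rport, p.lport)   # remote = Internet side, lport = ours
        if p.proto == "udp":
            seen = self.table.get(k)
            if direction == "in" and (seen is None or now - seen > self.UDP_TIMEOUT):
                self.table.pop(k, None)          # unsolicited or timed out
                return False
            self.table[k] = now                  # outgoing creates, any traffic refreshes
            return True
        cur = self.table.get(k, "NEW")
        if direction == "in" and cur == "NEW" and ("tcp", p.lport) not in self.exceptions:
            return False                         # no state and no exception: dropped
        nxt = TCP_NEXT.get((cur, direction, p.flags), TCP_NEXT.get((cur, A, p.flags), "BAD"))
        if nxt == "BAD":
            self.table.pop(k, None)              # sequence violated: terminate and drop
            return False
        self.table[k] = nxt
        if nxt is None:
            del self.table[k]                    # termination sequence complete
        return True
def web_surf(fw, server="203.0.113.5", lport=3000):   # the article's web-surfing walkthrough
    steps = (({"SYN"}, "out"), ({"SYN", "ACK"}, "in"), ({"ACK"}, "out"), ({"ACK"}, "in"))
    return [fw.filter(Pkt("tcp", server, 80, lport, frozenset(f)), d) for f, d in steps]
```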

Enabling ICF

Since ICF is integrated into the TCP/IP stack on Windows XP, enabling it is as simple as selecting a checkbox. Follow these steps:

  1. Open Network Connections in Control Panel.

  2. Right-click the network connection you want to protect. Usually this will be called "Local Area Connection" unless you've renamed it.

  3. Choose Properties in the pop-up menu and click the Advanced tab in the dialog.

  4. Select Protect my computer and network by limiting or preventing access to this computer from the Internet.

That's really all there is. You don't need to reboot or do anything else; ICF is now running.

If you have a home network where one computer is running Internet Connection Sharing, you'll want to enable ICF on at least that computer. Optionally, for additional security, you can run ICF on all the other computers behind the one sharing the connection, but this will prevent you from sharing files between the computers in your home network.

Making Exceptions

You might want to run a web server on your computer. If so, then you need to allow incoming connection requests so that people can view your web pages. ICF allows you to make exceptions for certain kinds of incoming traffic; you can also define your own.

Once you've enabled ICF, the Settings button in the dialog becomes active. This is where you can configure a number of ICF options, including the exceptions for incoming connections. On the Services tab there are predefined exceptions for several services which will allow incoming connections on the specified ports:

Service                              Port
FTP server                           21/tcp
IMAP3 server                         220/tcp
IMAP4 server                         143/tcp
SMTP server                          25/tcp
POP3 server                          110/tcp
Remote desktop (Terminal Services)   3389/tcp
SSL web server                       443/tcp
Telnet server                        23/tcp
Web server                           80/tcp

Selecting any of these services tells ICF to allow incoming connections to your computer on the corresponding port. (The first packet must have only the "SYN" flag set or it will get dropped and the connection from the outside computer will fail.)

Say you have only one computer at home and you want to run a web server on it. Simply select Web Server (HTTP) in the list. Now ICF will allow incoming connections to the web server service on your computer, while still blocking all other non-allowed traffic. But instead say you have one computer running Internet Connection Sharing (call this the "gateway computer") and you've turned on ICF here, but you want to run your web server on a different computer on your home network. ICF allows this scenario. After you select Web Server (HTTP), click Edit. Enter the name or IP address of the computer running the web server. People on the Internet will make their web requests to your gateway computer, and when ICF sees those incoming requests, it redirects them to the computer you specified.

You can also create your own exceptions. You'll need to do this if you want to allow things like incoming NetMeeting or Windows Messenger audio/video connections, to play games over the Internet, or to use the file-sharing capabilities of many instant messenger programs. To create a custom exception:

  1. On the Services tab, click Add.

  2. Enter a description of the service. This can be anything you want.

  3. Enter the name or IP address of the computer running the service. If the service is on the same computer as ICF, just enter localhost.

  4. In External port number for this service, enter the port number associated with the service you're running. If you don't know this number, you can find it in the help that comes with the software. (There are thousands of well-known and not-so-well-known ports; it's impossible to list them all here.)

  5. Select the appropriate protocol, either TCP or UDP. Again, consult your software's help. Generally, most software uses TCP; some multimedia programs use UDP.

  6. Enter the same port number in Internal port number for this service. (ICF supports "port redirection"; this is one of those things that you know how to do if you need it but very few people ever will.)

You don't need to disable and re-enable ICF after turning on exceptions—they take effect immediately.

Logging Activity

ICF doesn't display on-screen alerts when it blocks traffic. It does, however, log its activity to a file. The Security Logging tab allows you to configure how the logging works. Ordinarily ICF will log dropped packets (incoming traffic that ICF blocked) in %WINDIR%\pfirewall.log. You can:

  • Disable logging

  • Log successful connections in both directions—this is just the connection that's logged, not every single packet

  • Change the location of the log file

  • Change the maximum log file size. When the maximum is reached, existing log entries in the file are deleted, starting with the oldest

The entries in the log file are space- and tab-delimited; you can import the file into Excel to make it easier to read.
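Beyond importing the file into Excel, you can tally it with a few lines of code. The following is an added Python example (not from the article) that counts dropped packets per source address and flags a source that probed several different ports, the scan pattern ICF silently blocks. It assumes the log opens with a W3C-style "#Fields:" header naming its whitespace-separated columns (an assumption about the format, which the article does not spell out); the sample entries are constructed, not captured from a real machine.

```python
# Added example, not part of the article: summarise DROP entries from an ICF-style log.
# Assumption: a W3C-style "#Fields:" header names the whitespace-separated columns.
# The entries below are constructed for illustration, not real pfirewall.log output.
from collections import defaultdict

SAMPLE_LOG = """\
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags
2001-10-30 21:05:11 DROP TCP 198.51.100.9 192.0.2.10 40112 21 48 S
2001-10-30 21:05:11 DROP TCP 198.51.100.9 192.0.2.10 40113 23 48 S
2001-10-30 21:05:12 DROP TCP 198.51.100.9 192.0.2.10 40114 139 48 S
2001-10-30 21:05:12 DROP TCP 198.51.100.9 192.0.2.10 40115 445 48 S
2001-10-30 21:07:40 DROP UDP 203.0.113.77 192.0.2.10 1025 137 78 -
2001-10-30 21:09:03 OPEN TCP 192.0.2.10 203.0.113.5 3000 80 - -
"""

def parse_log(text):
    """Yield one dict per entry, keyed by the column names from the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]          # column names follow the tag
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split()))

def drops_by_source(text, scan_threshold=3):
    """For each source address with DROP entries, return (distinct ports probed,
    looks-like-a-scan).  A single address hitting several different ports is the
    scanning behaviour described under "The Problem"; OPEN entries are ignored."""
    probed = defaultdict(set)
    for entry in parse_log(text):
        if entry["action"] == "DROP":
            probed[entry["src-ip"]].add((entry["protocol"], entry["dst-port"]))
    return {ip: (len(ports), len(ports) >= scan_threshold) for ip, ports in probed.items()}
```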

Configuring ICMP

ICMP was once used extensively to communicate status information between computers. These days, pretty much only the PING utility uses ICMP. Ordinarily ICF blocks certain kinds of outgoing and incoming ICMP packets, including incoming PING ("echo") requests. This means that no one can PING you. If you want to allow your computer to respond to a PING, go to the ICMP tab and select Allow incoming echo request. Now ICF will permit the incoming PING and Windows will respond with an ICMP reply.

You might also consider allowing outgoing source quench, parameter problem, and time exceeded messages. The others present security risks and are best left disabled.

Personal Firewalls for Other Versions of Windows

ICF is a new feature in Windows XP (and Windows Server 2003). If you have an earlier version of Windows, you need to investigate and install one of the many third-party personal firewalls. This is a burgeoning market, with several different products that are constantly updated and enhanced. Your best approach would be to search for recent reviews of personal firewall products to help you decide which one to use. Try these web sites:

Also, try searching for "personal firewall reviews" with your favorite search engine.

Defense in Depth

Defense in depth is a military practice that applies directly to information security. To rely on a single piece of software or a single device to provide all protection is insufficient: compromise that single layer and there is no more security.

Protecting your home computer isn't a one-time task. You need to be diligent here: install a personal firewall, install and frequently update a virus scanner, and keep your computer up-to-date with security patches. Visit https://www.microsoft.com/technet/security/bulletin/notify.mspx and subscribe to the Microsoft Security Notification Service. When you receive notice of a security patch ("hotfix") that applies to your computer, install it right away.

Personal Firewalls and Corporate Networks

Corporate networks also employ layers of defense. Often there will be some traffic screening at the router connecting the network to the Internet, one or more enterprise-class firewalls, virus scanning engines on the e-mail servers, and some kind of intrusion detection mechanism.

An interesting bit to consider is whether personal firewalls make sense in corporate networks. Enterprise firewalls and personal firewalls operate at different defensive layers: enterprise firewalls protect entire networks, personal firewalls protect individual hosts; so in one sense, combining the two seems appropriate. Personal firewalls will, however, block certain corporate network activity: some organizations periodically scan corporate clients for conformance to password policies, for instance; personal firewalls will interfere with this operation. Firewalls like ICF that block all incoming connections will interfere with LAN-based applications that need to send notices to client computers (printer status messages and Exchange new mail notification are two examples). Your organization's security policy will need to describe whether personal firewalls are permitted and how they should be configured.

ICF in Windows XP obeys Network Location Awareness and can be disabled via Windows Server 2003 Active Directory Group Policy. Mobile users don't have to remember to enable or disable ICF as they roam about. They can leave ICF enabled, being protected while at home or traveling; at the office, group policy can disable ICF whenever a computer is attached to the corporate network.

Please send any feedback or questions regarding the content of this column to Microsoft TechNet.