Connecting your naked PC to the Internet is like leaving your house unlocked--eventually, someone will wander in, rifle your underwear drawer, and empty the jewelry case. To secure your system's points of entry against the Net, install one of the many free software firewalls now available, and set up a hardware-based firewall for backup.

Firewalls are difficult to understand and configure, even for experienced computer users. If you've been putting off installing a firewall, or if you aren't sure how to determine whether your firewall is protecting you fully, I'm here to explain it all.

According to Merriam-Webster, the original meaning of fire wall was "a wall constructed to prevent the spread of fire." Computer firewalls are constructed to prevent unwanted intrusions from the Internet into your PC. But unlike fire, Net threats don't leap onto your machine through mere proximity. They arise when someone exploits a combination of your PC's unique IP (Internet protocol) address and one or more of the thousands of TCP (transmission control protocol) and UDP (user datagram protocol) ports that serve as the doors to your system.

Anytime you use a browser, an e-mail program, or other software to retrieve information from a Web site, ISP, or remote server, the data flows through one or more of these ports. Whether the malefactor is a teenage hacker trying to access your PC, a bit of spyware attempting to talk to a remote server, or a Windows XP Messenger Service spam pop-up, their strategy is the same: Find an open port leading into your PC, or trick your system into opening one.

Firewalls watch these thousands of ports--present in both dial-up and broadband Internet connections--and deny access to unauthorized traffic. Hardware-based firewalls are usually integrated into router and gateway products and sit between your PC and a cable or DSL modem. Software-based firewalls run on your PC. Hardware firewalls are great for protecting a network of PCs that share a broadband connection.

More important than the router's actual firewall, however, is the fact that it usually incorporates a NAT (network address translation) server that hides your networked computers' IP addresses (and thus, their existence) from anyone outside the local network.

For this reason alone, a hardware firewall is a wise investment for broadband users, even those who have only one computer. You can obtain a four-port cable/DSL router such as Linksys's BEFSR41 or D-Link's DI-704P for just $40 to $50, and models that include a wireless access point cost only a bit more (PC World's Product Finder page lists a number of routers that are currently available).

A Firewall on Every PC
Hardware routers are highly configurable: You can usually set them to block all incoming and outgoing traffic except through a few key ports you designate. Programming an external device to protect your PC is a lot of work, however. Firewall software that runs on your PC is easier to set up and maintain. Besides blocking uninvited traffic at your ports, software firewalls can prevent programs that run on your computer (including such malefactors as Trojan horses, spyware, and backdoor software) from sending data to remote servers, and from accepting incoming connections.

If you connect to the Internet exclusively through a dial-up modem, an external, hardware-based firewall won't do you much good. A software firewall is perfect for protecting a dial-up connection. Windows XP users may be tempted to rely exclusively on the operating system's integrated Internet Connection Firewall. To enable it, click Start, Control Panel, Network Connections (in XP's Category View, first click Network and Internet Connections). Then right-click the Internet connection you want to protect, choose Properties, Advanced, put a check next to the option 'Protect my computer and network by limiting or preventing access to this computer from the Internet', and click OK.

Withhold your sigh of relief, however. Though it's better than no firewall at all--and compatible with any others you may use--XP's firewall monitors incoming connections only. Should Back Orifice, NetBus, or any other backdoor program find its way onto your PC, XP's firewall will do nothing to stop it from granting scoundrels remote access to your system.

Pick Your Freebie
I've used four no-cost firewalls on various PCs: Kerio Personal Firewall 2; Outpost Firewall Free, from Agnitum Limited; Sygate Personal Firewall 5.1; and Zone Labs' ZoneAlarm 3.7. Though they differ in the features they offer and the help they provide, all of these programs will stoutly defend your PC. A software firewall is easy to install, but it requires a brief training period as the firewall detects your browser, e-mail, network, and other programs that attempt to connect with remote servers.

All four software firewalls pop up warning dialog boxes when a program attempts to connect for the first time. You simply click the button that permits or disallows the connection. Most also provide an optional check box so you can turn your choice into a permanent, automatic firewall rule. After you've gone about your usual online business for a day or two, creating firewall rules along the way, you may not need to interact with your firewall again until you add or upgrade an Internet utility.

The trick to responding appropriately to firewall warnings and creating effective rules is knowing which programs are safe and which are not. You'll easily recognize many of the more-common applications by name--Outlook, Internet Explorer, and Netscape, for example. Other programs, however, aren't exactly household names. For example, many of Windows XP's networking features are handled by a program called svchost.exe, a fact that none of us should be expected to know (though you do now). Conversely, spyware and other unwanted pests may use safe-sounding or familiar names like "clever screensaver" that entice you to grant them network access. What's a firewall jockey to do? For starters, avoid the temptation to be lax. Instead, deny access to any program that you're at all unsure about--you'll have plenty of chances to change your mind later.

If your knowledge of which programs are safe is shaky, choose a firewall that provides more information about the program in question than just its file name. Kerio and Sygate don't offer many hints as to whether a detected program is safe, and they eschew nonfirewall bonus features. This arrangement may suit expert users, but novices will benefit from a more informative firewall.

ZoneAlarm offers a bit more information about detected programs, including a link in the warning dialog box to a description of the program in question on Zone Labs' Web site. ZoneAlarm also preconfigures itself by default to permit connections from Internet Explorer and Windows XP's svchost.exe component, minimizing the number of decisions you'll need to make about granting these applications Internet access.

Outpost's pop-up dialog box creates a permanent rule for you by default, but you can opt out of the rule by clicking the Allow once or Block once buttons instead. Despite being laden with nifty features such as ad and pop-up blocking and e-mail attachment protection, Outpost provides the same minimal information about the detected program as do Kerio and Sygate.

Fine-Tuning Filters
Once you've completed the basic firewall configuration, you may want to change, delete, or fine-tune the rules you created. All four of these firewalls maintain a list of rules or known programs.

Kerio: Right-click the program's system tray icon and choose Administration, Firewall, Advanced. In the list of known programs, select the program whose filter rule you want to modify, and click Edit to open the 'Filter rule' dialog box. To switch the program's basic default status, select either Permit or Deny at the bottom of the dialog box. Other options let you restrict the remote server IP addresses and incoming and outgoing ports that the program uses. If you know what those are and why you'd want to specify them, you're probably reading this column just to see what errors it contains. The rest of us can live with the default settings. Click OK to save any changes.

Outpost: Right-click the program's system tray icon and choose Options, Application. Select a program in the list of blocked, partially allowed, and trusted applications, and click Edit. Choose Always block this app or Always trust this app to move it to the appropriate category. Your best step, however, may be to select a trusted application and move it to the partially blocked list (by clicking Edit and choosing Create rules using preset, Browser, for example); this maneuver grants the program Internet access, but under a constrained set of rules. The browser rule set (Outpost also comes with rules for e-mail, instant messaging, and other programs) limits an app to the handful of inbound and outbound protocols (TCP or UDP) and ports needed by a Web browser, thereby minimizing the damage a malicious Web site or HTML e-mail message can do.

Sygate: To change program rules, right-click Sygate's system tray icon and choose Applications. In the list of known applications, right-click the program whose rule you want to modify, and choose either Allow or Block. Choosing Ask tells Sygate to prompt you to allow or deny Internet access every time the program seeks it.

ZoneAlarm: To modify program permissions, right-click the ZoneAlarm system tray icon and choose Restore ZoneAlarm Control Center (or just switch to it, if it's already running). Select Program Control on the left, and then select the Programs tab at the upper-right. To change one of the program's four settings (the ability to access remote servers or to act as a server itself in both the Internet and Trusted Zones), click the check mark (allowing access), the X (blocking access), or the question mark (instructing ZoneAlarm to ask you each time the program seeks access); then choose a new default action from the pop-up menu.

Working With Windows Networks
Another setting you may want to change, or at least check, is how your firewall works with networks of Windows PCs:

Kerio: By default, this firewall disables Windows networking; once you enable it, other PCs on the local Windows network can access your shared folders and printers only after you enter their IP addresses. To allow access to a particular PC, right-click Kerio's system-tray icon and choose Administration, Microsoft Networking. To enter a single trusted address, click Add, select Single address in the 'Address type' list, enter the allowed IP address in the 'Host address' field, and click OK. If your Windows network is shielded from the Internet by a router-based firewall that blocks the Windows Networking UDP ports (137-139), you can safely allow any computer on the local network to access your shared files and printers by unchecking From Trusted Addresses Only and clicking OK.

Outpost: Right-click Outpost's system-tray icon, choose Options, System, check Allow NetBios communication, and click OK. If your computer connects directly to the Internet, leave this option unchecked to avoid broadcasting your PC's existence beyond the firewall.

Sygate: By default, Sygate allows other PCs on a Windows network to browse--but not access--your files and printers. To enable sharing, right-click the firewall's system tray icon and choose Options, Network Neighborhood. From the drop-down list, select the network interface you use to connect to the Windows network, check Allow others to share my files and printer(s), and click OK. Sygate's default setting allows only PCs on the local network to browse and access your files and printers (choose the Security tab to view this and other settings).

ZoneAlarm: This firewall grants file and printer sharing access to trusted computers by default--all you have to do is fill in the IP addresses of those machines. To do so, right-click the ZoneAlarm system-tray icon and choose Restore ZoneAlarm Control Center (or just switch to it, if it's already running). Select Firewall on the left, and then choose the Zones tab at the upper-right. Click Add, IP Address, enter the IP address of the system you want to add to the Trusted Zone, and click OK.

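As an added example (not part of the original column or of any of the four products), here are the three policies the column describes for XP's inbound-only firewall, Outpost's Browser preset, and Kerio's trusted addresses / ZoneAlarm's Trusted Zone, expressed as rules for the Windows Defender Firewall through the NetSecurity PowerShell cmdlets available on Windows 8 / Server 2012 and later; the browser path is an assumed placeholder.

```powershell
# Added example, not the column's own code: Windows Defender Firewall
# equivalents (NetSecurity module, Windows 8 / Server 2012 and later) of
# three settings the column describes. Run from an elevated PowerShell prompt.
# The browser path is an assumed placeholder; point it at your own browser.
$browser = 'C:\Program Files\Mozilla Firefox\firefox.exe'

# 1. XP's Internet Connection Firewall watched incoming connections only.
#    Blocking outbound traffic by default means a backdoor or spyware program
#    cannot reach a remote server unless a rule explicitly permits it.
Set-NetFirewallProfile -Profile Domain,Private,Public `
    -DefaultInboundAction Block -DefaultOutboundAction Block

# 2. Equivalent of Outpost's "Browser" preset: the browser may open outbound
#    TCP connections to the Web ports and send UDP name lookups to DNS;
#    any other protocol or port it tries is caught by the default above.
New-NetFirewallRule -DisplayName 'Browser - HTTP/HTTPS' -Direction Outbound `
    -Program $browser -Protocol TCP -RemotePort 80,443 -Action Allow
New-NetFirewallRule -DisplayName 'Browser - DNS' -Direction Outbound `
    -Program $browser -Protocol UDP -RemotePort 53 -Action Allow

# 3. Equivalent of Kerio's trusted addresses / ZoneAlarm's Trusted Zone:
#    accept file and printer sharing (NetBIOS: UDP 137-138, TCP 139) only
#    from machines on the local subnet, so the shares stay invisible from
#    the Internet.
New-NetFirewallRule -DisplayName 'NetBIOS name/datagram - LAN only' `
    -Direction Inbound -Protocol UDP -LocalPort 137,138 `
    -RemoteAddress LocalSubnet -Action Allow
New-NetFirewallRule -DisplayName 'NetBIOS session - LAN only' `
    -Direction Inbound -Protocol TCP -LocalPort 139 `
    -RemoteAddress LocalSubnet -Action Allow

# Check what was created; Direction and Action should match the comments above.
Get-NetFirewallRule -DisplayName 'Browser - *','NetBIOS *' |
    Format-Table DisplayName, Direction, Action
```

Blocking outbound traffic by default also stops Windows components such as svchost.exe (Windows Update, the DNS client) until you add allow rules for them, which is the same allow-or-deny decision-making the column describes for the third-party firewalls.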
Revision Control: Firewall Free-for-All

With nothing to lose and everything to gain, you should install one of these free firewalls on your PC.

Kerio Personal Firewall 2: The perfect firewall freebie for power users, Kerio Personal Firewall 2 lets you fine-tune application rules to restrict access to and from specific IP addresses and ports; 2MB.

Outpost Firewall Free: Agnitum's no-cost firewall brims with extra features, including ad and pop-up blockers, Web site content filtering, mail attachment filtering, and a surf-speeding DNS cache; 2.5MB.

Sygate Personal Firewall 5.1: Sygate's no-frills interface provides fine-grained control over how and when applications can connect to remote servers; 5.2MB.

ZoneAlarm 3.7.202: Zone Labs' novice-friendly firewall includes a mail-scanning feature that quarantines dangerous Visual Basic Script (.vbs) attachments; 3.6MB.

Send your questions and tips to nettips@spanbauer.com. We pay $50 for published items. Scott Spanbauer is a contributing editor for PC World.