The Windows Firewall (and Others)

If your machine connects to the Internet, it really should have a firewall. If it’s connected to the Internet full-time, as with a cable modem or DSL, it really really should have a firewall. Most of the people who have fallen victim to snooping attacks from the Internet are people without a firewall.

Here are three ways to get yourself a firewall:

A Hardware Firewall (Router)

A router is an inexpensive box that distributes the signal from a single cable modem (or DSL) to one, four, eight, twelve, or more computers on your network. As a delicious benefit, most routers these days contain a built-in firewall. The beauty of a hardware firewall like this is that first of all, it’s always on, and second of all, it protects the entire computer simultaneously.

In the following paragraphs, you’ll be reading about software firewalls. But a hardware firewall is even better. Some people, in fact, buy a router even if they don’t intend to share the cable modem’s signal with other PCs—they get it just for its firewall protection.

In general, in fact, you can pretty much tune out of the following firewall discussion if you’re protected by a hardware firewall. That is, unless:

  • You’re on a small-office or home network. In this case, your router will protect your network from nastiness coming in from the Internet—but a software firewall can protect your PC from other PCs on your network. If little Timmy up in his bedroom downloads some virus-infested bit of file-swapware, your machine will still be safe.

  • You use a laptop, and you travel with it. If you carry your machine around, it may be worth using a software firewall, because when you’re away from your home, you’ll no longer be protected by your router.

If you’re confident that your hardware router is all you need, then you’ll have to turn off the Windows firewall, which means whistling past a warning that says, “Turning off Windows firewall may make this computer more vulnerable to viruses and intruders.” Thanks to your router, that’s not actually true.

The Windows Firewall

Windows XP has included firewall software from the very beginning (it used to be called Internet Connection Firewall). Unfortunately, in the original Windows XP, the firewall’s factory setting was Off, and finding its deeply buried On switch required three weeks and the assistance of a sherpa. (“It’s like we gave you a car with seat belts that were really well hidden,” admits a Windows product manager. “You had to open a secret panel and press three buttons to make them appear.”)

In SP2, you can’t miss the presence of the firewall. It comes already turned on, and, if it somehow gets turned off, the Security Center offers a direct link to the Windows Firewall control panel. (Of course, you can also open it at any time by choosing Start → Control Panel → Windows Firewall.)

All about ports

Now, if you really wanted complete protection from the Internet, you could always just disconnect your PC from the modem. Of course, that might be a little too much protection; you’d be depriving yourself of the entire Internet.

Instead, you can open individual ports as necessary. Ports are authorized tunnels in the firewall that permit certain kinds of Internet traffic to pass through: one apiece for email, instant messages, streaming music, printer sharing, and so on. (Part of what made the original Windows XP so insecure was that Microsoft left a lot of these ports open, to the delight of evildoers online.)

On a computer with Service Pack 2 installed, far more of these ports are left open and exposed to the Internet than before. (Microsoft has equipped the firewall with ready-to-use tunnels for several exceptions: the Files and Settings Transfer Wizard; File and Printer Sharing; your local, in-house network; America Online; EarthLink; and your computer’s FireWire connector, if it has one.)

The Windows firewall works like this: Each time a piece of software tries to get onto the Internet, the Windows firewall will pop up a dialog box that lets you know. As shown in Figure 10-3, Windows wants to know if it’s OK for this piece of software to burrow through the firewall to go about its business. The golden rule: If you recognize the name of the software (for example, an online game), go ahead and grant permission by clicking Unblock. If you don’t (for example, PsatNetQuery.exe), click one of the other two buttons.

Note

If you’re an online gamer, you’ll be seeing a lot of this dialog box. Internet attackers were especially fond of using the ports that interactive online games open.

On the other hand, if you’re using a public PC (in a library, say), you might never be asked permission. That’s because some administrator has turned on the “Don’t allow exceptions” option shown in Figure 10-4 at top. That means, “No holes in the firewall, ever. This is a public terminal, and we can’t permit God-knows-what activity to corrupt our system.”

Figure 10-3. When a new program wants to get online, this box appears. Click Unblock to open a port through the firewall, which will close each time you finish using the program. Click Keep Blocking if you don’t even know which program is doing the asking. And click Ask Me Later if you want to deny permission this time, but you want to be asked again the next time you run the program.

If you grant permission, then each time you use that software, Windows will briefly open up a special port for that kind of activity, and then seal the port closed again when you’re finished.

The exceptions list

When that little Security Alert box opens up, there will be times when you make the wrong decision. You’ll deny permission to something that looks fishy, and then find out that one of your programs no longer works. On the other hand, maybe you’ll approve something that has a recognizable name, and then you’ll later find out that it was actually a trick—an evil program deliberately named in order to get your approval. That, unfortunately, is life in the Windows fast lane.

Fortunately, you have a second chance. At any time, you can take a look at the list of authorized holes in your Windows firewall, using the Windows Firewall control panel (Start → Control Panel → Windows Firewall). When you click the Exceptions tab, you see something like Figure 10-4 at bottom: a list of every program that has been granted an open port in the firewall.

Figure 10-4. Top: Here, in the new Windows Firewall control panel, you can turn the Windows firewall on or off. You should turn it off (despite the stern warning) if you’re using a non-Microsoft firewall (like Zone Alarm). Bottom: The Exceptions tab and the Advanced tab list all of the programs and ports that Windows Firewall is permitted to open—but only when these programs are actually requesting Internet access. These are holes in your firewall that you or Microsoft has deemed to be safe. Use the checkboxes to temporarily turn exceptions on or off; use the Delete button to get rid of them entirely.

Using this list, you can also add a program manually (rather than waiting for it to ask permission at the time of launching). To do so, click the Add Program button, and choose the program’s name from the list that appears.

Similarly, you can open individual ports by number. Click Add Port; you’ll be asked to type in a name for this exception (anything you want) and to type in the port number. In this situation, Microsoft assumes that you know the port number, either because somebody gave it to you, because the manual for some piece of software provides it, or because you’re just a super-smart geek.
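Everything the Exceptions tab does (Add Program, Add Port, the on/off checkboxes, Delete, and the “Don’t allow exceptions” option) can also be scripted with the netsh firewall context that SP2 added, which is handy when you have to set up several PCs the same way. The batch file below is an added example, not from the book; the program path, port number, and exception names are placeholders, and the scope=SUBNET setting keeps each hole open only to your own local network rather than the whole Internet.

```batch
@echo off
rem Added example (not from the book): scripted equivalents of the
rem Windows Firewall Exceptions tab on Windows XP SP2.
rem Run from a command prompt with administrator rights.

rem Make sure the firewall is on and that exceptions are permitted.
rem (exceptions=DISABLE is the "Don't allow exceptions" checkbox used
rem on public terminals; it closes every hole regardless of the list.)
netsh firewall set opmode mode=ENABLE exceptions=ENABLE

rem Add Program: allow one executable through, but only for traffic
rem from the local subnet, so the hole is not exposed to the Internet.
rem The path and name below are placeholders.
netsh firewall add allowedprogram program="C:\Program Files\ExampleApp\app.exe" name="Example App (placeholder)" mode=ENABLE scope=SUBNET

rem Add Port: open a port by number and give the exception a name.
rem Port 12345 is a placeholder; use the number the software's manual gives.
netsh firewall add portopening protocol=TCP port=12345 name="Example service (placeholder)" mode=ENABLE scope=SUBNET

rem Review the current holes: this is the same list the Exceptions tab shows.
netsh firewall show allowedprogram
netsh firewall show portopening

rem The Delete button: remove a port exception you no longer need.
netsh firewall delete portopening protocol=TCP port=12345

rem Confirm the overall state (firewall on, exceptions allowed or not).
netsh firewall show opmode
```

Review the two show commands on any machine you inherit; an exception with scope ALL that you don’t recognize deserves the same suspicion as an unfamiliar name in the Security Alert box.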

Other Software Firewalls

For all its convenience and its excellent price ($free), the Windows firewall has a significant drawback: It’s only one-way protection. It blocks attacks from the outside, but doesn’t stop spyware (once your PC has been infected) from sending data out.

That’s why many PC fans opt for a sturdier firewall, like the equally free but far superior Zone Alarm (http://www.zonelabs.com). Zone Alarm protects your PC from both incoming and outgoing data.

Unfortunately, installing a non-Microsoft firewall creates a few complications of its own. If you’re using a big-name firewall program like Zone Alarm, Windows is smart enough to take notice, turn off its own built-in firewall, and step out of the way. (Having two software firewalls is asking for trouble, as your programs may not be able to get online at all.)

But if you’re using a lesser-known firewall program, or one that you got before SP2 came out, the Security Center might not recognize it. In that case, it’s your responsibility to manually turn off the Windows firewall so it doesn’t conflict—or to update your firewall software to a version that’s Security Center savvy.
