Internet Tips: Ultimate Network Security--How to Install a Firewall

Connecting your naked PC to the Internet is like leaving your house unlocked--eventually, someone will wander in, rifle your underwear drawer, and empty the jewelry case. To make your system's points of entry more Net secure, install one of the many free software firewalls now available, and set up a hardware-based firewall for backup.

Firewalls are difficult to understand and configure, even for experienced computer users. If you've been putting off installing a firewall, or if you aren't sure how to determine whether your firewall is protecting you fully, I'm here to explain it all.

According to Merriam-Webster, the original meaning of fire wall was "a wall constructed to prevent the spread of fire." Computer firewalls are constructed to prevent unwanted intrusions from the Internet into your PC. But unlike fire, Net threats don't leap onto your machine through mere proximity. They arise when someone exploits a combination of your PC's unique IP (Internet protocol) address and one or more of the thousands of TCP (transmission control protocol) and UDP (universal datagram protocol) ports that serve as the door to your system.

Anytime you use a browser, an e-mail program, or other software to retrieve information from a Web site, ISP, or remote server, the data flows through one or more of these ports. Whether the malefactor is a teenage hacker trying to access your PC, a bit of spyware attempting to talk to a remote server, or a Windows XP Messenger Service spam pop-up, their strategy is the same: Find an open port leading into your PC, or trick your system into opening one.

Firewalls watch these thousands of ports--present in both dial-up and broadband Internet connections--and deny access to unauthorized traffic. Hardware-based firewalls are usually integrated into router and gateway products and sit between your PC and a cable or DSL modem. Software-based firewalls run on your PC. Hardware firewalls are great for protecting a network of PCs that share a broadband connection.

More important than the router's actual firewall, however, is the fact that it usually incorporates an NAT (network address translation) server that hides your networked computers' IP addresses (and thus, their existence) from anyone outside the local network.

For this reason alone, a hardware firewall is a wise investment for broadband users, even those who have only one computer. You can obtain a four-port cable/DSL router such as Linksys's BEFSR41 or D-Link's DI-704P for just $40 to $50, and models that include a wireless access point cost only a bit more (PC World's Product Finder page lists a number of routers that are currently available ).

A Firewall on Every PC

Hardware routers are highly configurable: You can usually set them to block all incoming and outgoing traffic except through a few key ports you designate. Programming an external device to protect your PC is a lot of work, however. Firewall software that runs on your PC is easier to set up and maintain. Besides blocking uninvited traffic at your ports, software firewalls can prevent programs that run on your computer (including such malefactors as Trojan horses, spyware, and backdoor software) from sending data to remote servers, and from accepting incoming connections.

If you connect to the Internet exclusively through a dial-up modem, an external, hardware-based firewall won't do you much good. A software firewall is perfect for protecting a dial-up connection. Windows XP users may be tempted to rely exclusively on the operating system's integrated Internet Connection Firewall. To enable it, click Start, Control Panel, Network Connections (in XP's Category View, first click Network and Internet Connections). Then right-click the Internet connection you want to protect, choose Properties, Advanced, put a check next to the option Protect my computer and network by limiting or preventing access to this computer from the Internet, and click OK (see FIGURE 1

FIGURE 1: Enable Windows XP's firewall, but only until you install a better one.
).

Withhold your sigh of relief, however. Though it's better than no firewall at all--and compatible with any others you may use--XP's firewall monitors incoming connections only. Should Back Orifice, NetBus, or any other backdoor program find its way onto your PC, XP's firewall will do nothing to stop it from granting scoundrels remote access to your system.

Pick Your Freebie

I've used four no-cost firewalls on various PCs: Kerio Personal Firewall 2; Outpost Firewall Free, from Agnitum Limited; Sygate Personal Firewall 5.1; and Zone Labs' ZoneAlarm 3.7. Though they differ in the features they offer and the help they provide, all of these programs will stoutly defend your PC (see "Firewall Free-for-All" below for download and feature details). A software firewall is easy to install, but it requires a brief training period as the firewall detects your browser, e-mail, network, and other programs that attempt to connect with remote servers.

All four software firewalls pop up warning dialog boxes when a program attempts to connect for the first time. You simply click the button that permits or disallows the connection. Most also provide an optional check box so you can turn your choice into a permanent, automatic firewall rule (see FIGURE 2

FIGURE 2: Opt for a permanent rule to tell the firewall when not to ask for permission.
). After you've gone about your usual online business for a day or two, creating firewall rules along the way, you may not need to interact with your firewall again until you add or upgrade an Internet utility.

The trick to responding appropriately to firewall warnings and creating effective rules is knowing which programs are safe and which are not. You'll easily recognize many of the more-common applications by name--Outlook, Internet Explorer, and Netscape, for example. Other programs, however, aren't exactly household names. For example, many of Windows XP's networking features are handled by a program called svchost.exe, a fact that none of us should be expected to know (though you do now). Conversely, spyware and other unwanted pests may use safe-sounding or familiar names like "clever screensaver" that entice you to grant them network access. What's a firewall jockey to do? For starters, avoid the temptation to be lax. Instead, deny access to any program that you're at all unsure about--you'll have plenty of chances to change your mind later.

If your knowledge of which programs are safe is shaky, choose a firewall that provides more information about the program in question than just its file name. Kerio and Sygate don't offer many hints as to whether a detected program is safe, and they eschew nonfirewall bonus features. This arrangement may suit expert users, but novices will benefit from a more informative firewall.

ZoneAlarm offers a bit more information about detected programs, including a link in the warning dialog box to a description of the program in question on Zone Labs' Web site (see FIGURE 3

FIGURE 3: ZoneAlarm alerts you the first time a program tries to access the Web.
). ZoneAlarm also preconfigures itself by default to permit connections from Internet Explorer and Windows XP's svchost.exe component, minimizing the number of decisions you'll need to make about granting these applications Internet access.

Outpost's pop-up dialog box creates a permanent rule for you by default, but you can opt out of the rule by clicking the Allow once or Block once buttons instead. Despite being laden with nifty features such as ad and pop-up blocking and e-mail attachment protection, Outpost provides the same minimal information about the detected program as do Kerio and Sygate.

Fine-Tuning Filters

Once you've completed the basic firewall configuration, you may want to change, delete, or fine-tune the rules you created. All four of these firewalls maintain a list of rules or known programs.

Kerio: Right-click the program's system tray icon and choose Administration, Firewall, Advanced. In the list of known programs, select the program whose filter rule you want to modify, and click Edit to open the 'Filter rule' dialog box. To switch the program's basic default status, select either Permit or Deny at the bottom of the dialog box. Other options let you restrict the remote server IP addresses and incoming and outgoing ports that the program uses. If you know what those are and why you'd want to specify them, you're probably reading this column just to see what errors it contains. The rest of us can live with the default settings. Click OK to save any changes.

Outpost: Right-click the program's system tray icon and choose Options, Application. Select a program in the list of blocked, partially allowed, and trusted applications, and click Edit. Choose Always block this app or Always trust this app to move it to the appropriate category. Your best step, however, may be to select a trusted application and move it to the partially blocked list (by clicking Edit and choosing Create rules using preset, Browser, for example); this maneuver grants the program Internet access, but under a constrained set of rules. The browser rule set (Outpost also comes with rules for e-mail, instant messaging, and other programs) limits an app to the handful of inbound and outbound protocols (TCP or UDP) and ports needed by a Web browser, thereby minimizing the damage a malicious Web site or HTML e-mail message can do.

Sygate: To change program rules, right-click Sygate's system tray icon and choose Applications. In the list of known applications, right-click the program whose rule you want to modify, and choose either Allow or Block. Choosing Ask tells Sygate to prompt you to allow or deny Internet access every time the program seeks it.

ZoneAlarm: To modify program permissions, right-click the ZoneAlarm system tray icon and choose Restore ZoneAlarm Control Center (or just switch to it, if it's already running). Select Program Control on the left, and then select the Programs tab at the upper-right. To change one of the program's four settings (the ability to access remote servers or to act as a server itself in both the Internet and Trusted Zones), click the check mark (allowing access), the X (blocking access), or the question mark (instructing ZoneAlarm to ask you each time the program seeks access); then choose a new default action from the pop-up menu.

Working With Windows Networks

Another setting you may want to change, or at least check, is how your firewall works with networks of Windows PCs:

Kerio: By default, this firewall disables Windows networking because enabling it would allow other PCs on the local Windows network to access your shared folders and printers only after you entered their IP addresses. To allow access to a particular PC, right-click Kerio's system-tray icon and choose Administration,Microsoft Networking. To enter a single trusted address, click Add, select Single address in the 'Address type' list, enter the allowed IP address in the 'Host address' field, and click OK. If your Windows network is shielded from the Internet by a router-based firewall that blocks the Windows Networking UDP ports (137-139), you can safely allow any computer on the local network to access your shared files and printers, by unchecking From Trusted Addresses Only and clicking OK.

Outpost: Right-click Outpost's system-tray icon, choose Options,System, check Allow NetBios communication, and click OK. If your computer connects directly to the Internet, leave this option unchecked to avoid broadcasting your PC's existence beyond the firewall.

Sygate: By default, Sygate allows other PCs on a Windows network to browse--but not access--your files and printers. To enable sharing, right-click the firewall's system tray icon and choose Options,Network Neighborhood. From the drop-down list, select the network interface you use to connect to the Windows network, check Allow others to share my files and printer(s), and click OK. Sygate's default setting allows only PCs on the local network to browse and access your files and printers (choose the Security tab to view this and other settings).

ZoneAlarm: This firewall grants file and printer sharing access to trusted computers by default--all you have to do is fill in the IP addresses of those machines. To do so, right-click the ZoneAlarm system-tray icon and choose Restore ZoneAlarm Control Center (or just switch to it, if it's already running). Select Firewall on the left, and then choose the Zones tab at the upper-right. Click Add,IP Address, enter the IP address of the system you want to add to the Trusted Zone, and click OK.

Revision Control: Firewall Free-for-All

With nothing to lose and everything to gain, you should install one of these free firewalls on your PC.

Kerio Personal Firewall 2: The perfect firewall freebie for power users, Kerio Personal Firewall 2 lets you fine-tune application rules to restrict access to and from specific IP addresses and ports; 2MB.

Outpost Firewall Free: Agnitum's no-cost firewall brims with extra features, including ad and pop-up blockers, Web site content filtering, mail attachment filtering, and a surf-speeding DNS cache; 2.5MB.

Sygate Personal Firewall 5.1: Sygate's no-frills interface provides fine-grained control over how and when applications can connect to remote servers; 5.2MB.

ZoneAlarm 3.7.202: Zone Labs' novice-friendly firewall includes a mail-scanning feature that quarantines dangerous Visual Basic Script (.vbs) attachments; 3.6MB.

Send your questions and tips to nettips@spanbauer.com. We pay $50 for published items. Click here for more Internet Tips. Scott Spanbauer is a contributing editor for PC World.

Subscribe to the Security Watch Newsletter

Comments