Security

Configure IT Quick: WinXP's Internet Connection Firewall

Learn how to enable and configure Windows XPs Internet Connection Firewall.


With the advent of broadband, an increasing number of homes and small businesses are finding it easy to connect their LANs to the Internet. While this provides many outstanding benefits, it does increase the possibility of your network being attacked by unlawful users with malicious intentions. To help you thwart such an attack, Microsoft has integrated an Internet Connection Firewall (ICF) software package with its latest operating system, Windows XP. In this Daily Feature, I’ll show you how to enable and configure the ICF to effectively protect your home or small-business network from hackers looking to wreak havoc on an unsuspecting LAN.

Enabling the Windows XP ICF

Figure A


Enabling the ICF is a straightforward process. First, access the Local Area Connection Properties in Windows XP. Right-click the My Network Places icon, select Properties, right-click the Local Area Connection icon, and then select Properties. In the Local Area Connection Properties dialog box, click on the Advanced tab. As shown in Figure A, enabling the ICF is as simple as selecting the option and clicking OK.

When the ICF is enabled, a red border will surround the Local Area Network icon. At this point, the software will be active, using the default configuration settings to protect your system from intruders.

Configuring the Windows XP ICF

Figure B
You’ll use these four tabs to configure the ICF for your environment.


After enabling the ICF, you’ll need to configure it for your computing environment. Click on the Settings button located in the lower-right corner of the dialog box where you enabled the firewall (see Figure A) to gain access to the four tabs in the Advanced Settings dialog box: Services, Programs, Security Logging, and ICMP (see Figure B).

Services tab
The Services tab allows you to select the network services that users located outside of your network can use. For example, if you would like to host your own Web site, you can select the Web Server (HTTP) service, allowing users to access the site from the Internet. If you have an e-business with a secure site to collect payment information, you would also want to select the Secure Web Server (HTTPS) service.

Figure C
When you click OK, the new service will be displayed in the Services list.


In addition to the default services, you can add a service. Click the Add button, which will open the Service Settings dialog box, shown in Figure C. Enter a descriptive name for the service, the IP address of the computer that is hosting the service on your network, and the TCP or UDP port that this service uses.

Once you have decided which services to select, you must provide the IP address of the network computer that is hosting the service. Highlight the service, click the Edit button, and enter the IP address in the appropriate field. The Service Settings dialog box will look like the one shown in Figure C, except the description and default TCP or UDP port will be filled in and cannot be changed. If you’re using a different port number, you’ll have to add the service. To do so, click on the Add button on the Services tab. You’ll be presented with a window similar to the one in Figure C, where you can enter the appropriate information.

Programs tab

Figure D
You might use this feature to allow access to programs that are hosted on your network.


The Programs tab, shown in Figure D, allows you to make a program available to users who are located outside of your network.

Figure E


To add a program to the ICF, click the Add button on the Programs tab. The Program Settings dialog box will be presented, as shown in Figure E. You must enter a description of the program, the TCP or UDP server port number, and the TCP or UDP port range that the program will use. To modify an existing program configuration, you must highlight the appropriate program and click the Edit button on the Programs tab.

Security Logging tab

Figure F
You can select the location to store the log file as well as specify a size limit for the log file.


The Security Logging tab allows you to configure the firewall logging functions. As shown in Figure F, you can log the unsuccessful inbound connection attempts and the successful outbound connections.

ICMP tab

Figure G


The ICMP tab, shown in Figure G, lets you configure how the computer will share information with other computers on the network or Internet using the Internet Control Message Protocol. The descriptions of each request option are as follows:
  • Allow Incoming Echo Request allows the computer to respond to another machine that has sent a ping command.
  • Allow Incoming Timestamp Request will reply to each message that the computer receives with a confirmation message that includes a timestamp.
  • Allow Incoming Mask Request allows the computer to listen for and respond to requests for more information about its public network.
  • Allow Incoming Router Request lets the computer share information about the routers that it recognizes.
  • Allow Outgoing Destination Unreachable causes the computer to display a destination unreachable message when it doesn’t receive information coming from the Internet.
  • Allow Outgoing Source Quench will ask the sender to reduce the rate at which it is sending data when the computer can’t keep up with the amount of data being received.
  • Allow Outgoing Parameter Problem causes the computer to discard data with a bad header and display a bad header error message.
  • Allow Outgoing Time Exceeded allows the computer to reply with a timeout message when the computer discards a message due to a timeout.
  • Allow Redirect lets the data that the computer sends be rerouted if the default route changes.

Conclusion
The Windows XP ICF is a solid product and, when configured correctly, it does a very good job of protecting your home or small-business network from external attacks. However, one major flaw that ICF has is that it doesn’t stop traffic to outbound Internet connections. This missing piece could allow a hacker to remotely control a network computer or use it as a zombie in a DDoS attack. To completely secure your network, you might look into using an additional firewall software package. One such product is ZoneAlarm Pro, which is made by Zone Labs and has a retail price of $39.95 for a single user license.

While this flaw would make me hesitant to use ICF as the only firewall protection for my small-business network, I’m sure that Microsoft will correct the omission through service packs or future releases of the product. Once it does this, ICF will be a very good choice of firewall software that the cost-conscious home user or small business will appreciate.

Editor's Picks

Free Newsletters, In your Inbox