Windows Vista: Securing Your Internet Connection with a Firewall

an article added by: Jason Mckinley at 06212007



If your network is connected to the Internet, securing your Internet connection is a vital step in securing your network. To secure the Internet connection, you need to implement a firewall on it. If your network has multiple Internet connections, you need to implement a firewall on each connection.

If you use Internet Connection Sharing (ICS) to share the connection, you have an easy solution available: Windows Firewall is fully integrated with ICS. You should also use Windows Firewall on any other Internet connections that computers on your network have. For example, if your network connects via a shared broadband connection, but one or two computers have additional dial-up connections, you need to implement Windows Firewall on those dial-up connections as well as on the shared broadband connection. Windows also implements Windows Firewall on all internal network connections for additional security. Windows enables Windows Firewall by default, so Windows Firewall should be running unless you’ve explicitly turned it off.

If you need tight security, or you don’t entirely trust Windows Firewall, or both, you can add a hardware firewall to the network. You can either implement a hardware firewall on its own, or you can use it to harden a network protected by a software firewall such as Windows Firewall. See a book about firewalls for advice on choosing a hardware firewall. Check that the hardware firewall supports Universal Plug & Play (UPnP) if you want to be able to use programs such as Messenger across it.

Make sure you haven’t bound File and Printer Sharing to the network adapter for your Internet connection. Display the Networking page of the Properties dialog box for the connection and verify that the File and Printer Sharing for Microsoft Networks check box in the This Connection Uses the Following Items list box is cleared. If not, clear it, then close the Properties dialog box and restart your Internet connection if it’s currently connected.

Once your firewall is in place, check that it’s working. One easy method is to run the free probe tools at the Gibson Research Corporation website (http://www.grc.com). This offers several free checks, including ShieldsUP!, PortProbe, and File Sharing Probe, designed to help you identify weaknesses in your security arrangements.

The security measures discussed so far in this section are adequate for most home and home-office networks. But what about networks that need really high security: corporate networks, governmental networks, and military networks? What do they use? This sidebar discusses some of the common techniques for securing networks. You could apply some of these measures to your home or home-office network if you felt the need; actually, you could just conceivably apply all of them. But as you’ll see, that’d be extreme.

As mentioned earlier in this article, there’s a foolproof way of making your computer truly secure from being hacked: Disconnect it from any network, unplug the modem, and seal the computer in a lead-lined room in a bunker deep underground. There you can compute in near-total security.

Most people don’t find this approach practical. But many high-security installations do follow this approach to a certain extent: Vital networks and workstations are kept physically isolated and protected. This isolation may involve anything from a secure room or secure area of a building to a secure site protected by a patrolled and mined boundary fence.

For security, many networks aren’t connected to the Internet at all. They may be completely isolated, or they may have secure connections to other high-security networks via private communication lines.

If the network has any Internet access, it’ll be through at least one hardware firewall. Only users with a valid reason are allowed to access the Internet, and this access is likely to be through a proxy server, a computer that filters requests for web pages and retrieves those that are for permitted sites. A proxy server also stores the most frequently accessed web pages so that it can deliver them quickly when a user requests them.

Any publicly accessible servers and services are kept outside the firewall in what’s called a demilitarized zone (DMZ), in a tribute to Kuwait, Korea, or Berlin, depending on your historical preference. The DMZ is created by placing the computers that need to be in it between the firewall and the Internet connection. Computers placed in the DMZ contain no sensitive data and are locked down tightly so that people who access them can manipulate them only in approved ways and cannot use them to attack computers located inside the firewall. The computers in the DMZ are checked frequently to make sure they haven’t been cracked and taken over.

E-mail (again, only if it’s used, and usually it’ll be available only for some users) goes through an e-mail gateway that filters both incoming and outgoing messages to prevent messages from being sent to or arriving from forbidden addresses and to prevent inappropriate material from entering or leaving the network. For example, an e-mail gateway might check the content of incoming and outgoing messages, blocking or referring to an administrator any messages that fell afoul of its rules. Almost certainly, it would also scan all attachments for viruses and for content.

All files coming into the network, whether via an Internet connection, a network connection, or on physical media, are scanned for viruses and to make sure that their content is appropriate to its destination. Any executable files, and all new code, are tested in simulated environments to make sure they perform as they should before they’re introduced to the working environment.

All personnel are closely evaluated for security before being employed. Access to the secure site or area requires an identity check. And personnel’s actions at work are likely to be monitored or recorded.

As you can see, you could apply some of these measures to your home or home-office network. But in most cases you’ll do best to stick with the simpler and less stringent measures outlined in the previous section.

Configuring Windows Firewall with Advanced Security

Earlier in this article, you saw how Windows Vista enables Windows Firewall by default and protects your network connections and Internet connections. On many computers, you’ll want to leave Windows Firewall that way, simply enjoying the protection it gives without changing its settings. On other computers, however, you may need to configure Windows Firewall manually, either to allow incoming traffic sent to certain programs or ports to pass to specific computers on your network (as described in Article 28) or to set up rules for outbound traffic or rules for connection security. You may also need to monitor the connections that Windows Firewall allows and those it blocks. This section introduces you to configuring Windows Firewall. It’s a big topic, and because Windows Firewall comes configured adequately for most purposes, you may not need to explore it at all.

Windows Firewall’s Default Settings

Windows Firewall’s default settings are as follows:

Outgoing Traffic: Allow all traffic unless it matches a rule that tells Windows Firewall to do something with it (for example, to block it).

Incoming Traffic: Allow traffic that is a response to a request (for example, your computer requests a web page, and the server sends it) or traffic that matches a rule. Otherwise, block all traffic.

Opening Windows Firewall with Advanced Security

To configure the advanced features of Windows Firewall, you use the Windows Firewall with Advanced Security program. To launch this program, take the following steps:

1. Choose Start > Control Panel. Windows opens a Control Panel window.

2. In Control Panel Home view, click the System and Maintenance link. Windows opens a System and Maintenance window.

3. Click the Administrative Tools link. Windows displays the Administrative Tools window.

4. Double-click the Windows Firewall with Advanced Security item, and then authenticate yourself to User Account Control. Windows displays the Windows Firewall with Advanced Security window.

If the Windows Firewall with Advanced Security item at the top of the left pane isn’t selected, click it. Windows Firewall with Advanced Security displays its Overview pane.

Understanding the Domain Profile, Private Profile, and Public Profile

The Windows Firewall with Advanced Security overview shows you the status of your computer’s three profiles and indicates which profile is active.

Domain Profile: The domain profile applies only when your computer is connected to a domain-based Windows network, which Windows Vista Home Edition normally won’t be. By contrast, Windows Vista Business Edition computers will normally be connected to such a network, and Windows Vista Ultimate Edition computers often will be.

Private Profile: The private profile applies when your computer is connected to a private Windows network, such as your home network. A private network is one that’s protected from the Internet to some extent; for example, the network is behind a router or gateway and a firewall. A private network normally contains computers that are known and trusted. For example, you’ll normally control which computers are attached to a home network or home-office network.

Public Profile: The public profile applies when your computer is connected to a public network, such as a citywide wireless network or a wireless network in a coffee shop. A public network is one that is directly connected to the Internet without protection.

The first time you connect to any particular network, Windows Vista displays the Set Network Location window to prompt you to decide which type of network it is. Follow these steps:

1. Choose the Home item or the Work item for a private network; the security level of each is the same, but having separate Home and Work items lets you distinguish between two different locations (for example, your home and your office) more easily. Choose the Public Location item for a public network.

2. Click the Customize the Name, Location Type, and Icon for the Network link. Windows displays the Customize Network Settings window.

3. In the Network Name text box, type a descriptive name for the network.

4. In the Location type area, select the Public option button if the network is public. Otherwise, select the Private option button.

5. To change the icon Windows displays for the network, click the Change button. Windows displays the Change Network Icon dialog box. Select the icon you want, and then click the OK button. Windows closes the Change Network Icon dialog box and returns you to the Customize Network Settings window.

6. Click the Next button, and then authenticate yourself to User Account Control to apply the change. Windows displays the Successfully Set Network Settings window.

7. Click the Close button. Windows closes the window.

Configuring the Private Profile and Public Profile

To configure the private profile and the public profile, take the following steps:

1. In the left panel, right-click the Windows Firewall with Advanced Security item, and then choose Properties from the context menu. Windows displays the Windows Firewall with Advanced Security on Local Computer Properties dialog box. This dialog box contains four pages:

• The Domain Profile page, the Private Profile page, and the Public Profile page each contain the same set of controls, but apply to the three different profiles. Normally, you’ll want to set the private profile and the public profile but not the domain profile.

• The IPSec Settings page contains IP Security (IPSec) settings.

2. Start by configuring the private profile. Click the Private Profile tab. Windows displays the Private Profile page.

3. In the State group box, choose settings for the firewall’s state:

Firewall State: In this drop-down list, select On to turn the firewall on. Select Off if you need to turn the firewall off. It’s seldom advisable to turn the firewall off except temporarily while you’re trying to resolve connectivity issues on your local network.

Inbound Connections: Choose Block (the default setting) to block all connections except those that you have told Windows Firewall to pass, Block All Connections to block all connections (for example, for extra protection), or Allow if you need to allow all connections. Allow is a dangerous setting because it removes the protection that the firewall offers.

Outbound Connections: Choose Allow (the default setting) to allow all connections that aren’t specifically blocked. Choose Block to block all outbound connections (for example, if you’re trying to contain malware on your computer).

4. In the Settings group box, click the Customize button. Windows displays the Customize Settings for the Private Profile dialog box, in which you can choose the following settings and then click the OK button:

Firewall Settings: In the Display a Notification drop-down list, choose Yes or No to control whether Windows Firewall should display a notification to the user when it blocks a program from receiving incoming connections. Usually the notification is helpful, because it lets the user know why a program may not be working and gives him or her the choice of unblocking it. For some users, however, you may prefer to suppress the notification.
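
The state and connection settings chosen on the profile pages can be read back from the command line with netsh advfirewall show allprofiles. The PowerShell script below is an added example, not part of the original article: it checks that output against the defaults described above (firewall On, inbound Block, outbound Allow). The sample output is constructed, the function name Get-FirewallProfileFindings is hypothetical, and English-language netsh output is assumed.

```powershell
# Added example: audit firewall profiles against the article's defaults.
# Assumes English-language netsh output; the sample below is constructed
# and trimmed to the two fields that are checked.
$sample = @'
Domain Profile Settings:
----------------------------------------------------------------------
State                                 ON
Firewall Policy                       BlockInbound,AllowOutbound

Private Profile Settings:
----------------------------------------------------------------------
State                                 ON
Firewall Policy                       BlockInboundAlways,BlockOutbound

Public Profile Settings:
----------------------------------------------------------------------
State                                 OFF
Firewall Policy                       AllowInbound,AllowOutbound
'@ -split "`r?`n"

# Hypothetical helper: emits one finding per deviation from the defaults
# (Firewall State On, Inbound Connections Block, Outbound Connections Allow).
function Get-FirewallProfileFindings {
    param([string[]]$Lines)
    $current = $null   # profile whose settings are currently being read
    foreach ($line in $Lines) {
        if ($line -match '^(Domain|Private|Public) Profile Settings:') {
            $current = $Matches[1]
        } elseif ($current -and $line -match '^State\s+(\S+)') {
            if ($Matches[1] -ne 'ON') {
                "${current}: firewall state is $($Matches[1])"
            }
        } elseif ($current -and $line -match '^Firewall Policy\s+(\w+),(\w+)') {
            $inbound, $outbound = $Matches[1], $Matches[2]
            switch ($inbound) {
                # netsh names for the dialog's Allow and Block All Connections
                'AllowInbound'       { "${current}: inbound is Allow (firewall protection removed)" }
                'BlockInboundAlways' { "${current}: inbound is Block All Connections (stricter than default)" }
            }
            if ($outbound -eq 'BlockOutbound') {
                "${current}: outbound is Block (default is Allow)"
            }
        }
    }
}

# Audit the constructed sample. On a live machine, pass the command output:
#   Get-FirewallProfileFindings (netsh advfirewall show allprofiles)
Get-FirewallProfileFindings $sample
```

A profile left at the defaults produces no findings, so an empty result means all three profiles match the settings described in this section.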
