
Summary:

This article describes the Internet Connection Firewall (ICF) that is included with Windows XP Home Edition and Windows XP Professional prior to Service Pack 2.

More Information:

Description of Internet Connection Firewall

Internet Connection Firewall is software that you can use to set restrictions on the information that is communicated between your home or small office network and the Internet.

If your network uses Internet Connection Sharing (ICS) to provide Internet access to multiple computers, it is a good idea to turn on Internet Connection Firewall on the shared Internet connection. However, you can turn on Internet Connection Sharing and Internet Connection Firewall separately. It is a good idea to turn on Internet Connection Firewall on the Internet connection on any Windows XP-based computer that is connected directly to the Internet.

Internet Connection Firewall can also protect a single computer that is connected to the Internet. If you have a single computer that is connected to the Internet with a cable modem, a DSL modem, or a dial-up modem, Internet Connection Firewall protects your Internet connection. Do not turn on Internet Connection Firewall for virtual private network (VPN) connections because Internet Connection Firewall interferes with file sharing and other VPN functions.

How Internet Connection Firewall Works

Internet Connection Firewall is a "stateful" firewall. A stateful firewall is one that monitors all aspects of the communications that cross its path and inspects the source and destination address of each message that the firewall handles. To prevent unsolicited traffic from the public side of the connection from entering the private side, Internet Connection Firewall keeps a table of all of the communications that have originated from the computer that is running Internet Connection Firewall. For a single computer, Internet Connection Firewall tracks traffic that originates from the computer. If you use Internet Connection Firewall in conjunction with Internet Connection Sharing, Internet Connection Firewall tracks all of the traffic that originates from the computer that is running Internet Connection Firewall and Internet Connection Sharing, and tracks all of the traffic that originates from private network computers. Internet Connection Firewall compares all inbound traffic from the Internet to the entries in the table. Inbound Internet traffic is permitted to reach the computers in your network only if there is a matching entry in the table that shows that the communication exchange began in your computer or private network.

Communications that originate from a source outside the computer that is running Internet Connection Firewall, such as from the Internet, are dropped by the firewall unless you create an entry on the Services tab to allow passage. Internet Connection Firewall silently discards unsolicited communications rather than sending you notifications about the activity, because such notifications might arrive frequently enough to become a distraction; silently dropping the traffic also stops common hacking attempts such as port scanning. If you want to see what was dropped, Internet Connection Firewall can instead create a security log so that you can view the activity that is tracked by the firewall.

You can configure services so that unsolicited traffic from the Internet is forwarded by the computer that is running Internet Connection Firewall to the private network. For example, if you are hosting an HTTP Web server service, and you turned on the HTTP service on your computer, unsolicited HTTP traffic is forwarded by the computer that is running Internet Connection Firewall to the HTTP Web server. Internet Connection Firewall requires operational information (which is known as a service definition) to permit the unsolicited Internet traffic to be forwarded to the Web server on your private network.
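As an added illustration (not Microsoft's code, and not how ICF is implemented internally), the following Python model reproduces the behaviour described above: outbound flows populate a table, inbound traffic passes only when it answers a table entry or matches a service definition, and everything else is silently dropped. All addresses, ports and the forwarding target are constructed, including the ports used for the Exchange RPC notification case that the article discusses later.

```python
# Added example, not Microsoft's code: a minimal model of the stateful table that
# Internet Connection Firewall keeps for flows that began on the private side, plus
# the service definitions that let unsolicited inbound traffic through.
from collections import namedtuple

Flow = namedtuple("Flow", "proto local_ip local_port remote_ip remote_port")


class IcfModel:
    def __init__(self):
        self.table = set()     # flows that originated from the private side
        self.services = {}     # (proto, public port) -> private host that serves it

    def add_service(self, proto, port, target_ip):
        """A 'service definition': forward unsolicited traffic for this port inside."""
        self.services[(proto, port)] = target_ip

    def outbound(self, proto, src_ip, src_port, dst_ip, dst_port):
        """Traffic leaving the private side creates a table entry."""
        self.table.add(Flow(proto, src_ip, src_port, dst_ip, dst_port))

    def inbound(self, proto, src_ip, src_port, dst_ip, dst_port):
        """Traffic arriving from the Internet: allowed only if it answers a flow in
        the table, forwarded if a service definition exists, otherwise dropped."""
        reply_to = Flow(proto, dst_ip, dst_port, src_ip, src_port)
        if reply_to in self.table:
            return "ALLOW"
        target = self.services.get((proto, dst_port))
        if target is not None:
            return "FORWARD:" + target
        return "DROP"          # silently discarded, no notification to the user


def demo():
    """Constructed scenario: all addresses and ports are made up for the example."""
    fw = IcfModel()
    fw.add_service("tcp", 80, "192.168.0.10")   # a Web server hosted inside
    # Outlook Express polling its POP3 server: the request originates inside.
    fw.outbound("tcp", "192.168.0.5", 49152, "203.0.113.25", 110)
    return {
        "pop3_reply": fw.inbound("tcp", "203.0.113.25", 110, "192.168.0.5", 49152),
        # Exchange-style RPC notification: initiated by the server, no table entry
        # (ports constructed, not Exchange's actual ones).
        "rpc_notify": fw.inbound("udp", "203.0.113.40", 1025, "192.168.0.5", 1026),
        # Unsolicited HTTP request matches the service definition and is forwarded.
        "http_request": fw.inbound("tcp", "198.51.100.7", 51000, "203.0.113.1", 80),
        # Probe of a port with neither a table entry nor a service definition.
        "scan_probe": fw.inbound("tcp", "198.51.100.7", 51001, "203.0.113.1", 23),
    }
```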

Internet Connection Firewall Considerations

It is not a good idea to turn on Internet Connection Firewall on any connection that does not directly connect to the Internet. If you turn on Internet Connection Firewall for the network adapter of a client computer that is running Internet Connection Sharing, Internet Connection Firewall interferes with some communications between that computer and all other computers on the network. For a similar reason, you cannot use the Network Setup Wizard to turn on Internet Connection Firewall on the Internet Connection Sharing host private connection. This is the connection that connects the Internet Connection Sharing host computer with the Internet Connection Sharing client computers. Turning on a firewall in this location would completely prohibit network communications.

You do not have to use Internet Connection Firewall if your network already has a firewall or proxy server.

If your network has only one shared Internet connection, it is a good idea to protect the network by turning on Internet Connection Firewall. Individual client computers may also have adapters, such as a dial-up or DSL modem, that provide individual connections to the Internet and are vulnerable without firewall protection. Internet Connection Firewall can check only the communications that cross the Internet connection on which you have turned it on. Because Internet Connection Firewall works on a per-connection basis, you must turn it on for every computer that has a connection to the Internet to protect your whole network. If you turned on Internet Connection Firewall on the Internet Connection Sharing host computer's Internet connection, but a client computer with a direct Internet connection is not using Internet Connection Firewall for protection, your network is vulnerable through that unprotected connection.

The service definitions that allow services to operate across Internet Connection Firewall also work on a per-connection basis. If your network has multiple firewall connections, you must configure service definitions for each Internet Connection Firewall connection through which you want the service to work.

Internet Connection Firewall and Notification Messages

Because Internet Connection Firewall inspects all incoming communications, some programs, especially e-mail programs, may behave differently if you turn on Internet Connection Firewall. Some e-mail programs periodically poll their e-mail server for new mail. Some e-mail programs wait for notification from the e-mail server.

Microsoft Outlook Express, for example, automatically checks for new e-mail messages when a timer tells it to do so. If new e-mail messages are present, Outlook Express prompts you with a new e-mail message notification. Internet Connection Firewall does not affect the behavior of Outlook Express because the request for new e-mail message notification originates from inside the firewall. Internet Connection Firewall makes an entry in a table that notes the outbound communication. When the mail server's response arrives, Internet Connection Firewall finds the associated entry in the table and permits the communication to pass. You then receive notification that a new e-mail message has arrived.

Microsoft Outlook 2000, however, when it is connected to a Microsoft Exchange-based server, relies on the server using a remote procedure call (RPC) to send new e-mail message notifications to clients. Outlook 2000 does not automatically look for new e-mail messages when it is connected to an Exchange-based server. The Exchange-based server notifies Outlook 2000 when new e-mail messages arrive. Because the RPC notification is initiated from an Exchange-based server that is outside the firewall (not by Outlook 2000), Internet Connection Firewall cannot find a corresponding entry in the table. Internet Connection Firewall does not allow the RPC messages to cross from the Internet to the home network. The RPC notification message is dropped. You can send and receive e-mail messages, but you must manually look for new e-mail.

Advanced Internet Connection Firewall Settings

You can use the Internet Connection Firewall security logging feature to create a security log of firewall activity. Internet Connection Firewall can log both traffic that is permitted and traffic that is rejected. For example, incoming echo requests from the Internet are not permitted by Internet Connection Firewall by default. If the Internet Control Message Protocol (ICMP) Allow incoming echo request setting is not turned on, the inbound request does not succeed, and a log entry that notes the unsuccessful inbound attempt is generated.

You can modify the behavior of Internet Connection Firewall by turning on various ICMP options, such as Allow incoming echo request, Allow incoming timestamp request, Allow incoming router request, and Allow redirect. Brief descriptions of these options appear on the ICMP tab.

You can set the permitted size of the security log to prevent an overflow that might be caused by denial-of-service attacks. Event logging is generated in the Extended Log File Format as established by the World Wide Web Consortium (W3C).
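As an added example (not Microsoft's code), this Python parser reads a log written in the W3C Extended Log File Format by honouring its #Fields directive, and counts dropped packets per source address, the kind of check a defender would run over the ICF security log. The sample log and its field names are constructed to follow the W3C convention; they are not copied from a real ICF log.

```python
# Added example, not Microsoft's code: parse a W3C Extended Log File Format log.
# The '#Fields:' directive names the columns, so nothing is hard-coded by position.
from collections import Counter

# Constructed sample log; field names are assumptions in W3C style, not the ICF schema.
SAMPLE_LOG = """\
#Version: 1.0
#Software: constructed sample, not a real ICF log
#Fields: date time action protocol src-ip dst-ip src-port dst-port
2003-05-01 10:00:01 DROP TCP 198.51.100.7 203.0.113.1 51001 23
2003-05-01 10:00:02 DROP TCP 198.51.100.7 203.0.113.1 51002 25
2003-05-01 10:00:03 OPEN TCP 192.168.0.5 203.0.113.25 49152 110
2003-05-01 10:00:04 DROP ICMP 198.51.100.9 203.0.113.1 - -
2003-05-01 10:00:05 CLOSE TCP 192.168.0.5 203.0.113.25 49152 110
"""


def parse_w3c_log(text):
    """Yield one dict per entry; '-' marks an empty field in the W3C format."""
    fields = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue                      # other directives carry no entries
        if fields is None:
            raise ValueError("log entry appears before a #Fields directive")
        values = line.split()
        if len(values) != len(fields):
            raise ValueError("field count mismatch: %r" % line)
        yield {k: (None if v == "-" else v) for k, v in zip(fields, values)}


def dropped_by_source(text):
    """Count rejected packets per source address. Many DROPs from one address
    against different ports is what a port scan looks like in the log."""
    counts = Counter()
    for entry in parse_w3c_log(text):
        if entry["action"] == "DROP":
            counts[entry["src-ip"]] += 1
    return dict(counts)
```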

References:

For additional information about turning Internet Connection Firewall on or off, visit the following Microsoft Web site:

http://www.microsoft.com/windowsxp/home/using/productdoc/en/hnw_enable_firewall.asp

For additional information about turning Internet Connection Firewall on or off, click the article number below to view the article in the Microsoft Knowledge Base:

283673 HOW TO: Enable or Disable Internet Connection Firewall in Windows XP

For additional information about Internet Connection Firewall preventing access to file and printer shares, click the article number below to view the article in the Microsoft Knowledge Base:

298804 The Internet Connection Firewall Can Prevent Browsing and File Sharing

For additional information, click the following article number to view the article in the Microsoft Knowledge Base:

306203 Internet Connection Firewall Does Not Block Internet Protocol Version 6 Traffic

For additional information about the Internet Connection Firewall security log file, visit the following Microsoft Web site:

http://www.microsoft.com/windowsxp/home/using/productdoc/en/hnw_firewall_log_understanding.asp

For additional information about service definitions, visit the following Microsoft Web sites:

http://www.microsoft.com/windowsxp/home/using/productdoc/en/hnw_services_add.asp

http://www.microsoft.com/windowsxp/home/using/productdoc/en/hnw_services_overview.asp

For additional information about ICMP, visit the following Microsoft Web sites:

http://www.microsoft.com/windowsxp/home/using/productdoc/en/sag_tcpip_und_icmp.asp

http://www.microsoft.com/windowsxp/home/using/productdoc/en/hnw_icmp_select.asp
