Discover the basics of firewall protection
The internet can be a dangerous place to roam unprotected: the seemingly endless stream of nasties attempting to infiltrate your PC, destroy your data and steal your identity is enough to put many off conducting financial transactions online. But it doesn’t have to be like this. For no cost, a firewall can block many of the most subtle attacks, as we’ll explain in this feature.
In addition to anti-virus and anti-spyware applications, a firewall is your first line of defence against external attacks. Here we’ll show you why you need one, how to make sure you’re protected and how to ensure your firewall doesn’t prevent legitimate network traffic from getting through.
What is a firewall?
According to Windows Vista’s help tool, a firewall is ‘software or hardware that
checks information coming from the internet or a network, and then either blocks
it or allows it to pass through to your computer, depending on your firewall
settings’.
This means any data attempting to enter your PC from the outside, be it from the internet or a local area network, must first be checked for legitimacy.
However, while this is essentially a true description of a firewall’s job, it’s only half the story. To be fully protected you must also guard against programs already residing on your PC attempting to surreptitiously access the internet for malicious purposes.
Malware such as Trojans can, once inside your PC, use it as a base from which to carry out whatever internet activities the author desires. So for full protection you will need to prevent unauthorised applications using your network connection without your permission.
Thankfully a firewall need not be an all-or-nothing solution. By configuring its settings you can take control over exactly what is allowed through in either direction.
At a basic level, most consumer firewall products operate by examining chunks of network data (packets) destined for your network or PC and checking them against a list of rules.
Those that pass the test will be allowed through, but those that fail can be either sent the digital equivalent of an official letter of rejection or silently thrown away into the void. Depending on the firewall in question, a number of more sophisticated technologies may also be used.
The Windows Firewall
If you’re using Windows XP Service Pack 2 or newer, your PC will have the Windows Firewall installed and enabled by default (in the original XP it wasn’t enabled by default). If you connect to the internet via a modern router, you probably have both a software firewall and a hardware firewall in place.
The standard Windows Firewall is relatively basic in operation and is designed to guard against incoming attacks.
If you’re running an earlier version of Windows, or you have XP but don’t have at least Service Pack 2 installed, we would suggest you install a firewall or upgrade your service pack as soon as possible. If you don’t want to do so, you should seriously consider installing one of the third-party firewalls mentioned later on.
Vista’s Advanced Firewall
If you’re running Windows Vista, you’ll be pleased to know that it comes with a much-improved version of Windows Firewall. Many features have been added, not least outbound packet filtering. For basic functions, the user interface is the same in Windows Vista as it is in XP. However, to access the new features you’ll need to log on with administrator privileges. Go to the control panel and select System and Maintenance and then Administrative Tools.
Here you’ll find the Windows Firewall with Advanced Security. This is the new firewall introduced with Windows Vista and is also found in Microsoft’s newer server operating systems.
The configuration options of this firewall allow you to create rules for both incoming and outgoing connections. You can also specify different firewall profiles that come into force depending on whether you are connected to a public or private network.
So, for example, you could take your laptop to a public Wifi hotspot where the public profile would come into force, beefing up security and blocking access to applications you may otherwise find acceptable while at home or in the office. These could include file shares or remote desktop control among others.
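The rule checking described under ‘What is a firewall?’ and the public and private profiles described here can be seen in a small model. This is an added example, not code from the article or from Windows: it is a simplified first-match packet filter, not the Windows Firewall’s own logic, and the rule set, program names and port choices are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional

ALLOW, REJECT, DROP = "allow", "reject", "drop"

@dataclass(frozen=True)
class Packet:
    direction: str       # "in" (arriving at the PC) or "out" (leaving it)
    protocol: str        # "tcp" or "udp"
    dst_port: int        # port the packet is addressed to
    program: str = ""    # local program sending or receiving it

@dataclass(frozen=True)
class Rule:
    action: str
    direction: str
    protocol: Optional[str] = None   # None matches any value
    dst_port: Optional[int] = None
    program: Optional[str] = None
    profiles: tuple = ("private", "public")

    def matches(self, pkt: Packet, profile: str) -> bool:
        return (profile in self.profiles
                and self.direction == pkt.direction
                and self.protocol in (None, pkt.protocol)
                and self.dst_port in (None, pkt.dst_port)
                and self.program in (None, pkt.program))

# Constructed rule set: sharing services are reachable on a private network only.
RULES = [
    Rule(ALLOW, "in", "tcp", 445, profiles=("private",)),    # file shares
    Rule(ALLOW, "in", "tcp", 3389, profiles=("private",)),   # remote desktop
    Rule(REJECT, "in", "tcp", 113),                           # answered with a refusal
    Rule(ALLOW, "out", "tcp", 80, program="browser.exe"),
    Rule(ALLOW, "out", "tcp", 443, program="browser.exe"),
]
# Anything no rule mentions is silently thrown away, in both directions.
DEFAULTS = {"in": DROP, "out": DROP}

def evaluate(pkt: Packet, profile: str, rules=RULES) -> str:
    """Return the action of the first matching rule, else the default."""
    for rule in rules:
        if rule.matches(pkt, profile):
            return rule.action
    return DEFAULTS[pkt.direction]

if __name__ == "__main__":
    share = Packet("in", "tcp", 445)
    print("home:", evaluate(share, "private"), "| hotspot:", evaluate(share, "public"))
    print("unknown program out:", evaluate(Packet("out", "tcp", 80, "unknown.exe"), "private"))
```

The same file-share packet is allowed at home and dropped at the hotspot, and an outbound connection from a program with no rule is dropped even though port 80 is open for the browser.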
Am I protected?
To find out whether you need to fix your firewall’s configuration, the first
check is to see whether it’s installed and running.
First, go to the Windows Control Panel and open the Security Center (in XP this is labelled Security Centre). In Vista you need to click the Security category then the Security Centre link, or type ‘Security Center’ into the Start menu search box.
The section named Firewall should be displayed in green and labelled ‘on’. Clicking on the down arrow here expands the view to show you more detail about your installed firewall. If you’re using the Windows built-in firewall it will say ‘Windows Firewall is actively protecting your computer’.
If you’re running a third-party firewall, its details will most likely be listed here instead. Configuring a third-party firewall is beyond the scope of this article, but the same basic principles apply whatever firewall you use.
If you have no firewall, or it’s not running correctly, the section banner will be displayed in red instead, while displaying a message similar to, ‘Your computer is not protected: turn on Windows Firewall’.
You will also see a link directly to the Windows Firewall Settings control panel, enabling you to turn the firewall on.
Test your protection
Of course, a green icon in Windows Security Center is simply an indication that
your firewall is switched on. It doesn’t actually prove you’re protected
against anything. If you’ve been making changes to your firewall configuration
there could be any number of gaping holes waiting to be exploited.
The only true test of your security is to attempt to break in from the outside. There are online services that will do this (safely) for you, probably the most famous of which is Shields Up, at www.grc.com. This service won’t actually break into your PC, but it will perform a thorough security check, alerting you to any unguarded entry points, which you can then close manually.
Of course, this test doesn’t help with preventing unwanted outgoing connections. To deal with this, you’ll need to run anti-virus and anti-spyware software regularly.
Allowing an application through
It’s simple to open up your firewall to allow an application access to the
internet or vice versa. Usually networked applications will tell you which
settings they need to use, although this information is sometimes buried in
documentation.
More user-friendly applications will offer to reconfigure the firewall for you. The Windows Firewall understands most common applications and adjusts the settings accordingly, after prompting you for permission if it’s not sure.
Manual configuration involves allowing applications access via ‘ports’ in the firewall; ports are numbered destinations in the firewall for network traffic. For example, web pages normally use port 80. For more detailed information on network ports, look at our previous Hands On article.
Panic button
If you think you’ve made a mess of your settings, or you find the Shields Up
test is finding too many vulnerabilities, it’s easy to reset the firewall and
start again. Open up Windows Firewall, click Advanced then click Restore
Defaults to return the firewall to the original default settings.
Router firewalls
If your networked application isn’t working, it’s possible the Windows Firewall
is blocking communication. Temporarily disabling the firewall will allow you to
re-try it and find out whether this is the cause of your problem.
If you disable the Windows Firewall and find your application starts working, you’ll need to set up appropriate rules to allow it through, or open up the correct network ports. If disabling the firewall doesn’t fix your problem, there may be another firewall in place, perhaps in your router. You may also need to configure the network address translation (Nat) on your router to re-direct internet traffic to the correct PC on your network. Nat is a function of most home broadband routers; study the manufacturer’s instructions on how to configure it correctly.
If your application and router support Universal Plug and Play (UPnP), you can enable this to have the two negotiate a suitable network port that the router will map and open up on its internal firewall. UPnP is usually disabled in routers by default, so you’ll need to spend some time with the documentation.
Keep your guard up
A good firewall does its job with minimum fuss, but third-party products often
like to advertise their presence with lots of pop-ups and messages. This can be
counter-productive and worry you needlessly, as many applications these days
need internet access to do their job. If your firewall just presents you with
gobbledegook, perhaps it’s time to try a different one, as there’s no excuse for
making a firewall unusable.
After installation, try running as many of your installed programs as possible to help ‘train’ the firewall; this should help quieten it down. Some offer ‘novice’ or ‘quiet’ modes, which will make things less hectic, but all firewalls should let you quickly enable or disable them for troubleshooting purposes.
This article was first published in June 2009.