Configuring ICF
With ICF enabled, you can click Advanced Settings and configure the firewall. A network connection icon appears with a small padlock and the word "Firewalled" to indicate that ICF is enabled, as Figure 1 shows. You can configure ICF differently for each network connection, although you must be an administrative user to create or manipulate ICF settings. You use three tabs (Services, Security Logging, and ICMP) to configure ICF.
The Services tab. The Services tab, on which the bulk of the firewall configuration occurs, lists the different preconfigured IP ports or services and whether they're enabled or disabled, as Figure 2, page 6, shows. By default, none of the preconfigured services is enabled.
The service settings control incoming traffic only. For example, leaving SMTP disabled means only that remote Internet users can't connect to an SMTP service on your machine; your own outgoing SMTP traffic flows regardless of how you've set the protocol in ICF. ICF doesn't let you block outbound requests, so the firewall can do nothing to prevent malicious outbound connections and won't stop many of the most successful and widespread worms and viruses, including Nimda, Klez, and Code Red, when those programs already run locally and try to spread. The only circumstance in which ICF blocks outbound traffic is when it finds packets with spoofed source addresses. This feature guards against a malicious XP user forging source IP addresses to hide the origin of a Denial of Service (DoS) attack.
To add an inbound service (aka a port mapping service), click Add on the Services tab. On the resulting Service Settings dialog box, which Figure 3 shows, enter a description of the service, the name or IP address of the machine or network that needs the service, and the internal and external ports that ICF should allow. Select TCP or UDP, depending on which protocol the service uses. Figure 3 shows how to let the AOL Instant Messaging program operate when ICF is enabled.
Hint: If your PC uses DHCP to get its IP address, consider entering the local loopback address of 127.0.0.1 instead of the actual IP address when adding an ICF service. Then, you won't have to update the mapped ports when the local IP address changes.
The Security Logging tab. The Security Logging tab lets you enable and disable logging and specify the name and location of the log file. ICF doesn't enable logging by default. To enable logging, select the Security Logging tab and choose Log dropped packets to log blocked network traffic and Log successful connections to track allowed traffic.
ICF writes logged events to an unfriendly World Wide Web Consortium (W3C) Extended Log File Format ASCII text file, pfirewall.log, which is in the Windows directory. ICF uses just one log file per machine, regardless of how many ICF connections you configure. The file begins with a few comment lines prefixed with #, including a #Fields line that names the columns, followed by one space-separated line per logged packet containing the date, time, action, protocol (TCP, UDP, or ICMP), source IP address, destination IP address, source port, destination port, packet size, TCP flags and related TCP information (sequence and acknowledgment numbers and window size), and ICMP type and code, if any; a hyphen marks a field that doesn't apply. Successful connection requests appear with either OPEN or CLOSE in the action field. The firewall logs any packet that it denies with a DROP action. Most firewall administrators are especially interested in the DROP events.
The ICF log contains a lot of data but little constructive information. The log offers no diagnostic interpretation, no exploit names, no selectable levels of detail, and no highlighting of priority events. You must research for yourself which port numbers might be hostile or why certain TCP flag combinations might indicate a malicious packet storm. Why the log interleaves the source and destination IP addresses and port numbers rather than keeping each endpoint's address next to its port is a mystery to me.
Alerting is the process wherein a firewall immediately notifies you about critical exploit events. Many firewalls let you choose how the firewall should alert you (e.g., by using pop-up messages, email messages, pages), but ICF doesn't alert you at all. As a result, your machine might be under attack from several sources, but ICF will simply log the attacks without notifying you.
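Because ICF gives you raw W3C lines and nothing else, the practical answer is to post-process pfirewall.log yourself. The script below is an added example written for this article, not code from the article or from Microsoft. It reads the #Fields header to name the columns (so source and destination addresses and ports are never confused), counts DROP events per remote source, flags sources that probed several distinct ports (a port scan signature), and marks drops on a small watchlist of ports. The column names in the sample header and the watchlist port descriptions are assumptions; the log lines themselves are constructed for the example, not captured from a real machine.

```python
from collections import Counter, defaultdict

# Constructed sample in the shape of XP's pfirewall.log. The #Fields directive is
# standard W3C Extended Log format; the particular column names are an assumption
# about what XP's ICF writes and should be checked against your own log file.
SAMPLE_LOG = """\
#Version: 1.0
#Software: Microsoft Internet Connection Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info

2002-05-14 10:22:31 DROP TCP 192.0.2.44 10.0.0.5 4211 135 48 S 1153010 0 16384 - - -
2002-05-14 10:22:31 DROP TCP 192.0.2.44 10.0.0.5 4212 139 48 S 1153011 0 16384 - - -
2002-05-14 10:22:32 DROP TCP 192.0.2.44 10.0.0.5 4213 445 48 S 1153012 0 16384 - - -
2002-05-14 10:22:32 DROP TCP 192.0.2.44 10.0.0.5 4214 80 48 S 1153013 0 16384 - - -
2002-05-14 10:22:40 OPEN TCP 10.0.0.5 198.51.100.20 1045 80 - - - - - - - -
2002-05-14 10:22:55 CLOSE TCP 10.0.0.5 198.51.100.20 1045 80 - - - - - - - -
2002-05-14 10:23:01 DROP ICMP 192.0.2.44 10.0.0.5 - - 60 - - - - 8 0 -
2002-05-14 10:23:05 DROP UDP 203.0.113.7 10.0.0.5 1434 1434 404 - - - - - - -
2002-05-14 10:23:09 DROP TCP 203.0.113.7 10.0.0.5 3011 445 48 S 77001 0 65535 - - -
"""

# Illustrative watchlist (an assumption, not from the article): ports that the
# worms and probes of the day commonly hit. Extend it for your own environment.
WATCHLIST = {
    80: "HTTP (Code Red/Nimda style web probes)",
    135: "RPC endpoint mapper",
    139: "NetBIOS session",
    445: "SMB",
    1434: "SQL Server resolution service",
}


def parse_log(text):
    """Parse W3C Extended Log text into dicts keyed by the #Fields column names."""
    fields = None
    records = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue  # other directives carry no per-packet data
        if fields is None:
            raise ValueError("data line appeared before the #Fields header")
        values = line.split()
        if len(values) != len(fields):
            continue  # skip a malformed line rather than misalign columns
        # "-" is the W3C placeholder for a field that does not apply
        records.append({k: (None if v == "-" else v) for k, v in zip(fields, values)})
    return records


def drops_by_source(records):
    """DROP events per remote source address, most active first."""
    counts = Counter(r["src-ip"] for r in records if r["action"] == "DROP")
    return counts.most_common()


def find_port_scans(records, min_ports=3):
    """Sources whose dropped TCP/UDP packets hit at least min_ports distinct destination ports."""
    ports = defaultdict(set)
    for r in records:
        if r["action"] == "DROP" and r["protocol"] in ("TCP", "UDP") and r["dst-port"]:
            ports[r["src-ip"]].add(int(r["dst-port"]))
    return {src: sorted(p) for src, p in ports.items() if len(p) >= min_ports}


def priority_events(records, watchlist=WATCHLIST):
    """DROP events whose destination port is on the watchlist, as (timestamp, src, port, label)."""
    hits = []
    for r in records:
        if r["action"] != "DROP" or not r["dst-port"]:
            continue
        port = int(r["dst-port"])
        if port in watchlist:
            hits.append((f'{r["date"]} {r["time"]}', r["src-ip"], port, watchlist[port]))
    return hits


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("Drops by source:", drops_by_source(recs))
    print("Probable port scans:", find_port_scans(recs))
    for ts, src, port, label in priority_events(recs):
        print(f"{ts}  {src} -> port {port}  [{label}]")
```

Point the script at %windir%\pfirewall.log instead of SAMPLE_LOG to run it against a real file; the parser is driven entirely by the #Fields line, so it keeps working if a later Windows version adds columns. The thresholds and the watchlist are where the judgment the article says ICF lacks has to live, so tune them to your own traffic rather than trusting the defaults.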
The ICMP tab. The ICMP tab lets you enable or disable nine Internet Control Message Protocol (ICMP) response behaviors. IP uses ICMP for troubleshooting and information discovery. Intruders can use the protocol to gather information about a particular network or computer (e.g., to sweep for live hosts before a port scan) to use in an attack or to cause network traffic problems. A few early firewalls reported only UDP and TCP traffic, while failing to investigate ICMP traffic, a fact that intruders used to their advantage.