ICF lets you determine which types of ICMP traffic your machine responds to and permits, and by default all of them are disabled. This default lets ICF function in "stealth" mode, which reduces the likelihood that remote scanners will detect your PC. When you leave all ICMP traffic disabled, an ICF-protected PC doesn't answer probing packets, which makes the job of a rogue intruder harder. Each of the nine ICMP options in the ICF configuration includes a brief description of why you might permit that particular type. For example, if you don't select Allow incoming echo requests, remote machines can't ping your machine. For more information about ICMP and the associated risks, see Ofir Arkin's "ICMP Usage in Scanning" (http://sys-security.com/archive/papers/ICMP_Scanning_v2.5.pdf).
ICF: The Good
ICF works as Microsoft intended it to. The firewall blocks most uninitiated inbound connections, and ICF's limited feature set means it can act quickly and responsively. Firewalls that include many advanced features can experience performance lags. Not ICF. Also, ICF includes features that attempt to prevent incoming DoS attacks.
As I've mentioned, ICF has excellent ICMP packet handling, and the firewall neutralizes the most common ICMP attacks. ICF also tracks the TCP three-way handshake (SYN, SYN-ACK, ACK) that opens every legitimate TCP connection. Attacks that try to tie up the host by sending only the first one or two steps of that sequence and never completing it (the classic SYN flood of half-open connections), or that use malformed segments, are virtually ineffective against ICF. Also, ICF checks for improper TCP flag combinations in inbound segments and automatically drops invalid packets. Microsoft created ICF to prevent malicious inbound packets from causing problems, and the product does a fair job and provides real protection.
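To make the two checks above concrete, here is an added example (my own illustration, not Microsoft's ICF code) that models them in Python: a flag-sanity test that rejects control-bit combinations no legitimate stack produces, and a handshake tracker that accepts a connection only after the third step and caps the number of half-open connections. The flag rules, the cap, the addresses, and the scripted segments are all constructed for the example and are not ICF's actual thresholds.

```python
"""Stateful TCP sanity checks of the kind the text attributes to ICF.

Added example, not Microsoft's code. Two checks are modelled:
  1. segments whose flag combinations no legitimate stack produces are dropped;
  2. the SYN / SYN-ACK / ACK handshake is tracked so that a flood of half-open
     (embryonic) connections is capped and segments with no matching state are
     dropped (ACK scans, stray SYN-ACKs, and so on).
The half-open cap and the addresses below are illustrative assumptions.
"""
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20


def flags_valid(flags: int) -> bool:
    """Return False for control-bit combinations that are never legitimate."""
    if flags & SYN and flags & FIN:            # SYN+FIN: scanner / fingerprint probe
        return False
    if flags & SYN and flags & RST:            # contradictory: open and abort at once
        return False
    if flags & (SYN | ACK | FIN | RST) == 0:   # "null" segment: no control bits at all
        return False
    if flags & FIN and not flags & ACK:        # FIN / Xmas scans send FIN without ACK
        return False
    return True


class HandshakeTracker:
    """Tracks inbound connections through the three-way handshake."""

    def __init__(self, max_half_open: int = 4):
        self.max_half_open = max_half_open      # global cap on embryonic connections
        self.half_open = set()                  # SYN seen, final ACK not yet seen
        self.established = set()

    def inbound(self, src: str, sport: int, dst: str, dport: int, flags: int) -> str:
        """Classify one inbound segment; returns 'ACCEPT ...' or 'DROP ...'."""
        if not flags_valid(flags):
            return "DROP invalid-flags"
        key = (src, sport, dst, dport)
        if flags & SYN and not flags & ACK:             # step 1: peer's SYN
            if key in self.half_open or key in self.established:
                return "ACCEPT retransmit"
            if len(self.half_open) >= self.max_half_open:
                return "DROP half-open-limit"           # crude SYN-flood defence
            self.half_open.add(key)
            return "ACCEPT syn"
        if key in self.half_open:
            if flags & ACK and not flags & SYN:         # step 3: ACK of our SYN-ACK
                self.half_open.discard(key)
                self.established.add(key)
                return "ACCEPT established"
            return "DROP unexpected-in-handshake"
        if key in self.established:
            if flags & (FIN | RST):                     # teardown releases the state
                self.established.discard(key)
            return "ACCEPT data"
        return "DROP no-state"                          # ACK scan, stray SYN-ACK, etc.


def run_demo() -> list:
    """Feed a constructed sequence of segments through the tracker."""
    t = HandshakeTracker(max_half_open=2)
    script = [
        ("203.0.113.7", 40000, "192.0.2.10", 80, SYN),        # legitimate step 1
        ("203.0.113.7", 40000, "192.0.2.10", 80, ACK),        # legitimate step 3
        ("203.0.113.7", 40000, "192.0.2.10", 80, ACK | PSH),  # data on that connection
        ("198.51.100.9", 1, "192.0.2.10", 80, SYN | FIN),     # SYN+FIN probe
        ("198.51.100.9", 2, "192.0.2.10", 80, 0),             # null scan
        ("198.51.100.9", 3, "192.0.2.10", 80, ACK),           # ACK scan, no state
        ("198.51.100.9", 4, "192.0.2.10", 80, SYN),           # flood: half-open 1
        ("198.51.100.9", 5, "192.0.2.10", 80, SYN),           # flood: half-open 2 (cap)
        ("198.51.100.9", 6, "192.0.2.10", 80, SYN),           # over the cap, dropped
    ]
    return [t.inbound(*seg) for seg in script]


if __name__ == "__main__":
    for verdict in run_demo():
        print(verdict)
```

A real stack pairs the half-open cap with SYN cookies or a backlog timeout, because a flood normally spoofs its source addresses; the global cap here is the simplest form of the same idea.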
ICF: The Bad and the Ugly
ICF comes up short in a few areas. Many personal firewalls have automation and intelligence to help in the fight against intruders. Most, for example, will recognize repeated attacks from the same source IP address or domain and automatically block all traffic from that location; ICF doesn't. The same attack from the same person might appear thousands of times in ICF's log, but the firewall's logic never correlates one event with another.
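The correlation ICF lacks is easy to bolt on after the fact by reading its log. The following added example (mine, not part of ICF or any vendor product) counts DROP entries per source address inside a sliding time window and reports the sources that cross a threshold, which is the input a firewall would need to auto-block a repeat offender. ICF writes its log in W3C extended format with a #Fields header line; the field layout the parser relies on is the one the example embeds, and the log lines and addresses are constructed for the example rather than taken from a real pfirewall.log.

```python
"""Correlate repeated drops from one source in an ICF-style log.

Added example, not part of ICF. The parser reads the #Fields header rather
than hard-coding column positions, so it tolerates layout differences as long
as the action and src-ip columns exist. The SAMPLE_LOG below is constructed
for this example; the addresses are documentation ranges, not real hosts.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

SAMPLE_LOG = """\
#Version: 1.0
#Software: Microsoft Internet Connection Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info
2003-03-18 09:15:01 DROP TCP 198.51.100.9 192.0.2.10 4401 135 48 S 1203477 0 16384 - - -
2003-03-18 09:15:01 DROP TCP 198.51.100.9 192.0.2.10 4402 139 48 S 1203478 0 16384 - - -
2003-03-18 09:15:02 DROP TCP 198.51.100.9 192.0.2.10 4403 445 48 S 1203479 0 16384 - - -
2003-03-18 09:15:02 DROP UDP 203.0.113.7 192.0.2.10 1026 137 78 - - - - - - -
2003-03-18 09:15:03 DROP TCP 198.51.100.9 192.0.2.10 4404 80 48 S 1203480 0 16384 - - -
2003-03-18 09:15:03 DROP ICMP 203.0.113.7 192.0.2.10 - - 60 - - - - 8 0 -
2003-03-18 09:15:04 OPEN TCP 192.0.2.10 192.0.2.53 1054 80 0 - - - - - - -
2003-03-18 09:25:30 DROP TCP 198.51.100.9 192.0.2.10 4405 21 48 S 1209900 0 16384 - - -
"""


def parse_log(text: str):
    """Yield one dict per data line, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        values = line.split()
        if fields is None or len(values) != len(fields):
            continue                      # skip malformed lines instead of crashing
        rec = dict(zip(fields, values))
        rec["ts"] = datetime.strptime(rec["date"] + " " + rec["time"],
                                      "%Y-%m-%d %H:%M:%S")
        yield rec


def repeat_offenders(text: str, threshold: int = 3,
                     window: timedelta = timedelta(minutes=5)) -> dict:
    """Return {src-ip: time the source first reached `threshold` drops in `window`}."""
    recent = defaultdict(deque)           # src-ip -> timestamps of recent drops
    flagged = {}
    for rec in parse_log(text):
        if rec["action"] != "DROP":
            continue
        src = rec["src-ip"]
        q = recent[src]
        q.append(rec["ts"])
        while q and rec["ts"] - q[0] > window:
            q.popleft()                   # forget drops older than the window
        if len(q) >= threshold and src not in flagged:
            flagged[src] = rec["ts"]      # the moment a firewall would auto-block
    return flagged


if __name__ == "__main__":
    for src, when in repeat_offenders(SAMPLE_LOG).items():
        print(f"{src} crossed the threshold at {when:%H:%M:%S}")
```

Threshold and window are policy choices: a short window with a low threshold catches port sweeps like the one in the sample, while a long window with a higher threshold is less likely to block a misconfigured but harmless neighbour.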
Most firewalls block inbound and outbound connections, but malware developers learned that if they can sneak inside the firewall's perimeter (e.g., by arriving as a Trojan horse in an email message), they can look for ports the firewall already permits and communicate over those. Almost every personal firewall leaves outbound TCP port 80 open to permit Web browsing, and malware developers discovered that they can use port 80 for their own purposes without the firewall noticing. Personal firewall vendors responded by letting only preapproved applications use even the open ports. Firewalls determine which applications can communicate out through open ports by consulting a database of file characteristics (e.g., filename, size, checksum, date) or by querying the user. Of those characteristics only the checksum is hard to forge; a Trojan can trivially copy a trusted program's name, size, and timestamp. ICF doesn't include such functionality at all and allows almost any outbound connection regardless of which program initiates the network traffic.
Another function that ICF is missing is security zone protection. Some personal firewalls let you apply zone designations to remote machines and domains. The different zones correlate to different levels of protection. Many firewalls come with preconfigured zones with preset settings that let you quickly weigh risk decisions. You should place most Internet Web sites into a strict security zone, which some vendors call Paranoid or High Security, and other sites into a more relaxed zone, which some vendors call Trusting or Intranet, that permits more trusted activity. ICF doesn't let you block specific Web sites or place them in zones. The firewall evaluates only IP addresses and port numbers.
Today's personal firewall vendors frequently update their products with bug fixes and new vulnerability databases. Some updates appear weekly or more often. Feature-rich firewalls include antivirus scanning, privacy controls, content blocking, ad blocking, cookie blocking, email integration, and the blocking of potentially dangerous Internet content and scripting. ICF offers none of these advanced features.
Where Did That Shared Folder Go?
End users often experience frustration with the restrictions that their firewalls impose. ICF's failure to block outbound connections minimizes such frustration (along with protection). Nevertheless, I receive calls from ICF users who wonder why their file and print sharing isn't working. The family's shared printer doesn't work, or the shared directories aren't visible. To reenable sharing, you must add a service that allows TCP and UDP ports 135 through 139 (and perhaps port 445). Before you do, remember that ICF is enabled per network connection: open those ports only on the LAN connection the family shares, never on the connection that faces the Internet, because they expose file and print sharing to anyone who can reach that interface.