Another common complaint is that firewalls sometimes block IM and other peer-to-peer applications. With ICF, you must remember to open ports for services that need inbound connectivity. For example, you can open a Windows Messenger session without firewall intervention, but if you try to initiate a file transfer session, ICF will block the action. When it blocks such activity, ICF provides no alert; it only writes an event in the firewall log. To use Windows Messenger to transfer files, you must add a service that lets TCP and UDP access internal and external ports 6891 through 6900. Also, when ICF is enabled, you can't use some services that generate dynamic inbound port mapping in a way that ICF doesn't expect or can't handle. To test any connection problem to determine whether ICF is involved, temporarily disable ICF, wait a few minutes, then retry the connection.

Third-Party Interactions
Microsoft created the ICS/ICF API to let third-party applications query the firewall's network status on each connection and even enable or disable the firewall's protection of a particular network connection. Microsoft's ICS/ICF API lets applications such as Windows Messenger, Remote Assistance, Windows Update, and Help and Support Center work seamlessly through the firewall. Some in the security field are rightly concerned that this API might afford malware the same courtesy.

When a program tries to disable ICF, you'll see the notification that Figure 4 shows. (You'll get this notification whether or not the program is successful.) If a program tries to turn on the firewall, you'll see the message that Figure 5 shows.

Recommended Settings
If you use ICF, I recommend that you take the following steps to get the most from the firewall:

  • On the Security Logging tab, choose Log Dropped Packets to enable the firewall log.
  • Change the firewall's log file name and location. Intruders have a hard time covering their tracks when you don't use default settings. If you use ICF to protect just one computer, configure the firewall to write the log file to the desktop, where you'll likely read it more often. If you manage more than one ICF system, consider directing all logs to a centralized network location. Also, increase the log's maximum size from the default of 4096KB to 10MB or larger.
  • On the ICMP tab, disable any enabled ICMP packet types. You can always reenable these settings if necessary for troubleshooting.
  • Minimize the number of inbound services you enable within ICF. Allowing all outbound connections is problematic enough; you don't need any unnecessary inbound vulnerabilities. Say no to services that require a wide range of open port numbers.
  • Watch Microsoft's Windows Update sites for ICF updates.
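As an added example (not code from the article or from Microsoft), the following Python script parses the ICF firewall log that the first step above enables, so you can confirm from the DROP records which inbound traffic ICF silently blocked (for instance Windows Messenger's file-transfer ports 6891 through 6900) without disabling the firewall to test. It assumes the log's W3C-style #Fields header; the sample records and addresses are constructed.

```python
"""Summarise dropped inbound traffic recorded in an ICF firewall log."""
from collections import Counter

# Constructed sample of an ICF log (W3C extended log format with a
# #Fields header). Addresses, ports and times are made up for illustration.
SAMPLE_LOG = """\
#Version: 1.0
#Software: Microsoft Internet Connection Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info
2002-06-12 10:01:05 DROP TCP 192.0.2.10 10.0.0.5 3205 6891 48 S 1234567 0 16384 - - -
2002-06-12 10:01:08 DROP TCP 192.0.2.10 10.0.0.5 3206 6891 48 S 1234568 0 16384 - - -
2002-06-12 10:02:11 DROP UDP 198.51.100.7 10.0.0.5 1900 137 78 - - - - - - -
2002-06-12 10:03:40 DROP ICMP 203.0.113.9 10.0.0.5 - - 60 - - - - 8 0 -
2002-06-12 10:04:02 OPEN TCP 10.0.0.5 192.0.2.10 3300 80 0 - - - - - - -
"""

def parse_icf_log(text):
    """Yield one dict per record, keyed by the column names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]      # column names follow the "#Fields:" tag
            continue
        if not line or line.startswith("#"):
            continue                       # blank line or other header directive
        if fields is None:
            raise ValueError("log record appears before the #Fields header")
        values = line.split()
        if len(values) != len(fields):
            continue                       # truncated line: skip it rather than misalign columns
        yield dict(zip(fields, values))

def dropped_by_port(text, local_ip):
    """Count DROP records addressed to local_ip, keyed by (protocol, destination port).
    ICMP has no ports, so its key carries the ICMP type instead (e.g. 'type8' = echo request)."""
    counts = Counter()
    for rec in parse_icf_log(text):
        if rec["action"] == "DROP" and rec["dst-ip"] == local_ip:
            key = rec["dst-port"] if rec["protocol"] != "ICMP" else "type" + rec["icmptype"]
            counts[(rec["protocol"], key)] += 1
    return counts

def messenger_transfer_blocked(text, local_ip):
    """True if ICF dropped TCP or UDP traffic to the 6891-6900 range Messenger file transfer uses."""
    return any(proto in ("TCP", "UDP") and port.isdigit() and 6891 <= int(port) <= 6900
               for (proto, port) in dropped_by_port(text, local_ip))
```

Run it against the real log you configured (pfirewall.log by default, or the path you chose in the second step) by reading that file into `dropped_by_port` in place of the constructed sample.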

If you use XP, I strongly encourage you to investigate the more sophisticated offerings from personal firewall vendors such as Internet Security Systems, Norton, McAfee, Tiny Software, Sygate Technologies, and Zone Labs. ICF's lack of outbound connection checking is a fatal flaw and severely undermines the role that a firewall should play on the desktop. Microsoft's first attempt at a firewall falls short, but the company admits that the product is intended for customers who wouldn't typically purchase and configure a firewall. Half a firewall is better than no firewall, and Microsoft is headed in the right direction. ICF prevents unrequested inbound connections and closes default file sharing to the Internet, the biggest holes in Windows OSs. Let's hope that the next version of ICF provides outbound checking, application blocking, more automation capabilities, and alerting.





Reader Comments

"On the ICMP tab, disable any enabled ICMP packet types. You can always reenable these settings if necessary for troubleshooting."

I'm always troubled when supposed networking professionals recommend this. The ICMP Ping packet is not an optional feature. Disabling this breaks a number of things in fundamental ways. The most obvious and easily explained breakage is DHCP. Many DHCP servers will periodically ping leased addresses and, if the ping fails, put the address back into the lease pool.

Brian Gallew
