Understanding, configuring, and using Windows XP's firewall

In response to a continuous onslaught of malicious Internet cracking, Microsoft has included the bare-bones Internet Connection Firewall (ICF) with Windows XP Home Edition and XP Professional Edition. This firewall lacks many of the frills of commercially available personal firewalls, but if you configure it correctly, ICF can provide basic, one-way security protection against mischievous probes and malicious software (malware). Let's discuss the ICF firewall and examine configuration settings that can maximize its effectiveness in your enterprise. ICF might not win any security-industry awards, but using it will make your PC and your network safer.

Getting Started
Like many of today's personal firewalls, ICF is a stateful packet-filtering firewall, which means that it automatically permits inbound network traffic that results from previously allowed outbound connections. This feature is important because many IP services dynamically generate port numbers to assign when negotiating return paths. So, although you might connect to an FTP server on TCP port 21, the server will return a random port number higher than 1024 for the subsequent two-way communication. Typically, ICF recognizes the incoming traffic as a response to the original outbound request and permits it. ICF maintains a connection flow table in memory to document established connections. As with most stateful firewalls, the algorithm that discerns the legitimacy of the traffic doesn't work perfectly in all situations. If you use Instant Messaging (IM) or other peer-to-peer services, you'll probably have to tweak ICF's default settings.

Despite its name, ICF can prove useful for protecting a wide range of non-Internet LAN connections and nonbridged wireless pathways, as long as those connections use IP for their transport layer. The exceptions are bridged connections, private Internet Connection Sharing (ICS) connections, Infrared Data Association (IrDA) connections, and Direct Cable Connect (DCC) connections. Microsoft intended ICF to work in conjunction with its ICS service (the two services share the same API), but the two mechanisms don't have to work together. In a network with ICS, only PCs directly connected to the Internet need ICF, which is ideal for home and small-business networks.

A question I often hear from XP users is how to determine whether ICF is working. The software provides no outward sign that it's functioning and displays no Taskbar icon. Microsoft includes ICF with all XP systems, but by default, the software is enabled only on PCs that connect directly to the Internet and that you configure by using a network configuration wizard. To turn on ICF, perform the following steps:

  1. Run the Control Panel Networking and Internet Connections applet.
  2. Click Network Connections.
  3. Right-click the network connection for which you want to enable ICF (e.g., Local Area Connection), then click Properties.
  4. Select the Advanced tab, then select the Protect my computer and network by limiting or preventing access to this computer from the Internet check box.

If you have a Windows 2000 Active Directory (AD) domain, you can use a Group Policy Object (GPO) to enable or disable ICF on all machines in the domain. This GPO would govern laptops when connected to the domain, and you can continue to use ICF on those machines when you're traveling. I only wish that Microsoft had expanded group functionality and made ICF easier to configure and manage at the enterprise level.

Configuring ICF
With ICF enabled, you can click Advanced Settings and configure the firewall. A network connection icon appears with a small padlock and the word "Firewalled" to indicate that ICF is enabled, as Figure 1 shows. You can configure ICF differently for each network connection, although you must be an administrative user to create or manipulate ICF settings. You use three tabs (Services, Security Logging, and ICMP) to configure ICF.

The Services tab. The Services tab, on which the bulk of the firewall configuration occurs, lists the different preconfigured IP ports or services and whether they're enabled or disabled, as Figure 2 shows. By default, none of the preconfigured services is enabled.

By configuring the service settings, you allow or deny incoming traffic only. For example, you might disable SMTP, but that means only that remote Internet users can't use the protocol to connect to your machine. You can use SMTP for outgoing traffic regardless of whether you've enabled or disabled the protocol in ICF. ICF doesn't let you block outbound requests, which means that the firewall can do nothing to prevent malicious outbound attempts and won't block many of the most successful and widespread malicious mobile programs (including Nimda, Klez, and Code Red) when those programs run locally. The only circumstance in which ICF does block outbound traffic is when it finds packets with spoofed addresses. This feature guards against malicious XP users using false source IP addresses to hide a Denial of Service (DoS) attack.

To add an inbound service (aka a port mapping service), click Add on the Services tab. On the resulting Service Settings dialog box, which Figure 3 shows, enter a description of the service, the name or IP address of the machine or network that needs the service, and the internal and external ports that ICF should allow. Select TCP or UDP, depending on which protocol the service uses. Figure 3 shows how to let the AOL Instant Messaging program operate when ICF is enabled.

Hint: If your PC uses DHCP to get its IP address, consider entering the local loopback address of 127.0.0.1 instead of the actual IP address when adding an ICF service. Then, you won't have to update the mapped ports when the local IP address changes.

The Security Logging tab. The Security Logging tab lets you enable and disable logging and specify the name and location of the log file. ICF doesn't enable logging by default. To enable logging, select the Security Logging tab and choose Log dropped packets to log blocked network traffic and Log successful connections to track allowed traffic.

ICF writes logged events to an unfriendly World Wide Web Consortium (W3C) Extended Log File Format ASCII text file, pfirewall.log, which is in the Windows directory. ICF uses just one log file per machine, regardless of how many ICF connections you configure. For each packet it logs, ICF's log file contains fields for the date, time, action, protocol (TCP, UDP, or ICMP), source IP address, destination IP address, source port, destination port, packet size, TCP flags and other information, and ICMP information, if any. Successful connection requests will appear with either OPEN or CLOSE designations in the action field. The firewall logs any packets that it denies with a DROP designation. Most firewall administrators are especially interested in the DROP events.

The ICF log contains a lot of data but little constructive information. The log offers no intelligent diagnostic information, no exploit names, no elective levels of detail, and no highlighting of priority events. You must research which port numbers might be hostile or why certain TCP flags might indicate a malicious packet storm. Why the log commingles source and destination IP addresses and port numbers is a mystery to me.

Alerting is the process wherein a firewall immediately notifies you about critical exploit events. Many firewalls let you choose how the firewall should alert you (e.g., by using pop-up messages, email messages, pages), but ICF doesn't alert you at all. As a result, your machine might be under attack from several sources, but ICF will simply log the attacks without notifying you.

The ICMP tab. The ICMP tab lets you enable or disable nine Internet Control Message Protocol (ICMP) response behaviors. IP uses ICMP for troubleshooting and information discovery. Intruders can use the protocol to gather information about a particular network or computer (i.e., to perform a port scan) to use in an attack or to cause network traffic problems. A few early firewalls reported only UDP and TCP traffic, while failing to investigate ICMP traffic, a fact that intruders used to their advantage.

ICF lets you determine what type of ICMP traffic to respond to and permit, and the default is no ICMP traffic. This feature lets ICF function in "stealth" mode, which reduces the likelihood that remote seekers will detect your PC. When you configure ICF to deny or disable all ICMP traffic, ICF-protected PCs don't respond to probing packets, which makes the job of a rogue intruder harder. Each of the nine ICMP options in the ICF configuration includes a brief description of why you might permit a particular ICMP option. For example, if you don't select Allow incoming echo requests, you'll prevent remote machines from pinging your machine. For more information about ICMP and the associated risks, see Ofir Arkin's "ICMP Usage in Scanning" (http://sys-security.com/archive/papers/ICMP_Scanning_v2.5.pdf).

ICF: The Good
ICF works as Microsoft intended it to. The firewall blocks most uninitiated inbound connections, and ICF's limited feature set means it can act quickly and responsively. Firewalls that include many advanced features can experience performance lags. Not ICF. Also, ICF includes features that attempt to prevent incoming DoS attacks.

As I've mentioned, ICF has excellent ICMP packet handling, and the firewall neutralizes the most common ICMP attacks. ICF also includes special coding that looks for the usually successful three-way IP handshake (i.e., SYN/SYN-ACK/ACK) during network communications. Attacks that try to hold up processor utilization by completing only two of the three parts of this sequence or that use malformed pieces are virtually ineffective against ICF. Also, ICF checks for improper TCP flag settings on IP datagrams and automatically drops invalid packets. Microsoft created ICF to prevent malicious inbound packets from causing problems, and the product does a fair job and provides real protection.

ICF: The Bad and the Ugly
ICF comes up short in a few areas. Many personal firewalls have automation and intelligence to help in the fight against intruders. Most, for example, will recognize frequent attacks from the same source IP address or domain and automatically block all traffic from that location; ICF doesn't. The same attack from the same person might appear thousands of times in ICF's logs, but one event doesn't correlate to another in the firewall's programmatic functionality.
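The correlation ICF lacks is easy to add outside the firewall, working from the pfirewall.log described under the Security Logging tab above. The following is an added example, not code from the article or from Microsoft: it reads the W3C Extended Log File Format by its #Fields header and reports source addresses with repeated DROP records. The sample log and its column names are constructed to match the format the article describes; a real log may carry additional columns, which the header-driven parser tolerates.

```python
# Added example: correlate ICF DROP records per source address, which the
# firewall itself never does. Not part of the article or of ICF.
from collections import Counter, defaultdict

# Constructed sample in the W3C format ICF writes. The #Fields line is an
# assumption modelled on the ICF header; the parser trusts it rather than
# fixed column positions, so extra columns in a real log do no harm.
SAMPLE_LOG = """\
#Version: 1.0
#Software: Microsoft Internet Connection Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info
2002-06-11 10:01:02 DROP TCP 203.0.113.7 192.168.1.10 4021 135 48 S 1234567 0 16384 - - -
2002-06-11 10:01:03 DROP TCP 203.0.113.7 192.168.1.10 4022 139 48 S 1234568 0 16384 - - -
2002-06-11 10:01:04 DROP TCP 203.0.113.7 192.168.1.10 4023 445 48 S 1234569 0 16384 - - -
2002-06-11 10:01:05 OPEN TCP 192.168.1.10 198.51.100.4 3101 80 - - - - - - - -
2002-06-11 10:01:06 DROP UDP 198.51.100.9 192.168.1.10 1034 137 78 - - - - - - -
2002-06-11 10:01:07 DROP ICMP 203.0.113.7 192.168.1.10 - - 60 - - - - 8 0 -
2002-06-11 10:01:09 CLOSE TCP 192.168.1.10 198.51.100.4 3101 80 - - - - - - - -
"""

def parse_pfirewall(text):
    """Yield one dict per log record, keyed by the names in the #Fields line."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue  # other W3C directives and blank lines
        values = line.split()
        if fields is None or len(values) < len(fields):
            continue  # header not seen yet, or a truncated record
        yield dict(zip(fields, values))

def drops_by_source(text, threshold=3):
    """Return {src-ip: (drop_count, sorted destination ports)} for every
    source with at least `threshold` DROP records: the repeat offenders that
    one ICF log entry never links to the next."""
    counts = Counter()
    ports = defaultdict(set)
    for rec in parse_pfirewall(text):
        if rec["action"] != "DROP":
            continue
        counts[rec["src-ip"]] += 1
        if rec["dst-port"] != "-":  # ICMP records carry no port
            ports[rec["src-ip"]].add(int(rec["dst-port"]))
    return {ip: (n, sorted(ports[ip])) for ip, n in counts.items() if n >= threshold}
```

Pointing the script at the real file (Windows\pfirewall.log by default, or the relocated path recommended below) gives the per-source view that the raw log hides.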

Most firewalls block inbound and outbound connections, but malware developers learned that if they can sneak inside the firewall's perimeter (e.g., by using a Trojan horse email message), they can search for open firewall ports and communicate using previously allowed ports. Almost every personal firewall leaves port 80 open to permit Internet browsing, and malware developers discovered that they can use port 80 for their own purposes without firewall software detecting their activity. Personal firewall vendors responded by letting only preapproved applications use even the open ports. Firewalls determine which applications can communicate out through open ports by consulting a database of file characteristics (e.g., filename, size, checksum, date) or querying the user. ICF doesn't include such functionality and allows almost any outbound connection regardless of which program initiates the network traffic.

Another function that ICF is missing is security zone protection. Some personal firewalls let you apply zone designations to remote machines and domains. The different zones correlate to different levels of protection. Many firewalls come with preconfigured zones with preset settings that let you quickly weigh risk decisions. You should place most Internet Web sites into a strict security zone, which some vendors call Paranoid or High Security, and other sites into a more relaxed zone, which some vendors call Trusting or Intranet, that permits more trusted activity. ICF doesn't let you block specific Web sites or place them in zones. The firewall evaluates only IP addresses and port numbers.

Today's personal firewall vendors frequently update their products with bug fixes and new vulnerability databases. Some updates appear weekly or more often. Feature-rich firewalls include antivirus scanning, privacy controls, content blocking, ad blocking, cookie blocking, email integration, and the blocking of potentially dangerous Internet content and scripting. ICF offers none of these advanced features.

Where Did That Shared Folder Go?
End users often experience frustration with some of the restrictions that their firewalls impose. ICF's failure to block outbound connections minimizes such frustration (along with protection). Nevertheless, I receive calls from ICF users who wonder why their file and print sharing isn't working. The family's shared printer doesn't work, or the shared directories aren't visible. To reenable sharing, you must add a service that allows TCP and UDP ports 135 through 139 (and perhaps port 445).

Another common complaint is that firewalls sometimes block IM and other peer-to-peer applications. With ICF, you must remember to open ports for services that need inbound connectivity. For example, you can open a Windows Messenger session without firewall intervention, but if you try to initiate a file transfer session, ICF will block the action. When it blocks such activity, ICF provides no alert; it only writes an event in the firewall log. To use Windows Messenger to transfer files, you must add a service that lets TCP and UDP access internal and external ports 6891 through 6900. Also, when ICF is enabled, you can't use some services that generate dynamic inbound port mapping in a way that ICF doesn't expect or can't handle. To test any connection problem to determine whether ICF is involved, temporarily disable ICF, wait a few minutes, then retry the connection.

Third-Party Interactions
Microsoft created the ICS/ICF API to let third-party applications query the firewall's network status on each connection and even enable or disable the firewall's protection of a particular network connection. Microsoft's ICS/ICF API lets applications such as Windows Messenger, Remote Assistance, Windows Update, and Help and Support Center work seamlessly through the firewall. Some in the security field are rightly concerned that this API might afford malware the same courtesy.

When a program tries to disable ICF, you'll see the notification that Figure 4 shows. (You'll get this notification whether or not the program is successful.) If a program tries to turn on the firewall, you'll see the message that Figure 5 shows.

Recommended Settings
If you use ICF, I recommend that you take the following steps to get the most from the firewall:

  • On the Security Logging tab, choose Log Dropped Packets to enable the firewall log.
  • Change the firewall's log file name and location. Intruders have a hard time covering their tracks when you don't use default settings. If you use ICF to protect just one computer, configure the firewall to write the log file to the desktop, where you'll likely read it more often. If you manage more than one ICF system, consider directing all logs to a centralized network location. Also, increase the log's maximum size from the default of 4096KB to 10MB or larger.
  • On the ICMP tab, disable any enabled ICMP packet types. You can always reenable these settings if necessary for troubleshooting.
  • Minimize the number of inbound services you enable within ICF. Allowing all outbound connections is problematic enough; you don't need any unnecessary inbound vulnerabilities. Say no to services that require a wide range of open port numbers.
  • Watch Microsoft's Windows Update sites for ICF updates.

If you use XP, I strongly encourage you to investigate the more sophisticated offerings from personal firewall vendors such as Internet Security Systems, Norton, McAfee, Tiny Software, Sygate Technologies, and Zone Labs. ICF's lack of outbound connection checking is a fatal flaw and severely undermines the role that a firewall should play on the desktop. Microsoft's first attempt at a firewall falls short, but the company admits that the product is intended for customers who wouldn't typically purchase and configure a firewall. Half a firewall is better than no firewall, and Microsoft is headed in the right direction. ICF prevents unrequested inbound connections and closes default file sharing to the Internet, the biggest holes in Windows OSs. Let's hope that the next version of ICF provides outbound checking, application blocking, more automation capabilities, and alerting.