Windows Firewall: Bidirectional Protection

If you access the Internet using a broadbandcable modem or DSLservice, chances are, you have an always-on connection, which means there's a much greater chance that a malicious hacker could find your computer and have his way with it. You might think that with millions of people connected to the Internet at any given moment, there would be little chance of a "script kiddy" finding you in the herd.

Unfortunately, one of the most common weapons in a black-hat hacker's arsenal is a program that runs through millions of IP addresses automatically, looking for live connections. The problem is compounded by the fact that many cable systems and some DSL systems use IP addresses in a narrow range, thus making it easier to find always-on connections.

When a cracker finds your address, he has many avenues with which to access your computer. Specifically, your connection uses many different ports for sending and receiving data. For example, web data and commands typically use port 80, email uses ports 25 and 110, the File Transfer Protocol (FTP) uses ports 20 and 21, the domain name system (DNS) uses port 53, and so on.

In all, there are dozens of these ports, and every one is an opening through which a clever cracker can gain access to your computer. As if that weren't enough, attackers can check your system to see whether some kind of Trojan horse virus is installed. (Malicious email attachments sometimes install these programs on your machine.)

If the hacker finds one, he can effectively take control of your machine (turning it into a zombie computer) and either wreak havoc on its contents or use your computer to attack other systems. Again, if you think your computer is too obscure or worthless for someone else to bother with, think again.

A typical computer connected to the Internet all day long will be probed for vulnerable ports or installed Trojan horses at least a few times a day. If you want to see just how vulnerable your computer is, several good sites on the Web will test your security:

The good news is that Windows Vista includes an updated version of the Windows Firewall tool that debuted in Windows XP. This program is a personal firewall that can lock down your ports and prevent unauthorized access to your machine. In effect, your computer becomes invisible to the Internet (although you can still surf the Web and work with email normally).

The main change in Vista's version of Windows Firewall is that the program is now bidirectional. This means that it blocks not only unauthorized incoming traffic, but also unauthorized outgoing traffic. If your computer does have a Trojan horse installed (it might have been there before you installed Vista, or someone with physical access to your computer might have installed it), it might attempt to send data out to the Web.

For example, it might attempt to contact a controlling program on another site to get instructions, or it might attempt to send sensitive data from your computer to the Trojan's owner. A bidirectional firewall can put a stop to that.

The Windows Firewall in Vista also supports the following new features:

  • The IP Security (IPSec) protocol Environments that use only
  • Internet Protocol version 6 (IPv6)
  • Both incoming and outgoing firewall exceptions
  • Exceptions applied to specific computers and users
  • Exceptions applied to many different protocols (not just TCP and UDP)
  • Exceptions applied to both local and remote ports
  • Exceptions applied to specific interface types: location area network, remote access, or wireless
  • Exceptions applied to specific Vista services
  • Command-line support for controlling the firewall

From this list, you can see that Vista's firewall is a far more sophisticated tool than any of the versions that shipped with XP or its service packs. Reflecting that sophistication is a powerful new interface for working with Windows Firewall settings, exceptions, and monitoring. It's called Windows Firewall with Advanced Security (WFAS), and it's a Microsoft Management Console snap-in. To load it, press Windows Logo+R, type wf.msc, and click OK.

The home page of the snap-in presents an overview of the current firewall settings, as well as a number of links to configure and learn about WFAS. This snap-in configures the firewall by setting policies and storing them in two profiles: The Domain Profile is used when your computer is connected to a network domain; the Standard Profile is used when your computer is not connected to a domain.

The scope pane contains four main subbranches:

  • Inbound Rules - This branch presents a list of defined rules for inbound connections. In most cases, the rules aren't enabled. To enable a rule, you right-click it and then click Enable Rule (or you can click Enable Rule in the Action pane). You can also create your own rules by right-clicking Inbound Ruless and then clicking New Rule.
  • Outbound Rules - This branch presents a list of defined rules for outbound connections. As with inbound connections, you can enable the rules you want to use and create your own rules. Note, too, that you can customize any rule by double-clicking it to display its property sheet (see Figure 6.5). With this property sheet you can change the program executable to which the rule is applied, allow or block a connection, set the computer and user authorization, change the ports and protocols, and specify the interface types and services.
  • Computer Connection Security - You use this branch to create and manage authentication rules, which determine the restrictions and requirements that apply to connections with remote computers. Right-click Computer Connection Security and then click New Rule to launch the New Authentication Rule Wizard.
  • Monitoring - This branch shows the enabled firewall settings. For example, the Firewall subbranch shows the enabled inbound and outbound firewall rules, and the Connection Security, Rules subbranch shows the enabled authentication rules.