By Ian “Gizmo” Richards
Firewalls play a vital role in defending your computer from attack and form an essential part of your computer’s security setup.
But is your firewall actually doing its job? Are you sure it’s effective?
Monitor the information leaving your machine
These are not idle questions. More than half of the firewall setups I’ve checked over the last few months have been inadequate for one reason or another.
In this article, I’ll look at the most common firewall problems and give some suggestions for overcoming them. But first, let’s look at what your firewall should be doing.
Firewalls have two main functions: inbound and outbound protection.
Inbound protection means safeguarding your PC from hackers who are trying to break into it via open ports. Ports are the doorways through which information enters or leaves your system. There can be up to 65,536 of these ports on your machine, every one of which is a potential gateway that hackers can use to enter it.
The bad guys are out there in strength looking for these open ports. Within minutes of connecting a PC to the Internet, it is likely to be probed by a hacker.
Port probing is very similar to a car thief walking along the street testing the door handles on parked cars to see whether they are locked. Sooner or later, the thief finds an unlocked door and makes that vehicle the focus of attack.
Now, a thief may not be able to steal your car even if it is unlocked. Similarly, a hacker may find an open port on your PC but still be unable to take control of the machine. Even so, open ports certainly set you up as a target.
One of the main jobs of a firewall is to “lock the doors” on your PC. That’s what inbound protection is about.
Outbound firewall protection is different. It’s there to warn you that a possibly unauthorized program on your PC, such as a Trojan, is trying to contact the Internet. This is roughly analogous to an alarm that alerts you to someone trying to steal your car.
An outbound firewall “sounds the alarm” by flashing a warning message, typically asking something like:
Program x wants to connect to the Internet. Approve or Deny.
Just like car alarms, outbound firewalls are prone to false alarms. These bogus alerts are very annoying; most of the time, the program trying to connect to the Internet is not a Trojan “phoning home” but a legitimate and perfectly harmless application, such as your e-mail client trying to send a message.
Despite its annoying character, outbound protection is a useful adjunct to your PC’s defenses. Without outbound protection, a malware program that has insinuated itself onto your PC could be using the Internet to transmit all your vital and confidential information to some remote hacker without you ever knowing about it.
OK, that’s a quick look at what your firewall is supposed to do. Now let’s dig into the potential problem areas.
Problem 1: No outbound protection
If your only firewall is the one built into your network router, then you have no outbound protection.
If your only firewall is the one that comes with Windows, then for all practical purposes you have no outbound protection.
To get outbound protection, you need a good personal firewall. Thankfully, there are some outstanding free firewalls that are as good as commercial software firewalls. (See below for links to several of these freebies.)
Problem 2: Inadequate outbound protection
The outbound protection of several well-known firewalls — including the popular freeware version of ZoneAlarm — is poor. To see how your firewall’s outbound protection rates, check out the “leak test” results at these two sites:
Upgrading your firewall may sound like an easy option, but unfortunately, the top-performing products in these tests — including the popular free Comodo and Online Armor firewalls — are quite demanding on you, the end user. Maybe too demanding.
For some users, there are better options than using a high-performing outbound firewall. One alternative is to add a standalone host intrusion prevention system (HIPS) such as PCTools’ ThreatFire (available in free and $30 Pro versions). Another is to use a policy-based security program such as SoftSphere Technologies’ $30 DefenseWall (30-day free trial available) or a sandbox program such as Ronen Tzur’s free SandBoxie.
I can’t properly address this complex issue in this column, but I will dedicate a whole article to the subject in a future issue. In the interim, you may want to try Comodo. It’s free and has a basic operating option that puts less demand on users, though this low-maintenance mode reduces outbound protection.
Problem 3: User failure
Outbound protection is effective only if the user responds appropriately to the warning messages thrown up by the firewall. The problem is that many users don’t have the knowledge required to provide the appropriate responses.
This weakness is compounded by the fact that many firewalls are most unhelpful in providing the user with guidance on how to respond to the programs’ security alerts. For example, no average user could be expected to respond appropriately to a message that reads something like this:
Program lsass.exe wants to connect to the Internet. Approve or Deny?
When regularly faced with this kind of nonsense, many users will simply answer “Approve” to everything, totally negating the effectiveness of outbound protection.
There is no point in blaming the user here. They’re just ordinary folks, not technical experts.
The problem is that the model is flawed; you cannot rely on the user’s response for security decisions.
Some firewall vendors have made progress in reducing the burden on users by applying smart techniques to reduce the number of warnings and also by providing more information to help users make an informed decision. However, while the problem can be lessened, it cannot be eliminated.
Because of these poor interfaces, firewalls that top the leak-test charts may in practice offer average users no better outbound protection than poorer-performing firewalls.
So, what can be done?
As I mentioned above, you can augment your protection using other less-demanding security options, such as a sandbox.
Another approach is to select a firewall that balances technical protection with realistic user demands. A product such as the free Sunbelt Personal Firewall (formerly Kerio) sure won’t win any prizes in the leak-test contests, but for many people it is one of the best choices. And Sunbelt is the hands-down winner over the Windows Defender firewall that most home users rely on.
It’s a simple case of the “right” firewall being a better choice than the “best” firewall for the average PC user.
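The argument above is that an outbound decision should not hinge on what an untrained user clicks. The following added example (mine, not the article's, and not a description of any product named in it) contrasts the two models in a few lines: a prompt-based firewall whose user has learned to click Approve, and a policy-based one where an explicit rule table answers instead and an unmatched program is logged for later review rather than asked about. The rule table, the executable paths and the port lists are constructed for the illustration.

```python
"""Outbound decisions by policy instead of by prompt.

Added illustration: the rule format, paths and the two "models" are hypothetical
and do not describe any product named in the article.
"""
from dataclasses import dataclass
from fnmatch import fnmatchcase


@dataclass(frozen=True)
class Rule:
    program: str        # glob over the executable's full path
    ports: frozenset    # destination ports the rule covers; empty = any port
    action: str         # "allow" or "deny"
    note: str           # written to the log instead of a question to the user


# Constructed policy (first match wins; no match -> default deny, logged).
POLICY = (
    Rule(r"C:\Program Files\Mozilla Thunderbird\thunderbird.exe",
         frozenset({25, 587, 993}), "allow", "mail client: SMTP/submission/IMAPS"),
    Rule(r"C:\Program Files\Mozilla Firefox\firefox.exe",
         frozenset({80, 443}), "allow", "browser: HTTP/HTTPS"),
    Rule(r"C:\Users\*\AppData\Local\Temp\*",
         frozenset(), "deny", "executables in a temp directory never get out"),
)


def policy_model(program, dest_port, policy=POLICY, log=None):
    """Decide from the rule table; the user is never asked."""
    for rule in policy:
        if fnmatchcase(program.lower(), rule.program.lower()) and (
                not rule.ports or dest_port in rule.ports):
            return rule.action
    if log is not None:  # an unknown program is a finding for review, not a question
        log.append(f"DENY {program} -> port {dest_port}: no matching rule")
    return "deny"


def prompt_model(program, dest_port, user_answers):
    """The model the article criticises: every unknown program triggers a question."""
    return "allow" if user_answers(program, dest_port) else "deny"


def always_approve(program, dest_port):
    """The habit the article describes: click Approve to make the dialog go away."""
    return True


if __name__ == "__main__":
    unknown = r"C:\Users\bob\AppData\Local\Temp\update.exe"
    mail = r"C:\Program Files\Mozilla Thunderbird\thunderbird.exe"
    print("prompt model, unknown program:", prompt_model(unknown, 443, always_approve))
    log = []
    print("policy model, unknown program:", policy_model(unknown, 443, log=log))
    print("policy model, mail client on 587:", policy_model(mail, 587))
    print("policy model, mail client on 6667:", policy_model(mail, 6667, log=log))
    print("\n".join(log))
```

Note that the mail-client rule is tied to mail ports, so the same program reaching for an unrelated port falls through to the default deny and shows up in the log; that is the kind of expert knowledge the prompt model expects the user to supply on the spot.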
Problem 4: Open ports
Most modern firewalls do a pretty good job at inbound protection and can effectively stealth your PC’s ports. That is, they can hide the existence of the ports from hackers’ probes.
However, when I test people’s PCs, I commonly find some unstealthed ports. This can be a firewall problem, but more commonly it’s the result of ports being opened by programs that were installed by the user, or it’s due to a deliberate action by the user.
Figure 1. Steve Gibson’s Shields UP! identifies your PC’s open ports.
Sometimes this is unavoidable, but just as often it is unintentional.
I suggest that you use one of these Web services to run a free port scan of your PC.
If you do have open ports, the port-scanning services will provide information that will help you pin down the cause. This is a task within the capabilities of experienced users, but many average folks will definitely need some assistance. The firewall forum at Wilders Security Forums is a good place to start.
Do check your ports. It only takes a few minutes and you may be surprised by what you find.
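Once an external scan reports an open port, the question is which program on the PC opened it. The added example below (mine, not from the article) does the local half of that job: it parses the output of Windows' built-in `netstat -ano`, keeps only listening sockets, joins each to its process name, and separates sockets bound to all interfaces (which an outside probe can reach if the firewall lets it through) from those bound to loopback only (which it cannot). The netstat text and the PID-to-name table are constructed samples; on a real machine they come from `netstat -ano` and `tasklist`.

```python
"""Pin down which process owns each listening port, from `netstat -ano` output.

Added illustration, not from the article: the netstat text and the PID->name
table below are constructed; on a real Windows PC they come from `netstat -ano`
and `tasklist`, both built in.
"""
from dataclasses import dataclass

# Constructed sample, in the column layout of Windows `netstat -ano`.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       884
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:5900           0.0.0.0:0              LISTENING       2312
  TCP    127.0.0.1:5939         0.0.0.0:0              LISTENING       2312
  TCP    192.168.1.5:49723      93.184.216.34:443      ESTABLISHED     3124
  TCP    [::]:135               [::]:0                 LISTENING       884
  UDP    0.0.0.0:5353           *:*                                    1780
  UDP    127.0.0.1:1900         *:*                                    1780
"""

# Constructed PID -> image name map (from `tasklist` on a real PC).
SAMPLE_PROCESSES = {4: "System", 884: "svchost.exe", 2312: "vncserver.exe",
                    3124: "firefox.exe", 1780: "svchost.exe"}

LOOPBACK = {"127.0.0.1", "[::1]"}


@dataclass(frozen=True)
class Listener:
    proto: str
    address: str
    port: int
    pid: int
    process: str
    network_reachable: bool  # False when bound to loopback only


def split_local(addr):
    """'0.0.0.0:135' -> ('0.0.0.0', 135); rpartition copes with '[::]:135'."""
    host, _, port = addr.rpartition(":")
    return host, int(port)


def parse_listeners(netstat_text, processes):
    listeners = []
    for line in netstat_text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue  # banner and header rows
        proto = parts[0]
        if proto == "TCP":
            if len(parts) < 5 or parts[3] != "LISTENING":
                continue  # established or closing connections are not open doors
            pid = int(parts[4])
        else:
            pid = int(parts[3])  # UDP rows have no State column; any bound socket can receive
        host, port = split_local(parts[1])
        listeners.append(Listener(proto, host, port, pid,
                                  processes.get(pid, "unknown"),
                                  host not in LOOPBACK))
    return listeners


def externally_visible(listeners):
    """(proto, port, process) triples an outside scan could see if the firewall passes them."""
    return sorted({(l.proto, l.port, l.process) for l in listeners if l.network_reachable})


if __name__ == "__main__":
    found = parse_listeners(SAMPLE_NETSTAT, SAMPLE_PROCESSES)
    for proto, port, name in externally_visible(found):
        print(f"{proto} {port:>5}  {name}")
```

In the sample, the loopback-only sockets (5939/tcp and 1900/udp) drop out of the report, the IPv4 and IPv6 listeners on 135 collapse to one line, and the remaining entries are the ones to compare against what the external scan reported; the process name beside each is what tells you whether it was a deliberate install or something that needs looking into.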
Ian “Gizmo” Richards is senior editor of the Windows Secrets Newsletter. He was formerly editor of the Support Alert Newsletter, which merged with Windows Secrets in July 2008. Gizmo alternates the Best Software column each week with contributing editor Scott Spanbauer.