1. What is a firewall?
An Internet firewall is a piece of software
or hardware that helps screen out hackers, viruses, and worms, which
try to reach your computer over the Internet. If you are a home user
or small-business user, installing a firewall is the most effective
and important first step you can take to help protect your computer.
It is important to have a firewall and antivirus software turned on
before you connect to the Internet.
2. Why do I need a firewall?
If your computer is not protected when
you connect to the Internet, hackers can gain access to personal information
on your computer. They can install code on your computer that destroys
files or causes malfunctions. They can also use your computer to cause
problems on other home and business computers connected to the Internet.
A firewall helps screen out many kinds of malicious Internet traffic
before it reaches your system. Some firewalls can also help prevent
others from using your computer to attack other computers without
your knowledge. Using a firewall is important no matter how you connect
to the Internet—with a dial-up modem, a cable modem, or a digital
subscriber line (DSL or ADSL).
3. What can a firewall protect against?
Some firewalls permit only email traffic
through them, thereby protecting the network against any attacks other
than attacks against the email service. Other firewalls provide less
strict protections, and block services that are known to be problems.
Generally, firewalls are configured to protect against unauthenticated
interactive logins from the "outside" world. This, more than anything,
helps prevent vandals from logging into machines on your network.
More elaborate firewalls block traffic from the outside to the inside,
but permit users on the inside to communicate freely with the outside.
The firewall can protect you against any type of network-borne attack
if you unplug it.
Firewalls provide an important logging and auditing function; often
they provide summaries to the administrator about what kinds and amount
of traffic passed through them, how many attempts there were to break
into them, etc.
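The "block outside-to-inside, permit inside-to-outside" policy and the audit summary described above can be seen in a toy packet filter. This is an added example, not part of the original FAQ or of any firewall product; the class name, the 192.168.1. inside prefix and the sample packets are all constructed for illustration.

```python
from collections import Counter

INSIDE = "192.168.1."          # constructed home-network prefix (assumption)

class StatefulFilter:
    """Toy policy: inside hosts may open connections; outside hosts may only reply."""

    def __init__(self):
        self.flows = set()       # connections opened from the inside
        self.audit = Counter()   # (verdict, destination port) -> packet count

    def check(self, src, sport, dst, dport):
        outbound = src.startswith(INSIDE)
        if outbound:
            # Remember the flow so the reply can be matched later.
            self.flows.add((src, sport, dst, dport))
            verdict = "allow"
        elif (dst, dport, src, sport) in self.flows:
            verdict = "allow"    # reply to a connection the inside started
        else:
            verdict = "block"    # unsolicited traffic from the outside
        self.audit[(verdict, dport)] += 1
        return verdict

    def summary(self):
        """Per-port counts of blocked packets, the kind of report an admin reads."""
        return {port: n for (v, port), n in sorted(self.audit.items()) if v == "block"}

# Constructed sample traffic: (src, sport, dst, dport)
PACKETS = [
    ("192.168.1.10", 40000, "203.0.113.5", 80),    # inside browses a web server
    ("203.0.113.5", 80, "192.168.1.10", 40000),    # the server's reply
    ("198.51.100.7", 51000, "192.168.1.10", 23),   # outside tries an interactive login
    ("198.51.100.7", 51001, "192.168.1.10", 23),
    ("198.51.100.9", 52000, "192.168.1.10", 445),  # outside probes file sharing
]

def run(packets):
    fw = StatefulFilter()
    verdicts = [fw.check(*p) for p in packets]
    return verdicts, fw.summary()

if __name__ == "__main__":
    verdicts, blocked = run(PACKETS)
    for pkt, v in zip(PACKETS, verdicts):
        print(v, pkt)
    print("blocked per destination port:", blocked)
```

The filter decides on addresses and ports only and never inspects what the allowed connection carries, which is the limitation the next two answers describe.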
4. What can't a firewall protect against?
Firewalls can't protect against attacks
that don't go through the firewall. Many corporations that connect
to the Internet are very concerned about proprietary data leaking
out of the company through that route.
Another thing a firewall can't really protect you against is spies
inside your network. Sensitive information can easily be transferred
outside the network or organization if someone from the inside leaks
it out using disks, phones, or FAX machines.
Lastly, firewalls can't protect against tunneling over most application
protocols to trojaned or poorly written clients. There are no magic
bullets and a firewall is not an excuse to not implement software
controls on internal networks or ignore host security on servers.
Tunneling "bad" things over HTTP, SMTP, and other protocols is quite
simple and trivially demonstrated. Security isn't "fire and forget".
5. What about viruses?
Firewalls can't protect very well against
things like viruses. There are too many ways of encoding binary files
for transfer over networks, and too many different architectures and
viruses to try to search for them all. In other words, a firewall
cannot replace security-consciousness on the part of your users. In
general, a firewall cannot protect against a data-driven attack--attacks
in which something is mailed or copied to an internal host where it
is then executed.
6. How can I tell if my computer already has a
If you have Windows XP running on your
computer, you can check to make sure the firewall is enabled:
Click Start, and then click Control Panel.
Click Network and Internet Connections, and
then click Network Connections. (Tip: If the Network and Internet
Connections category is not visible, click Switch to Category
View on the upper left of the window.)
Under the Dial-Up or LAN or High Speed Internet
category, click the icon to select the connection that you want
to help protect.
In the task pane on the left, under Network
Tasks, click Change settings of this connection (or right-click
the connection you want to help protect, and then click Properties).
On the Advanced tab, under Internet Connection
Firewall, make sure the box is checked next to Protect my computer
and network by limiting or preventing access to this computer
from the Internet. If a check mark is in the box, the firewall
is on. If the box is clear, the firewall is off and your computer
is potentially vulnerable on the Internet.
If you have a different
version of Windows, such as Windows 2000, Windows Millennium Edition,
or Windows 98, you should obtain a hardware or software firewall
from another company and install it. You can check the manuals
of your home networking devices, such as wireless access points
or broadband routers, to determine if they include built-in hardware
firewalls. If you are uncertain whether a software firewall has
been installed on your computer, you can check in the All Programs
folder. Click Start, and then click All Programs. Look for a firewall
program that is installed. Some common brand names for software
firewalls for home users include BlackICE, McAfee, Norton, Tiny
Personal Firewall, and ZoneAlarm.
7. I have a different version
of Windows, what should I do?
Versions of Windows before Windows XP
did not come with a built-in firewall. If you have a computer with
an earlier version of Windows, such as Windows 2000, Windows Millennium
Edition, or Windows 98, you should get a firewall and install it.
You can use a hardware firewall or a software firewall. The following
resources provide more information about your firewall options.
8. Hardware Firewalls
Many wireless access points and broadband
routers for home networking have built-in hardware firewalls, which
provide good protection for most home networks.
9. What else do I need besides a firewall?
A firewall will not make your computer
100 percent safe. However, a firewall provides the most effective
first line of defense. You should install a firewall first, and then
add other security measures, such as critical software patches from
Windows Update and antivirus software. You can use Automatic Updates
in Windows XP to help make sure you are installing the available patches.
See the Protect Your PC Web site for more information.
10. My computer is part of a large business, school,
or organizational network--should I enable the firewall?
You should follow the policy established
by the network administrator for your business, school, or organizational
network. In some cases, network administrators may configure all computers
on the network so that you cannot turn on Internet Connection Firewall
while your computer is connected to the network. The check box to
turn on Internet Connection Firewall in the Network Connection Properties
dialog box will be dimmed. In those cases, you should ask your network
administrator for guidance on whether you need a firewall on your
11. I have Windows XP. Can I use a firewall other
than the built-in Windows XP Internet Connection Firewall?
Yes. Windows XP users who want different
features in a firewall may use a hardware firewall or a software firewall
from another company.
12. Should I use Internet Connection Firewall
on a computer that is also behind a hardware firewall?
Yes. You should turn on the Windows
XP Internet Connection Firewall for all computers in your home network.
This helps prevent the spread of viruses or worms across your network
if a computer is infected. A computer on the network could become
infected through a separate Internet connection, such as one on a
laptop that is used on your home network and on public networks. Or
a virus could be introduced to a computer on your network by way of
e-mail or software installed from a CD or floppy disk.