Friday, 11 July 2008

Working With The Windows XP Firewall

By: Brien M. Posey, MCSE

Since the release of Windows XP, there has been a lot of hype about security, and about Windows XP’s built-in firewall. Although the built-in firewall certainly seems like a good step in the right direction, it can be a double-edged sword. In this article, I’ll explain the good points and the bad points of the Windows XP firewall.

The Windows XP firewall is designed to block all inbound packets unless those packets are a direct response to a query that was sent out from the machine. The firewall is designed to help you keep hackers out of your system. As you can see in Figure A, port scanning a Windows XP machine that doesn’t have the firewall enabled reveals some information that could be useful to a hacker. However, if you enable the firewall and then perform the same port scan a second time, nothing is revealed, as shown in Figure B.

Figure A

Performing a port scan on a machine without the firewall reveals some useful information.

Figure B

The firewall prevents port scans.

As you can see in my figures, the firewall protects Windows XP against port scanning. Unfortunately though, there are some serious issues involved in using the Windows XP firewall that you need to be aware of.

First, the Windows XP firewall isn’t a full-featured firewall. Normal firewalls allow you to specifically control each TCP and UDP port. Windows XP’s firewall doesn’t provide you with this capability. Instead, it takes a point-and-click approach to enabling or disabling a few common ports, as shown in Figure C. The firewall’s logging capabilities are also minimal.

Figure C

Windows XP’s firewall allows you to open or close a few common ports.

Because of the limitations that I’ve just described, the Windows XP firewall shouldn’t be used to take the place of a normal corporate firewall. Instead, it should be used as a supplement. Remember that your corporate firewall does a good job protecting your organization from external threats, but does nothing to protect your organization from internal threats. On the other hand, the Windows XP firewall isn’t a suitable replacement for a corporate firewall, but it can help guard workstations from hack attempts originating from within the organization. Therefore, I recommend enabling the Windows XP firewall on your workstations, but using the Windows XP firewall in conjunction with your corporate firewall.

Keep in mind, though, that even the multilevel firewall architecture that I just described isn’t completely secure. The Windows XP firewall does a great job blocking inbound traffic, but makes no attempt to filter outbound traffic. This means that a hacker would have no trouble using your workstations as a part of a distributed denial of service attack. Unfortunately, there’s no way to block outbound traffic at the Windows XP level, but you can configure your corporate firewall in a manner that protects your company against being used as a pawn in a denial of service attack.
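The two layers described in this article, as a small Python model added here (it is not code from the article or from Windows): a workstation filter that accepts inbound packets only as replies to flows the host opened and never filters outbound, and a corporate egress filter. The class names, the sample addresses and the egress policy (internal source addresses and a short list of allowed services) are assumptions made for the illustration.

```python
import ipaddress
from collections import namedtuple

Packet = namedtuple("Packet", "proto src sport dst dport")

class HostFirewall:
    """Model of the workstation firewall: stateful inbound, no outbound filter."""
    def __init__(self):
        self.flows = set()  # flows this host opened

    def outbound(self, p):
        # Outbound packets are never filtered; they only create state.
        self.flows.add(p)
        return "allow"

    def inbound(self, p):
        # Accept only a packet that mirrors a flow this host opened.
        mirrored = Packet(p.proto, p.dst, p.dport, p.src, p.sport)
        return "allow" if mirrored in self.flows else "drop"

class PerimeterEgress:
    """Assumed corporate egress policy: internal sources and listed services only."""
    def __init__(self, internal_net, allowed):
        self.net = ipaddress.ip_network(internal_net)
        self.allowed = set(allowed)

    def outbound(self, p):
        if ipaddress.ip_address(p.src) not in self.net:
            return "drop"  # source address is not ours: spoofed
        return "allow" if (p.proto, p.dport) in self.allowed else "drop"

def demo():
    # Constructed sample traffic (private and documentation address ranges).
    ws = HostFirewall()
    edge = PerimeterEgress("10.0.0.0/24", [("udp", 53), ("tcp", 80), ("tcp", 443)])
    query = Packet("udp", "10.0.0.5", 1025, "192.0.2.53", 53)
    reply = Packet("udp", "192.0.2.53", 53, "10.0.0.5", 1025)
    probe = Packet("tcp", "10.0.0.9", 4000, "10.0.0.5", 139)  # unsolicited, internal
    flood = Packet("udp", "203.0.113.7", 4444, "198.51.100.10", 7)  # spoofed source
    return {
        "query": (ws.outbound(query), edge.outbound(query)),
        "reply": ws.inbound(reply),
        "probe": ws.inbound(probe),
        "flood": (ws.outbound(flood), edge.outbound(flood)),
    }

if __name__ == "__main__":
    for name, verdict in demo().items():
        print(name, verdict)
```

The `flood` packet passes the workstation model untouched and is stopped only at the perimeter, which is the gap the last paragraph describes.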
