If you're worried about the security of your home computer while accessing the internet, it's time to set up a firewall. It's a normal concern these days, but before you start installing any firewall software, you should review the basics.
What exactly is a firewall, beyond a buzzword you've heard bandied about by salespeople? Here's a pop quiz:
A firewall is:
a) Part of a computer system which prevents incoming data connections
b) A way to prevent users from accessing certain services online
c) A bad movie starring Harrison Ford
d) All of the above
b) A way to prevent users from accessing certain services online
c) A bad movie starring Harrison Ford
d) All of the above
The answer is, of course, D. If A and B seem contradictory, that's because the term "firewall" covers many different types of software which can be configured for different functionality. (And if you want to argue about C, let me stop you right there: Firewall (2006) has a 19% rating on Rotten Tomatoes and a Metacritic score of 45. Get over it.)
In this how-to, we'll show you how to get a Firewall up and running on the internet-connected PC (or the wi-fi network) in your home.
Contents |
Firewall basics
The basic firewall applications included with Windows XP, Windows Vista, Windows 7 and Mac OS X are intended mostly to prevent unauthorized access to a computer by a remote user or program. In the past, malicious "worms" have propagated using the built-in network services of unsuspecting users' computers. As a result, current versions of many operating systems enable only the most common and essential services by default. To understand how firewalls work, you should first understand how computer programs talk to each other.
On the internet, every computer has a "IP address" which uniquely identifies it as a node on the global network. When computers talk to each other -- by sending "data packets" back and forth -- each packet includes the intended recipient's IP address, so the network can deliver the data to the right place. Each program is assigned a "port number" through which it can send and receive data. Most port numbers are standardized by service, such as port 80 for web browsers (HTTP) and port 21 for FTP file transfers. Windows File Sharing and iTunes Music Sharing also have their own ports for communication.
Blocking by port
The simplest use of a firewall is to turn certain port numbers on or off, thereby enabling or preventing programs which want to communicate over those ports. When you install new software, the installation process may enable certain ports that the new software needs to function. Depending on the software, you may need to enable these ports manually. Here's how...
On Mac OS X
- Open "System Preferences..."
- Under "Personal," select "Security"
- Select the "Firewall" pane (it should say "Firewall On" in the top left; if not, click the "Start" button)
- If you've password-protected your computer, unlock first to make changes
- If the service you want to enable is in the list, click on the check box to allow it
- If the service is grayed out, select the "Services" pane and enable the service from there
- If you need to enable a different service or a specific port number, click the "New..." button and follow the instructions
On Windows
- Under "My Computer," go to "Control Panel" (Vista: open Start Menu, then "Control Panel")
- Select "Security Center," then under "Manage Security Settings for...," select "Windows Firewall" (Vista: just select "Windows Firewall")
- On the "General" tab, make sure the firewall is turned "On" and the "Don't allow exceptions" box is NOT checked
- Select the "Exceptions" tab
- If the program you want to allow is in the list, click on the check box to allow it
- If the program is not in the list, click the "Add Program..." button and follow the instructions
- If you need to enable a specific port number, click the "Add Port..." button and follow the instructions
Maintenance
To disable a port, simply uncheck the appropriate box for an existing service and save your settings. Most ports should be disabled by default, so they won't appear in the list at all.
As mentioned earlier, you can use firewall software to do more than just controlling port access. You can keep a log of incoming traffic to your computer, filter out certain types of data and add security mechanisms for specific applications. If you know what functionality you need, you can use a package like Firewall Builder to set up detailed rules for your home network.
Speaking of home networks, note that your firewall can reside on a completely separate computer from your primary desktop. If all your computers are connected by wired Ethernet to a cable modem or DSL router, they all go through that one box to communicate with the outside internet. That box may already have firewall software built into it. Consult your user's manual or contact your ISP for more information.
Tip: A firewall does NOT replace anti-virus software, and will NOT protect you from things like e-mail spam and "phishing" attacks (where malicious users attempt to trick you into giving out personal information). Always be careful when visiting strange web sites and downloading new software from the internet. If you don't trust the web site, don't trust the software.
Even though it's been around since 1998, you probably haven't heard of IPv6, the next-generation protocol for computer networking over the internet. One of the main drivers behind the development of IPv6 was to provide a larger IP address pool. (The current system, IPv4, only supports 4 billion addresses. That may sound like a lot, but it won't be nearly enough once everyone on the planet has a home computer, a video game console and an Internet-enabled phone.) IPv6 also supports other improvements, including security and auto-configuration features.
As more devices begin supporting IPv6, new network software -- including firewalls -- will be required to handle the additional features in the new protocol. This should be mostly transparent to the end-user, since many of the changes will need to be made at the hardware or operating-system level, but you should expect to install a few updates when the time comes.
