Software Firewalls

By Matthew Sarrel  |  Posted 2002-11-19

With Windows XP, Microsoft introduced Internet Connection Firewall (ICF), a bare-bones firewall that shuts down access to ports to prevent hackers from scanning them. But ICF won't stop outward data transmissions (of, say, your tax returns).

At heart, all firewalls are designed to close off systems to scanning and entry, which they can do simply by blocking ports. Some software firewalls also prevent information from leaving your PC by blocking nontrusted services and applications from accessing the network.

With software, you must install a firewall on every PC that needs protection, whereas hardware firewalls centrally protect all machines in a network. Because software firewalls run locally, however, they have intimate knowledge of what's happening on systems. A hardware firewall will likely allow any e-mail traffic out over port 25; a software firewall can differentiate between Microsoft Outlook and Trojans.

Typically, the first time a program tries to access the Internet, a software firewall asks whether it should permit the communication. Some firewalls now identify common applications (such as AIM, Lotus Notes, and Microsoft Office), creating appropriate rules during setup. Ideally, after a day or two of training, a firewall will protect you with only a few interruptions—as when you install applications—but that's not what we found.
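The difference between port-only filtering and per-application filtering with a first-use prompt can be modeled in a few lines. This is an added example, not code from the article or from any firewall product; the port set, the default rules, and the program name `mailer_unknown.exe` are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Attempt:
    program: str    # executable that opened the socket; only the host can see this
    dest_port: int

# Constructed policy, for illustration only.
PERIMETER_OPEN_PORTS = {25, 80, 443}
DEFAULT_APP_RULES = {
    ("outlook.exe", 25): "allow",
    ("iexplore.exe", 80): "allow",
}

def perimeter_decision(attempt):
    """Port-only filtering: the program behind the traffic is invisible."""
    return "allow" if attempt.dest_port in PERIMETER_OPEN_PORTS else "deny"

def host_decision(attempt, rules, ask_user):
    """Per-application filtering with a first-use prompt."""
    key = (attempt.program.lower(), attempt.dest_port)
    if key not in rules:
        # No rule yet: ask once and remember the answer as a new rule.
        rules[key] = "allow" if ask_user(attempt) else "deny"
    return rules[key]

def compare(attempts, ask_user):
    """Return (program, port, perimeter verdict, host verdict) per attempt."""
    rules = dict(DEFAULT_APP_RULES)
    return [(a.program, a.dest_port, perimeter_decision(a),
             host_decision(a, rules, ask_user)) for a in attempts]

# Constructed sample traffic; "mailer_unknown.exe" stands in for a Trojan sending mail.
SAMPLE = [
    Attempt("OUTLOOK.EXE", 25),
    Attempt("mailer_unknown.exe", 25),
    Attempt("mailer_unknown.exe", 25),
]

if __name__ == "__main__":
    prompts = []
    def cautious_user(attempt):
        prompts.append(attempt.program)
        return False   # this user denies anything unrecognised
    for row in compare(SAMPLE, cautious_user):
        print(row)
    print("prompts shown:", prompts)
```

The host verdict for the unknown program depends entirely on what `ask_user` returns, so the quality of that one answer decides the rule from then on.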

Software firewalls show their weaknesses when they encounter programs for which they have no default rule. For example, when the program Lsass.exe attempts to access the Internet, Symantec's Norton Internet Security simply tells you so and asks whether you want to allow it to proceed. How would you (or your family) answer? For programs this firewall knows something about, it tells you more: In this case, it tells you that Lsass.exe is "the local security authentication server [that] generates the process that the Winlogon service uses to authenticate users." It also tells you a bit about the machine it's talking to. Is that enough to help you configure your rule?

In most cases you can opt to have your firewall ask you each time the program tries to get online. The prompts usually get so annoying that most users end up making a rash decision with little more information than they originally had.

If you're unsure, you can deny access and see whether anything breaks. But we don't recommend this approach. You might, for example, block Windows from checking for security updates. You'll never notice the missing notifications for the updates that help plug newly discovered operating-system security holes.

The other danger is that things can get too fouled up for the average user to fix easily. Let's say you mistakenly deny Iexplore.exe access to the Internet. Goodbye, Internet Explorer! Recovering from such an error is often complicated and likely to make users reluctant to deny permission to anything. (See the sidebar "What's That File?" for advice on common files.)

Matthew D. Sarrel, CISSP, is a network security, product development, and technical marketing consultant based in New York City. He is also a game reviewer and technical writer. To read his opinions on games please browse and for more general information on Matt, please see
