Being Neighborly with a Firewall 664

✦ Detect and alert you to unusual outbound traffic, which can indicate that your laptop has become infected by spyware

To allow a particular program to send information back and forth through the firewall (also called unblocking a program), tell the utility to establish an exception. You can also allow a program through the firewall by opening one or more ports.

Explaining how firewalls work

The best firewalls use a combination of techniques to protect your computer, in the hope that at least one of them catches something worth blocking (or at least worth notifying you about). Here are some of the ways firewalls check data packets:

✦ Packet filter. A basic set of rules applied to each packet on its own, based on the source and destination IP addresses, the port numbers, and the protocol (TCP or UDP). This is what decides which addresses are permitted to communicate with a network and which types of applications are allowed to send data.

✦ Stateful inspection. A more advanced form of filtering in which the firewall keeps a table of the connections you opened and uses it to decide whether an incoming packet is the answer to something you requested; traffic that comes to the door without a good reason to be there is considered suspect and is dropped.

✦ Network Address Translation (NAT). This lets a router or hardware firewall show just a single public IP address, so the outside world never learns the private addresses of the computers on the protected side, and unsolicited inbound traffic has no inside machine to be delivered to. NAT is included in nearly all current routers as a basic protection; don't buy a router that doesn't provide it. Keep in mind that NAT is an addressing trick rather than a filter: a port-forwarding rule, or a feature such as UPnP that lets programs create one, can expose an inside machine to the Internet again, so a software firewall on the laptop itself is still worth having.

Firewalls can't block viruses attached to e-mail messages, because a firewall of this kind inspects addresses, ports, and connection state, not message content; that's why you need an antivirus program. Similarly, a firewall can't tell that an e-mail is an attempt at phishing, unless the message comes from an IP address you identified as one you want to block. (Phishing is explained in this chapter's "Field guide to computer diseases" section.)

Windows Firewall

Current versions of Microsoft Windows (all editions of XP with Service Pack 2 installed, plus all editions of Vista) come with Windows Firewall.
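Before the Windows Firewall settings themselves, the difference between the packet filter and stateful inspection items described under "Explaining how firewalls work" is easiest to see in code. The following is an added example written for this page, not Windows Firewall's own logic: the four packets are constructed rather than captured, the IP addresses come from the documentation ranges reserved for examples, and the list of ports the laptop is allowed to reach is an assumption.

```powershell
# Added example: a toy packet filter with and without connection state.
# Illustrative code for this page, not Windows Firewall's implementation.
# The packets are constructed; the addresses are RFC 5737 documentation
# ranges; the list of ports the laptop may reach out to is an assumption.

$LaptopIP     = '192.0.2.10'
$ServicePorts = @(53, 80, 443)     # DNS and web: what the laptop may reach out to

function New-Packet {
    param([string]$Dir, [string]$Proto,
          [string]$SrcIP, [int]$SrcPort, [string]$DstIP, [int]$DstPort)
    [pscustomobject]@{
        Dir = $Dir; Proto = $Proto
        SrcIP = $SrcIP; SrcPort = $SrcPort; DstIP = $DstIP; DstPort = $DstPort
    }
}

# Plain packet filter: judges each packet alone. The only way it can admit
# a reply is to trust the remote port number, which any sender can forge.
function Test-PacketFilter($Packet) {
    if ($Packet.Dir -eq 'out') { return ($ServicePorts -contains $Packet.DstPort) }
    return ($ServicePorts -contains $Packet.SrcPort)
}

# Stateful inspection: remembers each connection the laptop opened and admits
# only packets that travel the reverse path of a remembered connection.
$Flows = @{}
function Get-FlowKey($Proto, $RemoteIP, $RemotePort, $LocalIP, $LocalPort) {
    '{0} {1}:{2}->{3}:{4}' -f $Proto, $RemoteIP, $RemotePort, $LocalIP, $LocalPort
}
function Test-StatefulFilter($Packet) {
    if ($Packet.Dir -eq 'out') {
        if ($ServicePorts -contains $Packet.DstPort) {
            $key = Get-FlowKey $Packet.Proto $Packet.DstIP $Packet.DstPort $Packet.SrcIP $Packet.SrcPort
            $Flows[$key] = (Get-Date)   # the reply we now expect; a real firewall also times this out
            return $true
        }
        return $false
    }
    $key = Get-FlowKey $Packet.Proto $Packet.SrcIP $Packet.SrcPort $Packet.DstIP $Packet.DstPort
    return $Flows.ContainsKey($key)
}

$Traffic = @(
    (New-Packet 'out' 'TCP' $LaptopIP 51000 '198.51.100.5' 443)   # laptop opens a TLS connection
    (New-Packet 'in'  'TCP' '198.51.100.5' 443 $LaptopIP 51000)   # the server's reply
    (New-Packet 'in'  'TCP' '203.0.113.9' 80 $LaptopIP 445)       # forged "reply" aimed at file sharing
    (New-Packet 'in'  'TCP' '203.0.113.9' 4444 $LaptopIP 3389)    # plain probe of Remote Desktop
)

$Traffic | ForEach-Object {
    $p = $_
    $filter   = if (Test-PacketFilter   $p) { 'allow' } else { 'block' }
    $stateful = if (Test-StatefulFilter $p) { 'allow' } else { 'block' }
    [pscustomobject]@{
        Packet   = '{0,-3} {1}:{2} -> {3}:{4}' -f $p.Dir, $p.SrcIP, $p.SrcPort, $p.DstIP, $p.DstPort
        Filter   = $filter
        Stateful = $stateful
    }
} | Format-Table -AutoSize
```

The third packet is the point of the exercise. It carries a source port of 80, so the plain filter takes it for a web reply and lets it through to the file-sharing port, while the stateful filter blocks it because the laptop never opened a connection to 203.0.113.9. The genuine reply in the second packet passes both, and the last packet, an ordinary probe, passes neither.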
When you install or activate the operating system, the firewall is automatically turned on. See Figure 2-1. If you install a third-party firewall like the ones offered by McAfee or Symantec, it turns off the Windows Firewall to prevent conflicts and confusion.

47 140925-bk09ch02.qxp 4/8/08 12:53 PM Page 664
Book IX Chapter 2 Guarding Against Intruders

To use the Windows Firewall, the utility must be turned on. In this setting (the default when Windows is installed or activated) most programs are blocked from accepting unsolicited incoming connections through the firewall; connections a program opens itself, such as a browser fetching a page, are allowed. To unblock a program so that it can accept connections, you can add it to the Exceptions list (on the Exceptions tab). In addition, Microsoft recommends the following settings:

✦ All network connections (home or work, public place, or domain) should be protected.
✦ The firewall should be turned on for all network connections.
✦ The firewall should be set to block any inbound connection that doesn't match an exception.

To view or edit Windows Firewall settings, click the Windows Firewall icon in the Control Panel. There you can
✦ Turn the utility on or off
✦ Click Change Settings to make adjustments
✦ When you turn on Windows Firewall, click the Block all Incoming Connections check box (see Figure 2-2)

Figure 2-1: The Windows Firewall on my Toshiba Satellite P205 laptop is in place and ready to help (but I turned it off because the machine runs a security suite from McAfee).

Block all Incoming Connections rebuffs all unsolicited attempts to connect to your computer; it provides a high level of security for your laptop, especially when you're using a public network at an Internet café or in a hotel or coffee shop. When you enable this setting, the following is true:
✦ You aren't notified when Windows Firewall blocks programs.
✦ Programs on the Exceptions list are ignored.
✦ You can still view most Web pages, send and receive e-mail, and send and receive instant messages, because those are connections your laptop opens itself.

Unblocking a program in Windows Firewall

By design, Windows Firewall and other software firewalls want to block every program from accepting incoming connections. The key is to teach the utility which ones you want to allow through.

Figure 2-2: When Windows Firewall is turned on, you can block all incoming connections by clicking the check box in the settings box.

To unblock a specific program, follow these steps:
1. Open the firewall utility.
2. Click Allow a Program Through Windows Firewall. This option is in the left pane.
3. Select the check box next to the program you want to allow.
4. Click OK.

Adding a port in Windows Firewall

If the program you want to unblock isn't on the Exceptions tab, you may need to open or add a port. (This is often required to enable multiplayer games conducted over the Internet, for example.)

A program exception is only open while that program is running and listening for connections. By contrast, an open port stays open until you close it, whether or not anything is using it, and that could put your machine at risk. Prefer a program exception where one is possible, and close any ports for programs that aren't in constant use.

To add a port, follow along:
1. Click the firewall icon in the Control Panel. The firewall program opens.
2. Click Change Settings.
3. Choose the Exceptions tab.
4. Click Add Port.
5. In the Name text box, type a name. The name should help you remember the purpose of the open port.
6. Type the port number in the Port Number text box.
7. Click TCP or UDP, depending on the protocol. Most programs communicate using TCP, but the program's documentation should say which protocol and port number it needs; if the TCP setting doesn't work, try UDP.
8. Click OK.

Enabling a third-party firewall

A number of capable software firewalls are available from companies whose name does not begin with Micro and end with soft. Some are integrated into a complete suite of utilities, and others offer advanced features.
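The three procedures above (Block all Incoming Connections, unblocking a program, and adding a port) can also be carried out from an elevated command line, which is handy for scripting a laptop's setup or for checking exactly what a dialog changed. This is an added example for this page, not Microsoft's documentation: it uses the netsh advfirewall commands that exist in Windows Vista and later (Windows XP SP2 has the older netsh firewall context instead), and the program path, rule names, and port number are made-up placeholders.

```powershell
# Added example for this page: the same changes the Windows Firewall dialog
# makes, done from an elevated PowerShell prompt with netsh advfirewall
# (Windows Vista and later). The path, rule names and port are placeholders.

$Game     = 'C:\Program Files\ExampleGame\game.exe'   # placeholder program
$GamePort = 27015                                     # placeholder UDP port
$RuleName = "ExampleGame UDP $GamePort"

# 1. Confirm the firewall is on for every profile (domain, private, public).
netsh advfirewall show allprofiles

# 2. "Block all Incoming Connections", applied only to the public profile:
#    on café or hotel Wi-Fi nothing gets in, exceptions included, while
#    connections the laptop opens itself still work.
netsh advfirewall set publicprofile firewallpolicy 'blockinboundalways,allowoutbound'

# 3. Unblock a program on the private (home or work) profile. The rule is
#    tied to the executable, so it admits traffic only while that program
#    is running and listening.
netsh advfirewall firewall add rule "name=ExampleGame" dir=in action=allow `
    "program=$Game" enable=yes profile=private

# 4. Open a port instead, for a program that has no exception of its own.
#    Take TCP or UDP from the program's documentation rather than guessing.
netsh advfirewall firewall add rule "name=$RuleName" dir=in action=allow `
    protocol=UDP "localport=$GamePort" profile=private

# 5. Review what is open right now: the name, direction, protocol, port and
#    program of every rule, so a forgotten port rule stands out.
netsh advfirewall firewall show rule name=all |
    Select-String -Pattern 'Rule Name|Enabled|Direction|Protocol|LocalPort|Program'

# 6. A port rule stays open until it is deleted, so close it after the
#    game session instead of carrying it to the next hotel network.
netsh advfirewall firewall delete rule "name=$RuleName"
```

Run this from a prompt started with Run as administrator; netsh refuses to change firewall settings otherwise. Step 5 is the one worth keeping in a shortcut: it lists the rules the dialogs created over time, including ones added on your behalf by installers.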
Since Windows XP and Windows Vista come with a firewall as part of the operating system, you may receive a warning message from the Windows Security Center if
✦ You turn off the official Windows Firewall and enable no replacement
✦ It doesn't recognize the replacement you installed
✦ The third-party firewall doesn't report its status to Windows

To instruct Windows that all is well, do the following:
1. Click Start ➪ Control Panel ➪ Security Center. You get a glance at your firewall status, automatic updating, malware protection, and other security settings. See Figure 2-3.
2. Click I Have a Firewall Solution That I'll Monitor Myself. Choose this only if Windows doesn't recognize your third-party firewall. Security Center displays your firewall settings as Not Monitored, and you no longer receive notifications about your firewall.
3. Track the status of your unsupported firewall yourself, since Windows will no longer warn you if it is turned off or stops running.

Figure 2-3: The Windows Security Center gives you a quick report on various protective utilities from Microsoft, as well as most major third-party sources.

When Windows XP with Service Pack 2 and Windows Vista first came out, sometimes the operating system didn't recognize well-known third-party firewalls, including McAfee and Symantec. That's since been fixed. If Windows doesn't recognize your firewall, consult the support page for the maker of your security software for updates.

Many alternative personal firewall products are available as add-ons to Windows and other operating systems.
The following are among the better-known products:
✦ CA Personal Firewall at http://shop.ca.com
✦ McAfee Personal Firewall Plus at http://us.mcafee.com
✦ ZoneAlarm at www.zonealarm.com

All are capable products, but in my opinion they offer only slight improvements over the built-in firewall included with Windows Vista and Windows XP with SP2. I recommend you consider buying and using a full security suite that includes antivirus, antispam, and an enhanced firewall product.

Getting Your Antivirus Vaccine

There's a reason many types of computer malware are called viruses: They follow many of the same models and methods as the nasties that cause disease in humans. Viruses can
✦ Spread
✦ Replicate themselves
✦ Mutate from one form to another

And just as with human diseases
✦ Sometimes there's a cure
✦ Sometimes you can only treat the symptoms
✦ Sometimes the only effective response is to try to block the infection in the first place

Antivirus software works in two basic ways; most programs include both methods in their arsenal. See Figure 2-4.

Field guide to computer diseases

What exactly are viruses and all those other nasties? In the broadest of terms, they're all considered malware in that their purpose is to do evil (or at least annoying) things when they arrive in a computer. You can visit the Symantec web site at www.symantec.com and click the ThreatCon button to see a regularly updated report on the latest threats, risks, and vulnerabilities that are circulating on the wild, wild Internet. See Figure 2-5.

✦ Virus. A piece of code, usually embedded within a program, utility, or other software, intended to make your computer do something without your permission. Some viruses are self-replicating, meaning that once they're on a machine they copy themselves and look for ways to spread to other computers.
Some viruses are harmless pranks that display messages or change settings, while others are aimed at corrupting your software or erasing the data on your storage devices.

✦ Worm. A self-contained program that gets into a machine and then spreads itself to other machines on its own, through network connections, the Internet, and e-mail. Unlike a classic virus, it doesn't need to attach itself to another program to travel, which is why a worm can cross a whole network in minutes.

Figure 2-4: Antivirus programs examine your machine when it boots as well as while it runs.

✦ Spyware. Designed to insinuate itself onto your computer and then collect personal and financial information, which it sends to another person or group. They're not doing this out of mere curiosity; the purpose is to steal from you or your organization.

✦ Phishing. Not a program at all but a con, which arrives as an e-mail or an unsolicited pop-up message on a web site. One example: You receive an e-mail with the logos and colors of a familiar bank or credit card company. For some reason they're asking for information they already have: Why would a credit card company ask you to confirm your credit card number, for example? The thieves behind these efforts are impersonating real organizations and hoping to trick you into revealing information. Never respond to a request for financial or other personal information unless you're certain of the validity of the message; call your bank or credit card company or other organization using a telephone number you find on the card itself or on a legitimate bill; never reply to a suspicious e-mail or call any phone numbers in the message, since they may well be phony, too.

✦ Adware. Code placed by businesses seeking to learn about your shopping and buying habits or to place ads on your Internet pages based on what they find out about you.
Some adware is obvious, such as certain cookies left behind on your machine after you visit particular web sites to track your preferences; other adware is more insidious, sneaking onto your machine and into elements of the operating system or other software.

Figure 2-5: The Internet weather report for this morning, according to Symantec, shows an ordinary Level 1 threat.

✦ Spam. Unsolicited e-mail advertising. You're one rare bird if your e-mail inbox doesn't fill up each day with ads for fake Rolexes, bogus handbags, and a full assortment of pharmaceuticals from "enhancement" products to happy pills and sleeping potions. If you get advertisement e-mails that you don't want, it's spam. The best solution: Use a spam filter that detects junk and either deletes it or puts it in a separate folder. Don't reply to spam or ask to be taken off a mailing list; that only confirms that your address is live and encourages them.

Typing your antivirus

My doctor friend loves antibiotics; come in with a hangnail and he'll offer you the latest cure in a pill. My mother, who wanted me to be a doctor, recommends vitamins; she's got one for hangnails, too. And my wife, who plays doctor with me, believes that coffee (sometimes with Irish whiskey) will fix whatever ails you.

It's kind of the same way with antivirus programs. They're each trying to prevent or cure a disease, but each takes a different approach than the others. Although in the end I recommend using a program that includes a mix of every possible defense mechanism, it helps to understand the various approaches that are available.

Dictionary-based antivirus searching

This mechanism examines files and programs for known virus code (called signatures): characteristic byte sequences, or checksums of whole files, taken from samples the antivirus maker has already analyzed. These programs consult a database collected by the antivirus maker and updated regularly, which is why the program must also be allowed to fetch those updates on your machine; a scanner with a stale dictionary only knows about old threats.
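What consulting the dictionary amounts to, and why a one-byte change to the virus defeats an exact signature, is easiest to see in code. The block below is an added example written for this page, not a vendor's scanner: the three files and the signatures are constructed for the demonstration, none of them is a real malware family, and a real product does much more (it unpacks and decrypts files before matching, and keeps many thousands of signatures in an indexed store rather than a handful in variables).

```powershell
# Added example: a miniature signature ("dictionary") scanner. The files and
# the signatures are constructed for this page; nothing here is real malware
# or a real vendor signature.

$Ascii = [System.Text.Encoding]::ASCII

function Get-HexString([byte[]]$Bytes) {
    ($Bytes | ForEach-Object { $_.ToString('x2') }) -join ''
}

function Get-Sha256Hex([byte[]]$Bytes) {
    $sha = [System.Security.Cryptography.SHA256]::Create()
    try { Get-HexString $sha.ComputeHash($Bytes) } finally { $sha.Dispose() }
}

# Three constructed files. SampleA is the "captured" malware; SampleB is a
# polymorphic re-issue of it (same behaviour, one byte changed); Report is
# an ordinary document.
$SampleA = $Ascii.GetBytes('MZ-stub;open shell;POST keystrokes to 203.0.113.5;build=0001')
$SampleB = $Ascii.GetBytes('MZ-stub;open shell;POST keystrokes to 203.0.113.5;build=0002')
$Report  = $Ascii.GetBytes('Quarterly report, Q1: revenue up 4 percent.')

# The dictionary a vendor would ship after analysing SampleA:
#   - a whole-file hash (exact, fast, and trivially evaded)
#   - an exact byte pattern cut from the sample
#   - a family pattern with a 4-byte wildcard where the sample varies,
#     written as a regex over the hex encoding of the file
$KnownHash     = Get-Sha256Hex $SampleA
$ExactPattern  = Get-HexString $Ascii.GetBytes('203.0.113.5;build=0001')
$FamilyPattern = (Get-HexString $Ascii.GetBytes('203.0.113.5;build=')) + '(..){4}'

function Invoke-DictionaryScan([string]$Name, [byte[]]$Bytes) {
    $hex = Get-HexString $Bytes
    [pscustomobject]@{
        File          = $Name
        HashMatch     = ((Get-Sha256Hex $Bytes) -eq $KnownHash)
        ExactPattern  = $hex.Contains($ExactPattern)
        FamilyPattern = ($hex -match $FamilyPattern)
    }
}

@(
    (Invoke-DictionaryScan 'sample-a.exe' $SampleA)
    (Invoke-DictionaryScan 'sample-b.exe' $SampleB)
    (Invoke-DictionaryScan 'report.txt'   $Report)
) | Format-Table -AutoSize
```

The hash and the exact pattern catch only the sample the vendor saw; the re-issued copy slips past both, which is the trick polymorphic code plays on a full scale. The wildcard pattern still catches it because it was written around the part that varies, and that is the balancing act in every signature: broad enough to survive small mutations, narrow enough not to match the report. To test a real scanner without any malware, use the EICAR test string published for that purpose, which every product's dictionary contains.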
Antivirus programs that use a dictionary examine the system from the moment the operating system is booted and continue to be on the lookout any time you
✦ Upload or download a file
✦ Send or receive an e-mail
✦ Change the system files

In addition, the program can conduct scheduled or on-demand full system scans that examine every file in your computer.

Virus authors have tried to get past dictionary-based hunters by creating polymorphic code that changes form or disguises itself with each copy, so that no fixed byte sequence stays the same from one infection to the next. They hope to spread their wares before the dictionary is updated.

Heuristic analysis

This technology looks for suspicious or downright unacceptable behavior by any program or piece of code, rather than for a known pattern. It can catch many polymorphic viruses that aren't in a dictionary and new code that isn't yet listed. For example, a heuristic analyzer might spot a piece of code attempting to change an executable program; the antivirus program stops the effort permanently or asks you for advice. On the downside, this type of antivirus program can flag some legitimate code as malware (a false positive).

Taking out the garbage

If an antivirus program finds some troublesome code, it can
✦ Delete the file
✦ Remove all traces of it from the machine
✦ Put the file into a quarantine folder, placing it out of reach and unable to spread, so you can restore it if the detection turns out to be a false positive
✦ Attempt a repair by removing just the virus code from an otherwise normal file

Enjoying a Visit from Antispam and Antispyware

Spam and spyware can be either merely annoying or seriously upsetting and dangerous to your personal finances, credit score, and privacy. Alas, it's very difficult to completely avoid being targeted. You can take steps to reduce your profile or deal with assaults when they come.
Pop-up advertising on your computer, and software that collects and relays your personal information or changes your computer configuration without your permission, are forms of spyware. Spyware is, by design, made to be difficult to detect or remove; in general, you need to use a specialized antispyware program to dislodge this sort of unwanted code from your machine. Microsoft has included Windows Defender as part of Windows Vista; Windows XP users can download a free version of the utility to add into their system. Search for the program at www.microsoft.com.