Windows XP: the built-in firewall of Windows XP Service Pack 2

This review covers the main settings of the built-in firewall in Windows XP Service Pack 2 and tests its reliability.

Purpose of the firewall

Windows XP has had a built-in firewall since its release, intended to protect the computer's network connections from unauthorized access and from infection by certain types of viruses. By default it was disabled, which is one of the reasons virus epidemics swept through Windows XP machines even though the operating system had a tool that was supposed to prevent infection. Microsoft's response was a new service pack for Windows XP that updates the built-in firewall, gives the user new functionality and enables the firewall for all network connections. The user can now configure the firewall to their needs and decide how it behaves when software tries to access the network. Exceptions to the rules can also be defined, allowing particular programs to access the network despite the blocking rules. The firewall is enabled for all network connections by default, but the user can disable it for individual connections. If a third-party firewall is used on the computer, the built-in firewall must be disabled.

Installing Service Pack 2 for Windows XP

Service Pack 2 for Windows XP is available for download from the Microsoft website. If you plan to install the service pack on only one machine, it makes sense to use the Windows Update site, which checks the operating system for missing important fixes and downloads only the ones required. This reduces the amount of data downloaded and saves installation time.

If the service pack is to be installed on several computers, it makes sense to download the full version.

Interface

You can reach the Windows XP Service Pack 2 firewall settings through Start - Control Panel - Windows Firewall. An example of the firewall settings window is shown in the figure below.

Firewall settings

In this window you can enable or disable the firewall for all network connections. The Don't allow exceptions option switches the firewall into a mode in which it shows no blocking notifications and ignores the exception list that is configured on the next tab of the firewall settings window.

Firewall settings

The firewall allows incoming connections for the applications in this list whose check boxes are selected. You can also allow incoming connections to a specific local port by creating the corresponding rule. The next tab of the firewall settings window contains the advanced settings.

Advanced firewall settings

In this window you can disable the firewall for a specific connection or configure additional filtering settings for each connection with the Settings button. The same window is used to configure the firewall log and the ICMP filtering parameters. The Restore Defaults button returns all firewall settings to their original values.

Setting Exceptions

Automatically create exceptions for applications

When you start a program on your computer that listens on a specific port, waiting for a connection from the network, the firewall displays a prompt, an example of which is shown below.

Create a rule for the application

The user is given the following choice:

  • Block - the application that tried to open the port is blocked, and connecting to it from the network will be impossible. A rule blocking this application is added to the firewall's exception list.
  • Unblock - the application is allowed to open the port, and connections from the network to it become possible. A rule is added to the exception list that will continue to allow this application to open the port and wait for incoming connections.
  • Defer - the application's attempt to open the port is suppressed, but no exception is created. The next time the application tries to open the port, the prompt shown above is displayed again.

Defer is the best choice if you are not sure which application is trying to open the port, or whether the system will keep working normally after the application fails to open it. In principle, you can simply block the attempt; if that choice turns out to be wrong, the automatically created exception can be corrected manually later.

Manually create exceptions for applications

If you know in advance that an application must accept incoming connections from the network, you can create an exception for it manually. To do this, open the firewall settings window and select the Exceptions tab.

Firewall settings

To create an exception, click the Add Program... button. A window opens, an example of which is shown below.

Select a program

The list in this window shows the programs installed on the computer. If the program that you want to allow to accept incoming connections is not in the list, use the Browse button to specify its path. After you click OK, the exception is created and added to the list with its check box selected, which indicates that the rule allows the specified application to open ports and wait for connections from the network. To prevent an application from opening ports, clear its check box.

Creating Exceptions for Ports

The firewall can open any port, which allows connections from the network to the service listening on that port. To open a port, click the Add Port button on the Exceptions tab. An example of the window for adding a port to the exception list is shown below.

Adding a port

In this window you specify the protocol and the port number to which the firewall will allow connections from the network. In the name field, enter a brief description of why the port was opened, so that a rule that is no longer needed can easily be found and deleted or corrected later.

Changing the addresses from which connections are allowed

When you create an exception manually, or edit an application or port exception created earlier, you can specify the range of addresses from which connections to that application or port may be established. To do this, click the Change scope... button, which opens the window shown below.

Changing the scope

In this window you specify the addresses whose connections the firewall will let through. You can allow connections from any address or only from specific, listed addresses. You can also restrict connections to the subnet in which the computer protected by the firewall is located.

Advanced firewall settings

The additional firewall settings are found on the Advanced tab of the main firewall settings window.

Advanced firewall settings
  • Network connection settings - lists all network connections on the computer that the built-in firewall protects. By selecting or clearing the check box next to a connection, you enable or disable the firewall for that connection. With the Settings button, you can configure the firewall settings for each connection if the connection is shared.
  • Security logging - the Settings button configures the logging of events that occur while the firewall is running.
  • ICMP - configures how the firewall filters messages exchanged over ICMP. In particular, you can allow or prevent the computer from responding to the ping command.
  • Default settings - the Restore Defaults button returns all firewall settings to their original values.
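The exception and advanced settings described above can also be applied from the command line with the netsh firewall context that ships with Windows XP SP2. The script below is an added example, not part of the article; the program path, rule names and addresses in it are constructed placeholders, and the netsh keywords are the ones the XP SP2 netsh firewall context accepts.

```batch
@echo off
rem Added example: the GUI settings from the article, applied with netsh firewall.
rem The program path, rule names and addresses are constructed placeholders.

rem Turn the firewall on for every connection and honour the exception list.
rem exceptions=DISABLE would be the "Don't allow exceptions" mode instead.
netsh firewall set opmode mode=ENABLE exceptions=ENABLE profile=ALL

rem Disabling it for a single connection (or entirely, when a third-party
rem firewall is in use) is done with the same command:
rem   netsh firewall set opmode mode=DISABLE interface="Local Area Connection"
rem   netsh firewall set opmode mode=DISABLE

rem Program exception: the application may open listening ports, but only
rem peers on the local subnet may connect (the "My network (subnet) only" scope).
netsh firewall add allowedprogram program="C:\Program Files\ExampleApp\app.exe" name="Example app" mode=ENABLE scope=SUBNET

rem Port exception with a custom address list: one host and one /24 only.
rem The name records why the port is open so the rule can be found again later.
netsh firewall add portopening protocol=TCP port=3389 name="Remote admin from mgmt net" mode=ENABLE scope=CUSTOM addresses=192.168.0.10,10.0.5.0/255.255.255.0

rem ICMP: type 8 is the inbound echo request; disabling it makes the host ignore ping.
netsh firewall set icmpsetting type=8 mode=DISABLE

rem Security logging: record dropped packets and successful connections, 4 MB cap.
netsh firewall set logging filelocation=%SystemRoot%\pfirewall.log maxfilesize=4096 droppedpackets=ENABLE connections=ENABLE

rem Review the result; "netsh firewall reset" corresponds to Restore Defaults.
netsh firewall show config
```

Each add command creates the same entry that the corresponding dialog would, so the rules can be audited later on the Exceptions tab or with netsh firewall show allowedprogram and show portopening.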

Testing the firewall

Configuration of the test computer and software used for testing

  • Celeron Tualatin 1000A on a 133 MHz bus, i.e. a processor frequency of 1333 MHz.
  • Asus TUSL-2C motherboard, BIOS revision 1011.
  • 512 MB of RAM running at 133 MHz.
  • Seagate Barracuda 4 80 GB hard drive in UDMA5 mode.
  • Windows XP Pro Rus Service Pack 2.
  • 10 Mbit network of two computers.
  • Retina vulnerability scanner 4.9.206.
  • Utility for flooding the network with ICMP, IGMP, TCP and UDP packets.

After installing Service Pack 2, all exceptions created by default were disabled in the firewall settings.

Memory and CPU usage of the firewall service

To assess the firewall's behavior under difficult conditions, a number of tests were run in which the machine under its protection was attacked over the local network. During each attack on the test machine, readings were taken of the memory used by the service and of the processor load.

Moment of reading             Physical memory (KB)   Virtual memory (KB)   CPU usage
After loading the OS          17,100                 11,386                0%
After scanning with Retina    17,196                 11,376                0-5%
ICMP flood for 5 minutes      17,292                 11,364                0-1%
IGMP flood for 5 minutes      17,314                 11,402                10-25%
SYN flood for 5 minutes       18,180                 12,248                10-100%
UDP flood for 5 minutes       17,348                 11,420                0-31%

The results show no memory leaks and demonstrate that even under attack on a local network, where the data rate is several times higher than on the Internet, the computer protected by the firewall suffers no loss of performance. During the SYN flood, CPU usage peaked at its maximum, but it was still possible to keep working on the computer.

Scanning the system with the Retina Security Scanner

The test machine was scanned with the Retina vulnerability scanner with the firewall turned off and then on. The scan results are shown in the table below.

Check                          Firewall off   Firewall on
Response to ping               yes            no
Response time                  yes            no
Domain / workgroup name        yes            no
Route tracing                  yes            no
Packet lifetime (TTL)          yes            no
OS version detection           yes            no
Date and time detection        yes            no
MAC address detection          yes            no
Open port 135                  yes            no
Open port 139                  yes            no
Open port 445                  yes            no

The scan results show that enabling the firewall closes the open ports and hides the computer on the network.
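The security logging option from the Advanced tab is what makes a scan like the one above visible after the fact: with dropped packets logged, each blocked probe of ports 135, 139 and 445 leaves a line in pfirewall.log. The script below is an added example, not part of the article; it summarizes dropped inbound packets per protocol and destination port. It writes a constructed sample log so it runs without touching the real file, and it assumes the field order of the firewall's own #Fields header (date, time, action, protocol, source and destination addresses and ports, then the size, TCP and ICMP columns, and the path).

```batch
@echo off
setlocal

rem Constructed sample log in the layout of the firewall's pfirewall.log.
rem Replace LOG with %SystemRoot%\pfirewall.log to summarize the real file.
set "LOG=%TEMP%\pfirewall-sample.log"
(
  echo #Version: 1.5
  echo #Software: Microsoft Windows Firewall
  echo #Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
  echo 2004-09-01 12:00:01 DROP TCP 192.168.0.5 192.168.0.2 1045 135 48 S 1234567 0 65535 - - - RECEIVE
  echo 2004-09-01 12:00:01 DROP TCP 192.168.0.5 192.168.0.2 1046 139 48 S 1234568 0 65535 - - - RECEIVE
  echo 2004-09-01 12:00:02 DROP TCP 192.168.0.5 192.168.0.2 1047 445 48 S 1234569 0 65535 - - - RECEIVE
  echo 2004-09-01 12:00:02 DROP ICMP 192.168.0.5 192.168.0.2 - - 60 - - - - 8 0 - RECEIVE
  echo 2004-09-01 12:00:03 OPEN TCP 192.168.0.2 192.168.0.5 1048 80 0 - 0 0 0 - - - -
) > "%LOG%"

rem Skip the # header lines, then pick action (3), protocol (4), source (5),
rem destination port (8) and path (17) from each record. Only DROP + RECEIVE
rem lines are counted, i.e. inbound packets the firewall refused.
for /f "tokens=3,4,5,8,17" %%A in ('findstr /B /V /C:"#" "%LOG%"') do (
  if "%%A"=="DROP" if "%%E"=="RECEIVE" (
    if "%%D"=="-" (set /a "n_%%B=n_%%B+1") else (set /a "n_%%B_%%D=n_%%B_%%D+1")
  )
)

echo Dropped inbound packets by protocol and destination port:
set n_

del "%LOG%"
endlocal
```

On the constructed sample the summary lists n_ICMP=1, n_TCP_135=1, n_TCP_139=1 and n_TCP_445=1, the same three ports the scan table reports as closed; the OPEN line is an outbound connection and is not counted. On the real log, a large count on one port from a short time window is the trace a port scan or a SYN flood leaves behind.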

On-line firewall test

To test how well the firewall controls applications that try to send information to the Internet, the PCAudit2 utility was used. The utility asks you to type a few words in any application (for example, Notepad) or to go to any site that requires authorization and enter a username and password. It intercepts the input, takes a screenshot, determines the name of the logged-on user and the IP address, and attempts to send the collected information to its server. It then opens a dynamically generated page from that server showing the data it sent, visually demonstrating what information an attacker who had compromised the system could obtain.

The built-in Windows XP SP2 firewall could not stop this data from being sent. The utility intercepted the text typed into Notepad and sent it to its server without any obstacle or warning from the firewall, which was confirmed by the page that opened with all the collected information.

Conclusion

The built-in Windows XP SP2 firewall is reliable enough, but it controls only incoming connections and pays no attention to outgoing ones. Therefore, when relying on the built-in firewall to protect your computer, you need to be very careful when opening files received from the network. A virus or spyware program can easily send data to its author's server, and the built-in firewall cannot stop it.

On the one hand, the work the Microsoft team has put into the built-in firewall is significant; on the other, the lack of complete control over traffic calls into question whether using the built-in firewall is advisable at all. One can hope that in future service packs or new versions of the operating system Microsoft will extend the firewall so that it monitors all traffic, not just incoming traffic. The current version of the built-in firewall can only be regarded as a means of protecting against certain types of viruses and restricting access to operating system services.