Networking / Beginners

Managing Network Security

Simply put, you must take conscious steps to secure your network from hackers.

At the very least you must ensure that every point of contact between your computers and the Internet is secured by a firewall of some sort. The reason for this concern is that every computer exposed to the Internet will be subject to probing by unscrupulous people. These probes are automated, common and thorough, and they will find you and test you.

Simple File Sharing only makes this worse, because if your Internet connection is left unsecured, everyone on the Internet will have the same access to your network's shared files as you do. This is the reason that the Network Setup wizard is so adamant about either installing the firewall or disabling file sharing.

Securing Various Types of Internet Connections

There are several ways that you can connect to the Internet.

  • If you use Internet Connection Sharing (ICS), be sure that the Internet Connection Firewall is enabled on the connection (dial-up or LAN adapter) that connects to the Internet.
    The Internet Connection Sharing and Internet Connection Firewall features are not available in the 64-bit versions of Windows XP.
  • If you use a hardware Internet connection sharing router, this device will provide significant protection. For additional protection, configure filtering on the TCP ports listed in Table below.
  • If you use routed Internet service (which provides a direct connection for all of the computers on your LAN), be absolutely sure that your router is configured to filter at least the TCP ports listed in Table below.
  • If you use a cable modem that provides several independent IP addresses for several computers, install two network adapters in each computer and set up two separate LANs. One should be used only for the cable Internet service, and the connections to this LAN must have the Internet Connection Firewall enabled. The other LAN is used for file sharing. (Hint: You can save this difficulty and the expense of the extra connections by getting a connection sharing router, or by using ICS.)
  • If you use a direct or dial-up Internet connection on your computer, be sure that the Internet Connection Firewall is enabled on the connection (dial-up or LAN adapter) that connects to the Internet.

You can check the status of the Internet Connection Firewall on each of your computers' dial-up and LAN connections in the Network Connection window; the icons for each connection will show a small lock: and will carry the label "Firewalled."

To enable or disable ICF manually, view the properties page for a dial-up or local area connection and view the Advanced tab. ICF is enabled and disabled by a check box.

Filtering to Protect a Router

If you are configuring a hardware router used for a shared or routed Internet connection, you should configure your router to block (filter out) several specific ports, which has the effect of blocking communication for several corresponding network services. Table below lists the minimum set of ports to block.

Ports That Should Be Blocked
ProtocolPortService Blocked
UDP137NetBIOS Name Service
UDP138NetBIOS Datagram
TCP139File Sharing (SMB over NetBT)
UDP161Simple Network Monitoring Protocol (SNMP)
TCP145File Sharing (SMB over TCP)

You can usually accomplish this with three entries: block port range 137-139 for both TCP and UDP, port 161 for UDP and port 445 for TCP.

Each router make and model uses a different setup scheme, so you'll need to consult your router's instructions to find out how to set up filtering. If you have direct routed Internet service, your ISP will help you do this or may do it for you. If you use a connection sharing router, in most cases you will be on your own.

[Previous] [Contents] [Next]