You need protection if you have:
- a direct, dial-up connection to the Internet,
- a single computer connected to a cable modem, or
- a single computer connected to a DSL modem.
You'll also want to enable a firewall on the Windows XP-based host computer (and only the host computer) that is used for Internet Connection Sharing (ICS).
If you're a broadband user with two or more ISP-assigned IPs connected through a hub, you'll need to protect each computer individually. An easy rule of thumb: if a computer connects directly to the Internet, it needs protection.
Ask the following questions:
- What asset(s) (corporate, customer, e-commerce) is/are at risk?
- What is the value of that asset?
- What are the ramifications relating to downtime, lost revenue, or lost client and customer confidence?
- What is the actual threat? Have internal threats been sealed off?
- What's the potential for external breaches?
CIOs and network administrators need a complete and comprehensive understanding of not only Internet activities but also internal network traffic, such as bandwidth requirements, protocols in use, and access requirements. Remember that all access points are vulnerable and subject to attacks.
Once you have this information, you can move on to building a firewall architecture.
VPN Usage:
If you're a VPN user and connect to a remote office, you should not use Internet Connection Firewall (ICF). Turn it off before you start your VPN session.
File and Print Sharing:
Some broadband providers offer connectivity for more than a single computer and supply multiple publicly routable IPs. In this case, computers are connected to a hub or switch (rather than a router or NAT box) that connects to a cable or DSL modem. Since ICF disables file and print sharing using TCP/IP, you may need an alternative method of sharing files among your own computers.
You can install an additional network transport protocol such as IPX/SPX that will enable you to transfer files between your computers.
- If a computer is a client computer to an ICS (Internet Connection Sharing) host, do not enable ICF, but be sure you do enable it on the host computer.
- If a computer is behind a NAT box or router, don't enable ICF, because the inherent properties of NAT will protect you.
- If you're in an enterprise/corporate environment, don't enable ICF while logged into a domain at work because your IT staff will have proper commercial firewalls in place on the network. In most cases, user policies will prevent you from enabling ICF if you are logged into a domain.
- If you've logged on at home using cached credentials and enabled ICF, user policies will probably prevent you from using ICF at work, but you will still be able to use it at home, where you are not protected by the corporate firewall.