Thursday, September 16, 2010

ICF and Notification Messages

Because ICF inspects all incoming communications, some programs, especially email programs, might behave differently when ICF is enabled. Some email programs periodically poll their email server for new mail, and some email programs wait for notification from the email server.
Outlook Express, for example, automatically checks for new email when its timer tells it to do so. When new email is present, Outlook Express prompts the user with a new email notification. ICF won’t affect the behavior of this program because the request for new email notification originates from inside the firewall. The firewall makes an entry in a table noting the outbound communication. When the mail server acknowledges the new email response, the firewall finds an associated entry in the table and allows the communication to pass, and then the user receives notification that a new email message has arrived.
Outlook 2000, however, is connected to a Microsoft Exchange server that uses a remote procedure call (RPC) to send new email notifications to clients. Outlook 2000 doesn’t automatically check for new email when it’s connected to an Exchange server. Instead, the Exchange server notifies Outlook 2000 when new email arrives. Because the RPC notification is initiated by the Exchange server (which is outside the firewall) rather than by Outlook 2000 (which is inside the firewall), ICF can’t find a corresponding entry in the table, and it doesn’t allow the RPC messages to cross from the Internet into the network. ICF drops the RPC notification message. Users can send and receive email, but need to manually check for new email.
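
The table lookup described above can be modeled in a few lines. This is an added illustration, not ICF code: the class, the idle timeout, the addresses, the protocol choice and the port numbers are all constructed for the demo.

```python
from dataclasses import dataclass, field

IDLE_TIMEOUT = 60  # seconds; assumed value for the demo, not ICF's real timer

@dataclass
class StatefulFirewall:
    # (proto, inside_ip, inside_port, outside_ip, outside_port) -> last-seen time
    table: dict = field(default_factory=dict)

    def outbound(self, proto, src, sport, dst, dport, now):
        """Traffic leaving the protected host: always allowed, and recorded."""
        self.table[(proto, src, sport, dst, dport)] = now
        return "ALLOW"

    def inbound(self, proto, src, sport, dst, dport, now):
        """Traffic arriving from outside: allowed only if it matches an entry."""
        key = (proto, dst, dport, src, sport)  # reverse of the outbound tuple
        seen = self.table.get(key)
        if seen is None:
            return "DROP"  # unsolicited: nothing inside asked for this
        if now - seen > IDLE_TIMEOUT:
            del self.table[key]
            return "DROP"  # the entry idled out before the reply arrived
        self.table[key] = now
        return "ALLOW"

CLIENT, SERVER = "192.0.2.10", "198.51.100.25"  # documentation addresses (constructed)

def polling_client():
    """Outlook Express style: the client polls, the server answers on the same flow."""
    fw = StatefulFirewall()
    fw.outbound("TCP", CLIENT, 1050, SERVER, 110, now=0)
    return fw.inbound("TCP", SERVER, 110, CLIENT, 1050, now=1)

def server_push():
    """Exchange style: a session exists, but the notification is a new inbound flow."""
    fw = StatefulFirewall()
    fw.outbound("TCP", CLIENT, 1051, SERVER, 135, now=0)
    return fw.inbound("UDP", SERVER, 1200, CLIENT, 1052, now=5)

def late_reply():
    """A reply that arrives after the table entry has idled out."""
    fw = StatefulFirewall()
    fw.outbound("TCP", CLIENT, 1050, SERVER, 110, now=0)
    return fw.inbound("TCP", SERVER, 110, CLIENT, 1050, now=IDLE_TIMEOUT + 1)

if __name__ == "__main__":
    for case in (polling_client, server_push, late_reply):
        print(f"{case.__name__:15} -> {case()}")
```

The push case is dropped even though the client already has a session open to the same server, because the lookup matches on the whole flow, not just on the server address.
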
Advanced ICF Settings
The ICF security-logging feature provides a way to create a security log of firewall activity. ICF is capable of logging both traffic that’s permitted and traffic that’s rejected. For example, the firewall, by default, doesn’t allow incoming echo requests from the Internet. If the Internet Control Message Protocol (ICMP) option Allow incoming echo request isn’t enabled, then the inbound request fails, and ICF generates a log entry that notes the failed inbound attempt. For information about ICMP, see Internet Control Message Protocol (ICMP). ICMP allows you to modify the behavior of the firewall by enabling various ICMP options, such as Allow incoming echo request, Allow incoming timestamp request, Allow incoming router request, and Allow redirect. The ICMP tab provides brief descriptions of these options. For navigation and instructions for ICMP, see Enable Internet Control Message Protocols.
You can set the allowable size of the security log to prevent the potential overflow that DoS attacks could cause. ICF writes its log entries in the Extended Log File Format established by the World Wide Web Consortium (W3C). For more information about ICF security logging, see Internet Connection Firewall security log file overview.
