Logo
Windows XP
Windows Vista
Windows 7
Windows Azure
Windows Server
Windows Phone
PREGNANCY
 
 
Windows 7

Blocking Intruders with Windows Firewall (part 1)

3/16/2011 6:09:18 PM
Your first line of defense in securing your computer is to protect it from attacks by outsiders. Once your computer is connected to the internet, it becomes just another node on a huge global network. A firewall provides a barrier between your computer and the network to which it's connected by preventing the entry of unwanted traffic while allowing transparent passage to authorized connections.

Using a firewall is simple, essential, and often overlooked. You'll want to be sure that all network connections are protected by a firewall. You might be comforted by the knowledge that your portable computer is protected by a corporate firewall when you're at work and that you use a firewalled broadband connection at home. But what about the public hot-spots you use when you travel?

And it makes sense to run a firewall on your computer (sometimes called a personal firewall) even when you're behind a residential router or corporate firewall. Other people on your network might not be as vigilant as you are about defending against viruses, so if someone brings in a portable computer infected with a worm and connects it to the network, you're toast—unless your network connection has its own firewall protection.


Warning:

This bears repeating. In today's environment, you should run firewall software on each networked computer; don't rely on corporate gateway firewalls and gateway antivirus solutions to protect your computer from another infected computer inside the perimeter. Although it's not a good idea to run more than one software firewall on a computer, you should run a software firewall as an extra layer of protection behind your hardware firewall.


Windows includes a two-way stateful-inspection packet filtering firewall called, cleverly enough, Windows Firewall. Windows Firewall is enabled by default for all connections, and it begins protecting your computer as it boots. The following actions take place by default:

  • The firewall blocks all inbound traffic, with the exception of traffic sent in response to a request sent by your computer and unsolicited traffic that has been explicitly allowed by creating a rule.

  • All outgoing traffic is allowed unless it matches a configured rule.

You notice nothing if a packet is dropped, but you can (at your option) create a log of all such events.


Note:

Some people wonder why Windows Firewall, unlike some third-party firewalls, doesn't block outbound traffic by default. You'll find security experts on both sides of this argument, but the reason is that Windows Firewall is designed to protect and maintain a secure computer. If malware is making outbound connections, your computer has already been compromised. (The misbehaving program should be caught by your antivirus or antispyware defenses.) Blocking outbound traffic by default would generate many pop-up warning messages (because so many programs legitimately connect to the internet or other network computers), which some experts feel would greatly dilute their significance, causing many users to simply ignore them.


Stateful-Inspection packet Filtering Explained

Most firewalls work, at least in part, by packet filtering—that is, they block or allow transmissions depending on the content of each packet that reaches the firewall. A packet filter examines several attributes of each packet and can either route it (that is, forward it to the intended destination computer) or block it, based on any of these attributes:

  • Source address The IP address of the computer that generated the packet

  • Destination address The IP address of the packet's intended target computer

  • Network protocol The type of traffic, such as Internet Protocol (IP)

  • Transport protocol The higher level protocol, such as Transmission Control Protocol (TCP) or User Datagram Protocol (UDP)

  • Source and destination ports The number that communicating computers use to identify a communications channel

Packet filtering alone is an inadequate solution; incoming traffic that meets all the packet filter criteria could still be something you didn't ask for or want. Stateful-inspection packet filtering goes a step further by restricting incoming traffic to responses to requests from your computer. Here's a simplified example of how stateful-inspection filtering works to allow "good" incoming traffic:

  1. You enter a URL in your browser's address bar.

  2. The browser sends one or more packets of data, addressed to the web server. The destination port is 80, the standard port for HTTP web servers; the source port is an arbitrary number from 1024 through 65535.

  3. The firewall saves information about the connection in its state table, which it will use to validate returning inbound traffic.

  4. After the web server and your computer complete the handshaking needed to open a TCP connection, the web server sends a reply (the contents of the webpage you requested) addressed to your computer's IP address and source port.

  5. The firewall receives the incoming traffic and compares its source and destination addresses and ports with the information in its state table. If the information matches, the firewall permits the reply to pass through to the browser. If the data doesn't match in all respects, the firewall silently discards the packet.

  6. Your browser displays the received information.


Compared with the firewall included in Windows XP, Windows Firewall has been enhanced in several ways:

  • Windows Firewall supports monitoring and control of both incoming and outgoing network traffic.

  • Through its Windows Firewall With Advanced Security console, Windows Firewall provides far more configuration options, and it can be configured remotely. A new wizard makes it easier to create and configure rules. Configuration of Internet Protocol security (IPsec)—a mechanism that provides for authentication, encryption, and filtering of network traffic—is also done in the Windows Firewall With Advanced Security console.

  • In addition to the usual criteria (addresses, protocols, and ports), firewall rules can be configured for services, Active Directory accounts and groups, source and destination IP addresses for incoming and outgoing traffic, transport protocols other than TCP and UDP, network connection types, and more.

  • Windows Firewall maintains three separate profiles, with the appropriate one selected depending on whether the computer is connected to a domain, a private nondomain network, or a public network.

Note that, if you use Windows XP Mode, the virtual machine should have its own firewall enabled. Because the virtual machine runs Windows XP Service Pack 3 (SP3), it uses the Windows XP firewall. For more information about XP Mode.

Using a Third-Party Firewall

Windows Firewall is designed to be compatible with firewall programs from third-party providers. When you install a third-party firewall, it can register itself to take ownership of and manage certain firewall categories, such as port blocking, IPsec policy, and boot-time policy. The third-party program reports its status in Action Center, just as Windows Firewall does.

Even if you have a third-party firewall, you should leave Windows Firewall turned on and leave the Windows Firewall service set to run automatically. This is needed to enforce IPsec policies, and it also ensures that Windows Firewall continues to manage any categories that are not protected by the third-party program.


1. Using Windows Firewall in Different Network Locations

Windows Firewall maintains a separate profile (that is, a complete collection of settings, including rules for various programs, services, and ports) for each of three network location types:

  • Domain Used when your computer is joined to an Active Directory domain. In this environment, firewall settings are typically (but not necessarily) controlled by a network administrator.

  • Private Used when your computer is connected to a home or work network in a workgroup configuration.

  • Public Used when your computer is connected to a network in a public location, such as an airport or library. It's common—indeed, recommended—to have fewer allowed programs and more restrictions when you use a public network.

If you're simultaneously connected to more than one network (for example, if you have a Wi-Fi connection to your home network while you're connected to your work domain through a virtual private network, or VPN, connection), Windows uses the appropriate profile for each connection with a feature called multiple access firewall profiles (MAFP). (This is not the case in Windows Vista. That operating system uses the most restrictive applicable profile whenever you connect to multiple networks at the same time.)

You make settings in Windows Firewall independently for each network profile. The settings in a profile apply to all networks of the particular location type to which you connect. (For example, if you allow a program through the firewall while connected to a public network, that program rule is then enabled whenever you connect to any other public network. It is not enabled when you're connected to a domain or private network, unless you allow the program in those profiles.)

2. Managing Windows Firewall

Windows Firewall is a Control Panel application that provides a simple interface for monitoring firewall status and performing routine tasks, such as allowing a program through the firewall or blocking all incoming connections. To open Windows Firewall, type firewall in the Start menu search box or in Control Panel. Click Windows Firewall to display a window similar to the one shown in Figure 1.

Figure 1. Windows Firewall shows status and settings for each currently connected network. The Domain Networks profile appears only on computers that have been joined to a domain.


3. Enabling or Disabling Windows Firewall

The main Windows Firewall application, shown in Figure 1, is little more than a status window and launchpad for making various firewall settings. The first setting of interest is to enable or disable Windows Firewall. To do that, click Turn Windows Firewall On Or Off to open the screen shown next. From here you can enable (turn on) or disable (turn off) Windows Firewall for each network type. In general, the only reason to turn off Windows Firewall is if you have installed a third-party firewall that you plan to use instead of Windows Firewall. Most of those, however, perform this task as part of their installation.

As you'll discover throughout Windows Firewall, domain network location settings are available only on computers that are joined to a domain. You can make settings for all network location types—even those to which you're not currently connected. Settings for the domain profile, however, are often locked down by the network administrator using Group Policy.



The Block All Incoming Connections check box in Customize Settings provides additional safety. When it's selected, Windows Firewall rejects all unsolicited incoming traffic—even traffic from allowed programs or that would ordinarily be permitted by a rule. (For information about firewall rules, see Section 15.4.4 on the next page.) Invoke this mode when extra security against outside attack is needed. For example, you might block all connections when you're using a public wireless hotspot or when you know that your computer is actively under attack by others.


Note:

Selecting Block All Incoming Connections does not disconnect your computer from the internet. Even in this mode, you can still use your browser to connect to the internet. Similarly, other outbound connections—whether they're legitimate services or some sort of spyware—continue unabated. If you really want to sever your ties to the outside world, open Network And Sharing Center and disable each network connection. (Alternatively, use brute force: physically disconnect wired network connections and turn off wireless adapters or access points.)

Other -----------------
- Monitoring Your Computer's Security
- Recording and Watching TV
- Using Windows Live Web Services
- Using Windows Live Programs (part 3) - Using Windows Live Photo Gallery
- Using Windows Live Programs (part 2) - Using Windows Live Mail
- Using Windows Live Programs (part 1) - Obtaining a Windows Live ID & Using Windows Live Messenger
- Using Speech Recognition and Voice Commands
- Reading, Writing, and Editing with Pen and Touch Tools (part 1) - Using Gestures in Windows 7
- Reading, Writing, and Editing with Pen and Touch Tools (part 1) - Using Gestures in Windows 7
- Enabling and Customizing Pen and Touch Features
- Working with (and Around) Digital Rights Management
- Managing Your Media Library
- Ripping CDs
- Using Windows Media Player (part 2) - Working with Playlists
- Using Windows Media Player (part 1)
- Which File Formats and Codecs Does Windows 7 Support?
- Performing Routine Maintenance - Managing Disk Space
- Performing Routine Maintenance - Defragmenting Disks for Better Performance
- Performing Routine Maintenance - Checking Disks for Errors
- Performing Routine Maintenance - Keeping Your System Secure with Windows Update
 
 
Most view of day
- Windows Phone 8 : Configuring Basic Device Settings - Providing Feedback
- Windows Phone 7 : Running XNA Projects in Windows (part 3) - Input Differences, Isolated Storage, Application Life Cycle
- SharePoint 2010 : Farm Governance - Installing a feature and activating it
- Sharepoint 2013 : Integrating Apps for Office with SharePoint (part 1) - Standalone Apps for Office
- Windows Phone 8 : Designing for the Phone - Designing with Visual Studio
- Microsoft Excel 2010 : Calculating the Mean (part 1) - Understanding Functions, Arguments, and Results
- Configuring Startup and Troubleshooting Startup Issues : How to Configure Startup Settings (part 1)
- Sharepoint 2013 : Planning for Disaster Recovery
- Maintaining Desktop Health : Using Task Scheduler (part 2) - Task Scheduler Security, Task Scheduler User Interface
- Integrating BizTalk Server 2010 and Microsoft Dynamics CRM : Communicating from BizTalk Server to Dynamics CRM (part 4) - Configuring the BizTalk endpoints
Top 10
- SQL Server 2012 : Latch Contention Examples - UP Latches in tempdb, Spinlock Contention in Name Resolution
- SQL Server 2012 : Latch Contention Examples - Queuing
- SQL Server 2012 : Latch Contention Examples - Inserts When the Clustered Index Key Is an Identity Field
- SQL Server 2012 : Latches and Spinlocks - Monitoring Latches and Spinlocks
- SQL Server 2012 : Latches and Spinlocks - SuperLatches/Sublatches
- SQL Server 2012 : Latches and Spinlocks - Latch Types, Latch Modes
- Sharepoint 2013 : Overview of The Client-Side Object Model and Rest APIs - Client-Side Object Model API Coverage
- Sharepoint 2013 : Overview of The Client-Side Object Model and Rest APIs - REST and OData (part 3) - Creating, Updating, and Deleting
- Sharepoint 2013 : Overview of The Client-Side Object Model and Rest APIs - REST and OData (part 2) - Filtering and Selecting
- Sharepoint 2013 : Overview of The Client-Side Object Model and Rest APIs - REST and OData (part 1) - Getting Started with REST and OData
 
 
Windows XP
Windows Vista
Windows 7
Windows Azure
Windows Server
Windows Phone
2015 Camaro