2.8.1. Windows Firewall – Part 1
By Val Bakh
This article is a high-level introduction to firewalls in general and Windows Firewall (WF) in particular. It provides a simplified, conceptual view of the relevant functionalities and is intended as light-reading material for those who are unfamiliar with firewalls, rather than as an instruction manual for professional IT administrators. It will be easier for you to understand this material if you have access to a computer running Windows 7 or Windows 8 and if you open and review the WF dialog boxes that are discussed here.
Different firewall designs incorporate different levels of sophistication, and most firewalls can be configured in a variety of ways to meet the needs of specific situations. The most typical configuration is where a firewall blocks all or most unsolicited inbound traffic and allows outbound traffic and response inbound traffic. Any exceptions to this general arrangement are defined in rules. Inbound rules usually allow specified types of unsolicited inbound traffic, and outbound rules usually block specified types of outbound traffic. Thus, most of the time, there is no need for any outbound rules in order to allow hosts on your network to access the Internet.
WF is a host-based software firewall. The main difference between a network firewall and a host-based firewall is that the former protects an entire network whereas the latter protects only a single computer. For example, suppose you connect a Windows computer to two networks and configure it as a router. Its WF will block unsolicited traffic destined to the computer itself but will not interfere with any transit traffic flowing though the computer between the two networks. In other respects WF functions similarly to a network firewall. Quite obviously, a host-based firewall’s back is the local host and the front is the rest of the network. Two concepts closely related to a host-based firewall are client and server. A client is a computer or an application that requests a service, and a server is a computer or an application that provides a service. Correspondingly, a client usually initiates communications, and a server usually listens for client requests (that is, for unsolicited inbound traffic) and responds to them. Thus, most of the time, you don’t need any firewall rules in order to support a client application, but you most definitely need inbound rules to support server applications. In other words, inbound rules are the ones you need to deal with most often.
By default, after you have just installed any modern version of Windows, WF is turned on and includes several dozen commonly used preconfigured rules. Some of those rules are already enabled because they are necessary for the operating system to function properly. Other rules are just sitting there and waiting for you to enable them in case you ever need them. When you install an application or an optional operating system feature, quite often they automatically enable the necessary existing WF rules or add new ones. So WF is sufficiently smart and usually does not require a lot of your attention. But you still need to know how it works and how to configure it when its automatic configuration does not meet your specific needs.
There are several tools for managing WF, both graphic and command-line. The latter include the Netsh tool and PowerShell (PS) cmdlets. The cmdlets are available in PS 3.0, which is included in Windows 8. Windows 7 comes with PS 2.0, but you can install PS 3.0 (subject to certain prerequisites). As for the graphical tools, the graphical user interface (GUI) differs somewhat among different versions of Windows, but the main principles are about the same. Most common configuration tasks can be performed graphically, but certain, more advanced tasks are available only through Netsh and PS. The first thing you notice is that, starting with Windows Vista, there is a special console for managing WF; it is named Windows Firewall with Advanced Security. In earlier versions of Windows, there is only a Control Panel item named Windows Firewall. This Control Panel item is still available in modern versions of Windows. It is intended primarily for home users; it is relatively easy to use but does not provide a lot of flexibility.
Let’s take a look at the console. Right-click the top-level node in the left pane, and select Properties. The properties dialog box includes four tabs: one tab for each profile and the fourth tab for IPSec settings. A profile is a collection of settings and rules that apply to a specific type of network connection. There are three profiles: Domain, Private, and Public. If a computer belongs to an Active Directory Domain Services (AD DS) domain, it automatically detects the presence of domain controllers for that domain and designates the corresponding network connection as the Domain type. The connections where domain controllers are not found are usually automatically designated as Public. You can change it to Private by using a local policy. WF automatically applies the corresponding profile to each active network connection. On each profile tab in WF properties, the most important settings are whether WF is enabled or disabled and its modes for inbound and outbound communications. By default, WF is on, all unsolicited inbound traffic that does not fall under inbound rules is blocked, and all outbound traffic that does not fall under outbound rules is allowed. Inbound response traffic is always allowed and therefore doesn’t have a setting to control it. You can change this configuration to allow or block all unsolicited inbound traffic regardless of inbound rules, to block all outbound traffic that does not fall under any outbound rules, or to disable WF altogether so that all traffic will be allowed.
As for the IPSec Settings tab, it defines IPSec defaults for secure connections. In older versions of Windows, IPSec can be configured only through group policies. Starting with Windows Vista, IPSec has been integrated with WF. The legacy IPSec policies are still available in modern versions of Windows. To avoid unpredictable results, you should be very careful not to accidentally configure IPSec on the same computer by using both WF and legacy policies. IPSec in WF is invoked through connection security rules. These rules are different from inbound or outbound rules, which are ambiguously referred to as WF rules or simply firewall rules. Generally, all rules are WF rules by the mere virtue of being created in WF. To differentiate between the two types of rules, it might be less confusing to refer to inbound and outbound rules as simply connection rules and to leave the term connection security rules for the other type of rule. Connection security rules define authentication modes and methods and can include custom IPSec settings. Settings that are configured in connection security rules override the corresponding default settings configured on the IPSec Settings tab.
Let’s summarize what we’ve accomplished so far. In this blog post, we have introduced network firewalls and host-based firewalls. We have explained the general principles of their operation. We have also gotten acquainted with WF, its most important general settings, and two types of rules. Next month, we’ll discuss both types of WF rules and examine their main settings. We’ll also consider an example scenario that illustrates how the two types of rules work together.
Are you preparing for a certification exam? Check out our practice exams!
Photo: Roberto Arias