Windows Firewall
Windows Firewall, a stateful filtering firewall previously known as Internet Connection Firewall (ICF), increases protection against probes that scan for information on open ports and active IP addresses, and denies all unsolicited inbound traffic. It allows outbound traffic to flow normally, and automatically accepts inbound responses to outbound requests.
Stateful filtering works by examining a packet's state and the context information of a session. Windows Firewall uses a security policy with three primary rules:
Any packet that matches an established connection flow is forwarded.
A sent packet that does not match an established connection flow creates a new entry in the connection flow table and is forwarded.
A received packet that does not match an established connection flow is dropped.
These three rules allow normal Internet access, such as browsing the Web and retrieving email, while preventing any unsolicited packet flow. The user or administrator can also declare exceptions to the security policy, to allow server applications to work.
Windows Firewall has three major states: On, On with no exceptions, and Off. The On state protects the computer but allows specific declared exceptions to the security policy. The "On with no exceptions" state can be used when a computer is used in an insecure environment, such as an unprotected public wireless network, or a local area network that has been infected with a virus. The Off state can be useful for brief periods, for diagnosing possible firewall-related problems, but shouldn't be used for extended periods.
The firewall state can be set by the user, or by a domain administrator using a Group Policy. Similarly, firewall exceptions can be set by the user, or by a domain administrator using a Group Policy. The Group Policy always takes precedence if it exists; when a Group Policy is in place, the controls in the Windows Firewall control panel will be grayed out.
Windows Firewall can be enabled or disabled for specific network interfaces, although all are enabled by default. It can log dropped packets and/or successful connections. It has a number of options to control whether and how the computer responds to ICMP ("ping") requests; all of these are off by default, helping to make the computer invisible to probes.
It is fairly simple to configure Windows Firewall to allow well-known services like Web and FTP servers to be accessed from the Internet using Windows Firewall's advanced settings. If the current computer is sharing the Internet connection for another computer that is actually hosting the service, that can be specified by editing the service description. The advanced settings also allow the specification of new services, and common services running on customized ports.
Whenever you enable an exception for Windows Firewall, you can make the exception either global or local. Global means that anyone can use the port, program or service from anywhere, even from the Internet. Local means that the port, program or service can only be used from the local subnet – the computer's own LAN.
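The following is an added toy model of the behaviour described above (the three stateful-filtering rules, the On / On with no exceptions / Off states, the default-off ICMP echo setting, and global versus local exception scope); it is example code written for this page, not Microsoft's firewall driver. The class and function names (`StatefulFirewall`, `Packet`, `ExceptionRule`, `demo`), the LAN subnet 192.168.1.0/24 and all addresses and ports are constructed sample values, and the choice to honour the ICMP echo setting only in the plain On state is an assumption of the model.

```python
"""Toy model of Windows Firewall's stateful filtering (constructed example)."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Assumption: the protected host sits on this LAN; "local" exceptions apply to it only.
LOCAL_SUBNET = ip_network("192.168.1.0/24")


@dataclass(frozen=True)
class Packet:
    proto: str        # "TCP", "UDP" or "ICMP"
    src: str
    dst: str
    outbound: bool    # True if sent by the protected host
    sport: int = 0
    dport: int = 0    # for ICMP, dport carries the ICMP type (8 = echo request)


@dataclass(frozen=True)
class ExceptionRule:
    proto: str
    port: int
    scope: str        # "global" (any source) or "local" (own subnet only)


@dataclass
class StatefulFirewall:
    mode: str = "on"                     # "on", "on_no_exceptions" or "off"
    icmp_echo_enabled: bool = False      # off by default, like the control panel
    exceptions: list = field(default_factory=list)
    flows: set = field(default_factory=set)       # connection flow table
    dropped: list = field(default_factory=list)   # models the dropped-packet log

    @staticmethod
    def flow_key(pkt):
        """Direction-independent 5-tuple so a reply matches the flow its request opened."""
        if pkt.outbound:
            return (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        return (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)

    def exception_allows(self, pkt):
        if self.mode != "on":            # "On with no exceptions" ignores the list
            return False
        for rule in self.exceptions:
            if rule.proto == pkt.proto and rule.port == pkt.dport:
                if rule.scope == "global" or ip_address(pkt.src) in LOCAL_SUBNET:
                    return True
        return False

    def filter(self, pkt):
        if self.mode == "off":
            return "forward"
        key = self.flow_key(pkt)
        if key in self.flows:            # rule 1: matches an established flow
            return "forward"
        if pkt.outbound:                 # rule 2: new outbound flow is recorded
            self.flows.add(key)
            return "forward"
        if pkt.proto == "ICMP" and pkt.dport == 8:   # ping: separate ICMP setting
            if self.icmp_echo_enabled and self.mode == "on":   # assumption
                return "forward"
        elif self.exception_allows(pkt):  # declared exception for a server application
            self.flows.add(key)
            return "forward"
        self.dropped.append(pkt)         # rule 3: unsolicited inbound is dropped
        return "drop"


def demo():
    """Run constructed traffic through the model and return the verdicts."""
    fw = StatefulFirewall()
    fw.exceptions.append(ExceptionRule("TCP", 80, "local"))   # web server, LAN only
    host, lan_peer, internet = "192.168.1.10", "192.168.1.20", "203.0.113.5"
    r = {}
    r["request"] = fw.filter(Packet("TCP", host, internet, True, 50000, 80))
    r["reply"] = fw.filter(Packet("TCP", internet, host, False, 80, 50000))
    r["probe"] = fw.filter(Packet("TCP", internet, host, False, 40000, 445))
    r["lan_web"] = fw.filter(Packet("TCP", lan_peer, host, False, 40001, 80))
    r["inet_web"] = fw.filter(Packet("TCP", internet, host, False, 40002, 80))
    r["ping"] = fw.filter(Packet("ICMP", internet, host, False, 0, 8))
    fw.icmp_echo_enabled = True
    r["ping_enabled"] = fw.filter(Packet("ICMP", internet, host, False, 0, 8))
    fw.mode = "on_no_exceptions"
    r["lan_web_noexc"] = fw.filter(Packet("TCP", lan_peer, host, False, 40003, 80))
    r["reply_noexc"] = fw.filter(Packet("TCP", internet, host, False, 80, 50000))
    fw.mode = "off"
    r["probe_off"] = fw.filter(Packet("TCP", internet, host, False, 40004, 445))
    r["dropped"] = len(fw.dropped)
    return r


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:15} {verdict}")
```

The model shows why the reply to an outbound request passes while an identical-looking unsolicited packet is dropped: the flow table, not the packet contents, decides. It also shows that the "On with no exceptions" state still lets established flows continue, so a host already talking to a server keeps working while every server-style exception is suspended.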
In Windows XP Service Pack 2, the firewall driver has a static rule to perform stateful filtering, called a boot-time policy. This rule allows the computer to perform basic networking tasks such as DNS and DHCP and communicate with a domain controller to obtain policy. Once the firewall service is running, it loads and applies the run-time Windows Firewall policy and removes the boot-time filters. The boot-time policy cannot be configured.