Windows Firewall and Windows XP
The ICF, now dubbed Windows Firewall, is a simple stateful firewall that is part of the Windows XP operating system. In essence, Windows Firewall provides the same core functionality that other personal firewall products on the market provide, such as stateful connection management and configurability for specific traffic that is desired.
Windows Firewall does come bundled with every new version of Microsoft's operating systems. The firewall capabilities can also be utilized in Windows Server 2003 Standard and Enterprise editions.
Essentially, Windows Firewall is the next version of Microsoft Windows ICF. It provides basic filtering capabilities on all Windows XP and 2003 Server platforms so that an administrator or end user can limit the traffic reaching the system (it does not filter traffic coming from the system). It's limited in that it is not a stateful firewall but rather a simple access list type of filter. Also, it only looks at the network and transport layers of the ISO protocol stack (Layers 3 and 4). This firewall is mostly useful for end users who do not require complex firewall capabilities to protect their systems and are looking for a simple packet filter to block typical Windows services such as NetBIOS, Remote Procedure Call (RPC), and others.
How Windows Firewall Works
By default, Windows Firewall comes with an assigned security profile. This profile provides what are termed "exceptions" for Print and File Sharing as well as Remote Assistance and Universal Plug-and-Play (UPnP) with the local subnet. The local subnet is defined as the local network that the system is connected to. If the system is connected to multiple networks (for example, if the system has multiple interfaces), these network ranges are considered part of the local subnet. These services allow the ports listed in Table 4-1 to connect to the system.
Table 4-1 Default Windows Firewall Profile Exceptions

Exception                  TCP Ports    UDP Ports    Program
File and Printer Sharing   139, 445     137, 138
Remote Assistance                                    C:\Windows\system32\sessmgr.exe
Remote Desktop             3389
UPnP Framework             2869         1900

Note that by default only the Remote Assistance exception is enabled. Although the other exceptions are created in the profile, they are not enabled. Figure 4-1 shows the default configuration for the Windows Firewall.
Figure 4-1 Windows Firewall Default Configuration
After Microsoft released XP SP2, Windows Firewall was turned on by default. Third-party firewall vendors enable users to turn off Windows Firewall during the installation of their software.
Configuring Windows Firewall
Configuring Windows Firewall is fairly straightforward. To open Windows Firewall, go to Start and choose Control Panel. This will open the Control Panel window as shown in Figure 4-2.
Figure 4-2 Windows XP Control Panel
Choose Security Center at the lower-right corner of the window to open the Windows Security Center window. Choose Windows Firewall at the lower-left corner, as shown in Figure 4-3.
Figure 4-3 Windows Security Center
This opens the Windows Firewall window. The settings on the General tab determine whether the firewall is on or off. As mentioned earlier, Windows Firewall is on by default since the release of Windows XP SP2. You have three options with the Windows Firewall: on, on without exceptions, and off (as shown in Figure 4-4).
Figure 4-4 General Tab of the Windows Firewall
When the firewall is turned on, the user is offered the possibility of running the firewall with exceptions as specified in the Exceptions tab or with no exceptions at all. Microsoft recommends that when accessing a network such as a public wireless network (say at Starbucks or a T-Mobile hotspot in an airport), the firewall should be set to on without exceptions. This setting blocks other users on the public wireless network from accessing system shares or other resources on the firewall-protected system.
When the system is on a safer network (such as a home office or a local office LAN), you can set the firewall to on with exceptions to allow for file sharing and remote assistance. These default exceptions are activated in the Windows Firewall policy on the Exceptions tab, as shown in Figure 4-5. These exceptions are needed so that the end system can participate in a Windows network environment and make folder and file shares available to other systems on the local network. Remember that exceptions should be turned on only in known, secure networks. Such a network may be a home network or a corporate LAN and cannot be precisely defined in all cases. When in doubt, consult the network administrator regarding the security of the local network or simply do not allow exceptions.
Figure 4-5 Default Exceptions for Windows Firewall
Adding an exception to the default Microsoft policy is relatively simple. Exceptions can be added either as specific network ports or as programs that are to be provided access to the network. To add a program to the exception list, click the Add Program button in the lower left of the Exceptions tab. Doing so opens a new window with a list of programs that can be added to the exceptions list, as shown in Figure 4-6. Choose the specific program to be added.
Figure 4-6 Program Exception List
There is a difference between specifying a program in the exceptions list and statically opening a TCP or UDP port. When a specific application is named in the exceptions list, the port that the application listens on is allowed through the firewall only while the defined application has that port open. The disadvantage of specifying the application in the exceptions is that if the port is used by another application, the firewall will not permit traffic through to that application, because it is not the program defined in the exception list.
To specify which computers can have access to the ports that the program listens on, change the scope of the permitted access. To do so, click the Change Scope button at the lower-left corner of the window. Doing so opens the Change Scope window shown in Figure 4-7. Here you can add a custom list of IP addresses to allow exceptions for the program in the firewall. Alternatively, the entire local subnet, or even foreign networks, can be provided access.
Figure 4-7 Changing Scope
To add a port to the exceptions list, click the Add Port button on the Exceptions tab. Doing so opens the Add a Port window. As shown in Figure 4-8, here the user can enter the name of the service as well as a comma-separated list of ports that the service requires to be open in the firewall in order to be accessible to other systems. The UDP or TCP button on the window must be selected to define the specific transport protocol, too.
Figure 4-8 Add a Port Window
For home use, the typical ports that may need to be accessible by the local network include TCP/135, UDP/137, TCP/139 (traditional NetBIOS ports), and TCP/445 (NetBIOS over TCP/IP). It may be desirable to open TCP/3389 (for Microsoft Remote Desktop).
Finally, the Advanced tab allows the user to determine on which interfaces Windows Firewall will be enabled, as well as to define a log file to store the firewall logs. In addition, specific Internet Control Message Protocol (ICMP) messages can be allowed to traverse the firewall in order to ease debugging of connection problems. A last-resort capability is also available, allowing the user to restore the Windows Firewall service to its default settings. Figure 4-9 shows the Advanced tab.
Figure 4-9 Windows Firewall Advanced Tab
Windows Firewall Features
The Windows Firewall software builds on top of the ICF/Internet Connection Sharing software that is now deprecated in Windows XP SP2. Essentially, Windows Firewall provides the following features over the ICF:
• The ability to specify options on a global level so that they apply to all connections
• An operating mode that does not allow exceptions
• Startup security (covered below)
• IPv4 traffic scoping. The end user can specify that the firewall accept traffic from specific IP addresses
• The ability to specify exceptions by service or by program
• IPv6 support
Of particular interest is the new startup security. Whereas ICF was active only after the system had booted up and the ICF service was successfully started by the Windows kernel, Windows Firewall is active from the very start. During system boot, Windows Firewall applies a default stateful filter to the system to allow basic networking functionality such as Dynamic Host Configuration Protocol (DHCP), Domain Name System (DNS), and communication with domain controllers, but blocks all other traffic until the system boot process has completed. Only then are the settings configured by the user applied to the firewall.
Windows Firewall Checklist
When configuring Windows Firewall, you must configure several features depending on the system's role in the network. The answers to the following questions will depend on whether the system will connect using a public network (such as a wireless network in a coffee shop or a library), a private network (such as a corporate LAN or home network), or both. Additionally, Windows Firewall settings on servers that may be configured as a web server, an authentication server, or a database server will differ from the settings on a simple desktop or laptop system. You can use this checklist to help ensure that the Windows Firewall settings are appropriate for a given system.
• Does Windows Firewall need to be enabled?
This is determined by considering whether the system will be exposed to a less-secure network than anticipated. This really needs to be considered more for laptops than for desktop systems.
• What exceptions (if any) should be configured in the Windows Firewall policy?
Remote Desktop? Needed to allow an external user to access the system using the Microsoft Remote Desktop Client.
File and Printer Sharing? This is necessary to share files with other users and systems as well as to print documents.
Other services? Should other services such as Remote Assistance, Virtual Network Computing (VNC), or Internet Information Server (IIS) be accessible through the firewall?
• Should the exceptions be configured as programs or as services?
If you configure exceptions as programs, the firewall only allows the traffic through if the specified program is active. Otherwise, the traffic is blocked. However, if the program is a set of services, such as Windows File and Printer Sharing, it may be easier to configure the exceptions as a range of network service ports rather than as programs.
• For which interfaces should Windows Firewall be configured?
The end user or administrator needs to decide whether all network interfaces will have the firewall active or just those that may be exposed to "insecure" networks. This typically applies to desktops with multiple interfaces but can also apply to laptops with both a wired and a wireless interface. In some cases (such as a laptop with a built-in wireless interface), it is best to apply the firewall to all interfaces to ensure that attackers cannot slip by through an active wireless connection.
• Which ICMP types should be allowed through the firewall?
At the very least, ICMP echo reply packets, ICMP destination unreachable packets, and ICMP Time-To-Live (TTL) Exceeded packets should be allowed through the firewall for debugging potential network connectivity problems.
• Should logging be configured?
Logging can cause a degradation in system performance. Turn logging on only when it is needed to debug a problem with the firewall.
After you have answered all of these questions, you can appropriately configure the firewall for the system. One item to consider if logging is configured is who will be reading the logs and how often. It is of little value to configure logging if no one actually looks at the logs.
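Because a log nobody reads is of little value, the following Python script (added here; it is not part of the chapter or of Windows) shows the kind of quick review a reader of the firewall log can do. It assumes the log uses the layout Windows Firewall writes (a #Fields header naming the columns, then one space-separated record per packet), the sample records are constructed, and 192.168.1.0/24 is assumed to be the local subnet; it reports which of the chapter's exceptions the dropped inbound traffic was aimed at and which sources lay outside the local subnet.

```python
import ipaddress
from collections import Counter

# Ports named in the chapter, grouped by the exception that would open them.
EXCEPTION_PORTS = {
    "File and Printer Sharing": {("TCP", 139), ("TCP", 445), ("UDP", 137), ("UDP", 138)},
    "Remote Desktop": {("TCP", 3389)},
    "UPnP Framework": {("TCP", 2869), ("UDP", 1900)},
}

# Constructed sample (not a real capture) in the layout Windows Firewall writes to its log
# file: a comment header, a #Fields line naming the columns, then space-separated records.
SAMPLE_LOG = """\
#Version: 1.5
#Software: Microsoft Windows Firewall
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2005-04-11 08:05:57 DROP TCP 192.168.1.20 192.168.1.10 1423 445 48 S 1234567 0 65535 - - - RECEIVE
2005-04-11 08:06:02 DROP UDP 192.168.1.20 192.168.1.10 137 137 78 - - - - - - - RECEIVE
2005-04-11 08:06:15 DROP TCP 203.0.113.9 192.168.1.10 50112 3389 48 S 99887766 0 8192 - - - RECEIVE
2005-04-11 08:06:20 DROP TCP 203.0.113.9 192.168.1.10 50113 135 48 S 99887767 0 8192 - - - RECEIVE
2005-04-11 08:07:01 OPEN TCP 192.168.1.10 192.168.1.1 1050 80 0 - 0 0 0 - - - SEND
"""

def parse_log(text):
    """Yield one dict per record, keyed by the column names from the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split()))

def summarise_drops(text, local_subnet):
    """Count DROPped inbound records per exception, and per source outside local_subnet."""
    subnet = ipaddress.ip_network(local_subnet)
    by_service, foreign_sources = Counter(), Counter()
    for rec in parse_log(text):
        if rec["action"] != "DROP" or rec["path"] != "RECEIVE":
            continue  # only blocked traffic arriving at the system is of interest here
        key = (rec["protocol"], int(rec["dst-port"]))  # attribute to the exception owning the port
        name = next((n for n, ports in EXCEPTION_PORTS.items() if key in ports), None)
        by_service[name or f"other ({rec['protocol']}/{rec['dst-port']})"] += 1
        if ipaddress.ip_address(rec["src-ip"]) not in subnet:
            foreign_sources[rec["src-ip"]] += 1
    return by_service, foreign_sources

if __name__ == "__main__":
    services, foreign = summarise_drops(SAMPLE_LOG, "192.168.1.0/24")
    print("dropped inbound by exception:", dict(services))
    print("sources outside the local subnet:", dict(foreign))
```

On a real system, replace SAMPLE_LOG with the contents of the log file named on the Advanced tab.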