Microsoft continues to follow through on its promise to lock down its Windows OSs. Windows XP Service Pack 2 (SP2) includes a robust evolution of the Internet Connection Firewall (ICF), called Windows Firewall, which makes great strides toward helping secure your corporate workstations. Windows Firewall provides a stateful host-based firewall that you can centrally configure through Active Directory (AD) Group Policy. With ICF, Microsoft extended Windows 2000 IP filtering features into a stateful-inspection firewall. However, ICF suffers from a few shortcomings that have prevented its widespread adoption; for example, ICF is disabled out of the box and you can't centrally manage its settings. With its enhanced logging, centralized management, and more granular rules, Windows Firewall might be just what you're looking for to augment your existing network-layer firewalls. Best of all, Windows Firewall is available free of charge and is automatically enabled when you install XP SP2. In this article, I examine some of the features and configuration options available in Windows Firewall. (Note: At the time of this writing, Microsoft hasn't yet released the final XP SP2 version. This review is based on the prerelease version, Release Candidate 2--RC2--which Microsoft released in June 2004.)
Defense in Depth
Network-layer firewalls protect the perimeter of a network from malicious intruders trying to probe the network or exploit a vulnerability on an internal server. (They don't protect your systems from worms or viruses embedded in legitimate traffic, such as email attachments.) Unfortunately, users don't always connect their computers to a network protected behind one of these firewalls. Users at an airport, at a hotel, at a customer's site, or at home often connect their computers to an unsafe network outside the secured network perimeter. Systems administrators can address this risk by installing a host-based firewall such as Windows Firewall on network computers. A host-based firewall is installed lower in the network stack than your applications and inspects all network traffic going to and from the computer on which it's installed.
Similar to how a network-layer firewall works, Windows Firewall inspects traffic destined for your computer and drops any inbound traffic that isn't solicited or permitted by an ACL. Windows Firewall uses stateful-inspection technology that tracks the state of each connection to determine which inbound traffic is solicited. If you browse to a Web site, the firewall remembers this connection and dynamically opens a port back to your computer for the return data. When you close the connection, the firewall automatically closes the port.
Implementing a host-based firewall such as Windows Firewall on individual computers in addition to deploying a network-perimeter firewall increases the depth of your network's defense. Consider a scenario in which an employee's laptop is infected with a worm, then brought back into the corporate network, bypassing the perimeter firewall. The worm now might try to propagate to other internal computers. A host-based firewall installed on these computers will help protect them from such internal attacks.
Host-based firewalls inherently require more effort to deploy because you need to install and configure the firewall on individual machines. ICF requires administrators to enable and configure the firewall for each adapter, making deployment onerous. Windows Firewall addresses this limitation by protecting the computer as a whole via centrally managed rules. Also, Windows Firewall is location-aware, meaning that you can lock down a mobile user's laptop when it's connected to the Internet but permit greater access when the machine is connected to the corporate LAN, such as for system management. However, even when computers are connected to the corporate LAN, you should keep Windows Firewall enabled to prevent the spread of any worms that try to connect to some random port. Simply configure the LAN firewall settings to allow for known networking applications such as remote monitoring and management, file sharing, or other business network services.
Outbound Agnostic
Windows Firewall provides more ACL customization than ICF does, but it still isn't as robust as many third-party host-based firewalls. Windows Firewall inspects only inbound traffic to your computer and categorizes it as either solicited or unsolicited. Windows Firewall lets you configure rules for handling unsolicited inbound traffic but permits all outbound traffic as well as solicited inbound traffic. This configuration lets you block most attackers while permitting remote management protocols. More sophisticated host-based firewalls also inspect outbound traffic, which is useful for detecting unauthorized outbound traffic that could be a sign that a worm or spyware has invaded the computer. Microsoft recommends that you use IP Security (IPSec) filtering and policies to manage outbound traffic; however, IPSec isn't a state-aware technology, so you'll need to open quite a few holes to permit the return traffic from remote computers. For example, if you use remote procedure call (RPC) to manage a computer, you could configure Windows Firewall to allow inbound RPC traffic, but you would also need to configure your outbound IPSec filter to allow the outbound traffic, which is usually on a port greater than 1024.
Most firewalls let you define rules based on network traffic parameters such as address and protocol. Host-based firewalls inherently have more access to the programs that generate network traffic because these firewalls are installed on the host transmitting the data. Windows Firewall takes advantage of this situation by supporting not only network-based ACLs (such as allowing SMTP--port 25) but also application-based ACLs. For example, if you create an ACL entry that lets MSN Messenger connect to your computer, Windows Firewall will permit any unsolicited request destined for MSN Messenger when it arrives at your protected computer. Essentially, Windows Firewall opens a port for this traffic and lets it communicate with the MSN Messenger program.
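To make the behavior described above concrete, here is an added Python model of the decision logic the article attributes to Windows Firewall: the stateful tracking from the Defense in Depth section (an outbound connection opens a return path that closes with the connection), the inbound-only filtering from the Outbound Agnostic section, and the port-based and program-based exceptions from this paragraph, with one exception set per network location so the LAN-versus-Internet behavior can be compared. This is example code written for this article, not Microsoft's code and not the Windows Firewall implementation; the Packet, Profile and HostFirewall names, the program paths, the addresses and the traffic it replays are all constructed for illustration.

```python
"""Toy model of the Windows XP SP2 Windows Firewall decision logic.

Added example, not Microsoft's code. It models the behavior the article
describes: inbound traffic is stateful-inspected, outbound traffic is never
filtered, and unsolicited inbound traffic passes only through a port
exception or a program exception in the active profile. All names, paths
and addresses below are constructed for the example.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Packet:
    direction: str    # "in" or "out", relative to the protected host
    proto: str        # "tcp" or "udp"
    local_port: int
    remote_addr: str
    remote_port: int
    program: str      # local process owning the socket (visible to a host firewall)


@dataclass
class Profile:
    """Exception set for one network location (corporate LAN vs. Internet)."""
    name: str
    open_ports: set = field(default_factory=set)        # {(proto, local_port)}
    allowed_programs: set = field(default_factory=set)  # {program path}


class HostFirewall:
    def __init__(self, profile):
        self.profile = profile
        # Connection table keyed by (proto, local_port, remote_addr, remote_port)
        self.state = set()

    def _key(self, pkt):
        return (pkt.proto, pkt.local_port, pkt.remote_addr, pkt.remote_port)

    def filter(self, pkt):
        """Return 'allow' or 'drop' for one packet and update connection state."""
        key = self._key(pkt)
        if pkt.direction == "out":
            # Outbound is not inspected; record it so replies count as solicited.
            self.state.add(key)
            return "allow"
        # Inbound and matching a tracked connection: solicited, let it through.
        if key in self.state:
            return "allow"
        # Unsolicited inbound: only a port or program exception can admit it.
        if (pkt.proto, pkt.local_port) in self.profile.open_ports:
            return "allow"
        if pkt.program in self.profile.allowed_programs:
            return "allow"
        return "drop"

    def close(self, pkt):
        """Connection closed: remove the dynamic opening for its return traffic."""
        self.state.discard(self._key(pkt))


# Constructed program path used as the MSN Messenger exception.
MSN = r"C:\Program Files\MSN Messenger\msnmsgr.exe"

# Constructed profiles: the LAN profile also opens file sharing and RPC endpoint
# mapper ports for management; the Internet profile opens no ports at all.
DOMAIN = Profile("domain", open_ports={("tcp", 445), ("tcp", 135)},
                 allowed_programs={MSN})
STANDARD = Profile("standard", open_ports=set(), allowed_programs={MSN})


def run_scenario(profile):
    """Replay constructed traffic through the firewall; return {label: verdict}."""
    fw = HostFirewall(profile)
    browser_out = Packet("out", "tcp", 3050, "203.0.113.10", 80, "iexplore.exe")
    browser_reply = Packet("in", "tcp", 3050, "203.0.113.10", 80, "iexplore.exe")
    smb_probe = Packet("in", "tcp", 445, "198.51.100.7", 40000, "System")
    msn_invite = Packet("in", "tcp", 6891, "198.51.100.9", 50000, MSN)

    verdicts = {}
    verdicts["browser_out"] = fw.filter(browser_out)        # outbound: always allowed
    verdicts["browser_reply"] = fw.filter(browser_reply)    # solicited: allowed
    fw.close(browser_out)
    verdicts["reply_after_close"] = fw.filter(browser_reply)  # port closed again
    verdicts["smb_probe"] = fw.filter(smb_probe)            # depends on profile
    verdicts["msn_invite"] = fw.filter(msn_invite)          # program exception
    return verdicts


if __name__ == "__main__":
    for profile in (DOMAIN, STANDARD):
        print(profile.name, run_scenario(profile))
```

Running the script replays the same five packets against each profile. The browser's reply is admitted only while its connection is tracked, the unsolicited probe to TCP 445 is admitted on the LAN profile but dropped on the Internet profile, and the MSN Messenger invitation is admitted on both because the exception is keyed to the program rather than to a port.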