Windows IT Pro is the authoritative and independent resource for Windows NT, Windows 2000, Windows 2003, Windows XP. Features a collection of resources and magazines for Windows IT professionals.
  
  


August 2006

Vista's Firewall

Take a look at the new features in Windows Firewall

Over the past few years, information security has taken center stage because of the publicity surrounding attacks that exploit vulnerable software or use email to coerce users into running nefarious software. In the past, attackers commonly exploited specific holes in software, and those exploits required remote access to the vulnerable system. Properly managed perimeter firewalls helped thwart many such Internet-borne attacks.

Nowadays, an attack is more likely to be an inside job. Employees aren't necessarily attackers; rather, trusted computers can become infected through a vector such as an email attachment and are then connected to your LAN. Attackers use a savvy combination of social engineering and technology to lure victims into installing spyware, a Trojan horse, or a worm. Once installed, malignant software can spread freely to other computers. By installing host-based firewall software on individual computers, you can help block unknown and untrusted traffic from accessing your network's computers.

With Windows XP, Microsoft includes a basic firewall that was originally named Internet Connection Firewall and has recently been rebranded as Windows Firewall. The original version of Windows Firewall did a lot of things right, such as providing both command-line and Group Policy Object (GPO) configuration, but it fell short in areas such as robust rule customization and outbound-traffic filtering. The version of Windows Firewall that will ship with Windows Vista lets you configure restrictions by service and configure outbound connections. Let's take a look at the improvements Microsoft made to Windows Firewall as of the February 2006 Community Technology Preview (CTP) version of Vista. Keep in mind that some of these features might change by the time Vista rolls out.

A New MMC Snap-In
Vista's Windows Firewall straddles consumer and enterprise workstation environments by supporting powerful centralized administrative features while remaining easy to use. At first glance, you might not even notice any changes, because Microsoft tucked the new features in a new Microsoft Management Console (MMC) snap-in called Windows Firewall with Advanced Security, which Figure 1 shows. You can still configure the new features centrally, using Group Policy, or locally, using the Netsh command-line tool. Like other snap-ins, Windows Firewall with Advanced Security supports a remote option, which lets you manage the firewall features of local and remote computers.

One thing to keep in mind is that, although rules created in Control Panel show up in the snap-in, rules created or modified in the snap-in don't always show up in Control Panel. For example, if you use the snap-in to edit a basic rule created in Control Panel, you won't be able to see or edit the rule in Control Panel.

Blocking Inbound and Outbound Connections
Vista's firewall blocks inbound traffic by default, so you'll need to configure Exceptions immediately if you choose to host network applications from your computer. (Exceptions are what Microsoft calls rules—or more technically, ACLs.)

Many third-party host-based firewalls warn you of a pending outbound connection and ask whether you want to permit the connection. According to your response, the firewall might create a rule for subsequent activity. However, Vista's firewall permits all outbound traffic by default. Creating Exceptions to block outbound traffic is easy but requires you to use the new snap-in. Most end users probably won't bother, but as an administrator, you'll want to become familiar with the Windows Firewall with Advanced Security snap-in so that you can configure its must-have features.

Accessing New Firewall Features
Most of the new firewall features became available in the December 2005 Vista CTP, although Microsoft made minor adjustments in the February CTP. You'll find adding the Windows Firewall with Advanced Security snap-in to be a familiar process. Click the Start icon, then type

mmc 

in the search box and press Enter. When prompted, click Allow to let MMC operate in a privileged mode. From the File menu, click Add/Remove Snap-in, select Windows Firewall with Advanced Security, and click Add. Select the computer you want to manage and click Finish, then OK.

The snap-in lets you manage all the firewall features. You can select Inbound Exceptions, Outbound Exceptions, Computer Connection Security, or Firewall Monitoring from the treeview pane and double-click an item to see additional options in the center pane. In the right-hand pane is a list of all available actions for the selected node. This layout makes configuring the firewall intuitive; for example, you can right-click a rule to enable or disable it, or select a rule to show a list of available actions in the right-hand pane. Most actions take effect immediately, making troubleshooting quick and easy. To view and configure the firewall's properties, right-click Windows Firewall with Advanced Security in the treeview pane and select Properties.

If you're familiar with earlier versions of Windows Firewall, you'll notice that the new version retains the concept of domain and standard profiles. You can configure individual rules for each profile and Windows will automatically determine which profile to use. The domain profile is used when a computer is connected to a network within the computer's domain, such as an internal LAN. The standard profile is used in all other instances, such as when a computer is connected to an external network. You can configure the firewall's properties differently for the domain and standard profiles—for example, you might create a rule that allows inbound traffic to access your computer when you're connected to the LAN, and disallows access when you're on the road. You can also configure the firewall's default actions (such as blocking or permitting inbound and outbound connections) and IPsec settings (such as key exchange, which encryption and integrity algorithms to use, and authentication methods).

Learn by Example
Microsoft includes in Windows Firewall many preconfigured rules that are disabled by default, which makes it easy to follow Microsoft's preferred approach for creating or configuring an exception. All firewalls generally let you configure rules by allowing or restricting the use of specific protocols (e.g., TCP, UDP) and ports. But Windows Firewall also lets you restrict specific programs' and services' access to a protocol or port.
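
The default actions, the per-profile inbound exception and the program-scoped outbound block described in the sections above can also be set from the command line. This is an added example, not part of the original article: it assumes the netsh advfirewall syntax of released Windows Vista and later rather than the CTP covered here (the private and public profiles take the place of the article's standard profile), and the rule names, port and program path are constructed placeholders.

```bat
@echo off
rem Added example, not from the article. Run from an elevated command prompt.
rem Assumes the netsh advfirewall syntax of released Windows Vista and later.
rem Rule names, the port and the program path are constructed placeholders.
setlocal
set "RULE_IN=Example - allow inbound TCP 3389 on domain profile"
set "RULE_OUT=Example - block outbound for sample program"
set "APP=C:\Example\sample.exe"

rem 1. Record each profile's default inbound/outbound action before changing anything.
netsh advfirewall show allprofiles firewallpolicy

rem 2. State the defaults the article describes explicitly: block inbound,
rem    allow outbound. On an unmodified system this changes nothing.
netsh advfirewall set allprofiles firewallpolicy blockinbound,allowoutbound || goto :fail

rem 3. Inbound exception that applies only while the domain profile is active,
rem    so the port stays closed when the computer is on an outside network.
netsh advfirewall firewall add rule name="%RULE_IN%" dir=in action=allow ^
    protocol=TCP localport=3389 profile=domain || goto :fail

rem 4. Outbound exception: outbound traffic is allowed by default, so stopping
rem    one program takes an explicit block rule scoped to its executable.
netsh advfirewall firewall add rule name="%RULE_OUT%" dir=out action=block ^
    program="%APP%" profile=any || goto :fail

rem 5. Read both rules back to confirm direction, profile and action.
netsh advfirewall firewall show rule name="%RULE_IN%" verbose
netsh advfirewall firewall show rule name="%RULE_OUT%" verbose

rem 6. Remove the sample rules so the test leaves no exceptions behind.
netsh advfirewall firewall delete rule name="%RULE_IN%"
netsh advfirewall firewall delete rule name="%RULE_OUT%"
exit /b 0

:fail
echo netsh reported an error; check that the prompt is elevated. 1>&2
exit /b 1
```

Rules added this way appear under the inbound and outbound nodes of the Windows Firewall with Advanced Security snap-in, where they can be reviewed or disabled.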

Windows IT Pro is a Division of Penton Media Inc.
Copyright © 2008 Penton Media, Inc., All rights reserved.