Over the past few years, information security has taken center stage because of the publicity surrounding attacks that exploit vulnerable software or use email to coerce users into running nefarious software. In the past, attackers commonly exploited specific holes in software, and those exploits required remote access to the vulnerable system. Properly managed perimeter firewalls helped thwart many such Internet-borne attacks.
Nowadays, an attack is more likely to be an inside job. Employees aren't necessarily attackers; rather, trusted computers can become infected through a vector such as an email attachment and are then connected to your LAN. Attackers use a savvy combination of social engineering and technology to lure victims into installing spyware, a Trojan horse, or a worm. Once installed, malignant software can spread freely to other computers. By installing hostbased firewall software on individual computers, you can help block unknown and untrusted traffic from accessing your network's computers.
With Windows XP, Microsoft includes a basic firewall that was originally named Internet Connection Firewall and has recently been rebranded as Windows Firewall. The original version of Windows Firewall did a lot of things right, such as providing both command-line and Group Policy Object (GPO) configuration, but it fell short in areas such as robust rule customization and outbound-traffic filtering. The version of Windows Firewall that will ship with Windows Vista lets you configure restrictions by service and configure outbound connections. Let's take a look at the improvements Microsoft made to Windows Firewall as of the February 2006 Community Technology Preview (CTP) version of Vista. Keep in mind that some of these features might change by the time Vista rolls out.
A New MMC Snap-In
Vista's Windows Firewall straddles consumer and enterprise workstation environments by supporting powerful centralized administrative features while remaining easy to use. At first glance, you might not even notice any changes, because Microsoft tucked the new features in a new Microsoft Management Console (MMC) snap-in called Windows Firewall with Advanced Security, which Figure 1 shows. You can still configure the new features centrally, using Group Policy, or locally, using the Netsh command-line tool. Like other snap-ins, Windows Firewall with Advanced Security supports a remote option, which lets you manage the firewall features of local and remote computers.
One thing to keep in mind is that, although rules created in Control Panel show up in the snap-in, rules created or modified in the snap-in don't always show up in Control Panel. For example, if you use the snapin to edit a basic rule created in Control Panel, you won't be able to see or edit the rule in Control Panel.
Blocking Inbound and Outbound Connections
Vista's firewall blocks inbound traffic by default, so you'll need to configure Exceptions immediately if you choose to host network applications from your computer. (Exceptions are what Microsoft calls rules—or more technically, ACLs.)
Many third-party host-based firewalls warn you of a pending outbound connection and ask whether you want to permit the connection. According to your response, the firewall might create a rule for subsequent activity. However, Vista's firewall permits all outbound traffic by default. Creating Exceptions to block outbound traffic is easy but requires you to use the new snap-in. Most end users probably won't bother, but as an administrator, you'll want to become familiar with the Windows Firewall with Advanced Security snap-in so that you can configure its must-have features.
Accessing New Firewall Features
Most of the new firewall features became available in the December 2005 Vista CTP, although Microsoft made minor adjustments in the February CTP. You'll find adding the Windows Firewall with Advanced Security snap-in to be a familiar process. Click the Start icon, then type
mmcin the search box and press Enter. When prompted, click Allow to let MMC operate in a privileged mode. From the File menu, click Add/Remove Snap-in, select Windows Firewall with Advanced Security, and click Add. Select the computer you want to manage and click Finish, then OK.
The snap-in lets you manage all the firewall features. You can select Inbound Exceptions, Outbound Exceptions, Computer Connection Security, or Firewall Monitoring from the treeview pane and double-click an item to see additional options in the center pane. In the right-hand pane is a list of all available actions for the selected node. This layout makes configuring the firewall intuitive; for example, you can right-click a rule to enable or disable it, or select a rule to show a list of available actions in the righthand pane. Most actions take effect immediately, making troubleshooting quick and easy. To view and configure the firewall's properties, right-click Windows Firewall with Advanced Security in the treeview pane and select Properties.
If you're familiar with earlier versions of Windows Firewall, you'll notice that the new version retains the concept of domain and standard profiles. You can configure individual rules for each profile and Windows will automatically determine which profile to use. The domain profile is used when a computer is connected to a network within the computer's domain, such as an internal LAN. The standard profile is used in all other instances, such as when a computer is connected to an external network. You can configure the firewall's properties differently for the domain and standard profiles—for example, you might create a rule that allows inbound traffic to access your computer when you're connected to the LAN, and disallows access when you're on the road. You can also configure the firewall's default actions (such as blocking or permitting inbound and outbound connections) and IPsec settings (such as key exchange, which encryption and integrity algorithms to use, and authentication methods).
Learn by Example
Microsoft includes in Windows Firewall many preconfigured rules that are disabled by default, which makes it easy to follow Microsoft's preferred approach for creating or configuring an exception. All firewalls generally let you configure rules by allowing or restricting the use of specific protocols (e.g., TCP, UDP) and ports. But Windows Firewall also lets you restrict specific programs' and services' access to a protocol or port.
Restrict by application. To illustrate how flexible and granular a Windows Firewall rule can be, let's look at the rule for the Background Intelligent Transfer Service (BITS)—a service used to download updates from remote computers. This rule lets you lock down only the BITS service by specifying the parent application and the network port as follows. In the Windows Firewall with Advanced Security snap-in, click Inbound
Exceptions in the left-hand pane and double-click the BITS Service rule in the middle pane to bring up the rule's properties. On the General tab, you can name the rule, enable it, and specify whether all programs or only specific programs should use it. As Figure 2 shows, I've specified that only svchost.exe (the executable wrapper that services run under) can use the rule. When I click OK, all other programs are immediately restricted from using the rule. The Actions section lets me allow or block all connections or select Allow only secure connections. Secure connections rely on IPsec to configure the encryption and integrity of the network communication and let you specify a user or computer to authenticate the connection.
Restrict by protocol and port. The first version of Windows Firewall let you configure the remote port of only two protocols: TCP and UDP. For example, if you wanted to permit inbound HTTP connections, you'd specify the protocol and port number (e.g., TCP 80) for the connections. Vista's firewall lets you specify more than 20 predefined protocols or define your own and also lets you specify the local port as well as the remote port. You can also associate multiple ports with a single rule. For example, to cover both encrypted and unencrypted Web traffic, you could define a rule called Web Traffic to allow TCP over ports 80 and 443. On the Protocols and Ports tab for the BITS Service rule, Microsoft defines BITS traffic as TCP over local port 2126. You can also specify predefined Internet Control Message Protocol (ICMP) settings, such as echo request and router reply, or a custom ICMP type and code.
Restrict by network address. The Scope tab lets you define the local and remote network-addresses that the rule will apply to. You can specify an IP address or subnet (e.g., 10.0.0.10, 192.168.0.0/24) or an address range (e.g., 192.168.0.0 to 192.168.0.10). For the remote address, you can select a predefined address, such as the default gateway or DHCP servers, as Figure 3 shows. Predefined addresses make it easy to reconfigure rules when your environment changes. For example, you can let file transfer protocols access only computers on your local subnet. Dynamic rules let you restrict traffic without configuring individual rules for every network.
Restrict by interface type. The Advanced tab lets you apply an exception to a specific interface type: Local Area Network, Remote Access, or Wireless. When a user who's connected to your company network also needs to connect to a remote network and you don't want to risk the remote network accessing data on your local network, you can configure an exception to block all inbound connections and apply it to the remote access interface. Users can still accept new connections from the LAN, but not from a remote network.
Restrict by service. You'll recall that the preconfigured BITS Service rule allows inbound connections on TCP port 2126 by the svchost.exe program. Microsoft further restricts the communication to only the BITS Service under the Services dialog box. You can configure which services apply to a rule by clicking the Advanced tab in the BITS Service Properties dialog box, then clicking Settings, which is next to the Services section. In many cases you'll just want to restrict traffic to a protocol and port, but in other cases you can be much more granular by specifying the service whose network communication you want to permit or block.
The Vista firewall lets you configure outbound connections in much the same way you do inbound connections. The ability to recognize and filter outbound connections is one of the firewall's best features because it lets you exercise granular control over how a computer is using the network. Outbound exceptions let you permit Microsoft Internet Explorer (IE), Outlook, and other known network programs to access the network but disallow all other outbound traffic.
For example, if your company requires use of an authenticated proxy server that uses TCP port 8080 by default, you could log and block all outbound TCP port 80 (standard HTTP) traffic to prevent rogue programs from bypassing the proxy server in an attempt to communicate with an external Web server. Users often unknowingly install spyware or unapproved software that accesses the Web, and you can create an exception that blocks them from doing so at the host.
Unlike some third-party host-based firewalls, the beta version of Vista's firewall doesn't alert you when it blocks an outbound connection. However, if you configure firewall logging, you can view blocked connections in the log file.
Couple outbound connection filtering with Windows Firewall's remote connection features, and you can remotely lock down a suspicious computer, such as one that you suspect might be infected with a virus or worm. The only options you had with earlier versions of Windows Firewall were to either unplug the computer or disable the network interface. Vista's firewall lets you remotely connect to the suspect computer using MMC, enable outbound blocking, and turn on logging while permitting only specified computers to have port access. This approach lets you contain the threat and still be able to remotely manage the computer.
Microsoft also added a new Netsh context to Windows Firewall to accommodate extra features such as outbound rules. You can run Netsh interactively or string together commands and subcontexts into a single command. For example, the command:
netsh advfirewall outbound show allwill start Netsh, change to the advfirewall context and the outbound subcontext, and run the Show All command. The output will show outbound exceptions configured for the firewall. At any command, you can type a question mark (i.e., ?) to list the supported commands and subcontexts. Netsh lets you export configurations and copy them to other computers or use a script to add new rules from the command line. Use the Show command to list rules and the Add command to create a new rule.
Like earlier versions of Windows Firewall, the Vista firewall continues to log data to the file system in c:\windows\pfirewall.log by default. You can also choose to log either blocked packets or successful connections.
Integration with IPsec
Vista's firewall integrates IPsec configuration into the firewall rules. Microsoft promotes IPsec heavily, but in my experience few people use it. Barriers to deploying IPsec can be real or perceived and include difficulty with proper setup, the risk of not being able to access a computer if the policy goes wrong, and an inability to use traditional network tools to monitor or manage IPsec traffic. The new firewall doesn't address these risks, but it makes accessing IPsec configurations easier. Microsoft has also rewritten the IPsec wizards in an attempt to make IPsec easier to implement.
Same Tool, New Features
Security professionals will want to check out the new firewall features included with Vista. The ability to create bidirectional ACLs will appeal to many organizations. Third-party host-based firewall software still provides more features, but you can't beat the price of Windows Firewall, and its inclusion in every Vista version lets you protect computers right out of the box. Plus, the firewall continues to let you use Netsh and GPOs for configuration. Organizations that use Group Policy and Vista will be well on their way to deploying an effective, centrally managed host-based firewall solution.