5/29/2007

The Windows Vista Firewall

We have all heard, at one time or another, about the Windows XP firewall and how useless it is. However true or untrue these statements are, they can affect confidence in the security systems of future Windows products. This paper is intended to educate the public on the facts of the subject matter. So, let's get with it...

The Difference:-
No third-party software can lay claim to the fact that the Windows Firewall starts its protection once the computer is turned on. Is that important, you ask? Absolutely. If a capable malware program could turn itself on at the same time that the computer starts to boot, common sense would dictate the danger of this. Now, knowing that the Vista firewall 'does' start at boot, we need to know with confidence that it is going to protect from boot.

The Interface:-
Microsoft and the Windows team have done something a little different with the Vista firewall. They have separated the firewall into two different interfaces. The default interface is the basic one. At first glance, it looks identical to the Windows XP SP2 firewall. This basic interface is ON by default and loads basic settings for normal user protection. In most cases, this basic setting should work fine. Then they added an Advanced interface for the more security-savvy individuals. This Advanced interface gives greater flexibility over the firewall's settings.

The Basic Configuration:-
As I mentioned earlier, the Vista firewall is turned on by default and will be set to a 'basic' configuration. In this configuration, the firewall works in tandem with the new Windows Service Hardening feature. If the firewall detects an activity that is deemed a prohibited behavior according to Windows Service Hardening's preset rules, the firewall will block this suspect activity.
To access the Vista Firewall's basic settings, click the Windows button>> Control Panel>> Windows Firewall. With the Windows Firewall window open, you will see three tabs at the top: General, Exceptions and Advanced. Let's quickly discuss each tab separately:

General tab:-
With this tab selected, you will see three possible settings: On (default), Block all programs and Off. The On and Off selections are pretty self-explanatory, but the "Block all programs" option is very handy if you need to log in to an unsecured public wi-fi network. With this option selected in this scenario, you will be completely protected.

Exceptions tab:-
With this tab selected, you can view all of the programs that Windows has on its default block list. If you would like to unblock a certain program, simply click the checkbox next to the program's name. Also, at the bottom of this window you will notice that you can add or delete programs. A little further down the window, you will notice an entry titled: "Tell me when Windows Firewall blocks a program". This is enabled by default, but if you would prefer not to get popup notifications regarding blocked programs, simply de-select this option and click Apply.

Advanced tab:-
With this tab selected, you will see the available network connections on your system that can be protected by the Windows Firewall. When you see a checkmark next to the available network connection, you'll know that it is being protected. Unchecking, of course, removes the protection.
Also available under the Advanced tab is a "Security logging" feature. When you click the "Settings" button under the Security logging feature, you will be able to create and configure log files of either dropped packets or successful connections to your network and set maximum log sizes.
Another feature you'll notice is "ICMP" (Internet Control Message Protocol):
Here you are given a certain flexibility over how your computer is to respond to ICMP requests. When you click the Settings button, you will notice that the entry titled: "Allow incoming echo request" is the only entry selected (allowed). All other requests are not allowed by default.
The last available option under the Advanced tab is the "Default settings" option. When you click the "Restore Defaults" button, you will remove any previous settings changes that have been made and return the Windows Firewall to its default configuration. If you should get into a little trouble while configuring your Basic settings, this is a good option to be aware of.

The Advanced Configuration:-
This is where Microsoft has added a second, completely separate interface for the Windows Firewall. In order to view and configure advanced settings, you will first need to create a custom MMC (Microsoft Management Console). The purpose of this is to dissuade any novice users from accessing these settings. If you would like to create a custom MMC, here's how:
  1. Click the Windows button
  2. In the Search box, enter: cmd
  3. Right click the Run Program and select "Run as administrator" from the resulting menu.
  4. In the Run window, type in: mmc.exe [Enter] or click OK.
  5. With MMC open, go to File>> Add/Remove Snap-in.
  6. Open the "Available Snap-ins" list and scroll the list to locate an entry titled: "Windows Firewall With Advanced Security".
  7. Click to select the entry and then click the "Add" button.
  8. Accept the default (Local Computer) from the Select Computer dialog box.
  9. Click Finish, then OK.
You will now be able to view the advanced settings in the MMC.

From within the MMC, you have a great deal of flexibility over your Windows Firewall. Some interesting configurations worth noting are:

Multiple Firewall Profiles:-
Geared more toward portable computing, this option allows you to configure three different profiles for different situations. As an example, if you are traveling and are using your laptop in a public unsecured wi-fi environment, you can enable your "Public" profile. Switch to your "Private" network profile when surfing at home, or rely upon your "Domain" profile for work. Each profile tab offers the same settings.
Once you've clicked one of the profile tabs, you can turn the selected profile On or Off. You also have flexibility over Inbound and Outbound connections. By default, as we have learned earlier, outbound connections are allowed and Inbound connections are NOT allowed (selected 'exceptions' are allowed). In the MMC, you can change these settings to fit your personal needs.

IPSec Configuration:-
Another tab you'll see alongside each of the three profiles is the IPSec tab. IPSec (Internet Protocol Security) is a constantly developing security standard that provides for the security of sensitive data that is transmitted over unprotected networks. With the IPSec tab selected, you can click the "Custom" button to configure these settings to fit your needs. Available configuration options are: Key Exchange, Data Protection and Authorization Method.

Connection Security Rules:-
After you have set up all of your profiles and configured your IPSec settings, you're now ready to set up your connection security rules. You will be guided by a wizard that helps you create security rules to determine how and when secure connections are to be applied between individual computers or even a group of computers. Some of the flexibilities you will have here are:
  • Isolate certain connections and restrict a connection based on a domain's membership or health status.
  • Set up server-to-server authentication rules
  • Restrict certain connections
  • Exempt certain computers from authentication
  • Create a custom rule when nothing available applies
Once you've created your rules, you can easily delete them by right clicking and selecting Delete. Or, you can save them for a later time by selecting Disable instead. To enable the disabled rule, simply right click it and select Enable.

3 comments:

Anonymous said...

Can anyone recommend a well-priced Remote Management utility for a small IT service company like mine? Does anyone use Kaseya.com or GFI.com? How do they compare to these guys I found recently: N-able N-central performance reporting? What is your best take in cost vs performance among those three? I need good advice please... Thanks in advance!

Anonymous said...

My friend and I were recently discussing the ubiquitousness of technology in our daily lives. Reading this post makes me think back to that discussion we had, and just how inseparable from electronics we have all become.


I don't mean this in a bad way, of course! Ethical concerns aside... I just hope that as memory gets less expensive, the possibility of copying our brains onto a digital medium becomes a true reality. It's one of the things I really wish I could experience in my lifetime.


(Posted on Nintendo DS running [url=http://quizilla.teennick.com/stories/16129580/does-the-r4-or-r4i-work-with-the-new-ds]R4[/url] DS ZKwa)

Anonymous said...

Wasting time is robbing oneself.
