Before you start
Objectives: Learn what a firewall is and why we should use it. You will also learn the specifics of the built-in firewall in Windows operating systems.
Prerequisites: you should understand the OSI model.
Key terms: firewall, packet, Internet, computer, inbound, network, outbound, packets, configure
What is a Firewall
A firewall is a hardware device, or software running on a device, that inspects network traffic and allows or blocks it based on a set of rules. Firewalls are typically used to protect a network or devices from attacks, where unwanted traffic from an untrusted network is blocked. Firewalls are typically used when connecting our private network to the Internet (a public network). The firewall filters traffic between the private network and the Internet. Its main purpose is to protect our network from attackers on the Internet who try to get into our private network.
The firewall makes a decision on every packet that arrives. When a packet from the Internet comes to the firewall, the firewall decides, based on its settings, whether to allow that packet through or to discard it. The same is true when we send packets out to the Internet.
There are two main firewall types used today: network firewalls and host-based firewalls. Network firewalls (also called hardware firewalls) are located at the network entrance and filter all traffic coming into our network, for all hosts. A host-based firewall (also called a software firewall) is located on an individual host within the network. A host-based firewall is typically used when we’re connecting our personal computer directly to the Internet. It is also very useful when we are traveling and connecting to public, untrusted networks. So, a host-based firewall runs on the computer itself and filters all the traffic coming to or from that particular computer.
Every packet coming from the Internet is called an inbound packet. A packet sent from our computer to the Internet is called an outbound packet. We can have different sets of rules for inbound and for outbound packets. Keep in mind that unless a rule exists that explicitly allows data to pass through the firewall, the data will be dropped.
A firewall is often used for untrusted (public) networks, such as the Internet. However, we can also use a firewall within a private network. For example, we might want to protect sensitive data in our environment that not all users in our organization should see, such as payroll information. In that case, we can create a special subnet within our own network and install a firewall on that subnet to prevent users within our own company from getting at the sensitive information. We define rules on that firewall to allow only traffic from specified users or specified devices, and block traffic from other users who shouldn’t have access to the sensitive information.
Firewalls use filtering rules, also called access control lists (ACLs), to define the criteria for allowing or rejecting network traffic. The criteria used depend on the type of firewall we are implementing. In this way we protect our network and computers by having a smaller ‘attack surface’. Because a firewall concentrates security in one place, it also presents a single point of failure. It’s important to make sure that the firewall is not our only security mechanism; if it is, a compromised firewall means a compromised private network.
Terminology
In order to work with firewalls we have to know some common computer networking concepts. The first is a protocol: a set of rules used to establish communication between computers on the network. Typical networking protocols that we will use in Windows environments and firewalls are TCP, UDP, and ICMP. TCP is a reliable transport protocol, while UDP is not. ICMP is used for diagnostic purposes; tools like PING and TRACERT use ICMP.
A port is a number used to indicate a specific program or service on the computer. For example, port 80 indicates HTTP traffic (HTTP uses the TCP transport protocol), port 25 indicates SMTP (which also works over TCP), the protocol used to send e-mail messages, etc.
When working with firewalls in Windows we will also see the term IPSec. IPSec is an encryption and signing protocol used to protect traffic on public networks.
More Details about Network Firewalls
Keep in mind that a firewall can only manage traffic that passes through it. Network firewalls can be deployed on the network border, between segments of a network, or outside the network boundaries. There are four general types of network firewalls: packet filtering firewalls, circuit level gateways, application level gateways, and stateful inspection firewalls.
Packet Filtering Firewall
A packet filtering firewall filters traffic based on the source and destination address, as well as the port numbers and service protocol types. It examines information in the IP packet, so it operates at OSI layer 3. It uses access control lists or filtering rules to monitor and control the traffic. When a message comes into the firewall, the firewall removes the framing information to expose the IP packet, which includes the data along with the source and destination IP addresses. So, a packet filtering firewall can filter traffic based on IP addresses and port numbers. Every packet that comes into the firewall is compared to the filtering criteria. The filtering criteria can include the network interface card the packet was received on, the direction of the communication (inbound or outbound), the IP addresses and port numbers, and an action to take if there’s a match.
Filtering rules can be rather complex. For every packet that comes into the firewall, the rules must be checked in order to find out whether the packet should be allowed or denied. Most routers come with functionality that allows us to configure a packet filtering firewall on the router. A typical configuration is to reject packets for all ports and then only allow (open) the ports for the traffic that we need to support on our network. For this, we need to be aware of the port numbers used by the common services we want to allow through our firewall. There are literally thousands of port numbers, each used for a different service or communication channel, but there are common ones that we should know. We have a separate article showing which ports are used for common services.
A packet filtering firewall is less secure because it allows packets from an approved session into the network regardless of their content, so it may let through attacks on services or buffer overflow attacks. Because it operates only at layer 3, it provides high performance.
Circuit Level Gateway
A circuit level gateway (also called a circuit level proxy) monitors traffic between trusted hosts and untrusted hosts through virtual circuits or sessions. It filters traffic based on session state and operates at OSI layer 5 (Session). It monitors the session ID number and allows only those packets that match active sessions.
It takes advantage of the TCP three-way handshake process. When a session is established, a client computer first sends a request for a session using a special packet called the SYN packet. The server responds with an acknowledgment (ACK) packet, basically stating that it has a session that can be used. The client then responds with another acknowledgment (SYN-ACK) packet, which acknowledges that it has received the original session information and wants to establish communication. The gateway monitors this process to identify sessions that are active. When a packet is received, the firewall removes the packet header information and examines the session information within the packet. If the session is active, the communication is allowed to the other network. If it finds a session ID that is not active, doesn’t exist, or has been terminated, the packet is dropped and not forwarded. This type of firewall is often called a stateful firewall because it keeps track of the state of the session. Instead of examining every packet and filtering based on rules, it simply looks at the session ID and determines whether the session is active or inactive.
This type of firewall also verifies the sequencing of session packets to prevent session hijacking attempts. It detects and blocks many types of attacks, and responds to attacks by blocking future communication from the attacking hosts. This type of firewall operates a bit slower than a packet filtering firewall.
Application Level Gateway
An application level gateway operates at OSI layer 7 (Application), and monitors and sanitizes the communication. The application level firewall does not filter based on individual packets, but rather on the data that exists at the application layer.
Messages that come into the firewall are typically composed of multiple packets. At the network layer, a packet filtering firewall examines each packet to make its forwarding decisions. At the session layer, a circuit level gateway examines the session ID associated with information across multiple packets and makes decisions. An application layer firewall, on the other hand, takes the individual packets and reassembles them into the original data. It then makes forwarding decisions based on that data, not on the individual packets. So, the application level firewall must reassemble the request and then use the information in that request for its filtering decisions. For example, we can use an application level gateway to filter traffic based on URLs within the HTTP request, and so prevent users from going to specific websites. We can also use this type of firewall to allow or deny access based on users or groups.
The implementation of an application layer firewall is often referred to as a proxy server. A proxy server is actually a specific implementation of the application layer gateway. The proxy server is a server that sits between a network and an end user. Typically, the proxy server is located between the public network (Internet) and the clients that need access to the Internet (private network). Requests going to the Internet are intercepted by, or sent to, the proxy server. The proxy server takes those requests and applies application layer filtering to decide whether each request should be allowed out to the Internet or blocked. This way we can filter requests based on URLs to allow access only to certain websites. We can also filter based on users or groups, to allow only specific users to have access to the Internet.
This type of firewall is the slowest form of firewall, since it has to work all the way up to the Application layer.
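Added example (not code from the article): a small Python model of the reassemble-then-filter step of an application level gateway described above. Three constructed TCP segments carry one HTTP request; the gateway joins them, parses the request line and Host header, and forwards only requests for hosts on an allowlist. The host names and addresses are made up, and anything the gateway cannot parse is blocked rather than forwarded.

```python
from typing import Iterable, Optional

# Constructed sample: one HTTP request split across three TCP segments, which is
# what the gateway receives. A packet filter would only see three unrelated packets.
SEGMENTS_INTRANET = [
    b"GET /docs/index.html HTTP/1.1\r\nHo",
    b"st: intranet.example.com\r\nUser-Agent: demo\r\n",
    b"\r\n",
]
SEGMENTS_VIDEO = [b"GET /videos HTTP/1.1\r\nHost: video.example.net\r\n\r\n"]

# Sites users are allowed to reach (hypothetical allowlist).
ALLOWED_HOSTS = {"intranet.example.com", "www.example.org"}


def reassemble(segments: Iterable[bytes]) -> bytes:
    """Join in-order segments and return the request up to the end of its header block."""
    buf = b"".join(segments)
    end = buf.find(b"\r\n\r\n")
    if end == -1:
        raise ValueError("incomplete request: header block not terminated")
    return buf[: end + 4]


def parse_request(raw: bytes) -> dict:
    """Extract method, path and Host (without any :port suffix) from a reassembled request."""
    head, *lines = raw.decode("ascii", errors="strict").split("\r\n")
    method, path, version = head.split(" ")          # ValueError if the request line is malformed
    headers = {}
    for line in lines:
        if not line:                                  # blank line ends the header block
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    hostport: Optional[str] = headers.get("host")
    host = hostport.split(":")[0].lower() if hostport else None
    return {"method": method, "path": path, "host": host}


def gateway_decision(segments: Iterable[bytes], allowed_hosts=ALLOWED_HOSTS) -> str:
    """Allow only well-formed requests whose Host is on the allowlist; block everything else."""
    try:
        req = parse_request(reassemble(segments))
    except (ValueError, UnicodeDecodeError):
        return "block"                                # cannot inspect it, so do not forward it
    if req["host"] is None or req["host"] not in allowed_hosts:
        return "block"
    return "allow"


if __name__ == "__main__":
    print(gateway_decision(SEGMENTS_INTRANET), gateway_decision(SEGMENTS_VIDEO))  # allow block
```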
Firewall Deployment
There are three general ways in which network firewalls are deployed. One is called the Bastion firewall (router). In this case we have a firewall between two networks (subnets), one of which is our trusted network and the other the public network (Internet). It is called a Bastion firewall because it is put in front of the private network to protect it from the untrusted network. This firewall has two network interface cards: one connects to the Internet and the other to the private network. If we were using a packet filtering firewall, we could, for example, allow all outbound traffic to the Internet and also allow the responses to those requests back through the firewall. So, for website browsing, we can allow all traffic going to port 80 out to the Internet, and allow any responses to those specific requests back in. However, we would not allow port 80 requests through the firewall to a specific device if the request actually originated from the Internet. So, we allow responses from the Internet, but not requests that originated on the Internet.
The next type of deployment is called a Screened host. The firewall is still placed between the private and the public network, but instead of sending all traffic on to the LAN, it sends it to an application gateway. This means the firewall has a third interface card which is connected to the application gateway. So, the screening firewall sends all traffic to the application gateway, and only if the filters on the application gateway allow the traffic is it forwarded to the LAN.
The third type is called the Screened subnet. In this case the firewall also has a third interface card, connected to another subnet (network). That third network can contain servers that are accessible from the Internet. For example, we may have a web server hosting our website, and we want people on the Internet to be able to access it. In that case we would allow port 80 communication only if it is directed to our public website located on that subnet.
Another type of configuration is to use two separate firewall devices. The outer firewall is connected to the Internet and restricts traffic in and out of the entire network. The inner firewall restricts access into the private network. Between those two firewalls we have a third subnet (network). This configuration is often called a DMZ or demilitarized zone. The subnet between the private network and the Internet (the DMZ) contains servers that are publicly accessible, such as our web server, e-mail server, etc. The outer firewall is configured to allow incoming connections directed only to the specific devices in our DMZ. Any attempt to go through the outer firewall into the private network is blocked by the inner firewall. The inner firewall, on the other hand, is configured to allow messages generated inside our private network out to the Internet. Another configuration within the demilitarized zone is to allow specific servers in the DMZ to communicate with specific servers on our private network. In this case we increase the security of the servers on our private network, since they can only be accessed from the servers in the DMZ, and not directly from the Internet. The common scenario is a web server in the DMZ which can communicate with a database server on our private network; the database server can’t be contacted from the Internet directly in that case.
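Added example (not code from the article): a Python model that combines the packet filtering rules from the Packet Filtering Firewall section with the Bastion policy just described. Rules are checked first-match with a default deny when nothing matches, and the firewall records connections opened from the inside so that only replies to those, never Internet-originated requests, are let back in. Interface names, addresses and ports are constructed.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    iface: str       # NIC the packet arrived on: "ext" (Internet side) or "int" (LAN side)
    direction: str   # "in" (from the Internet) or "out" (towards the Internet)
    proto: str       # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str                       # "allow" or "block"
    direction: Optional[str] = None   # any criterion left as None matches everything
    iface: Optional[str] = None
    proto: Optional[str] = None
    src: Optional[str] = None
    dst: Optional[str] = None
    sport: Optional[int] = None
    dport: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        pairs = [(self.direction, p.direction), (self.iface, p.iface), (self.proto, p.proto),
                 (self.src, p.src), (self.dst, p.dst), (self.sport, p.sport), (self.dport, p.dport)]
        return all(want is None or want == have for want, have in pairs)


class BastionFirewall:
    """First-match rule list with default deny, plus a table of connections that were
    opened from the inside so that the replies to them can come back in."""

    def __init__(self, rules):
        self.rules = list(rules)
        self.sessions = set()   # (proto, inside_ip, inside_port, outside_ip, outside_port)

    def decide(self, p: Packet) -> str:
        # 1. An inbound packet that answers a connection we opened is allowed.
        if p.direction == "in" and (p.proto, p.dst, p.dport, p.src, p.sport) in self.sessions:
            return "allow"
        # 2. Otherwise the first matching rule decides; an allowed outbound packet opens a session.
        for rule in self.rules:
            if rule.matches(p):
                if rule.action == "allow" and p.direction == "out":
                    self.sessions.add((p.proto, p.src, p.sport, p.dst, p.dport))
                return rule.action
        # 3. No rule matched: drop the packet (default deny).
        return "block"


# Bastion policy from the text: web browsing (and DNS) out, nothing in that we did not ask for.
RULES = [
    Rule(action="allow", direction="out", proto="tcp", dport=80),
    Rule(action="allow", direction="out", proto="udp", dport=53),
]


def demo():
    """Runs constructed sample traffic through the firewall and returns the four decisions."""
    fw = BastionFirewall(RULES)
    request = Packet("int", "out", "tcp", "10.0.0.5", "203.0.113.10", 51000, 80)  # LAN client -> web server
    reply   = Packet("ext", "in",  "tcp", "203.0.113.10", "10.0.0.5", 80, 51000)  # the server's answer
    probe   = Packet("ext", "in",  "tcp", "198.51.100.7", "10.0.0.5", 40000, 80)  # Internet-originated request
    ssh_out = Packet("int", "out", "tcp", "10.0.0.5", "203.0.113.10", 51001, 22)  # no rule for port 22
    return [fw.decide(x) for x in (request, reply, probe, ssh_out)]


if __name__ == "__main__":
    print(demo())  # ['allow', 'allow', 'block', 'block']
```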
Built-in Firewall in Windows
The Windows Firewall was first introduced with Windows XP SP2. This version of the built-in firewall was a simple inbound-only firewall, which means it was only used to restrict inbound traffic coming from the Internet. Windows Vista introduced the Windows Firewall with Advanced Security (WFAS).
Windows Firewall With Advanced Security (WFAS)
WFAS is also available in Windows 7, together with some new enhancements. More advanced users can use WFAS to configure restrictions through inbound and outbound rules, based on protocol type and port number, or even on specific services. The WFAS console displays which network profiles are active and allows us to create, delete, or disable rules that allow or disallow traffic. A rule is a collection of criteria that determines which traffic is allowed, blocked or secured. The custom rule type lets us configure a rule based on specific criteria not covered by the other options. Here are some rule types available in WFAS:
- Program rule – we can use this rule to specify a program to which the rule applies. This rule is useful when we don’t know the port or other settings the program requires. We have to specify the path to the program executable. By default the program will be allowed to accept connections on any port.
- Port rule – we can use this rule to specify a rule based on the protocol being used (TCP, UDP or ICMP) and a local port number.
- Predefined rules – these rules are similar to the rules available in the basic Windows Firewall. They are provided in a list based on the services and programs running on the computer. After choosing the rule type, we simply specify the action to take when the conditions are met: allow the traffic, block the traffic, or allow the traffic only if the connection is authenticated (allowed if secure). Most well-known services and programs are provided in the list.
- Custom rules – we can use custom rules to specify a connection based on specific criteria.
- Rule scopes enable us to specify whether the rule applies to specific source and destination addresses. This allows us to create a rule that limits traffic to or from a particular set of addresses.
In addition to the inbound and outbound rules, there is also a third rule type called Connection security rules. These are a special type of rule that deals with authenticated and encrypted traffic. A connection security rule describes how two computers authenticate before they establish a connection and how they secure the information transmitted between them. The traffic is secured using IPSec, and the rule can specify that connections between two computers must be authenticated and encrypted. The different types of connection security rules are:
- Isolation rule – this rule limits communication to only those hosts that are able to authenticate using specific credentials. The most common use is to stop computers from communicating with computers that are not members of the Active Directory domain. It can be configured to request authentication for both inbound and outbound connections, to require inbound authentication but only request outbound authentication, or to require authentication for all communication. Beware that if we choose a require option and the other device doesn’t support authentication, the communication won’t be established.
- Authentication exemption rule – this rule enables us to configure exceptions to the isolation rules. Basically, by using this rule we can allow traffic from specific computers without authentication. Computers can be specified by a specific IP address, an IP address range, a subnet, or a predefined group.
- Server-to-server rules – these rules are similar to isolation rules, but instead of applying to all connections, they apply to specific host-to-host connections. Hosts are identified by their IP address. This rule is typically used to protect connections between servers.
- Tunnel rules – these rules are similar to server-to-server rules, but instead of applying to specific hosts, they apply to connections through tunnels to remote sites, such as a site-to-site VPN link. They are typically used when connecting across the Internet between two gateways, each gateway having its own private network. Data is encapsulated in IPSec while traveling across the Internet.
- Custom rules – here we also have a custom rule option, which can be used when no other rule type fits.
Based on the rules, the traffic can be blocked, allowed or allowed if it is secure. It’s important to remember that security rules take advantage of IPSec. Windows 7 and Windows Vista support both IPSec policies and security rules. However, Windows XP only supports IPSec policies.
WFAS uses network profiles (as does the basic Windows Firewall) to determine the firewall configuration, so firewall options can be configured for each profile (domain, private, public) independently. We can turn the firewall on or off per profile if we want to. By default, all inbound connections that do not match any active firewall rule are blocked, but we can change this. For outbound connections, all connections that do not match any active firewall rule are allowed by default, but this can also be changed.
If we need to monitor our firewall status, we can use the WFAS console and click on the Monitoring node. The monitoring view shows us information about the current firewall rules, connection security rules, and security associations. The monitoring overview page shows us which profiles are active (domain, private or public) and the settings for the active profiles. We can also see all WFAS events in the Event Viewer. Another WFAS enhancement in Windows 7 is the ability to export and import firewall rules. Exported firewall rules have the .wfw extension. This file is a binary file (not an XML based file).
WFAS can also be managed using the netsh advfirewall command line tool, run from an elevated command prompt, to manage advanced firewall settings. From the command line we can script the creation of firewall rules, or use it with Windows Remote Shell to run on a remote computer running Windows 7. For example, the command to export the rules is “netsh advfirewall export”, and for import we use “netsh advfirewall import”. The syntax of the command used to add a rule is “netsh advfirewall firewall add rule name="{name}" profile={domain or public or private} protocol={TCP or UDP or ICMP} dir={in or out} localport={port number} action={allow or block}”. As we can see, the netsh command lets us manage WFAS from the command line or remotely.
Example Configuration
To see how to work with the firewall in Windows, check out these articles: