Firewalls are either a hardware or software entity (or a combination of both) that protects a network by stopping network traffic from passing through it. In most cases, a firewall is placed on the network to allow all internal traffic to leave the network (email to the outside world, web access, etc.), but stop unwanted traffic from the outside world from entering the internal network. This is achieved by using rules. There are 3 basic types of rules as follows:
Inbound rules: These rules help protect your computer from other computers making unsolicited connections to it.
Outbound rules: These rules help protect your computer by preventing your computer from making unsolicited connections to other computers.
Connection-specific rules: These rules enable a computer’s administrator to create and apply custom rules based on a specific connection. In Windows, this is referred to as Network Location Awareness.
Windows 7 uses two firewalls that work together: Windows Firewall and Windows Firewall with Advanced Security (WFAS). The
primary difference between them being the complexity of the rules that can be configured for them.
Firewall Types:
There are 2 basic types of firewalls:
Network perimeter firewalls - Network firewalls are located at the boundary between the internal network and external networks such as the Internet and provide a variety of services. This type of firewall is illustrated in the image above. Such products are either hardware-based, software-based, or can be a combination of both. Some of these firewalls also provide application proxy services like Microsoft Internet Security and Acceleration (ISA) Server. Most of these types of network firewall products provide following functionality:
Management and control of network traffic by performing stateful packet inspection, connection monitoring, and application-level filtering.
Stateful connection analysis by inspecting the state of all communications between hosts and by storing the connection data in state tables.
Virtual private network gateway functionality by providing IPsec authentication and encryption along with Network Address Translation-Traversal (NAT-T). It allows permitted IPsec traffic to traverse the firewall with public to private IPv4 address translation.
Host-based firewalls - Network perimeter firewalls cannot provide protection for traffic generated inside a trusted network. Therefore host-based firewalls running on individual computers are needed. Host-based firewalls protect a host from unauthorized access and attack.
Apart from blocking unwanted incoming traffic, you can configure Windows Firewall with Advanced Security to block specific types of outgoing traffic as well. Host-based firewalls provide an extra layer of security in your network.
In Windows Firewall with Advanced Security, firewall filtering and IPsec are integrated together. This integration reduces the possibility of conflict between firewall rules and IPsec connection security settings.
Network Location Awareness:
Windows 7 supports network location awareness, which enables network-interacting programs to change their behavior based on how the computer is connected to the network. In the case of Windows Firewall with Advanced Security, you can create rules that apply only when the profile associated with a specific network location type is active on your computer. There are 3 location types:
Public - By default, the public network location type is assigned to any new networks when they are first connected. A public network is considered to be shared with the world, with no protection between the local computer and any other computer. Therefore, the firewall rules associated with the public profile are the most restrictive.
Private - The private network location type can be manually selected by a local administrator for a connection to a network that is not directly accessible by the public. This connection can be to a home or office network that is isolated from publicly accessible networks by using a firewall device or a device that performs network address translation (NAT). Wireless networks assigned the private network location type should be protected by using an encryption protocol such as Wi-Fi Protected Access (WPA) or WPAv2. A network is never automatically assigned the private network location type; it must be assigned by the administrator. Windows remembers the network, and the next time that you connect to it, Windows automatically assigns the network the private network location type again. Because of the higher level of protection and isolation from the Internet, private profile firewall rules typically allow more network activity than the public profile rule set.
Domain - The domain network location type is detected when the local computer is a member of an Active Directory domain, and the local computer can authenticate to a domain controller for that domain through one of its network connections. An administrator cannot manually assign this network location type. Because of the higher level of security and isolation from the Internet, domain profile firewall rules typically permit more network activity than either the private or public profile rule sets. On a computer that is running Windows 7, if a domain controller is detected on any network adapter, then the Domain network location type is assigned to that network adapter.
Turning Windows Firewall On and Off:
To turn Windows Firewall on or off, simply open the Windows Firewall control panel and click Turn Windows firewall on or off. The Change notification settings link brings up the same screen as shown below:
Not only can you turn the firewall on and off for each network location, you can also block all programs, and set notification when a program is blocked. One of the few reasons you would ever want to turn this off is if you had another firewall program that you want to use instead.
Allowing Programs:
Traditionally with firewalls, you can open or close a protocol port so that you can allow or block communication through the firewall. With Windows Firewall included in Windows 7, you specify which programs or features you want to communicate through the firewall. The most common options are available by clicking the Allow a program or feature through Windows Firewall option on the left pane of the Windows Firewall control panel. Only users that are members of the local Administrators group, or who have been delegated the appropriate privileges are able to modify Windows Firewall settings. If you need to open a port instead of specifying a program, you have to use the Windows Firewall with Advanced Security which is discussed later in this tutorial.
If a program that you want to create a rule for is not present on this list, click Allow Another Program. This opens the Add A Program dialog box. If the program that you want to create a rule for is not listed, click Browse to add it. Click the Network Location Types button to specify the network profiles in which the rule should be active.
If a program is blocked, the first time you try to run it you are notified by the firewall, allowing you to configure an exception that allows traffic from this program in the future. If an exception is not configured at this time, you will need to use the steps above to allow traffic through.
Introduction to Windows Firewall with Advanced Security:
Windows Firewall with Advanced Security is designed for advanced users and IT professionals, and offers more powerful configuration options than the standard Windows Firewall. You can now configure Inbound and Outbound Rules, Block or Allow incoming or outgoing connections based off Protocols and Ports and/or Programs and Services, and configure IPSec. The Inbound and Outbound Rules can be enforced on predefined profiles, Public, Private, Domain or all Profiles. WFAS becomes handy in instances where you need to enable a rule that allows traffic for a specific service while connected to one network profile, but not on another. For example, you can allow FTP traffic for the Domain (Work) Profile but not for the Public Profile. This would mean that computers at your work place can connect to your computer hosting an FTP service, whereas such traffic is blocked when you’re connected to another network.
The default Inbound rule settings is to block all connections that do not have rules (exceptions) that allow the connection unless the incoming request is a response from the client. The default Outbound rule is to allow all outbound connections unless you have explicitly blocked an outbound connection.
To access Windows Firewall with Advanced Security snap-in, open the Network and Sharing Center and click on Advanced Settings in the left pane. Or, you can type Windows Firewall with Advanced Security into the Search Programs And Files box in the Start menu. You must be a member of the administrators group.
Creating Rules:
To create and inbound or outbound rule, follow these steps:
First click on Inbound Rules or Outbound Rules in the left pane depending on which type of rule you are trying to create. In this case, we selected Inbound Rules.
Click on the Action menu and select New Rule.
This brings up the New Inbound Rules Wizard. In this window you can define a rule based on a program, a port, a predefined service or feature, or multiple parameters (custom rule). The program and predefined rules are the same as those found in the standard Windows Firewall. The custom rule allows you to configure a rule based on more than one option, for example, a rule that involves a specific program and ports.
What happens from here depends on the type of rule you are going to create and we suggest that you familiarize yourself with all of them. In this case, we are going to create a custom rule.
Here you can apply the rule to all programs, browse to a specific program, or a service. We're going to apply ours to a specific program by clicking the Browse and selecting a program.
Here we can apply the rule to specific protocols and ports. We selected a TCP port.
Next we define the scope of the rule. We have the option to configure local and remote addresses. The local IP address is used by the local computer to determine if the rule applies. The rule only applies to network traffic that goes through a network adapter that is configured to use one of the specified addresses. Specify the remote IP addresses to which the rule applies. Network traffic matches the rule if the destination IP address is one of the addresses in the list.
Next, we can allow the connection, allow the connection if it is secure, or block the connection.
Now we choose which network locations the rule will apply to.
In the final step, we enter a name and description for the rule and click Finish
The above instruction only demonstrate one of the possible types of rules you can create, and the dialogue boxes will vary depending on the type of rule and selections you make.
In addition to inbound and outbound rules, you can also configure Connection Security Rules. For more information about this, read Understanding Connection Security Rules.
Import and Export:
WFAS allows you to import and export the current firewall configuration for the purpose of easy configuration on stand-alone computers. To roll out the firewall configuration on a company network, it is better to use group policy. The import and export feature also essentially enables you to make a backup copy of your configuration before you make changes to it. Exported policy files are binary with a .wfw extension.