With Windows 7, Microsoft offers you the ability to manage Windows
Firewall in several different ways. You can manage the basic functionality
of the firewall using the Windows Firewall in Control Panel, and the
advanced functionality of the firewall using the Windows Firewall with
Advanced Security console. This section looks at the basic Windows
Firewall. You’ll learn more about the advanced firewall in the next
section.

1. Windows Firewall Features and Improvements
When Windows Firewall was first introduced, it enabled
built-in exceptions for file sharing and similar protocols that allowed
some ports to be open on the computer, but it disallowed most other
ports on the computer. In subsequent revisions, Microsoft added the
ability to manage the firewall using Group Policy, enabling
administrators to manage the feature throughout an enterprise. Later,
Microsoft implemented the same changes into Windows Server 2003, which
brought the same improvements to the server operating system.
Unfortunately, in order to correct some of the problems associated with
Windows Firewall, you often had to disable the product completely to
make things work efficiently on your computer—and that definitely was
not good for computer security.
The current version of Windows Firewall includes IPv6 support,
outbound packet filtering, and a host of other features (see Table 1). Together, these features offer
great improvements over the Windows Firewall that was first introduced
with Windows XP. These features also help alleviate the need to turn off
Windows Firewall, as you had to do with early offerings of the
product.
Table 1. Windows Firewall features
| Feature | Description |
|---|---|
| IPv6 connection filtering | Allows filtering of connections using the IPv6 protocol |
| Outbound packet filtering | Allows control of outbound ports |
| Advanced packet filtering | Allows filtering rules specified by source and destination IP addressing, or complete port ranges |
| IPSec integration | Manages connections through the use of IP Security (IPSec) and a certificate |
| Encryption requirement | Manages connections through the ability to require encryption |
| Separate firewall policies for domains, private, and public network enrollment | Manages rule enforcement based on the network enrollment of the computer |
| Management Console (MMC) | MMC snap-in, called Windows Firewall with Advanced Security |
IPv6 connection filtering enables you to use the IPv6 protocol in
a secure fashion. This ability did not exist under Windows XP. Because
of this feature, your IPv6 connections will be as secure as your IPv4
connections.
Firewall rules for inbound packet filtering make up the majority of configuration
efforts on firewalls. These rules determine how network traffic flows
through the computer. You manage the flow of inbound and outbound
traffic through these rules. The firewall inspects the packets as the
computer receives them, and then determines, based on the configured
rules, how the computer will handle a particular packet. If Windows
Firewall determines that the packet should be accepted, it passes the
packet along internally to the computer. If the packet does not meet the
requirements of the rule set, it discards the packet.
Outbound packet filtering enables you to manage outbound
connections from your computer. This option did not exist as part of the
Windows Firewall in early versions. Outbound packet filtering lets you
keep spyware or malware from uploading personal data that’s been
collected. To use this type of functionality in Windows XP, you had to
purchase a third-party application. Microsoft now offers this ability as
part of the operating system. When the computer encounters a packet
requesting outbound access, Windows Firewall inspects the packet to
determine its purpose, verifies the packet against the firewall rules,
and then either allows the packet to be delivered or discards it
completely.
Advanced packet filtering allows you to create rules associated
with multiple IP addresses. This feature gives you greater flexibility
in managing connections using a source or destination IP address. You
even can manage a range of IP addresses for connectivity to the
computer. With Windows XP, you could filter with only a single IP
address, never a range of IP addresses. This is a marked improvement
over early versions of the product.
IPSec integration allows you to manage connections using
encryption. With IPSec integration, you can require that a connection
have the proper certificate in order to connect to the computer. This
allows for incredibly strong security and much greater flexibility when
transferring data among computers.
NOTE
IPSec requires the use of certificates to transfer data. These
certificates use public and private keys to determine whether the
connecting entity has authorization to transfer data. This option
makes transferring data much more secure among computers than before,
especially among computers connected across the Internet.
Separating policies by network enrollment enables you to manage
how your computer reacts to requests in different network environments.
You can associate a very hardened security policy when you are using an
insecure network, a fairly open security policy when connected to your
corporate network, and a moderately secure policy when connected to your home network. The beauty
of this feature is that you do not have to configure the settings over
and over; Windows 7 allows you to create a profile for each type of
environment and forget it. You specify the type of environment when you
create the network connection.
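The outbound filtering, address-range rules, and per-profile policies described above can be set from the command line with netsh advfirewall, which ships with Windows 7. The following is an added example, not taken from the original text; the program path, rule names, and address ranges are constructed placeholders, and an elevated prompt is assumed.

```powershell
# Added example: run from an elevated PowerShell prompt.
# The program path, rule names and address ranges are constructed placeholders.

# 1. Set one default policy per network profile.
#    Public: block all inbound traffic, ignoring any inbound allow rules.
netsh advfirewall set publicprofile  firewallpolicy "blockinboundalways,allowoutbound"
#    Private (home) and domain (corporate): block inbound unless a rule allows it.
netsh advfirewall set privateprofile firewallpolicy "blockinbound,allowoutbound"
netsh advfirewall set domainprofile  firewallpolicy "blockinbound,allowoutbound"

# 2. Outbound packet filtering: stop one program from opening outbound
#    connections, whichever profile is active.
netsh advfirewall firewall add rule name="Block uploader outbound" `
    dir=out action=block program="C:\Example\uploader.exe" profile=any enable=yes

# 3. Advanced packet filtering: allow Remote Desktop only from a subnet and an
#    address range, and only while the domain profile is active.
#    The remoteip argument is quoted so PowerShell does not split it at the comma.
netsh advfirewall firewall add rule name="RDP from management hosts" `
    dir=in action=allow protocol=TCP localport=3389 `
    "remoteip=192.168.10.0/24,10.0.5.10-10.0.5.20" profile=domain enable=yes

# 4. Verify what the firewall will actually enforce.
netsh advfirewall show allprofiles firewallpolicy
netsh advfirewall firewall show rule name="Block uploader outbound" verbose
netsh advfirewall firewall show rule name="RDP from management hosts" verbose
```

Because the Remote Desktop rule is bound to the domain profile, it has no effect when the computer is on a public or private network.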
Windows Firewall with Advanced Security offers the greatest
flexibility in managing the advanced security options. This allows you to
manage the different types of connections and rules through a single
interface. And administrators can easily manage the Windows Firewall
connections and associate the settings with Group Policy.
Overall, Microsoft brings a very capable firewall into Windows 7.
It offers excellent security features, and truly supplements a network
perimeter firewall. Although you may have more difficulty configuring
some of the advanced features of Windows Firewall, you will find
considerably fewer intrusions and false positives on your computer when
the firewall is configured correctly.