Networking / Beginners

Firewalls

Host-based firewalls are becoming all the rage. Windows XP includes a free host-based firewall, and Windows XP Service Pack 2 includes a very good, free host-based firewall, called Windows Firewall (WF). WF includes some very sophisticated management functionality that affords network administrators great control over the firewall. For instance, they can configure it to behave one way when on the internal network, another way when not. They can open up an authenticated IPsec bypass allowing all authenticated IPsec traffic to bypass the firewall, and they can set up program-based exceptions that allow certain firewall-unfriendly programs, such as instant messenger programs, to work properly. In all, the firewall has only one real or imagined shortcomingit does not perform outbound filtering. There are three reasons why: (1) Users do not understand it and therefore it will not help. As we mentioned earlier, if a dialog asking the user to make a security decision is the only thing standing between them and dancing pigs, security does not stand a chance. (2) Given that outbound filtering is a delay feature for the vast majority of users, why expend the limited available resources on that instead of giving administrators a great centrally manageable firewall? (3) Outbound filtering is available in IPsec already.

This does not, of course, mean that outbound filtering is not a worthwhile feature, just that it is not worthwhile for all users. For those who do need it, outbound filtering can be had through third-party firewalls.

We recommend using host-based firewalls on all your clients because they help stop malicious code from getting on the system in the first place.

[Previous] [Contents] [Next]

In this tutorial:

  1. Protecting Hosts
  2. Security Configuration Myths
  3. Myth 1: Security Guides Make Your System Secure
  4. Myth 2: If We Hide It, they Not Find It
  5. Myth 3: The More Tweaks, the Better
  6. Myth 4: Tweaks Are Necessary
  7. Myth 5: All Environments Should At Least Use <Insert Favorite Guide Here>
  8. Myth 6: "High Security" Is an End Goal for All Environments
  9. Myth 7: Start Securing Your Environment by Applying a Security Guide
  10. Myth 8: Security Tweaks Can Fix Physical Security Problems
  11. Myth 9: Security Tweaks Will Stop Worms/Viruses
  12. Myth 10: An Expert Recommended This Tweak as Defense in Depth
  13. Server Security Tweaks
  14. Software Restriction Policies
  15. Do Not Store LAN Manager Hash Value
  16. Anonymous Restrictions
  17. Security Identifiers (SIDs)
  18. Password Policies
  19. SMB Message Signing
  20. Networking LAN Manager Authentication Level
  21. TCP Hardening
  22. Restricted Groups
  23. Audit Settings
  24. Client Security Tweaks
  25. Firewalls
  26. IPsec Filters
  27. SafeDllSearchMode
  28. Local Administrator Account Control
  29. Limit Local Account Use of Blank Passwords to Console Logon Only
  30. Logon Events
  31. Allowed to Format and Eject Removable Media
  32. The Caution ListChanges You Should Not Make
  33. Crash on Audit Failure
  34. Clear Virtual Memory Page File
  35. Security Configuration Tools