Understanding Multiple Active Firewall Profiles
Windows Vista and later versions support Network Location Awareness (NLA), a feature that enables Windows to detect changes in network connectivity so that applications can continue to operate seamlessly when network changes occur. The Network Location Awareness service (NLASVC) monitors the local computer for changes in its connectivity to connected networks. When Windows connects to a new network for the first time, the Network List Service assigns a globally unique identifier (GUID) to the new network. If the NLASVC later detects a change in network connectivity on the computer, it notifies the Network List Service, which then notifies Windows Firewall.
The NLA APIs in Windows can be used by applications to determine whether a network is in a connected or disconnected state. The APIs can also be used to determine which type of connection (such as wired connections, remote access connections, or wireless connections) Windows is currently using to access a specific network. Each network identified by Windows is assigned a location based on the type of network to which the computer is connected. The three types of network locations supported in Windows Vista and later versions are:
- Domain network: A network on which Windows can authenticate access to a domain controller for the domain to which the computer is joined.
- Private network: A network that the user or an application has explicitly designated as private, located behind a gateway device such as a NAT router; the typical scenario is a small office/home office (SOHO).
- Public network: A network that provides a direct connection to the Internet or is in a public place such as a coffee shop or airport. All non-domain networks are identified as public by default.
Windows Firewall is an example of such a network-aware application and uses the NLA APIs to identify the type of each connected network. Windows Firewall automatically associates a firewall profile with each identified network connection and configures the profile appropriately for that type of network. For example, if a network connection on the computer is a wireless connection to a WiFi hotspot at a coffee shop, Windows identifies the network as a public network and associates the appropriate firewall profile (public) with the connection. The firewall settings for a network connection are determined by the firewall profile assigned to that location. For example, if Windows Firewall with Advanced Security identifies a connected network as a public network, the firewall rules for File and Printer Sharing will be disabled by default to prevent other users on the network from accessing shared folders or printers on your computer. By contrast, if Windows Firewall with Advanced Security identifies the connected network as private, the File and Printer Sharing rules will be enabled because the network has been specified by the computer's administrator as a work/home environment where other trusted users and/or computers may reside.
Corresponding to these three types of network locations, the three types of firewall profiles are:
- Domain profile: Applies to network connections whose network location type has been identified as a domain network.
- Private profile: Applies to network connections whose network location type has been identified as a private network.
- Public profile: Applies to network connections whose network location type has been identified as a public network.
By default, the public profile is the most restrictive firewall profile, and the domain profile is the least restrictive in terms of the number of different types of traffic each profile allows.
In Windows Vista, only one firewall profile could be active at any one time even if your computer is connected to more than one network. In addition, the active profile would always be the most restrictive profile of all the networks to which the computer is connected. This caused problems for virtual private network (VPN) scenarios. For example, consider a user with a laptop running Windows Vista who is sitting at a coffee shop where free Internet access is provided via a wireless hotspot. The wireless connection is identified by Windows as a public network, and so the public firewall profile is the active firewall profile. The user then establishes a VPN connection via the Internet with her company's internal network using her domain credentials. Because there can be only one active firewall profile in Windows Vista, the firewall profile that is applied to the VPN connection is the same public profile being used for filtering Internet access. This causes some corporate applications to break when used over the VPN connection because these applications expect to use the less-restrictive domain profile, not the more-restrictive public profile.
Windows 7 solves this problem by allowing multiple firewall profiles to be active on the computer simultaneously. In this scenario, the user with a laptop running Windows 7 uses the wireless hotspot to connect to the Internet. The wireless connection is identified as a public network, and the public firewall profile is assigned to that network and is active. The user now establishes a VPN connection with the corporate network using her domain credentials, and in this case the domain profile is assigned to the VPN connection because authentication with a domain controller has succeeded. Both firewall profiles (the public profile for the wireless Internet connection and the domain profile for the VPN connection) are active in Windows 7. The public profile filters traffic that does not go through the VPN tunnel, while the domain profile filters traffic passing through the tunnel. The result is that corporate applications now work as intended over the VPN connection. Both networks are connected, and the firewall profile for each network is active.
Note: If a computer running Windows 7 has a network adapter that is not connected to any network, the network location type will be Unidentified and the public firewall profile will automatically be assigned.
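The following PowerShell script is an added example, not part of this tutorial: it queries the same NLA COM API (INetworkListManager, CLSID_NetworkListManager) that Windows Firewall uses, maps each connected network's category to the firewall profile that will be applied to it, and then cross-checks the result against what netsh reports as the active profiles and the state of the File and Printer Sharing rules on the public profile. It assumes Windows 7 or later with PowerShell 2.0 or later and the NetworkListManager COM class registered as it is by default; the function name Get-ConnectedNetworkProfiles is this example's own.

```powershell
# NLM_NETWORK_CATEGORY values (netlistmgr.h) mapped to the firewall profile they select
$categoryToProfile = @{ 0 = 'Public'; 1 = 'Private'; 2 = 'Domain' }
# NLM_CONNECTIVITY bits that mean the network has an Internet route
$NLM_CONNECTIVITY_IPV4_INTERNET = 0x40
$NLM_CONNECTIVITY_IPV6_INTERNET = 0x400
$NLM_ENUM_NETWORK_CONNECTED = 1

function Get-ConnectedNetworkProfiles {
    # CLSID_NetworkListManager: the object Windows Firewall itself consults
    $nlm = [Activator]::CreateInstance(
        [Type]::GetTypeFromCLSID([Guid]'{DCB00C01-570F-4A9B-8D69-199FDBA5723B}'))
    foreach ($net in $nlm.GetNetworks($NLM_ENUM_NETWORK_CONNECTED)) {
        $conn = [int]$net.GetConnectivity()
        $hasInternet = (($conn -band $NLM_CONNECTIVITY_IPV4_INTERNET) -ne 0) -or
                       (($conn -band $NLM_CONNECTIVITY_IPV6_INTERNET) -ne 0)
        # One object per connected network: name, NLA category, and the profile it implies
        New-Object PSObject -Property @{
            Network  = $net.GetName()
            Category = [int]$net.GetCategory()
            Profile  = $categoryToProfile[[int]$net.GetCategory()]
            Internet = $hasInternet
        }
    }
}

$networks = Get-ConnectedNetworkProfiles
$networks | Format-Table Network, Category, Profile, Internet -AutoSize

# Distinct profiles NLA has selected; on Windows 7 more than one can be active at once
$expected = $networks | Select-Object -ExpandProperty Profile | Sort-Object -Unique
"Profiles selected by NLA: $($expected -join ', ')"

# Cross-check with what Windows Firewall with Advanced Security reports as active
netsh advfirewall show currentprofile

# Inbound File and Printer Sharing rules that apply to the Public profile, with their
# Enabled state; the tutorial says these are disabled by default on public networks
netsh advfirewall firewall show rule name=all dir=in profile=public |
    Select-String -Pattern 'File and Printer Sharing' -Context 0,2
```

A VPN connection that has authenticated to a domain controller shows up as category 2 alongside the hotspot's category 0, and the two netsh sections that follow should list both the Domain and Public profile settings.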