
Windows 7 Firewall

Firewalls restrict network traffic based on a collection of configurable rules. Another name for these rules is exceptions. When traffic reaches a network interface protected by a firewall, the firewall analyzes it, either discarding the traffic or allowing it to pass on the basis of the rules that have been applied to the firewall. Windows 7 uses two firewalls that work together: Windows Firewall and the Windows Firewall with Advanced Security (WFAS). The primary difference between these firewalls relates to the complexity of the rules that can be configured for them. Windows Firewall uses simple rules that directly relate to a program or service. WFAS allows for more complicated rules that filter traffic on the basis of port, protocol, address, and authentication. WFAS will be covered in more detail later in this tutorial.

When thinking about how firewall rules work, remember that unless a rule exists that explicitly allows a particular form of traffic, the firewall will drop that traffic. In general, you must explicitly allow traffic to pass across a firewall, though there will be some occasions when you need to configure a deny rule. You will learn about deny rules later in this lesson. Windows Firewall and WFAS ship with a minimal set of default rules that allow you to interact with networks. This means that although you are able to browse the Web without having to configure a firewall rule, if you try to use an application to interact with the network that is not covered by a default rule, such as File Transfer Protocol (FTP), you receive a warning. This behavior is different from earlier versions of Microsoft Windows, such as Windows XP, where the firewall blocked only incoming traffic and did not block outgoing traffic. The firewall in Windows 7 blocks most outbound traffic by default. When a program is blocked for the first time, the firewall notifies you, allowing you to configure an exception that allows traffic of this type in the future.

The Windows 7 firewall uses a feature known as full stealth. Stealth blocks external hosts from performing Operating System (OS) fingerprinting. OS fingerprinting is a technique where an attacker determines what operating system a host is running by sending special traffic to the host's external network interface. After an attacker knows what operating system a host is using, they can target OS-specific exploits at the host. You cannot disable the stealth feature of Windows 7.

Boot time filtering, another feature of Windows 7, ensures that Windows Firewall is working from the instant the network interfaces become active. In previous operating systems, such as Windows XP, the firewall, either built into Windows or from a third-party vendor, would become operational only once the startup process was complete. This left a small but important period where a network interface would be active but not protected by a firewall. Boot time filtering closes this window of opportunity.

To understand the operation of Windows Firewall, you need to be familiar with some core networking concepts. If you have a lot of experience with networks, you may want to skip ahead to the next section because you are already familiar with them. These core concepts are:

  • Protocol: In terms of Windows Firewall, you need to consider only three protocols: Transmission Control Protocol (TCP), User Datagram Protocol (UDP), and Internet Control Message Protocol (ICMP). TCP is more reliable and is used for the majority of Internet traffic. UDP is used for broadcast and multicast data, as well as the sort of traffic associated with online games. You use ICMP primarily for diagnostic purposes.
  • Port: A port is an identification number that is contained within the header of a TCP or UDP datagram. Ports are used to map network traffic to specific services or programs running on a computer. For example, port 80 is reserved for World Wide Web traffic and port 25 is reserved for the transmission of e-mail across the Internet.
  • IPSec (Internet Protocol Security): IPSec is a method of securing network traffic by encrypting it and signing it. The encryption ensures that an attacker cannot read captured traffic. The signature allows the recipient of the traffic to validate the sender's identity.
  • Network address: Each host on a network has a network address. You can configure firewalls to treat traffic differently based on the destination network of outgoing traffic or the origin network of incoming traffic.
  • Inbound traffic: Inbound traffic is network data that originates from an external host and is addressed to your client running Windows 7.
  • Outbound traffic: Outbound traffic is traffic that your client running Windows 7 sends to external hosts over the network.
  • Network interface: A network interface can be a physical local area network (LAN) connection, a wireless connection, a modem connection, or a virtual private network (VPN) connection.
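The following is an added example, not part of the original tutorial, that ties the rule behaviour described above (traffic is dropped unless an exception allows it, and FTP has no default exception) to the concepts in this list: it creates an inbound exception scoped by protocol, port and remote network using netsh advfirewall, the WFAS command-line tool included with Windows 7. The rule name and the 192.0.2.0/24 management subnet are constructed placeholders; run it from an elevated PowerShell prompt.

```powershell
# Added example (not from the tutorial). Uses netsh advfirewall, which ships
# with Windows 7. Rule name and subnet are constructed placeholders.
$ruleName = "Example-Allow-FTP-Control"

# 1. Show each profile's default action. Inbound traffic that matches no rule
#    is dropped, which is why a server program such as FTP needs an exception.
netsh advfirewall show allprofiles | Select-String -Pattern "Profile Settings|Firewall Policy"

# 2. Add an inbound exception for the FTP control channel (TCP port 21).
#    Scope it to one remote network rather than allowing any address, and
#    apply it only to the domain and private profiles, not public networks.
netsh advfirewall firewall add rule `
    name=$ruleName `
    dir=in action=allow `
    protocol=TCP localport=21 `
    remoteip=192.0.2.0/24 `
    profile=domain,private

# 3. Verify that the rule was stored with the intended scope before relying on
#    it. netsh prints "No rules match the specified criteria." if it is absent.
$rule = netsh advfirewall firewall show rule name=$ruleName
if ($rule -match "No rules match") { throw "Rule '$ruleName' was not created" }
$rule | Select-String -Pattern "Direction|Profiles|Protocol|LocalPort|RemoteIP|Action"

# 4. Every allow rule widens the exposed surface; delete the exception when the
#    FTP service is no longer needed instead of leaving it behind.
# netsh advfirewall firewall delete rule name=$ruleName
```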