Chapter 11: Managing Windows Firewall


Overview

When Windows XP was introduced in 2001 it included a feature called Internet Connection Firewall (ICF). Unlike the TCP/IP Filtering that was included in prior Windows releases, ICF was a stateful, packet-filtering firewall. It even blocked unsolicited SYN-ACK packets, but that was pretty much where its benefits stopped. To be fair, at the time it was roughly at the stage where other host-based firewalls were, but it certainly was no leap forward.

Among the many shortcomings of ICF were:

  • Lack of central management

  • Single profile (no separate settings for different networks)

  • Not on at boot

In Windows XP Service Pack 2 (SP2) some of these shortcomings were addressed, and the Windows Firewall in Windows XP SP2 still is one of the lowest overhead, most reliable, and least intrusive firewall products available for Windows XP. In spite of this, it was still lacking a few features:

  • Limited integration with IPsec, including separate management interfaces

  • Strict source address mapping

  • ACLs on TCP and UDP ports

  • Outbound filtering

  • Extensibility

  • Support of more than two profiles

  • Scriptability

WHAT IS A SYN-ACK PACKET?

The most common network protocol in use today is Internet Protocol (IP), with some transport protocol on top. The most widely used transport protocol is the Transmission Control Protocol (TCP). The remainder of this chapter assumes you have a working knowledge of TCP/IP.

When using the TCP protocol, computers establish sessions. This is done with what is known as the "three-way handshake." First, the client computer sends a hello message, a SYNchronize packet (a TCP packet with the SYN flag set). The server then responds with an ACKnowledgement of the SYN from the client, and also sends a SYN of its own: a SYN-ACK packet. The client then responds with an ACK of the server's SYN, and we have a session.

The SYN-ACK is supposed to be sent in response to a SYN packet. Most firewalls are stateful and, therefore, keep track of all outgoing SYNs so that they know which incoming SYN-ACKs they should expect. However, in the early days of host-based firewalls quite a few did not track this. Attackers (often through innocent third parties) use unsolicited SYN-ACKs for several things, but primarily Denial of Service (DoS) attacks. Processing an unsolicited SYN-ACK can be expensive, and this can cause performance problems on the victim.
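The state tracking the sidebar describes is easy to see in a few lines of code. The following is an added example written for this chapter, not code from the book or from Windows Firewall: a toy filter that records each outbound SYN by its address/port 4-tuple and accepts an inbound SYN-ACK only when it answers one of those SYNs. The IP addresses and ports are constructed test values, the filter has no listening ports (so every inbound SYN is dropped), and the TCP flag bit values are the ones defined in RFC 793.

```python
"""Toy stateful TCP filter (constructed example, not Windows Firewall code).

It remembers every outbound SYN by its 4-tuple and lets an inbound SYN-ACK
through only if it answers one of those SYNs. Inbound packets with no
matching state are dropped and logged, which is the check the sidebar
describes.
"""
from dataclasses import dataclass, field

# TCP flag bits as defined in RFC 793
FIN = 0x01
SYN = 0x02
RST = 0x04
ACK = 0x10


def make_packet(src, sport, dst, dport, flags):
    """Build a minimal packet record; real code would parse these from a TCP header."""
    return {"src": src, "sport": sport, "dst": dst, "dport": dport, "flags": flags}


@dataclass
class StatefulFilter:
    # Keys are (local_ip, local_port, remote_ip, remote_port) from the host's view
    pending: set = field(default_factory=set)       # SYN sent, SYN-ACK not yet seen
    established: set = field(default_factory=set)   # handshake completed
    dropped: list = field(default_factory=list)     # (reason, packet) audit trail

    def outbound(self, pkt):
        """Record the state created by a packet the host itself sends."""
        key = (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
        flags = pkt["flags"]
        if flags & SYN and not flags & ACK:
            self.pending.add(key)            # a SYN-ACK for this tuple is now expected
        elif flags & (FIN | RST):
            self.pending.discard(key)        # connection torn down: forget its state
            self.established.discard(key)
        return True                          # this toy never filters outbound traffic

    def inbound(self, pkt):
        """Return True to accept an inbound packet, False to drop it."""
        # Flip the tuple so it is keyed the same way the outbound SYN was
        key = (pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"])
        flags = pkt["flags"]
        if key in self.established:
            return True                      # part of a connection we opened
        if flags & SYN and flags & ACK:
            if key in self.pending:
                self.pending.discard(key)    # the reply we were waiting for
                self.established.add(key)
                return True
            self.dropped.append(("unsolicited SYN-ACK", pkt))
            return False
        # Any other packet with no matching state: inbound SYNs (no listening
        # ports in this toy), bare ACKs, and so on
        self.dropped.append(("no matching state", pkt))
        return False


def run_demo():
    """Walk through one solicited handshake and two unsolicited SYN-ACKs."""
    fw = StatefulFilter()
    local, remote, other = "10.0.0.5", "203.0.113.10", "198.51.100.7"  # constructed addresses

    # 1. Host opens a connection: the outbound SYN creates pending state
    fw.outbound(make_packet(local, 50000, remote, 443, SYN))
    # 2. The server's SYN-ACK matches the pending tuple and is accepted
    solicited = fw.inbound(make_packet(remote, 443, local, 50000, SYN | ACK))
    # 3. The host's ACK completes the handshake (no new state needed)
    fw.outbound(make_packet(local, 50000, remote, 443, ACK))
    # 4. Data arriving on the established connection is accepted
    data = fw.inbound(make_packet(remote, 443, local, 50000, ACK))
    # 5. A SYN-ACK nobody asked for is dropped and logged
    unsolicited = fw.inbound(make_packet(other, 80, local, 50001, SYN | ACK))
    # 6. Right ports, wrong source address: the whole tuple must match the
    #    SYN we sent, not just the port, so this is dropped too
    wrong_source = fw.inbound(make_packet(other, 443, local, 50000, SYN | ACK))

    return {
        "solicited": solicited,
        "data": data,
        "unsolicited": unsolicited,
        "wrong_source": wrong_source,
        "drop_reasons": [reason for reason, _ in fw.dropped],
    }


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {value}")
```

Two points the walk-through makes visible: the cost of tracking state is one set lookup per inbound packet, which is far cheaper than letting the TCP stack process a SYN-ACK it never asked for, and matching on the full 4-tuple rather than the port alone is what stops a reply from a different address being taken for the expected one.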


The firewall in Windows XP SP2 provided acceptable functionality and quite adequate security for the vast majority of organizations. Still, many organizations purchased third-party firewalls (often to obtain features that they eventually turned out not to use and which often provided little or no security value, such as outbound filtering). To address the demand for additional features, Microsoft launched a massive overhaul project for the firewall in Windows Vista.

WHY DO YOU NEED A FIREWALL?

Everyone should have a firewall on their computer. It certainly will not stop everything. But, it will protect you both against accidental exposures and programming mistakes by programmers who did not entirely practice the type of defensive programming required when you are writing programs that take network input. Such programs are far more complicated than purely local programs. As Alun Jones, author of the WFTPD FTP server, says: "Network programming is the hardest kind of programming because you're only writing half the program, and the guy writing the other half hates you."




Windows Vista Security. Securing Vista Against Malicious Attacks
ISBN: 470101555
Year: 2004
Pages: 163