Windows Vista Two Way Firewall

John Lock the door! And come... Let us go... said mom to her 8 year old son. We hear the term "Lock the door..." in almost every day and keep using locks every day to protect our house from thieves. Thus, the word "Security" is used for protecting something from getting stolen or from some mishaps.

As said above, one can arrange physical security arrangements like locking the computer labs, rooms. However, these security arrangements will not help to prevent the data inside the computer from getting stolen, especially, in case, if the computer gets connected to network and internet. In case of home, Personal details and other data related to bank accounts, various calculations, etc. can be whisked away by some miscreants, if one fails to provide software security to the system. Similarly, business details and other highly confidential details are often under security threats, if there is no proper security arrangements are made by the organization.

What is a firewall?

A firewall is one of the security measures, is basically a program used to block dangerous network traffic and ensure safety from getting unsafe data. In early days of windows family of operating systems, there was no direct protection to the systems. Users of old windows, made to go for third party firewalls. However, with release of Windows XP, the concept of built in firewall was introduced in the client systems.

The new operating system of Windows Family, the Windows Vista which is planned to be released on early 2007, and Longhorn the server family of operating system, has got a new and enhanced version of firewall with it. The new firewall will be similar to that of firewall in Windows XP Service Pack 1 and Service Pack 2.

Much control over the network traffic in Vista Firewall

The new two-way firewall for Windows Vista is designed to give administrators much control over the network traffic and applications while one uses internet. The firewall is in its development and testing stage and is likely to be released in real version along with the final version of Windows Vista.

The firewall is said to be "Two-Way" because, it filters and blocks both in-coming and out-going network data. It can be used to block systems which are trying to connect to applications, using illegal means. This feature of blocking out-going data does not exist in Windows XP firewall. By using the new feature, administrators can ensure that their PC’s only uses a preferred Instant Messaging application. If some one uses some other Instant Messaging application, other than one, which administrator is using, it will be blocked.

Firewall Features:

The new firewall designed for Windows Vista and Windows Server Long horn have the following features. They are,

  • It enables filtering for both incoming and outgoing network traffic
  • It has internet protocol security settings and Firewall filtering settings integrated
  • It has got Microsoft Management Console Snap In for User Interface,
  • Exceptions for filtering can be configured for Active Directory, directory service account and groups, IP addresses, TCP (Transmission Control Protocol) and UDP (User Datagram Protocol) ports, Internet Control Message Protocol and IPV6 services.

Features introduced in the Community Technical Preview build 5270

The new firewall features were introduced in the Community Technical Preview build 5270, but found difficult for a user to access it. One might come to the conclusion, after installing Build 5270 that, the firewall has not changed. One needs to create a customized management console, and configure it to load windows firewall with advanced security. The management console can be handled in two ways. The first way is "Single machine mode" where in it can manage only the computer, in which it has been installed. The second way is to configure the firewall, with an Active Directory setup to protect a number of machines. For example if one has got 100 systems then one can setup a policy, one time, to block given application.

The new firewall supports methods to block incoming data, dropping all incoming data that does not correspond to either traffic sent in response to a request of the computer or the traffic that is given exception by the user. This is very important aspect of blocking, as it prevents spreading infections of most dangerous network level viruses and worms that spread through unsolicited incoming data.

Configuring the firewall:

The network administrator can configure the new Windows Vista Firewall to block all traffic sent to specific ports, such as the well known ports used by virus software or to the specific IP addresses of computers that contain the sensitive content. The default setting of the Windows Firewall is to,

  • Block all incoming data, unless it is solicited or matches a given exception,
  • Allow all outgoing data unless it matches a given exception.

One can configure the new Windows Vista firewall, by using Windows Firewall item in the control panel. Here one cannot configure the enhanced settings. The new firewall can be configured with an MMC Snap-in item named "Windows Firewall with Advanced Security". One must add the snap-in "Windows Firewall with Advanced Security" to an MMC Console. There is presently no predefined console available for this firewall.

One can configure the firewall using command line also. For this, one should run the commands in netsh advfirewall context. This context is not there for computers running Windows XP with SP1 and SP2 or Windows 2003 Server.

If one configures the new firewall for group Policy based configuration, Windows XP with SP1 and SP2 and Windows 2003 Server will ignore the settings and continue with its old firewall. However, in Beta Version of Windows Vista, one cannot see the rules defined for blocking or allowing the network traffic, in the control Panel.

For Group Policy based configuration, one need to open Computer, then Configuration, Windows Settings, Security Settings, Windows Firewall with Advanced Security in the Group Policy Editor snap-in. The new firewall will apply the settings done, to the current Windows Firewall at ComputerConfigurationAdministrative TemplatesNetworkNetwork ConnectionsWindows Firewall.

IPSec and firewall based security:

IP Security has become a level of issue, today for different users. Internet uses IP addresses to identify the server name one specifies. The web pages stored in the web sites get downloaded after resolving the domain name to IP address, which is further converted to binary because, computers can only understand binary form. IPSec is a set of Internet standards which provides higher level of protection for IP traffic. In Windows XP and Windows Server 2003, Both Firewall and IPSec are configured separately. Windows Vista’s new firewall will combine the network services using the same GUI and command line commands. This simplified the configuration settings of the IPSec, highly.

More things that can be done in new firewall:

With new Windows firewall one can configure rules for Active Directory Accounts and groups. One can specify the list of computer accounts and groups or user accounts and groups that are authorized to initiate protected communication for both outgoing and incoming data.

One can also specify the scope of expected incoming data. This is used to define the portion of the IP addresses, which are suspected to be dangerous. In the client systems, the new firewall can be configured to block both outgoing and incoming data, through the set of IP addresses of servers.

For destination addresses that are meant to be blocked, one can specify, predefined addresses, with the firewall. They are the IP addresses of Default gateways, WINS servers, DHCP servers, DNS servers, and Local subnets.

With new firewall, one block the network traffic for IP protocol number. At present, one can create rules based on TCP or UDP traffic, but, cannot define other type of network traffic to be blocked apart from TCP and UDP. There is a chance of getting network traffic through the use of any other protocol. So, the new firewall is designed in a way that, we can add other type of protocols, which are found to be suspicious. One can manually type the value number of the protocol directly.

One can specify comma separated values list of multiple TCP or UDP ports that are meant for blocking in Windows Vista new firewall. One can even specify all ports to fall under rule. The problem here is that, one should specify explicitly the port number though the port numbers fall under one range. For example, to block port numbers between 500 to 503, instead of specifying 500-503, one should specify as "500, 501, 502, 503".

One can also configure the rules for specific type of interfaces, which includes LAN, remote access or wireless interfaces. For example, if an application is used only for remote access and not for others, then one can configure the rule to be applied to remote connections only.

With the existing old firewall one can only enable rules for handling a fixed set of ICMP and ICMPV6 messages. In new firewall, there is list of a predefined set of commonly expected ICMP and ICMPV6 messages, and new ICMP and ICMPV6 messages can be added by specifying ICMP and ICMPV6 message type and code field values.

In the present firewall, one can configure a rule for services by specifying the path to the service program file name. With the new firewall one can specify that the defined rule applies to different processes, services. One can specify short name for the service name. For example, if one wants to configure a rule for a specific Computer browser service, then they can select the computer browser service in the list of services that are present in the computer.

Practical approach towards using Windows firewall with advanced security snap-in:

To configure advanced settings for the new firewall one must add the firewall with Advance Security Component to a MMC Console.

From Vista, Click Start, and type mmc into the text box provided there, and press enter.

In the MMC console Window, Click File, select Add/Remove Snap in option.

In the available Snap-Ins Click Windows Firewall with Advanced Security and click add.

Up on adding the snap-in, it prompts the user asking the computer name to manage. Select Local Computer and click Finish and then click OK.

To switch ON or OFF, the status of the firewall, Right click the "Windows Firewall with Advanced Security" and select properties from the resulting popup menu.

One can store a set of configuration rules, under separate nodes. These nodes are,

  • Inbound Rules,
  • Out Bound Rules,
  • Computer Connection Security,
  • Monitoring.

The Inbound Rules node stores a set of configuration rules for incoming traffic. The Outbound Rules node stores a set of configuration rules for outgoing traffic. The Computer Connection Security node holds a certain rules for protected connection and protected network traffic. Monitoring displays information on present firewall rules, connection and security rules and various security options and associations that are available. This node is not displayed when one views the firewall with advanced security snap-in through and within Group Policy Editor snap-in.

The Overview, Links and Resource panel are displayed when one selects Windows Firewall with Advanced Security node in the tree.

The overview panel displays the present status of the Windows Firewall for domain. It also includes standard profiles which are active.

The Links and Resources panel provide links to additional information about common procedures and topics for the firewall.

The Actions panel displays the context menu of command for the currently selected node in either the tree or details pane.One can create four types of rules in Inbound Rule Wizard. One can launch the same through right clicking over Inbound Rule node and selecting the option New Rule. The four types are Program, Port, Predefined and Custom.

One can specify a rule for incoming data based on program name, to which the data is meant. One can also specify an action (Allow, Block, Protect) to which the rule applies, and a name to the rule.

Ports are the main communication streams for applications that work on the internet. Some times unknown, dangerous data are being transmitted through the internet, through the use of ports. This data can cause harm to the computer. So, there was need for the incoming data to be blocked, through the ports. Vista’s new firewall blocks, allows, or protects data coming through the TCP and UDP ports, by allowing us to configuring a rule to do the specified action.

To take action against predefined services, one must select the predefined services in the New Rule dialog box. The predefined services are, Remote Assistance, File and Printer Sharing, Remote Desktop, Universal Plug and Play (UPnP) Framework, and ICMP Echo Request (v4).

One can use Custom to create a rule, which does not include a program, port or a predefined service. Selection of the option enables one to manually configure the rule behavior. One can specify a name for the rule.

Similarly, for an outbound also, one can configure the rules, again by choosing 4 options which are same as inbound new rule, exception being that, it is configured for providing protection to outgoing network traffic.

After this, process, one will have the set of outbound rules and inbound rules stored. And they will be used by the firewall to filter and block the data coming into and going out of the system. One can configure the advanced properties for the firewall, by right clicking over the rule name and select properties. The resultant dialog box will have four tabs and as follows,

General: This contains the rule’s name, the program to which the rule applies, and the rule’s action.

Program and services: The program or services to which the rule applies.

Computers: If the rule’s action is to allow only secured connection, the computer account is allowed to make protected connection.

Protocols and Ports: This includes, the IP protocol to which rule belongs to, Source and Destination TCP and UDP ports and ICMP and ICMP V6 settings.

Scope: The rule’s scope, i.e. its source and destination scopes through addresses.

Advanced: This tab contains the types of interface to which the rule applies.

There is no direct link for the new firewall, in control panel settings or in any other settings. So, therefore, it is very difficult to find and configure the new firewall.

Though there are many security products available with similar capabilities, this firewall is built into the operating system and makes life much easier for network administrators in the organization. There will be major difference between Windows XP and Windows Vista in terms of firewall also. The underlying code for firewall called Windows Filtering Platform has been redone for Vista. Microsoft is doing a great job in this regard, by helping the users of Windows Vista by protecting their systems, by using two different levels of firewalls embedded in to the Window Vista system.

Check out more topics on windows from here,

Advantages and Disadvantages of Windows 7

16 Reasons Why Should You Select Windows Vista

Advantages and Disadavantages of Windows Vista

Advice on Upgrading to Windows Vista

All about Windows Vista Migration

Wanna make Windows XP look like Vista ?

Change Windows Vista Appearance

Cloud Computing Deployment Models


Latest Posts


Most Popular