Firewalls can run on a network’s perimeter to
protect computers on the network via filtering both inbound and
outbound traffic. Firewalls can also run on a host computer to protect
that host. Let’s look briefly at these two types of configurations.
Network Perimeter Firewalls
Network perimeter firewalls provide a variety of services to protect network traffic. They may be dedicated hardware appliances, software running on a general-purpose host, or a combination of the two. Some perimeter firewalls also provide application proxy services. Perimeter firewalls typically provide the following services:
Management and control of network traffic through stateful packet inspection, connection monitoring, and application-level filtering.
Stateful connection analysis, which tracks the state of each connection between computers on the network so that every packet is evaluated in the context of the connection it belongs to rather than in isolation.
Virtual private network (VPN) gateway functionality providing IPsec authentication and encryption services, along with NAT Traversal (NAT-T), which encapsulates IPsec traffic in UDP so that it can pass through the firewall between public and private IP addresses.
Host-based Firewalls
Although perimeter firewalls filter traffic flowing into and out of the network, they never see traffic between two hosts inside the perimeter, so they offer no protection against a compromised or hostile machine on the internal network. Host-based firewalls protect each host from threats that originate inside the network itself. You can configure a host firewall to block specific types of incoming and outgoing traffic to provide an extra layer of security for that host.
New Features in Windows Firewall with Advanced Security
Before we look at the specifics of Windows Firewall with Advanced Security, let’s take a look at the new features. Be sure to explore these features fully on your Windows Server 2008 computer since, as we’ve stated several times, the new features are the most likely to be tested on an exam.
IPsec Integration
This is a significant change from previous versions of Windows. In Windows Server 2008, IPsec is integrated into the firewall functionality, as shown in Figure 1. In the Windows Firewall with Advanced Security snap-in, firewall filtering and IPsec rule configuration are configured together. Note, however, that if you want to configure IPsec for computers running an operating system prior to Windows Server 2008 or Windows Vista, you’ll need to use the IPsec Policy Management snap-in instead.
Support for IPv6
The firewall function in Windows Server 2008 provides native support for IPv6. It also still fully supports IPv4, as well as the IPv6-over-IPv4 transition technologies 6to4 and Teredo; Teredo tunnels IPv6 inside UDP/IPv4 so that hosts behind IPv4 NAT devices can reach IPv6 destinations (it is discussed briefly in this chapter).
Support for Active Directory Users, Computers, and Groups
Firewall rules can filter connections by Active Directory user, computer, or group. A packet carries no account information on its own, so such connections must be secured with IPsec and authenticated with a credential that carries the AD identity. Kerberos V5, the default IPsec authentication method in Windows Server 2008, is such a credential.
Location-Aware Profiles
There are three built-in profiles in the firewall software: domain, private, and public. If you enable all three, the software determines which profile to apply from the network location (and connection) the computer currently has. The domain profile is active when every interface can authenticate to a domain controller for the computer’s domain. The private profile is used when the computer is connected to a private network behind a private gateway or router. The public profile is used when the computer is connected to a public or unidentified network, such as those found at airports and coffee shops. You would rarely use the public profile on a server unless it happens to sit in a DMZ. Windows Vista and Windows Server 2008 share the same code base, so the public profile exists on both, but it is geared primarily toward Vista-based mobile computers rather than servers. You might choose to disable the public profile on your Windows Server 2008-based computers.
Detailed Rules
By default, Windows Firewall with Advanced Security is enabled for both inbound and outbound traffic, and the default settings block most unsolicited incoming traffic while allowing outgoing traffic. This version of the firewall lets you write rules that match any IP protocol number in the Internet Assigned Numbers Authority (IANA) registry, not just the TCP, UDP, and ICMP that previous versions could filter. Rules can also be scoped by Active Directory accounts and groups, program name, TCP or UDP port, ICMPv4 and ICMPv6 type and code, local and remote IP addresses, and interface type. The defaults are a very good starting point, and you now have the capability to be very specific in your traffic rules when you need to be.
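The following commands, added here as an illustration and not drawn from the chapter, show the kinds of rules described above on a Windows Server 2008 computer using netsh advfirewall, the command-line interface to Windows Firewall with Advanced Security (the NetSecurity PowerShell cmdlets did not exist until Windows Server 2012). Run them from an elevated PowerShell prompt. The rule names, addresses, ports, and program path are assumptions chosen for the example.

```powershell
# Added example, not from the original chapter. Requires an elevated prompt on
# Windows Server 2008. Rule names, addresses, ports and the program path are
# assumptions chosen for illustration.

# Inspect the state and default actions of all three profiles first.
netsh advfirewall show allprofiles

# A server that never leaves the data center: turn the public profile off,
# as the text suggests, and leave domain and private enabled.
netsh advfirewall set publicprofile state off

# Inbound rule scoped to the domain profile, one TCP port, one source subnet.
netsh advfirewall firewall add rule name="SQL from app tier" dir=in action=allow `
    protocol=TCP localport=1433 remoteip=10.10.20.0/24 profile=domain

# Filtering on a raw IANA protocol number (47 = GRE), something the earlier
# firewall could not express because it understood only TCP, UDP and ICMP.
netsh advfirewall firewall add rule name="GRE from VPN concentrator" dir=in action=allow `
    protocol=47 remoteip=10.10.1.5 profile=domain

# ICMP type/code filtering: permit only echo request (ICMPv4 type 8, ICMPv6
# type 128) rather than every ICMP message. Values containing commas are
# quoted so PowerShell does not split them into separate arguments.
netsh advfirewall firewall add rule name="ICMPv4 echo request" dir=in action=allow `
    protocol="icmpv4:8,any" profile="domain,private"
netsh advfirewall firewall add rule name="ICMPv6 echo request" dir=in action=allow `
    protocol="icmpv6:128,any" profile="domain,private"

# Program-based rule: the port is open only while this binary is the listener.
netsh advfirewall firewall add rule name="Inventory agent" dir=in action=allow `
    program="C:\Program Files\Contoso\agent.exe" protocol=TCP localport=8443 profile=domain

# Outbound is allow-by-default, so stopping a host from "phoning home" takes
# explicit block rules. A matching block rule always wins over an allow rule,
# so any exception has to be carved out of the block rule's own remoteip
# scope; adding a separate allow rule for the same port would not help.
netsh advfirewall firewall add rule name="Block outbound IRC" dir=out action=block `
    protocol=TCP remoteport=6667 remoteip=any

# Confirm the rule exists and see how netsh rendered each value.
netsh advfirewall firewall show rule name="Block outbound IRC" verbose
```

The same rules can be pushed to many servers through Group Policy; the local commands are useful for a lab box and for checking exactly what a rule resolves to before you put it in a GPO.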
Expanded Authenticated Bypass
Previous versions of the firewall software provided an “all or nothing” style of authenticated bypass: a computer that authenticated with IPsec could be granted full access to another computer, but you could not narrow that exception to particular ports or protocols. In Windows Server 2008 (and Windows Vista), authenticated bypass rules can specify which ports or programs the exception covers and which computers or groups of computers it applies to. The host stays protected by its normal rule set while you grant rule-based exceptions exactly where they are needed.
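As an added example (not from the chapter), this is how such a scoped bypass rule looks with netsh advfirewall on Windows Server 2008. The domain name CORP, the group name Vulnerability Scanners, and the port are assumptions; the rule lets members of that group, after IPsec authentication, reach TCP/445 and nothing else.

```powershell
# Added example, not from the original chapter. Run from an elevated PowerShell
# prompt on a domain-joined Windows Server 2008 host. CORP, the group name and
# the port are assumptions for illustration.

# The rule identifies the computer group by SID inside an SDDL string. Resolve
# the name instead of typing a SID by hand (needs a reachable domain controller).
$group = [System.Security.Principal.NTAccount]"CORP\Vulnerability Scanners"
$sid   = $group.Translate([System.Security.Principal.SecurityIdentifier]).Value
$sddl  = "D:(A;;CC;;;$sid)"      # DACL granting the CC right to that one SID

# Authenticated bypass: a connection that arrives IPsec-authenticated from a
# computer in the group skips any block rule, but only for TCP/445 and only for
# those computers. Other traffic from the same peers still hits the normal rules.
netsh advfirewall firewall add rule name="Scanner bypass for SMB" dir=in `
    action=bypass security=authenticate protocol=TCP localport=445 `
    rmtcomputergrp="$sddl" profile=domain

# action=bypass only has an effect when the peers can negotiate IPsec, so a
# connection security rule must exist as well; "request" mode is enough here
# because the bypass rule itself insists on authentication.
netsh advfirewall consec add rule name="Request IPsec (domain)" `
    endpoint1=any endpoint2=any action=requestinrequestout `
    auth1=computerkerb profile=domain

netsh advfirewall firewall show rule name="Scanner bypass for SMB" verbose
```

If the scanner group is a user group rather than a computer group, use rmtusrgrp with the same SDDL form; in that case the connection security rule must use an authentication method that carries the user identity, not just the computer account.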
Network Location-Aware Host Firewall
In Windows Server 2008, the Windows Firewall with Advanced Security can act both as a network location-aware host firewall and as part of a server and domain isolation strategy. Let’s look at these two scenarios in detail to understand the considerations for these deployment options.
Windows Server 2008 (as well as Windows Vista) includes network awareness APIs that let applications sense changes to the network configuration. A corporate laptop that goes into standby or hibernate and later wakes up on a home network or a public hotspot detects that it is on a new network, and the firewall settings change accordingly. This is clearly less useful on a Windows Server 2008 computer permanently connected to a corporate network; it is intended mainly for mobile computers, which usually run Windows Vista, though nothing prevents a mobile machine from running Windows Server 2008. Although the functionality is included in Windows Vista, we’ll describe it within the Windows Server 2008 context.
Windows Server 2008 identifies and remembers network connections and
can apply settings according to these configurations. Applications can
query for characteristics of networks including:
Connectivity. Is the computer connected to a network at all, and does that network reach only the local segment or the Internet?
Connections. Is the computer attached to the network through one connection or several?
Category. What type of network is the computer connected to? Each network is assigned a category in Windows Server 2008 that identifies the network type, and firewall settings are applied based on that category.
There are three network location types used in Windows Firewall with Advanced Security:
Domain. A network on which the Windows Server 2008 (or Windows Vista) computer can authenticate to a domain controller via Active Directory.
Private. A network is categorized as private if a user or application identifies it as such. Only networks behind a NAT device should be identified as private networks.
Public. Every other network to which the computer connects, including public connections such as those found at airports, hotel lobbies, and coffee shops (typically relevant to Windows Vista rather than Windows Server 2008, though the category exists in both operating systems).
Although all three profiles can be enabled simultaneously, only one profile is applied at a time and in this order:
If all connections (interfaces) are authenticated to a domain controller for the domain of which the computer is a member, the domain profile is applied.
Otherwise, if all connections (interfaces) are either authenticated to a domain controller or connected to networks identified as private, the private profile is applied.
If neither of the two previous conditions holds, the public profile is applied.
Clearly, the public profile is the most restrictive and is applied whenever the computer is not authenticated to its own domain and is not on a private (and therefore somewhat protected) network. In all profiles, most incoming traffic is blocked by default, with the exception of core networking traffic. With the private profile applied, network discovery and remote assistance traffic is allowed in addition to core networking. The default settings in all profiles also allow almost all outbound traffic; you must create specific rules to block outgoing traffic to suit your needs.
You might choose to configure specific rules for outbound traffic on your network. Although it’s fairly clear why you’d block unsolicited incoming traffic, blocking outbound traffic can be extremely useful in preventing malware from “phoning home”, whether to fetch instructions from a command-and-control server or to send stolen data back to the attacker.
Server and Domain Isolation
As an experienced network administrator, you’re probably familiar with the concept and practice of isolation. You know that you can physically and/or logically isolate network segments for a variety of reasons. You can use these segments to speed up the network by keeping local traffic local, or you can use them as a way to increase network security. In a Windows Server-based network, you can isolate server and domain resources to limit access to authenticated and authorized computers and so prevent unauthorized computers (and programs) from gaining access to resources. There are two primary types of isolation available in this regard: server and domain.
Server Isolation
A server can be configured to accept only IPsec-authenticated connections, and only from specified computers or groups of computers. A database server, for example, can be set up to accept connections only from the web application servers in front of it. In this way, the only traffic allowed to the server is traffic from a specific computer or computers; an unauthenticated host, even one inside the domain network, cannot reach the service at all.
Domain Isolation
Domain isolation uses IPsec policy to protect traffic sent between computers in a domain, including client (host) and server computers. Active Directory domain membership is used to ensure that computers that are members of the domain accept only secure, authenticated traffic (IPsec) from other members of the domain.
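The connection security rules behind both isolation models, as an added example rather than configuration taken from the chapter, look like this with netsh advfirewall on a Windows Server 2008 domain member. In production they are deployed through Group Policy; the local commands show the same rules on a single lab host. The domain CORP, the group SQL Clients, and all addresses and ports are assumptions.

```powershell
# Added example, not from the original chapter. Connection security rules for
# domain and server isolation on Windows Server 2008 via netsh advfirewall,
# run from an elevated PowerShell prompt on a domain member. CORP, the group,
# the addresses and the ports are assumptions for illustration.

# --- Domain isolation -----------------------------------------------------
# Step 1: request IPsec in both directions. Domain members authenticate each
# other with Kerberos; a peer that cannot negotiate still gets cleartext, so
# nothing breaks while you confirm in Monitoring > Security Associations that
# SAs are actually being formed.
netsh advfirewall consec add rule name="Domain isolation" `
    endpoint1=any endpoint2=any action=requestinrequestout `
    auth1=computerkerb profile=domain

# Step 2: once every member is covered, require authentication for inbound
# connections; outbound stays "request" so servers can still reach devices
# that cannot do IPsec, such as printers.
netsh advfirewall consec set rule name="Domain isolation" `
    new action=requireinrequestout

# Domain controllers must be exempt: a member needs cleartext access to a DC to
# obtain the Kerberos ticket that authenticates the IPsec SA in the first place.
# The more specific exemption takes precedence over the general rule above.
netsh advfirewall consec add rule name="Exempt domain controllers" `
    endpoint1=any endpoint2="10.10.0.10,10.10.0.11" action=noauthentication `
    profile=domain

# --- Server isolation -----------------------------------------------------
# The database server (10.10.30.5) takes TCP/1433 only over IPsec and only from
# computers in CORP\SQL Clients: the connection security rule forces the peer
# to authenticate, and the firewall rule then checks the authenticated identity.
$group = [System.Security.Principal.NTAccount]"CORP\SQL Clients"
$sid   = $group.Translate([System.Security.Principal.SecurityIdentifier]).Value

netsh advfirewall consec add rule name="SQL requires IPsec" `
    endpoint1=any endpoint2=10.10.30.5 protocol=tcp port1=any port2=1433 `
    action=requireinrequireout auth1=computerkerb profile=domain
netsh advfirewall firewall add rule name="SQL from authorized clients only" dir=in `
    action=allow protocol=TCP localport=1433 security=authenticate `
    rmtcomputergrp="D:(A;;CC;;;$sid)" profile=domain

# Review the result: the rules now, and the main-mode SAs once clients connect.
netsh advfirewall consec show rule name=all
netsh advfirewall monitor show mmsa
```

Roll the domain isolation rule out in request mode first and leave it there until the security association monitor shows every expected peer negotiating; switching straight to require mode cuts off any machine that is not yet in scope of the policy.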