Network firewalls, located at the boundary between the internal network and external networks such as the Internet, typically provide a variety of services. Such products are either hardware-based, software-based, or a combination of both. Some also provide application proxy services, an example of which is Microsoft® Internet Security and Acceleration (ISA) Server.

Most of these types of network firewall products provide some or all of the following functionality:

• Management and control of network traffic by performing stateful packet inspection, connection monitoring, and application-level filtering.
  
  
• Stateful connection analysis by inspecting the state of all communications between hosts and storing connection data in state tables.
  
  
• Virtual private network (VPN) gateway functionality by providing IPsec authentication and encryption together with Network Address Translation-Traversal (NAT-T), allowing permitted IPsec traffic to traverse the firewall with public to private IPv4 address translation.
  
  

Note
A new method of NAT traversal transition for IPv6 called Teredo is also available in Windows Vista and later versions of Windows.

Network perimeter firewalls cannot provide protection for traffic generated inside a trusted network. For this reason, host-based firewalls running on individual computers are needed. Host-based firewalls, of which Windows Firewall with Advanced Security is an example, protect a host from unauthorized access and attack.

In addition to blocking unwanted incoming traffic, you can configure Windows Firewall with Advanced Security to block specific types of outgoing traffic as well. Host-based firewalls provide an extra layer of security in a network and function as integral components in a complete defense strategy.

In Windows Firewall with Advanced Security, firewall filtering and IPsec are integrated. This integration greatly reduces the possibility of conflict between firewall rules and IPsec connection security settings.

Note
IPsec provides a security framework for Layer 3 (Network layer) of the TCP/IP stack. IPsec is a suite of protocols that ensures data confidentiality, data integrity, and data authentication between peers.

Many applications connect to the Internet to look for updates, download real-time information, and facilitate collaboration between users. However, creating applications that can automatically adapt to changing network conditions has been difficult for developers. Network Location Awareness (NLA) APIs enable applications to sense changes to the network to which the computer is connected, such as placing a portable computer into standby mode at work and then restarting it at a wireless hotspot. This enables Windows Vista and later versions of Windows to alert applications of network changes, and these applications can then behave differently to provide a seamless experience.

Windows 7, Windows Vista, Windows Server 2008 R2, and Windows Server 2008 identify and remember each of the networks to which they connect. Network Awareness APIs then allow applications to query for characteristics of each of these networks, including:

• Connectivity. A network might be disconnected, it might provide access to only the local network, or it might provide access to the local network and the Internet.
  
  
• Connections. A computer might be connected to a network by one of more connections. Network Awareness APIs enable applications to determine which connections Windows is currently using to connect to a specific network.
  
  

There are three network location types in Windows Firewall with Advanced Security:

• Domain. Windows automatically identifies networks on which it can authenticate access to the domain controller for the domain to which the computer is joined in this category. No other networks can be placed in this category.
  
  
• Public. Other than domain networks, all networks are initially categorized as public. Networks that represent direct connections to the Internet or are in public places, such as airports and coffee shops should be left public.
  
  
• Private. A network will only be categorized as private if a user or application identifies the network as private. Only networks located behind a NAT device (preferably a hardware firewall) should be identified as private networks. Users will likely want to identify home or small business networks as private.
  
  

When a user first connects to a network that is not part of the domain network location type, Windows asks the user to identify the network as either public or private. The user must be a local administrator of the computer to identify the network as private. When the types of networks to which the computer is connected are identified, Windows is able to optimize some of its configuration (especially its firewall configuration) for the specified network location types.

The Windows Firewall with Advanced Security is an example of a network-aware application. The administrator can create a profile for each network location type, with each profile containing different firewall policies. For example, the Windows Firewall can automatically allow incoming traffic for a specific desktop management tool over a connection to a domain network, but block similar traffic over connections to public or private networks. In this way, network awareness can provide flexibility on your internal network without sacrificing security when mobile users travel. A public network profile should have stricter firewall policies to protect against unauthorized access. A private network profile, on the other hand, might have less restrictive firewall policies to allow file and print sharing, peer-to-peer discovery, and connectivity with Windows Connect Now devices.

In Windows 7 and Windows Server 2008 R2, each network connection is assigned the profile appropriate for the network to which it is attached.

Important
In Windows Vista and Windows Server 2008, only one profile is applied at any one time.

The profile selection order used in Windows Vista and Windows Server 2008 is as follows:

1. If any interface is connected to a network classified as public then the public profile is applied to all connections on the computer.
   
   
2. If no interfaces are connected to a public network, but one or more interfaces are connected to networks that are classified as private then the private profile is applied to all connections on the computer.
   
   
3. Only if all interfaces are authenticated to a domain controller for the domain of which the computer is a member then the domain profile is applied to all connections on the computer.
   
   

This process is not used in Windows 7 or Windows Server 2008 R2 because each connection is assigned to the profile appropriate for its detected network type.

By default, all unsolicited incoming traffic is blocked except for core networking traffic. On the private profile, network discovery and remote assistance traffic is allowed. You must create specific rules to allow other authorized traffic to pass through the firewall into the computer. The default settings allow all outgoing traffic. You must specifically block programs or types of outgoing traffic that you do not want allowed.

In a Microsoft Windows-based network, you can logically isolate server and domain resources to limit access to authenticated and authorized computers. For example, you can create a logical network inside the existing physical network where computers share a common set of requirements for secure communications. Each computer in this logically isolated network must provide authentication credentials to other computers in the isolated network in order to establish connectivity.

This isolation helps prevent unauthorized computers and programs from gaining access to resources inappropriately. Requests from computers that are not part of the isolated network are ignored. Server and domain isolation can help protect specific high-value servers and data as well as protect managed computers from unmanaged or rogue computers and users.

You can use two types of isolation to protect a network:

• Server isolation. In a server isolation scenario, specific servers are configured to require IPsec policy to accept only authenticated communications from other computers. For example, you might configure the database server to accept connections from the web application server only.
  
  
• Domain isolation. To isolate a domain, you use Active Directory domain membership to ensure that computers that are members of a domain accept only authenticated and secured communications from other computers that are domain members. The isolated network consists of only computers that are part of the domain. Domain isolation uses IPsec policy to provide protection for traffic sent between domain members, including all client and server computers.
  
  

For more information about server and domain isolation on the Microsoft Web site, see Server and Domain Isolation (http://go.microsoft.com/fwlink/?LinkId=74576).

You can navigate to Windows Firewall with Advanced Security by using either of the following procedures.

1. Click the Start button, and then click Control Panel.

2. In Control Panel, click System and Security (in Windows 7 or Windows Server 2008 R2), or System and Maintenance (in Windows Vista or Windows Server 2008.

3. Click Administrative Tools at the bottom of the screen.

4. Double-click Windows Firewall with Advanced Security.

Note
If you are running Windows 7 or Windows Server 2008 R2, you can also open the Windows Firewall Control Panel program, and then click the Advanced settings link in the left-hand pane.

1. Click Start, and then in the Start Search box, type mmc, and then press ENTER.

2. If a User Account Control prompt appears, verify the information presented, and then provide the requested permission or credentials.

3. On the File menu, click Add/Remove Snap-in.

4. In the Available snap-ins list box, click Windows Firewall with Advanced Security, and then click Add.

5. If you are running Windows 7 or Windows Server 2008 R2, select either Local computer, or else select Another computer and then type the name of the computer you want to manage. Click Finish when you are done.

6. Click OK.

7. Repeat steps 1 through 6 to add Group Policy Management Console or other snap-ins that you want to use. You might also want to add Event Viewer to view audit log files.

8. Before you close the snap-in, save and name the custom console for future use.

Configuring firewall properties

To configure firewall properties, in the Overview pane, click Windows Firewall Properties. The Windows Firewall with Advanced Security on Local Computer property sheet displays a tab for each of the three available profiles (Domain Profile, Private Profile, and Public Profile) and a tab for IPsec Settings.

Configuring a profile

The tabs for each profile contain identical options. The options on each tab control how Windows Firewall with Advanced Security behaves on a connection that is attached to the specified type of network.

The options that you can configure for each of the three profiles are as follows:

• Firewall State. You can turn Windows Firewall with Advanced Security on or off independently for each profile.
  
  
• Inbound Connections. You can configure inbound connections to follow one of these rules:
  
  
  • Block (default) - Windows Firewall with Advanced Security blocks connections that do not match any active firewall rules.
    
    
  • Block all connections - Windows Firewall with Advanced Security ignores all inbound rules, effectively blocking all inbound connections.
    
    
  • Allow - Windows Firewall with Advanced Security allows inbound connections that do not match an active firewall rule.
    
    
• Outbound Connections - You can configure outbound connections to follow one of these rules:
  
  
  • Allow (default) - Windows Firewall with Advanced Security allows connections that do not match any active firewall rules.
    
    
  • Block - Windows Firewall with Advanced Security blocks outbound connections that do not match an active firewall rule.
    
    
• Settings - Click the Customize button in the Settings area to configure the following settings:
  
  
  • Display notifications. This setting determines whether a message is displayed to the user when a program is blocked from receiving inbound communications. This setting controls whether Windows displays a notification letting a user know that an inbound connection has been blocked. If local overrides are permitted, a prompt will appear asking whether to unblock the application or not.
    
    
  • Allow unicast response to multicast or broadcast network traffic. This setting allows the computer to receive unicast responses to its outgoing multicast or broadcast requests.
    
    
  • Apply local firewall rules. Select this option when, in addition to firewall rules applied by Group Policy that are specific to this computer, you want to allow administrators to create firewall rules on this computer. When you clear this option, administrators can still create rules, but the rules will not be applied. This setting is available only when configuring the policy through Group Policy.
    
    
  • Allow local connection security rules. Select this option when, in addition to connection security rules applied by Group Policy that are specific to this computer, you want to allow administrators to create connection security rules on this computer. When this option is cleared, administrators can still create rules, but the rules will not be applied.
    
    
• Logging. Click the Customize button in the Logging area to configure the following logging options:
  
  
  • Name. By default, the file is stored in %windir%\system32\LogFiles\Firewall\pfirewall.log.
    
    
  • Size limit. By default, the size limit is 4096 KB.
    
    
  • Log dropped packets. By default, dropped packets are not logged.
    
    
  • Log successful connections. By default, successful connections are not logged.
    
    
  In Windows 7 and Windows Server 2008 R2, Windows Firewall with Advanced Security also logs events in the Event Viewer program, under Applications and Services Logs\Microsoft\Windows\Windows Firewall with Advanced Security. Information about both firewall and IPsec (connection security) events is presented here.
  
  

Note
If you are configuring the firewall by using Group Policy, you need to make sure the Windows Firewall service has explicit write access by its service security identifier (SID) to the location that you specify. For more information about setting permissions for the log folder, see Customize Logging Settings for a Firewall Profile (http://go.microsoft.com/fwlink/?linkid=147899).

Configuring IPsec settings

The Customize IPsec Settings dialog box opens when you click the Customize button on the IPsec Settings tab of the Windows Firewall with Advanced Security on Local Computer property sheet. These settings are used when you create computer connection security rules. You can specify the following:

• Key Exchange. To enable secure communication, two computers must be able to access the same shared key without transferring that key across the network. Selecting Advanced and then clicking Customize allows you to configure security methods, key exchange algorithms, and key lifetimes.
  
  
• Data Protection. IPsec data protection defines the algorithms used to provide data integrity and encryption. Data integrity helps to ensure that data is not modified during transit. Windows Firewall with Advanced Security uses the Authentication Header (AH) or Encapsulating Security Payload (ESP) protocol to provide data protection. Data encryption protects data by concealing the information. Windows Firewall with Advanced Security uses the ESP protocol for data encryption.
  
  
• Authentication Method. This setting lets you configure the default authentication method for IPsec connections on the local computer. The out-of-box authentication method is Kerberos V5, which allows you to restrict connections to domain-joined computers. You can also restrict connections to only those computers that have a certificate from a specified certification authority (CA).
  
  

Create firewall rules

Create connection security rules

To centralize the configuration of large numbers of computers in an organization network that uses Active Directory, you can deploy settings for Windows Firewall with Advanced Security by using Group Policy. Group Policy provides access to the full feature set of Windows Firewall with Advanced Security, including profile settings, firewall rules, and computer connection security rules. In fact, you configure Group Policy settings for Windows Firewall with Advanced Security by using the same snap-in from within the Group Policy Management Console. The domain-member computer requests Group Policy updates, which are therefore solicited traffic that is not dropped by default when Windows Firewall with Advanced Security is enabled (unless the outbound default is configured to block traffic).

Warning
If you deploy Windows Firewall with Advanced Security by using Group Policy and then block outbound connections, make sure to enable the Group Policy outbound rules and to do full testing in a lab environment before deploying. Otherwise, you might prevent all of the computers that receive the block policy from receiving any updates to the policy in the future.

Note
If you configure a Windows Firewall with Advanced Security setting in an organization network by using Group Policy, then the local administrator cannot change the setting that was configured by using Group Policy.

In previous versions of Windows, Windows processes Group Policy under the following circumstances:

• Computer policies are processed when the Windows operating system starts.
  
  
• User policies are processed when a user logs on.
  
  
• Both computer and user policies are refreshed periodically.
  
  

Windows Vista and later versions of Windows process Group Policy in the following additional circumstances:

• Computer and user policies are processed when a computer establishes a virtual private network (VPN) connection with a remote site.
  
  
• Computer and user policies are processed when a computer comes out of hibernation or standby.
  
  

The additional circumstances help to ensure that computers obtain the most recent Group Policy settings more frequently and whenever the computer changes connections.

Use this folder to monitor details for all currently active and applied inbound and outbound firewall rules.

Use this folder to monitor the following:

• Connection Security Rules. This folder lists all of the enabled connection security rules with detailed information about their settings. Connection security rules use Internet Protocol security (IPsec) to secure communication between this computer and other computers. Connection security rules define which authentication, key exchange, data integrity, or encryption can be used to form a security association (SA). An SA defines the security used to protect the communication from sender to receiver.
  
  
• Security associations. This folder lists all of the Main Mode and Quick Mode SAs with detailed information about their settings and endpoints.
  
  
  • Main Mode. This folder lists all of the Main Mode SAs with detailed information about their settings and endpoints. You can use this folder to view the IP addresses of the endpoints.
    
    
  • Quick Mode. This folder lists all of the Quick Mode SAs with detailed information about their settings and endpoints. You can use this folder to view the IP addresses of the endpoints.