Protecting your home or small office network using Internet Connection Firewall

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

Home and small office networking gives computers that connect directly to the Internet the added protection of a firewall. Internet Connection Firewall (ICF) is a stateful firewall: it inspects all traffic that crosses the connection between your network and the Internet and admits inbound traffic from the Internet only when it is a response to a request that originated on your network.

You can enable Internet Connection Sharing (ICS) on only one Internet connection on your network, and you should protect that connection by enabling ICF. ICF inspects only the traffic that crosses the connection on which it is enabled, so the connection it protects must be the only path between your network and the Internet. The two topologies in the following illustrations meet that condition and are the recommended ones.

Illustration: Shared Internet connection protected by ICF

Illustration: Combined Ethernet and wireless network

You should avoid topologies with multiple Internet connections. If you must have multiple direct Internet connections on your network, you should ensure that ICF is enabled on each direct Internet connection in order to protect your network, as shown in the following illustration. However, because ICF works on a per-connection basis, this topology is still not a recommended topology because there is no central point of administration through which you can ensure the continuous protection of all Internet connections.

Illustration: ICF protected network with two Internet connections

Likewise, providing Internet connectivity to your network by connecting your network hub directly to the Internet causes similar vulnerabilities and is not a recommended topology.

Illustration: Unprotected network

Enabling ICF on this type of network topology disrupts some network communications and provides protection only for the computer on which it is enabled. The other computers have direct connections to the Internet through the hub and are not protected.

Connection icons

When ICF is enabled on a network connection, that connection is displayed in Network Connections with the firewalled connection icon. To check whether ICF is enabled, or to enable it, see Enable or disable ICF. When ICS is enabled on a network connection, that connection is displayed in Network Connections with the shared connection icon. To check whether ICS is enabled, or to enable it, see Enable ICS.

Recommendations for using ICF

  • Enable ICF on every connection that connects directly to the Internet.

  • Do not enable ICF on virtual private network (VPN) connections or on network client computers. ICF blocks unsolicited inbound traffic, which interferes with network activities such as file and printer sharing that depend on it.

  • Do not enable ICF on any connection that does not connect directly to the Internet. For the same reason, ICS does not let you enable ICF on the ICS host computer's private connection (the connection between the ICS host and the ICS client computers); a firewall in that location would block all communication between the host and the clients.

  • ICF is not needed on an Internet connection that is already protected by a separate firewall or proxy server.

ICF and notification messages

Because ICF inspects all incoming communications, some programs, especially e-mail programs, may behave differently when ICF is enabled. Some e-mail programs periodically poll their e-mail server for new mail; others wait for a notification from the server. Outlook Express, for example, checks for new e-mail whenever its timer fires and prompts the user when new e-mail is found. ICF does not affect this program, because the request originates from inside the firewall: when the request leaves, the firewall records the outbound communication to the mail server in a table, and when the mail server returns its response, the firewall finds the matching entry and lets the response pass. The user then receives the new-mail notification as usual.

Outlook 2000, however, when connected to a Microsoft Exchange server, relies on the server to send new-mail notifications to the client by remote procedure call (RPC). Outlook 2000 does not poll for new e-mail in this configuration; the Exchange server notifies it when new e-mail arrives. Because the RPC notification is initiated by the Exchange server outside the firewall, not by Outlook 2000 inside it, ICF finds no corresponding table entry and drops the notification message before it can cross from the Internet into the home or small office network. Users can still send and receive e-mail, because those operations are requests that Outlook 2000 itself originates, but they must check the inbox manually for new e-mail.
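The following Python model, added here as an example and not code from the original page or from Windows, reduces ICF to the stateful behaviour the two paragraphs above describe: outbound packets are allowed and recorded in a table, and an inbound packet is admitted only if it answers a recorded flow. The addresses, ports and the mail exchanges are constructed to mirror the Outlook Express poll and the Exchange-to-Outlook 2000 RPC push; it also shows why mail still flows once the user checks manually.

```python
"""Stateful connection-table model of Internet Connection Firewall (added example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str       # "tcp" or "udp"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    direction: str   # "out": LAN to Internet, "in": Internet to LAN


class StatefulFirewall:
    """Allow and record outbound flows; admit inbound packets only if they
    match a recorded flow with source and destination reversed."""

    def __init__(self):
        # keyed by (proto, local_ip, local_port, remote_ip, remote_port)
        self.table = set()
        self.log = []    # (action, packet) in the order seen

    def filter(self, pkt):
        """Return True if the packet may pass, False if it is dropped."""
        if pkt.direction == "out":
            self.table.add((pkt.proto, pkt.src_ip, pkt.src_port,
                            pkt.dst_ip, pkt.dst_port))
            self.log.append(("OPEN", pkt))
            return True
        # Inbound: look for the outbound flow this packet would be answering.
        key = (pkt.proto, pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
        if key in self.table:
            self.log.append(("ALLOW", pkt))
            return True
        self.log.append(("DROP", pkt))
        return False


LAN_CLIENT = "192.168.0.2"      # constructed private address
MAIL_SERVER = "203.0.113.25"    # constructed public address


def run_scenario():
    """Replay the two mail cases from the text and report what happened."""
    fw = StatefulFirewall()
    results = {}

    # Outlook Express: the client polls, so the reply matches a table entry.
    poll = Packet("tcp", LAN_CLIENT, 1045, MAIL_SERVER, 110, "out")
    poll_reply = Packet("tcp", MAIL_SERVER, 110, LAN_CLIENT, 1045, "in")
    results["poll_request"] = fw.filter(poll)
    results["poll_reply"] = fw.filter(poll_reply)

    # Exchange: the server initiates the RPC notification. Nothing in the
    # table matches, so it is dropped. (Port numbers are constructed.)
    push = Packet("udp", MAIL_SERVER, 3580, LAN_CLIENT, 1060, "in")
    results["rpc_push"] = fw.filter(push)

    # A manual check is a client-initiated RPC call: it creates its own
    # table entry, so the server's answer is admitted and mail arrives.
    fetch = Packet("tcp", LAN_CLIENT, 1061, MAIL_SERVER, 135, "out")
    fetch_reply = Packet("tcp", MAIL_SERVER, 135, LAN_CLIENT, 1061, "in")
    results["manual_check"] = fw.filter(fetch) and fw.filter(fetch_reply)

    results["dropped"] = [p for action, p in fw.log if action == "DROP"]
    return results


if __name__ == "__main__":
    for name, value in run_scenario().items():
        print(f"{name}: {value}")
```

The model ignores timeouts and TCP state tracking, which a real firewall adds on top of the same table lookup; the point it makes is that the direction of the first packet, not the application protocol, decides whether traffic gets through ICF.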

Advanced ICF settings

The ICF security logging feature creates a security log of firewall activity. ICF can log dropped packets, successful connections, or both. For example, incoming echo requests from the Internet are not allowed by default. If the Internet Control Message Protocol (ICMP) option Allow incoming echo request is not enabled, an inbound echo request is dropped, and if logging of dropped packets is enabled, a log entry recording the failed inbound attempt is generated.

The ICMP tab lets you modify the behavior of the firewall by enabling individual ICMP options, such as Allow incoming echo request, Allow incoming timestamp request, Allow incoming router request and Allow redirect. Brief descriptions of these options are provided on the ICMP tab. Leave these options disabled unless you need them: answering echo and timestamp requests makes the computer visible to hosts that scan the Internet, and accepting redirects allows another host to alter the routes this computer uses. For information about ICMP, see Internet Control Message Protocol (ICMP).

If ICF is enabled on two or more connections on a single computer, the settings for the ICMP options are per connection. If you make a setting or change a setting in the ICMP options on any connection on which ICF is enabled, that setting is not applied to the other ICF firewalls on that computer. For more information, see Enable or disable Internet Control Message Protocol requests for ICF.

You can set the maximum size of the ICF security log so that a flood of dropped packets, such as that produced by a denial-of-service attack, cannot fill the disk by growing the log without bound. Entries are written in the Extended Log File Format established by the World Wide Web Consortium (W3C). For more information about ICF security logging, see Internet Connection Firewall security log.
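As an added example (not part of the original page), the Python script below parses a security log in the W3C Extended Log File Format and summarizes the dropped traffic, including the dropped inbound echo requests mentioned under Advanced ICF settings. The sample log is constructed; its #Fields directive follows the column layout of the ICF log as I know it, but the parser takes the field names from the directive rather than assuming positions, so it also handles a log whose columns differ.

```python
"""Parse a W3C extended-format firewall log and summarize drops (added example)."""
from collections import Counter

# Constructed sample log. Addresses are documentation ranges, not real hosts.
SAMPLE_LOG = """\
#Version: 1.0
#Software: Microsoft Internet Connection Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info
2003-06-01 10:15:01 OPEN TCP 192.168.0.2 203.0.113.25 1045 110 - - - - - - - -
2003-06-01 10:15:02 DROP ICMP 198.51.100.7 203.0.113.50 - - 60 - - - - 8 0 -
2003-06-01 10:15:02 DROP ICMP 198.51.100.7 203.0.113.50 - - 60 - - - - 8 0 -
2003-06-01 10:15:05 DROP TCP 198.51.100.9 203.0.113.50 3345 135 48 S 2011 0 16384 - - -
2003-06-01 10:15:06 DROP TCP 198.51.100.9 203.0.113.50 3346 445 48 S 2012 0 16384 - - -
2003-06-01 10:15:09 CLOSE TCP 192.168.0.2 203.0.113.25 1045 110 - - - - - - - -
"""


def parse_log(text):
    """Return one dict per data line, keyed by the names in the #Fields directive.

    A '-' value (the W3C placeholder for an absent field) becomes None.
    Raises ValueError on a data line that precedes the directive or whose
    column count does not match it, which indicates a truncated or damaged line.
    """
    fields = None
    records = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        if fields is None:
            raise ValueError("data line before #Fields directive")
        values = line.split()
        if len(values) != len(fields):
            raise ValueError(f"expected {len(fields)} fields, got {len(values)}: {line}")
        records.append({name: (None if v == "-" else v) for name, v in zip(fields, values)})
    return records


def dropped(records):
    return [r for r in records if r["action"] == "DROP"]


def dropped_by_source(records):
    """Count dropped packets per source address (the noisiest remote hosts)."""
    return Counter(r["src-ip"] for r in dropped(records))


def dropped_echo_requests(records):
    """Dropped ICMP echo requests (type 8), the case the text uses as its example."""
    return [r for r in dropped(records)
            if r["protocol"] == "ICMP" and r["icmptype"] == "8"]


def dropped_tcp_ports(records):
    """Count dropped TCP packets per destination port, to spot probing of services."""
    return Counter(int(r["dst-port"]) for r in dropped(records)
                   if r["protocol"] == "TCP" and r["dst-port"])


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print(f"{len(recs)} entries, {len(dropped(recs))} dropped")
    print("echo requests dropped:", len(dropped_echo_requests(recs)))
    print("drops by source:", dropped_by_source(recs).most_common())
    print("dropped TCP ports:", dropped_tcp_ports(recs).most_common())
```

Reading the field names from the directive is what makes a parser survive a format change; hard-coding column positions is the usual way such scripts break silently when a later firewall version adds a column.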

If ICF is enabled on two or more connections on a single computer, the ICF settings are global. If you select a setting or change a setting in Logging Options or Services on any one of the connections on which ICF is enabled, that setting is applied to all of the ICF firewalls on that computer. For more information, see Internet Connection Firewall security log.

Note

  • Internet Connection Firewall is included only in the original releases of Windows Server 2003, Standard Edition, and Windows Server 2003, Enterprise Edition.

  • This topic applies only to product features available in the original release of Windows Server 2003.

  • Internet Connection Sharing and Network Bridge are not included in Windows Server 2003, Web Edition; Windows Server 2003, Datacenter Edition; and the Itanium-based versions of the original release of the Windows Server 2003 operating systems.