Internet Connection Firewall Feature Overview

By Dennis Morgan

Microsoft Corporation

Abstract

Internet Connection Firewall (ICF) provides baseline intrusion prevention functionality to computers running Microsoft® Windows® XP or Windows XP with Service Pack 1 (SP1). It is designed for computers directly connected to a public network as well as computers that are part of a home network when used with Internet Connection Sharing. This article describes the features and functionality of ICF, highlights the API set, and answers common questions. In Windows XP Service Pack 2 (SP2), ICF has been replaced with Windows Firewall.

Acknowledgements

Tom Fout, Program Manager, Microsoft Corporation

John Kaiser, Technical Editor, Microsoft Corporation

Introduction

Responding to Increased Internet Threats

When networks were first created they were intended to connect "trusted" computers together. Over time clusters of networks became connected, introducing the ability for an unknown entity from one network to connect to a computer on another network, which led to the need for protection.

Previously, not having a firewall on a PC connected to the Internet was not an issue, because the primary connection used a modem and was dialed only when needed. The connectivity duration was short and the assigned IP address was dynamic, making it difficult for hackers and other outside threats to connect to a PC.

But today, the security landscape is changing. More home users are adopting "always-on" broadband connections. Because these connections keep the same IP address, it's easier for hackers to locate a target PC.

Hackers used to need intimate knowledge of networking topologies and protocols. But now numerous tools are freely available on the Internet, making it easy for novice hackers (so-called "script kiddies") to find vulnerabilities in computers and exploit them. Studies show that cable modem networks are frequently scanned by hackers. Attacks are only likely to increase as more people connect to the Internet and more services are offered.

Goal for Internet Connection Firewall

The Internet Connection Firewall (ICF) in Windows XP or Windows XP with SP1 is designed to give the home user and small business protection against these threats. The goal is to provide a baseline intrusion prevention mechanism in Windows XP. This means protecting against scans for information and denying all unsolicited inbound traffic. By doing this, the basic tools that are available to "script kiddies" will be ineffective and they will likely move on to an easier target.

Firewalls have typically been difficult for the average person to configure. With Windows XP or Windows XP with SP1, Microsoft's goal is to provide a simple and unobtrusive security experience. Using a simple checkbox user interface and providing wizards for enabling ICF on connections, Windows XP or Windows XP with SP1 eliminates the configuration problems for consumers while still providing flexibility for advanced users to customize settings.

Note In Windows XP SP2, ICF has been replaced with Windows Firewall. For more information, see New Networking Features in Microsoft Windows XP Service Pack 2 and Manually Configuring Windows Firewall in Windows XP Service Pack 2.

Availability of Internet Connection Firewall

ICF ships in Windows XP or Windows XP with SP1, for both Windows XP Home Edition and Windows XP Professional. It is also available in Windows Server™ 2003, Standard Edition and Windows Server 2003, Enterprise Edition.

Installing Internet Connection Firewall

This section describes ways to install the Internet Connection Firewall.

Installation Points for ICF

Here are the various ways to install ICF:

  • Welcome to Windows wizard. This is what you see if you install Windows XP or Windows XP with SP1 on a stand-alone computer (not joined to a network domain). The wizard makes it easy to connect to the Internet, activate your copy of Windows, register Windows, and create user accounts. If the PC has a single network connection and it's determined that this network connection is for connecting to the Internet, the Welcome to Windows wizard will enable ICF on this connection.

  • Network Setup Wizard (NSW). (For Windows XP or Windows XP with SP1 on a stand-alone computer). When you run the NSW you are asked how you are connected to the Internet (there are five options). If you select an option stating that the PC is directly connected to the Internet, ICF will be enabled on the Internet connection.

  • New Connection Wizard (NCW). When you run the NCW and select the "Connect to the Internet" path, ICF will be enabled on the designated Internet connection.

  • Network Connections folder. You can go to the Advanced tab of the Properties page for a network connection and enable ICF via a simple checkbox. The Network Connections folder is located in the Network and Internet Connections area of the Control Panel.

Supported Connection Types

ICF can be enabled on a local area network (LAN) including a wireless LAN as well as remote access connections such as PPP over Ethernet, Dial-up and Virtual Private Network. ICF can be enabled on multiple connections on a system, each with its own settings and configuration.

ICF cannot be enabled on the Internet Connection Sharing (ICS) private adapter, a connection that is a member of the Network Bridge, the Network Bridge itself, or incoming connections.

Permission Requirements

You must be an administrator for the system in order to enable and manipulate ICF.

ICF Deployment Scenarios

There are two primary deployment scenarios for ICF:

  • Protection for a single PC running Windows XP, directly connected to the Internet. In this scenario a PC running Windows XP or Windows XP with SP1 is connected to the Internet via a remote access or LAN connection. Entities on the Internet (or other public networks to which the PC is connected) are able to reach this PC, but will not be able to access services and resources on the PC.

  • Protection for a home or small business network. When used in conjunction with an Internet sharing solution (such as ICS), ICF will provide protection for the network.

Internet Connection Firewall Functional Overview

This section includes a detailed view of how ICF works.

Conceptually, a firewall is a large filter rule engine that intercepts network traffic and applies its rule set to that traffic. Packet filtering is the process of allowing or denying the passage of traffic based on the information in the header of each packet of data. Network protocol-specific information, such as TCP/IP source and destination addresses and ports, along with other information, is available to a packet filtering device for use in establishing rules to allow or deny the flow of network traffic.

Stateful Packet Filtering

At the core of ICF is a stateful packet filter. Unlike a static packet filter, which decides whether or not to drop a packet based solely on that packet's addressing information, a stateful packet filter bases its decisions on both a packet's state and the context information of a session. This stored state gives the filter the means to enforce a richer and more comprehensive set of rules than a static filter.

The state that ICF maintains is a table of connection flows. For connection-oriented protocols, such as TCP, a connection flow is equivalent to the protocol's definition of a connection (for example, the source and destination addresses and ports and the protocol being used). A connection flow for a connectionless protocol, such as UDP, is the set of packets that are sent between common endpoints (for example, IPAddress1/Port1 and IPAddress2/Port2) without interruption, where interruption is defined as the lack of any packets matching that flow for a given period of time such as one minute.

When a connection flow is terminated based on time or the connection being closed, the state information is removed from the table.

Stateful Packet Filtering Security Policy

The primary security policy that ICF enforces through stateful packet filtering contains three rules:

  • Any packet that matches an established connection flow is forwarded.

  • A sent packet that does not match an established connection flow creates a new entry in the connection flow table and is forwarded.

  • A received packet that does not match an established connection flow is dropped.

This policy allows for normal client Internet access (such as Web browsing) while preventing packets that are not related to such access from being delivered to the network stack. There are provisions for users to modify these rules in order to open specific ports (creating a static filter) so that services, such as a Web server, may be run behind the firewall.

Beyond the security policy, ICF also performs additional structural checks on TCP packets. These checks include quickly dropping packets that have impossible flag combinations (such as both SYN and FIN set on a single packet), and enforcing the TCP three-way handshake for open ports. The former greatly reduces processing overhead when faced with attacks based on sending large numbers of random packets, while the latter hampers various scanning techniques.
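The three rules and the structural checks above can be modeled in a few lines. The following is an added example, not code from ICF or from this article; the class and function names, the single 60-second idle timeout, the "bare SYN" handshake check, and the documentation-range addresses are all assumptions made for illustration.

```python
from dataclasses import dataclass

FIN, SYN, RST, ACK = 0x01, 0x02, 0x04, 0x10   # TCP flag bits
FLOW_IDLE_TIMEOUT = 60.0  # assumed: the "one minute" example, applied to all flows


@dataclass(frozen=True)
class Packet:
    proto: str        # "TCP" or "UDP"
    src: tuple        # (ip, port)
    dst: tuple        # (ip, port)
    outbound: bool    # True when sent by the protected host
    flags: int = 0    # TCP flag bits, 0 for UDP


class FlowTable:
    """Toy model of the connection flow table and its three-rule policy."""

    def __init__(self, open_ports=()):
        self.flows = {}                     # flow key -> time last seen
        self.open_ports = set(open_ports)   # static port mappings: (proto, port)

    @staticmethod
    def key(pkt):
        # Same key for both directions: (proto, local endpoint, remote endpoint).
        local, remote = (pkt.src, pkt.dst) if pkt.outbound else (pkt.dst, pkt.src)
        return (pkt.proto, local, remote)

    def decide(self, pkt, now):
        # Structural check first: impossible flag combinations are dropped cheaply.
        if pkt.proto == "TCP" and pkt.flags & SYN and pkt.flags & FIN:
            return "DROP"
        # Flows idle for longer than the timeout are removed before matching.
        for k in [k for k, seen in self.flows.items() if now - seen > FLOW_IDLE_TIMEOUT]:
            del self.flows[k]
        k = self.key(pkt)
        if k in self.flows:                          # rule 1: established flow
            if pkt.proto == "TCP" and pkt.flags & RST:
                del self.flows[k]                    # simplified close handling
            else:
                self.flows[k] = now
            return "FORWARD"
        if pkt.outbound:                             # rule 2: sent packet opens a flow
            self.flows[k] = now
            return "FORWARD"
        if (pkt.proto, pkt.dst[1]) in self.open_ports:
            # Port mapping: a new inbound TCP flow must begin with a bare SYN.
            if pkt.proto == "TCP" and pkt.flags != SYN:
                return "DROP"
            self.flows[k] = now
            return "FORWARD"
        return "DROP"                                # rule 3: unsolicited inbound


def run_constructed_trace():
    """Replay a constructed packet trace and return the verdict for each packet."""
    host, web = ("203.0.113.10", 4391), ("198.51.100.7", 80)
    srv, scanner = ("203.0.113.10", 80), ("198.51.100.9", 389)
    udp_host, dns = ("203.0.113.10", 5000), ("198.51.100.53", 53)
    fw = FlowTable(open_ports={("TCP", 80)})
    trace = [
        (0.0, Packet("TCP", host, web, True, SYN)),            # client opens a flow
        (0.1, Packet("TCP", web, host, False, SYN | ACK)),     # reply matches the flow
        (1.0, Packet("TCP", scanner, host, False, ACK)),       # unsolicited ACK
        (2.0, Packet("TCP", scanner, srv, False, SYN | FIN)),  # impossible flags
        (3.0, Packet("TCP", scanner, srv, False, ACK)),        # open port, no handshake
        (4.0, Packet("TCP", scanner, srv, False, SYN)),        # open port, proper SYN
        (5.0, Packet("UDP", udp_host, dns, True)),             # UDP query opens a flow
        (10.0, Packet("UDP", dns, udp_host, False)),           # reply within a minute
        (100.0, Packet("UDP", dns, udp_host, False)),          # flow has timed out
    ]
    return [fw.decide(pkt, now) for now, pkt in trace]
```
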

State and Configuration on a per-connection basis

ICF can be enabled on multiple network connections. Each instance of ICF has its own port mapping and ICMP configuration options, which are kept independent of each other (logging settings are global).

Prevention of IP Spoofing

ICF prevents applications from doing IP spoofing. There has been some press attention about the inclusion of raw sockets in Windows XP and how this could lead to an increase of Denial of Service (DoS) attacks. The inclusion of support for the IP_HDRINCL option in Windows XP allows socket applications to set or modify the source IP address of packets. This is useful for DoS attacks because the attacker can disguise the origination of the attack.

ICF does outbound packet inspection for spoofed IPs. This includes TCP, UDP, ICMP, and PPTP/GRE (Point to Point Tunneling Protocol – Virtual Private Networking) communications. When ICF is running by itself, the outbound packet will be inspected and upon detection of a spoofed packet, the spoofed packet will be dropped.

When ICF and ICS are enabled together, spoofed traffic will be modified to contain the correct source IP address of the ICS host, preventing malicious code originating in the home network from being able to do IP Spoofing.

Note: This does not prevent the Windows XP client from participating in the DoS attack itself; it only prevents the Windows XP client from forging its IP address.

Support for Standard Protocols

ICF contains support for Internet standard protocols such as FTP, H.323, LDAP, T.120, and PPTP.

Transports Support

ICF supports filtering of IPv4 traffic. NetBEUI, IPX/SPX and IPv6 transports are not supported.

Support for Microsoft Features and Protocols

Windows Messenger and Remote Assistance have been written to work through ICF. In addition, because DirectPlay (dplay4 and dplay8) supports traversing ICF, games and applications that use DirectPlay will be able to work through ICF seamlessly. These modifications are accomplished using the APIs described below in this document.

Other Windows XP features with network functionality, such as the Help and Support Center, Windows Time, and Windows Update, use protocols that work through firewalls without special modification.

Known Issues

Here is a list of known issues with ICF:

  • Applications that require a range of ports be opened for return traffic will not work by default. Applications will need to create the appropriate port mappings for this to work. Users have the ability to add this port information manually.

  • Applications that run in user context where the user is not an administrator will not be able to manipulate port mappings.

  • When a scanning application running on the ICF host scans a target, the scanning application may report that ports 21 (FTP) and 389 (LDAP) are open on the target. This is due to the way the FTP and LDAP proxies are implemented. When the scanning app sends a request out, the private side of the proxy responds to the scanning application with an ACK. The scanning application does not check to see who the ACK is from and therefore treats this ACK as a successful communication between it and the target. Scans from a remote host to the ICF host will report that these ports are not available.

Options for Configuring Internet Connection Firewall

This section includes configuration options for port mappings, logging, and Group Policy.

Port Mappings

By default all unsolicited inbound connections to ICF are dropped. This is problematic if there are services running behind ICF that you want people on the Internet to access. Port mappings (static filters) are a way for services and applications to create rules in the firewall for how to handle inbound connections. By creating a port mapping (for example, opening port 80 for a Web server), ICF allows requests from users on the Internet to reach your Web site and be serviced by the Web server.

Similarly, some applications use protocols that are problematic for firewalls. This is typically due to the response to the outbound connection request returning on an unexpected port or from a different IP address. This commonly occurs in streaming media and chat applications. By creating port mappings, applications can configure ICF to allow response traffic to come back on a different port than the outbound connection indicated.

When ICS and ICF are running together on the same connection, a port mapping made by one feature will be picked up by the other as they share the same mapping table.

ICF has built-in port mapping options for common services. These port mappings are disabled by default. These mappings can be enabled in the Properties sheet of the ICF-enabled connection.

Logging Options

ICF has the ability to log network traffic. This logging follows the W3C Extended Log File Format (http://www.w3.org/TR/WD-logfile.html). The log file is an ASCII text file that can be imported for data analysis.

ICF has four basic logging options. By default all logging options are disabled.

  • Log all dropped packets. This option logs all dropped packets from both inbound and outbound connections.

  • Log all successful connections. This option will log successful outbound connections and successful inbound connections.

  • Log file name and location. The default name of the log file is pfirewall.log. The default location of the log file is %windir%. The user has the ability to set both the log file name and location.

  • Log file size. The default file size is 4096 kilobytes (KB). The maximum file size is 32767 KB.

Here is a sample log file from ICF:

#Version: 1.0
#Software: Microsoft Internet Connection Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info
2001-07-11 19:28:06 DROP ICMP 172.31.80.1 172.31.82.198 - - 56 - - - - 5 1 -
2001-07-11 19:28:08 DROP ICMP 172.31.80.1 172.31.82.198 - - 56 - - - - 5 1 -
2001-07-11 19:28:13 DROP ICMP 172.31.80.1 172.31.82.198 - - 56 - - - - 5 1 -
2001-07-11 19:31:05 DROP TCP 172.31.79.4 172.31.82.198 389 4391 40 A 1328582612 3027261772 17397 - - -
2001-07-11 19:31:07 DROP TCP 172.31.79.4 172.31.82.198 389 4396 40 A 1329262300 3027504832 16769 - - -
2001-07-11 19:31:08 DROP TCP 172.31.79.4 172.31.82.198 389 4401 40 A 1330742333 3028123509 16963 - - -
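
The sample log above can be parsed by reading the column names from its #Fields header and then grouping the dropped packets by source. The following is an added example, not part of the original article or of any Microsoft tool; the function names and the summary format are assumptions, and the embedded log is the article's own sample.

```python
from collections import Counter

# The sample log from this article, embedded so the example runs offline.
SAMPLE_LOG = """\
#Version: 1.0
#Software: Microsoft Internet Connection Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info
2001-07-11 19:28:06 DROP ICMP 172.31.80.1 172.31.82.198 - - 56 - - - - 5 1 -
2001-07-11 19:28:08 DROP ICMP 172.31.80.1 172.31.82.198 - - 56 - - - - 5 1 -
2001-07-11 19:28:13 DROP ICMP 172.31.80.1 172.31.82.198 - - 56 - - - - 5 1 -
2001-07-11 19:31:05 DROP TCP 172.31.79.4 172.31.82.198 389 4391 40 A 1328582612 3027261772 17397 - - -
2001-07-11 19:31:07 DROP TCP 172.31.79.4 172.31.82.198 389 4396 40 A 1329262300 3027504832 16769 - - -
2001-07-11 19:31:08 DROP TCP 172.31.79.4 172.31.82.198 389 4401 40 A 1330742333 3028123509 16963 - - -
"""


def parse_icf_log(text):
    """Return one dict per log entry, keyed by the names in the #Fields header."""
    fields, records = [], []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("#"):
            # Directive line such as "#Fields: date time action ..."
            name, _, value = line[1:].partition(":")
            if name.strip().lower() == "fields":
                fields = value.split()
            continue
        values = line.split()
        if not fields or len(values) != len(fields):
            continue  # entry before the header, or a truncated/malformed entry
        # "-" marks a field that does not apply to this packet.
        records.append({k: (None if v == "-" else v) for k, v in zip(fields, values)})
    return records


def summarize_drops(records):
    """Count dropped packets per (source IP, protocol, detail)."""
    counts = Counter()
    for r in records:
        if r["action"] != "DROP":
            continue
        if r["protocol"] == "ICMP":
            detail = f"type {r['icmptype']} code {r['icmpcode']}"
        else:
            detail = f"flags {r['tcpflags']} from port {r['src-port']}"
        counts[(r["src-ip"], r["protocol"], detail)] += 1
    return counts


if __name__ == "__main__":
    for (src, proto, detail), n in summarize_drops(parse_icf_log(SAMPLE_LOG)).most_common():
        print(f"{n:3d}  {src:15s} {proto:4s} {detail}")
```

On the article's sample this groups the six entries into two sources: ICMP redirects (type 5) from 172.31.80.1, and ACK-only TCP packets from port 389 on 172.31.79.4 that matched no connection flow.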

ICMP Options

Internet Control Message Protocol (ICMP) messages provide a method for PCs to report error and control conditions to each other. These messages can be used in hacking and DoS attacks.

The following ICMP options are available in ICF configuration:

  • Allow incoming echo request (Message type 8)

  • Allow incoming timestamp request (Message type 13)

  • Allow incoming mask request (Message type 17)

  • Allow incoming router request (Message type 10)

  • Allow outgoing destination unreachable (Message type 3)

  • Allow outgoing source quench (Message type 4)

  • Allow outgoing parameter problem (Message type 12)

  • Allow outgoing time exceeded (Message type 11)

  • Allow redirect (Message type 5)

Information on these options and their use is available in IETF RFCs (http://www.ietf.org) – RFC 792, RFC 1256 and RFC 950.

Location-Aware Group Policy

ICF has a Group Policy that allows domain administrators to prevent ICF from running in their domain. This Group Policy is location-aware, which means that ICF may still be configured and run when the PC is not running on the network in which the policy was pushed down.

Here is an example scenario for this location-aware Group Policy:

  • A mobile user enables and configures ICF on the wireless connection of a laptop. The user logs into the corporate domain, which applies the ICF Group Policy Object (GPO) to disable ICF from running. The user later undocks the laptop and goes to a wireless hotspot such as a café or airport and connects to this wireless network. Because ICF detects that it is no longer connected to the domain that enforced the policy, ICF will provide protection while on this hotspot network. When the user returns to the corporate network, ICF detects that it's attached to the domain network that enforced the GPO and, consequently, shuts itself down.

APIs for Internet Connection Firewall

This section briefly introduces Application Programming Interfaces (APIs) for ICF.

Microsoft provides a set of APIs within the Platform SDK to enable Independent Software Vendors (ISVs) to interact with ICF. Below is a preview of the interfaces available. For full information, refer to the Platform SDK at https://msdn.microsoft.com.

To determine whether an interface (network connection) has ICF enabled on it, you first need to enumerate all the interfaces available in the system. You can do this by using the INetSharingManager::get_INetSharingConfigurationForINetConnection method to obtain an INetSharingConfiguration interface for a particular connection.

After you determine which interface you want to check, use the INetSharingConfiguration::get_InternetFirewallEnabled method to determine whether ICF is enabled on this connection.

Methods are provided to allow an application to either enable or disable ICF. Calling these methods will result in a dialog being presented to the user for confirmation of the action:

INetSharingConfiguration::DisableInternetFirewall

"%programname% is attempting to disable Internet Connection Firewall. This will make your computer more vulnerable to Internet security threats. Do you want to allow %programname% to disable Internet Connection Firewall?"

INetSharingConfiguration::EnableInternetFirewall

"%programname% is attempting to enable Internet Connection Firewall to help protect your computer or network from Internet security threats. However, it may cause some of your older Internet games to function incorrectly. Do you want to allow %programname% to enable Internet Connection Firewall?"

Additional methods of interest include:

  • INetSharingConfiguration::EnumPortMappings. This method allows you to enumerate the port mappings for a specific interface.

  • INetSharingConfiguration::AddPortMapping. This method allows you to add a port mapping to a specific interface.

  • INetSharingConfiguration::RemovePortMapping. This method allows you to remove a port mapping for a specific interface.

Note There are no API methods for setting the logging or ICMP options.

Internet Connection Firewall FAQ

Q: How does ICF compare to third-party firewalls?

A: In many cases ICF does not have the rich feature set provided by these products. This is because ICF is intended only as a basic intrusion prevention feature. ICF prevents people from gathering data about the PC and blocks unsolicited connection attempts. ICF is intended for users who connect to the Internet but would not normally purchase a firewall from the store.

Q: Does ICF do outbound packet inspection?

A: Other than checking the source IP address, ICF does not do any outbound packet inspection.

Q: Does ICF require ICS?

A: No, you do not have to share your connection in order to protect it. ICS and ICF are independent features.

Q: Why doesn't Microsoft enable ICF on all connections by default?

A: We do not do this due to the potential to break basic networking scenarios (such as file and printer sharing, multiplayer gaming, and so on). ICF was designed to be enabled on Internet connections only, and currently the technology for determining whether a connection is for the Internet versus a private LAN remains in early development. As this technology improves, ICF may be enabled by default.

Q: Does ICF compete with Internet Security and Acceleration (ISA) Server?

A: No. ISA server is an enterprise-level firewall and Web cache. ICF is designed for home and small businesses (fewer than five people) with little or no network management experience. ISA server gives network administrators more flexibility and functionality than ICF; thus ICF would not be desirable for this class of customers. For more information, see the ISA Web site.

Q: Is it okay for medium-sized organizations to use ICF as their perimeter firewall?

A: ICF is not intended to be used as a perimeter firewall for businesses. Therefore, ISA server is recommended.

Q: Can a malicious application turn off the firewall without the user's knowledge?

A: No. Although Microsoft provides APIs that allow applications to turn off ICF, a dialog box is displayed informing the user that "application X" wants to turn off the firewall and giving the user the choice of whether to allow this. (See the API section earlier in this article.) There is no programmatic way to circumvent this dialog box.

Q: Does ICF filter out outbound multicast traffic?

A: No. When in the ICS/ICF configuration, multicast traffic generated by clients on the network will not be forwarded, but multicast traffic generated by the ICS/ICF host will be.

Q: Can I run ICF on my corporate desktop? What will happen if I turn it on?

A: The user experience may be degraded as some basic functionality will not work, for example letting someone access a file share on your PC. Nor will you receive notifications from remote services (this includes the "print job completion" and "new mail" notifications). In addition, because ICF has not been tested with the ISA client application, the effect they might have on each other remains unknown.

Q: Does Microsoft plan to obtain ICSA certification for ICF?

A: No. Because ICSA certification is associated with enterprise-level firewalls, obtaining this certification is not applicable considering the target audience. (However, ISA server is ICSA certified.)

Summary

The goal of Internet Connection Firewall is to provide a baseline intrusion prevention mechanism in Windows XP or Windows XP with SP1. This means protecting against scans for information and denying all unsolicited inbound traffic. By doing this, the basic tools that are available to "script kiddies" will be ineffective and they will likely move on to an easier target.

Firewalls have typically been difficult for the average person to configure. With ICF in Windows XP or Windows XP with SP1, Microsoft's goal is to provide a simple and unobtrusive security experience. Using a simple checkbox user interface and providing wizards for enabling ICF on connections, Windows XP or Windows XP with SP1 eliminates the configuration problems for consumers while still providing flexibility for advanced users to customize settings.

See the following resources for further information:

For the latest information about Windows XP, see the Windows XP Web site.