Introduction to the Microsoft Windows XP Firewall



Similar documents
How To Secure Your Small To Medium Size Microsoft Based Network: A Generic Case Study

Introduction to Business Continuity Planning

Interested in learning more about security?

netforensics - A Security Information Management Solution

Interested in learning more about security? Why Bother About BIOS Security? Copyright SANS Institute Author Retains Full Rights

Security Awareness Training and Privacy

Firewalls and VPNs. Principles of Information Security, 5th Edition 1

Firewall Firewall August, 2003

Firewall Introduction Several Types of Firewall. Cisco PIX Firewall

Firewall VPN Router. Quick Installation Guide M73-APO09-380

Multi-Homing Dual WAN Firewall Router

10 Configuring Packet Filtering and Routing Rules

McAfee.com Personal Firewall

Security Technology: Firewalls and VPNs

CSE331: Introduction to Networks and Security. Lecture 12 Fall 2006

Brazosport College VPN Connection Installation and Setup Instructions. Draft 2 March 24, 2005

20-CS X Network Security Spring, An Introduction To. Network Security. Week 1. January 7

INTERNET SECURITY: THE ROLE OF FIREWALL SYSTEM

Guideline for setting up a functional VPN

Chapter 4 Firewall Protection and Content Filtering

1. Firewall Configuration

Lab Configuring Access Policies and DMZ Settings

Cyber Security: Beginners Guide to Firewalls

Firewalls. Firewalls. Idea: separate local network from the Internet 2/24/15. Intranet DMZ. Trusted hosts and networks. Firewall.

N-CAP Users Guide Everything You Need to Know About Using the Internet! How Firewalls Work

CSCI Firewalls and Packet Filtering

A host-based firewall can be used in addition to a network-based firewall to provide multiple layers of protection.

Intro to Firewalls. Summary

Fig : Packet Filtering

What is Firewall? A system designed to prevent unauthorized access to or from a private network.

Firewalls. Ola Flygt Växjö University, Sweden Firewall Design Principles

Chapter 12 Supporting Network Address Translation (NAT)

How to Configure Windows Firewall on a Single Computer

Firewalls, Tunnels, and Network Intrusion Detection

Firewalls. Chapter 3

CSCE 465 Computer & Network Security

What is a Firewall? Computer Security. Firewalls. What is a Firewall? What is a Firewall?

References NYS Office of Cyber Security and Critical Infrastructure Coordination Best Practices and Assessment Tools for the Household

Security threats and network. Software firewall. Hardware firewall. Firewalls

Looking for Trouble: ICMP and IP Statistics to Watch

Chapter 4 Customizing Your Network Settings

Networking Security IP packet security

Cyber Security Beginners Guide to Firewalls A Non-Technical Guide

Firewalls, Tunnels, and Network Intrusion Detection. Firewalls

Chapter 4 Customizing Your Network Settings

WatchGuard Technologies, Inc. 505 Fifth Avenue South Suite 500, Seattle, WA

Firewall Design Principles Firewall Characteristics Types of Firewalls

Firewall Design Principles

IP Filter/Firewall Setup

Chapter 8 Security Pt 2

Network Defense Tools

Lab Configuring Access Policies and DMZ Settings

FortKnox Personal Firewall

CS 356 Lecture 19 and 20 Firewalls and Intrusion Prevention. Spring 2013

Easy Steps to Cisco Extended Access List

SFWR ENG 4C03 Class Project Firewall Design Principals Arash Kamyab March 04, 2004

Protecting the Home Network (Firewall)

Chapter 4 Firewall Protection and Content Filtering

We will give some overview of firewalls. Figure 1 explains the position of a firewall. Figure 1: A Firewall

Overview. Firewall Security. Perimeter Security Devices. Routers

Applied Security Lab 2: Personal Firewall

UIP1868P User Interface Guide

FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. Chapter 5 Firewall Planning and Design

BR-6104K / BR-6104KP Fast Ethernet Broadband Router User s Manual

Firewall Architecture

Introduction To Computer Networking

Lecture slides by Lawrie Brown for Cryptography and Network Security, 5/e, by William Stallings, Chapter 22 Firewalls.

Firewall Defaults, Public Server Rule, and Secondary WAN IP Address

School of Information Science (IS 2935 Introduction to Computer Security, 2003)

Computer Security CS 426 Lecture 36. CS426 Fall 2010/Lecture 36 1

Chapter 9 Firewalls and Intrusion Prevention Systems

Pre-lab and In-class Laboratory Exercise 10 (L10)

CS 665: Computer System Security. Network Security. Usage environment. Sources of vulnerabilities. Information Assurance Module

DSL-G604T Install Guides

Small Business Server Part 2

Step-by-Step Configuration

Prestige 324. Prestige 324. Intelligent Broadband Sharing Gateway. Version 3.60 January 2003 Quick Start Guide

Firewall Configuration. Firewall Configuration. Solution Firewall Principles

Chapter 4 Security and Firewall Protection

Implementing Network Address Translation and Port Redirection in epipe

CREATING AN IKE IPSEC TUNNEL BETWEEN AN INTERNET SECURITY ROUTER AND A WINDOWS 2000/XP PC

CSE 4482 Computer Security Management: Assessment and Forensics. Protection Mechanisms: Firewalls

Solution of Exercise Sheet 5

Firewalls. CEN 448 Security and Internet Protocols Chapter 20 Firewalls

allow all such packets? While outgoing communications request information from a

Internet and Intranet Calling with Polycom PVX 8.0.1

GlobalSCAPE DMZ Gateway, v1. User Guide

Cryptography and network security

Firewalls. Ingress Filtering. Ingress Filtering. Network Security. Firewalls. Access lists Ingress filtering. Egress filtering NAT

Service Managed Gateway TM. How to Configure a Firewall

PSC Defective Customer Equipment Return Policy

Appendix A: Configuring Firewalls for a VPN Server Running Windows Server 2003

Setting Up And Sharing A Wireless Internet Connection

Firewalls. Basic Firewall Concept. Why firewalls? Firewall goals. Two Separable Topics. Firewall Design & Architecture Issues

Transcription:

Interested in learning more about security? SANS Institute InfoSec Reading Room This paper is from the SANS Institute Reading Room site. Reposting is not permitted without express written permission. Introduction to the Microsoft Windows XP Firewall Microsoft's Internet Connection Firewall was designed to work with personal firewall applications, not to compete with them. ICF is far from perfect as firewalls go. It doesn't block any outbound traffic; which won't protect you from Trojan application that have made it onto you computer by other means (email, downloads, etc). Its rules are rather basic compared to other personal firewalls. But on the other hand, ICF has no cost (other than the OS cost). It has little or no complexity, if the average home user uses the... Copyright SANS Institute Author Retains Full Rights AD

Introduction to the Microsoft Windows XP firewall SANS Security Essentials (GSEC) v1.2e Matt Snitchler Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46 Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46

Introduction to the Microsoft Windows XP firewall Introduction Here we go again with another version of Windows. Windows XP is the soon to be released version of Windows. Windows XP promises to be the OS that will appeal to Geeks and Power users as well as to beginners and users generally timid around computers. This new version of Windows signifies a convergence of its home and business operating systems. This product will replace Windows 2000 and Windows 9x (including Windows Millennium). Both home and business operating systems will be based off the same source. For the first time in Microsoft s history all of their Operating Systems will be built off of the Windows NT Kernel. This is thought to be a much more Key stable fingerprint platform = AF19 than FA27 the old 2F94 DOS 998D command.com FDB5 DE3D platform. F8B5 06E4 This is A169 the platform 4E46 Operating Systems like DOS and Windows 95 were built from. The home version will be called Windows XP Home Edition and the business version will be called Windows XP Professional. Their server offerings will be based off of this same Kernel as well but are beyond the scope of this paper. This platform will bring together the strengths of Windows 2000, like security, manageability and reliability, and the strengths of Windows Millennium, like Plug-and-Play, easy-to-use user interface, etc. Windows XP will sport a new start menu as well as a new version of Internet Explorer. Windows XP introduces numerous security enhancements. These include controlled network access, software restriction policies, credential management, encrypted file system, and a basic firewall. This firewall is called the Internet Connection Firewall (IFC), and is the topic of this paper. Internet Connection Firewall might be a tool used to protect a home computer or maybe a small home network. You also might find ICF protecting a small business network. Microsoft does also produce a full fledged firewall designed for a dedicated server and a LAN. This product, Internet Security and Acceleration Server is generally used for protecting large networks and is quite a bit more complex to configure. Why do I need a firewall? Why do I need a firewall? you are asking yourself. Well the Internet can be a hostile environment. You are susceptible to attacks whenever you are connected. Very fast always on internet connections are becoming very popular in the home. Fast connections make attacks on your system very efficient. An attacker can try many different attacks in a shot amount of time. The always on nature of high speed Internet access with technologies like DSL or Cable modems make you a very convenient target. A hacker doesn t need to coordinate his attacks because your computer is always available. Even when you connect to the Internet with a modem you can be vulnerable, although much slower and cumbersome. You may not think you have anything of interest on your Key computer. fingerprint Attackers = AF19 FA27 may 2F94 have an 998D interest FDB5 in your DE3D personal F8B5 06E4 information A169 4E46 often stored on home computers. Do you store any passwords or credit card numbers on your computer? How about personal email or financial information, such as account numbers or electronic bank statements?

Well, you seem pretty safe; you don t store any of this information on your computer. Not so, your computer itself can become the tool of interest to hackers. Computers are compromised on the Internet and used to launch attacks on other computers. This can prove to be advantageous to a hacker who would prefer to keep his identity hidden. Do you think it would look good if your computer, unbeknownst to you was attacking a government website? Aside form hiding the identity of an attacker, many of these so called Drone machines (yours being only one of thousands maybe) can be used in organized and distributed attacks on large sites. I hope I ve got you convinced perhaps a firewall is good. If all this isn t enough for you to feel a little afraid, there are malicious attacks as well. Key You fingerprint computer = AF19 may be FA27 able 2F94 to be 998D broken FDB5 for an DE3D internet F8B5 attack, 06E4 requiring A169 4E46 you to reboot to regain access. Your internet access can be affected with a Denial of Service (DOS) attack. This can be described as a whole bunch of invalid information being sent to your computer. Your computer is so busy handling this garbage, that it can no longer function correctly, effectively breaking your Internet connection. General firewall overview So, what is this firewall thing? you ask. One such definition comes from the Windows XP Help file: A Firewall is a security system that acts as a protective boundary between a network and the outside world. Firewalls are usually designed to prevent unauthorized access to your internal network. There are many types of firewalls. You can buy dedicated hardware firewalls whose only role in life is to keeps bad guys out, or there are software firewalls that are applications that run on dedicated computers or personal computers. All firewalls function off of a predefined set of rules and are only as good as their configuration. There are four basic types of firewalls. Packet filtering, Circuit-level gateway, Application-level gateway, and Stateful inspection firewall. Packet filtering A packet filtering firewall accepts or denies traffic based on TCP and IP Headers. Generally it is the lowest cost firewall solution but will also offer the least protection. This type of firewall does not perform content checking. One good thing about a packet filtering firewall, other than cost, is the little or no network performance hit. A packet filtering firewall operates at the network layer of the OSI Model. Key fingerprint Circuit-level = AF19 FA27 gateway 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46 A circuit-level gateway monitors TCP handshaking between trusted clients or servers and untrusted hosts to determine the legitimacy of a requested session. A circuit-level gateway uses SYN & ACK flags as well as valid sequence

numbers to determine a requested session in logical. This type of firewall is usually implemented with application level gateways. A circuit-level gateway operates at the session layer of the OSI model (two levels up from packet filtering). Application-level gateway An application-level gateway is much like a circuit-level gateway with two major differences. Proxies are application specific and proxies filter at the application layer of the OSI model. Stateful inspection firewall A stateful inspection firewall includes aspects of a Packet filtering firewall, Circuit-level gateway & an Application-level gateway. It filters packets based on source and destination addresses as well as port numbers. A Stateful Key fingerprint inspection = AF19 FA27 firewall 2F94 monitors 998D FDB5 SYN & DE3D ACK F8B5 flags 06E4 as well A169 as valid 4E46 sequence numbers like a circuit-level gateway. It evaluates the contents of packets at the application layer like an Application-level gateway. Generally offers better performance than a Circuit-level or Application-level gateway. A Stateful inspection firewall operates at the network layer of the OSI Model. Most all firewalls offer some form of logging. This is useful for troubleshooting as well as learning about your attackers and the types of exploits that you are being exposed to. Overview of Microsoft s Internet Connection Firewall (ICF) Now you now know what a firewall is and why you need one. Let s take a look at Microsoft s Internet Connection Firewall (ICF). Internet Connection Firewall is considered to be a stateful inspection firewall. ICF is used to set restrictions on what connections can be made to your computer from the Internet. It is also used to define what types of connections are not allowed. It will disable all incoming traffic unless traffic is associated with an exchange that began from within your computer or private network (return traffic). Microsoft s Internet Connection Firewall is capable of protecting a standalone machine or an entire network. It is designed to function with Internet Connection Sharing (ICS), which a capability built into Windows XP to provide a shared Internet Connection. ICF will protect Local Area Network (LAN), Point-to-Point Protocol over Ethernet (PPPoE), and Virtual Private Networks (VPN) or dial-up connections. A Local Area Network is simply a group of machines connected together for the purpose of sharing resources. The resources may be files, printers or Internet access. Point-to-Point Protocol over Ethernet is commonly used with broadband access Key fingerprint (cable, = AF19 wireless, FA27 dsl, 2F94 etc.) 998D to achieve FDB5 access DE3D to F8B5 high 06E4 speed A169 networks 4E46 like the Intrenet.

VPN are a way for two or more computers to connect over public media, like the Internet and control public access. Dial up connections allow for home users with no broadband access to connect to other resources, like the Internet over a basic phone line. Microsoft s Internet Connection Firewall can block ICMP traffic. ICMP, commonly know as ping is traditionally used to report errors and status information. Bad guys often use ICMP to map out network services on computers. How to Install Microsoft s Internet Connection Firewall Key Windows fingerprint XP = is AF19 not configured FA27 2F94 out 998D of the FDB5 box DE3D with Internet F8B5 06E4 Connection A169 4E46 Firewall enabled. There are two ways to enable ICF. Network Setup Wizard You can run the Network Setup Wizard and it will enable the Internet Connection Firewall on all Internet connections it finds. This will enable ICF with default settings and will not ask you any customization questions. This may be a good option for a beginner user or for someone who will not be hosting any services, like a web server or a game server on their computer. ICF will block any attempt to ping your computer. Also by default ICF doesn t do any logging. Manual Configuration Manually configuring Internet Connection Firewall will expose you all the advanced options available. To manually configure Internet Connection Firewall: o Open Control-Panel o Click Network and Internet Connections o Click Network Connections o Right-click on your Internet Connection and select Properties o Click the Advanced tab of your connection s dialog o Under the Internet Connection Firewall section you can enable the firewall You may want to configure specific unsolicited inbound traffic into your network. Say you want to run a web server to publish your children s pictures on the web, or maybe you want to host a game server. You can configure ICF to allow these types of services to function. From the Advanced tab described above you will find a Settings button. Behind this button you will see commonly used services predefined for you on the Services tab. Enabling things like a web server or a telnet server are just a checkbox away. Key If fingerprint you find that = AF19 the service FA27 2F94 you are 998D interested FDB5 in DE3D providing F8B5 is 06E4 not listed, A169 you 4E46 can add additional services. This is where you will need to go to host games over the Internet from behind your firewall. You will need to add a few pieces of information after clicking the Add button found under the Services tab on the Advanced Settings

dialog. You will need a description of service, say UT Server. This is just information, so anything will do. You will need the name or IP address of the internal computer hosting the server. This will most likely be an internal IP address, like 192.168.0.4. Then you will need an external port number for this service and an internal port number for this service. The external port number will be the port number that users on the Internet will connect to. The internal port number will be the actual port number on the computer hosting the service that we listed above. In most cases these port numbers will be the same; however you may have a need to make them different, maybe if your game server is using a specific port, than you can connect to the game server with another computer on your internal network. This would be a drag, you hosting a game server that you can t connect to. By configuring a different internal port number this problem could be avoided. The last thing that needs to be configured on this dialog is Key weather fingerprint you = are AF19 configuring FA27 2F94 TCP 998D or UDP FDB5 ports. DE3D You re F8B5 application 06E4 A169 documentation 4E46 can tell you this. Also found on the Advanced Settings dialog, under the Security Logging tab you will find all the settings related to your logs. From this dialog you can choose to log dropped packets (incoming) and/or log successful connections (incoming and outgoing). You can also specify the name, size and location of the log file. One more configuration dialog, ICMP configures, as you might expect ICMP settings. By default, Internet Connection Firewall is configured to not allow any ICMP traffic in. This dialog will give you the option to allow nine different types of ICMP traffic through. These are incoming echo request, incoming timestamp request, incoming mask request, incoming router request, outgoing destination unreachable, outgoing source quench, outgoing parameter problem, outgoing time exceeded and allow redirect. Internet Connection Firewall log file overview ICF maintains a log that can be rather useful in analyzing attempted connections to your computer. By default it is disabled, so be sure and enable logging. ICF will log all dropped packets. This means that every attempt by traffic to travel across the firewall will be logged. ICF will also log all outbound connections. This will give you a complete picture of every successful connection. Logs are generated in World Wide Web Consortium (W3C) Extended Log Format. This is a standard format used by common log analysis tools. These logs have two sections, the header and the body. The header contains static information. Things like the version of the security log, the name of the log, time format and a list of fields used in the body. The body will include data entered from traffic attempting to cross firewall. This will include things like date/timestamp, action, protocol, src-ip, dest-ip, src-port, dest-port, size, tcpflags, tcpsyn, tcpack, tcpwin, icmptype, icmpcode, and/or info. Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46 More information about the World Wide Web Consortium or about the Extended Log Format can be found at http://www.w3.org.

Conclusion Microsoft s Internet Connection Firewall was designed to work with personal firewall applications, not to compete with them. ICF is far from perfect as firewalls go. It doesn t block any outbound traffic; which won t protect you from Trojan application that have made it onto you computer by other means (email, downloads, etc). Its rules are rather basic compared to other personal firewalls. But on the other hand, ICF has no cost (other than the OS cost). It has little or no complexity, if the average home user uses the wizard to configure his Internet connection, he may not even know that ICF is in place. ICF is a tool designed for the average, not so knowledgeable home user with high speed Internet access and Key traditionally fingerprint = has AF19 little FA27 or no 2F94 protections 998D FDB5 in place. DE3D F8B5 06E4 A169 4E46 Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46

Sources Windows XP Technical Overview, May 18, 2001 http://www.microsoft.com/windowsxp/pro/techinfo/howitworks/overview/default.asp http://www.microsoft.com/windowsxp/pro/techinfo/howitworks/overview/09security.asp What New in Security for Windows XP, July 3, 2001 http://www.microsoft.com/windowsxp/pro/techinfo/howitworks/security/01section01.asp Why you need a firewall http://www.cisco.com/univercd/cc/td/doc/product/iaabu/centri4/user/scf4ch2.htm Key What fingerprint is a firewall = AF19 and FA27 why 2F94 do I 998D need one? FDB5 DE3D F8B5 06E4 A169 4E46 http://www.simonzone.com/software/guarddog/manual/why-need-firewall.html Choosing The Best Firewall, Gerhard Cronje, April 10, 2001 http://www.sans.org/infosecfaq/firewall/best.htm What is a firewall? http://www.fishnetsecurity.com/secinfo/overview.html Getting up to speed with Windows XP, Scot Finnie, Serdar Yegulalp, Neil Randall, and Dave Methvin, May 3, 2001 http://computers.lycos.com/software/xp.asp What is PPPoE?, July 23, 2001 http://www.carricksolutions.com/pppoe.htm Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46

Last Updated: June 21st, 2016 Upcoming SANS Training Click Here for a full list of all Upcoming SANS Events by Location SANS Salt Lake City 2016 Salt Lake City, UTUS Jun 27, 2016 - Jul 02, 2016 Live Event SANS Cyber Defence Canberra 2016 Canberra, AU Jun 27, 2016 - Jul 09, 2016 Live Event MGT433 at SANS London Summer 2016 London, GB Jul 07, 2016 - Jul 08, 2016 Live Event SANS London Summer 2016 London, GB Jul 09, 2016 - Jul 18, 2016 Live Event SANS Rocky Mountain 2016 Denver, COUS Jul 11, 2016 - Jul 16, 2016 Live Event SANS Delhi 2016 Delhi, IN Jul 18, 2016 - Jul 30, 2016 Live Event SANS San Antonio 2016 San Antonio, TXUS Jul 18, 2016 - Jul 23, 2016 Live Event SANS Minneapolis 2016 Minneapolis, MNUS Jul 18, 2016 - Jul 23, 2016 Live Event SANS San Jose 2016 San Jose, CAUS Jul 25, 2016 - Jul 30, 2016 Live Event Industrial Control Systems Security Training Houston, TXUS Jul 25, 2016 - Jul 30, 2016 Live Event SANS Vienna Vienna, AT Aug 01, 2016 - Aug 06, 2016 Live Event SANS Boston 2016 Boston, MAUS Aug 01, 2016 - Aug 06, 2016 Live Event Security Awareness Summit & Training San Francisco, CAUS Aug 01, 2016 - Aug 10, 2016 Live Event DEV531: Defending Mobile Apps San Francisco, CAUS Aug 08, 2016 - Aug 09, 2016 Live Event SANS Portland 2016 Portland, ORUS Aug 08, 2016 - Aug 13, 2016 Live Event SANS Dallas 2016 Dallas, TXUS Aug 08, 2016 - Aug 13, 2016 Live Event DEV534: Secure DevOps San Francisco, CAUS Aug 10, 2016 - Aug 11, 2016 Live Event Data Breach Summit Chicago, ILUS Aug 18, 2016 - Aug 18, 2016 Live Event SANS Alaska 2016 Anchorage, AKUS Aug 22, 2016 - Aug 27, 2016 Live Event SANS Bangalore 2016 Bangalore, IN Aug 22, 2016 - Sep 03, 2016 Live Event SANS Chicago 2016 Chicago, ILUS Aug 22, 2016 - Aug 27, 2016 Live Event SANS Virginia Beach 2016 Virginia Beach, VAUS Aug 22, 2016 - Sep 02, 2016 Live Event SANS Brussels Autumn 2016 Brussels, BE Sep 05, 2016 - Sep 10, 2016 Live Event SANS Adelaide 2016 Adelaide, AU Sep 05, 2016 - Sep 10, 2016 Live Event SANS Northern Virginia - Crystal City 2016 Crystal City, VAUS Sep 06, 2016 - Sep 11, 2016 Live Event SANS Network Security 2016 Las Vegas, NVUS Sep 10, 2016 - Sep 19, 2016 Live Event SANS London Autumn London, GB Sep 19, 2016 - Sep 24, 2016 Live Event SANS ICS London 2016 London, GB Sep 19, 2016 - Sep 25, 2016 Live Event Digital Forensics & Incident Response Summit OnlineTXUS Jun 23, 2016 - Jun 30, 2016 Live Event SANS OnDemand Books & MP3s OnlyUS Anytime Self Paced

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information