Windows 7 native firewall is based on two sets of rules that complement each other. The basic Windows Firewall uses simple rules that directly relate to a program or service while the Windows Firewall with Advanced Security (WFAS) allows for more complicated rules that filter traffic on the basis of port, protocol, address and authentication.
Windows Firewall analyzes the traffic to and from the network interface/s and either allows or blocks traffic on the basis of rules that have been setup in the firewall. Briefly, the firewall restricts network traffic based on a collection of configurable rules. It is very important to understand that unless a rule exists that explicitly allows a particular form of traffic, the firewall will drop that traffic. By default, Windows Firewall comes with a set of pre-defined rules that allow you to browse the web and perform ordinary operations but blocks you from performing advanced tasks such as, using FTP. Both outbound and inbound traffic is blocked for traffic that has no allow rules. When a program is blocked for the first time, you are allowed to configure a rule called an exception that allows this traffic to pass.
Why it is important to have an active Windows Firewall!
Apart from the security it provides through the active rules, Windows 7 firewall blocks external hosts from performing operating system fingerprinting where an attacker tries to determine what operating system a host is running so that its vulnerabilities can be exploited. This feature is known as full stealth! In addition, Windows 7 ensures that the firewall starts immediately after the network interface/s become active and not after the startup process is complete such as, in Windows XP. This feature is called Boot time filtering which reduces the attack surface during boot up.
What terms you will be dealing with when managing the firewall!
Protocols – Windows Firewall deals with three protocols which are TCP (Transmission Control Protocol), UDP (User Datagram Protocol) and ICMP (Internet Control Message Protocol). As you may already know, TCP is the widely used protocol for Internet traffic while UDP is used in specific areas such as, broadcast traffic. ICMP is primarily used for diagnostics purposes.
Ports – these are used to map network traffic to specific services or programs running on a computer. It is an identification number that is encapsulated within the header of a TCP or UDP datagram.
IPSec – a mechanism that encrypts and signs traffic so that attackers cannot read captured traffic. IPSec (Internet Protocol Security) also allows the recipient of the traffic to validate the sender’s identity.
Network address – it can be a host or a group of hosts address. Firewall rules can be set to act on specific addresses that is, perform different actions based on the destination network for outgoing traffic or the source network for incoming traffic.
Inbound/Outbound traffic – the inbound traffic is the traffic that originates from an external host and is sent to your machine while the outbound traffic is the traffic that your machine sends to external hosts.
Network Interface – it can be a physical LAN connection, a wireless connection, a modem connection or a VPN connection on your computer.