Feeds

Where, oh where, is my Windows firewall?

Server lament

  • alert
  • submit to reddit

Choosing a cloud hosting partner with confidence

I have a problem: I can't seem to find a good host-based firewall for my Windows servers. In fact, people constantly ask me what I recommend and I find myself with no good answer.

Even though most of my servers are already behind firewalls, I like having additional protection on the server itself. Sometimes I use remotely co-located servers where I have no firewall, and that makes me completely dependent upon software on the server itself.

It seems like the solution would be simple enough. I have been patiently waiting for someone to come along with a capable, full-featured Windows firewall so I can stop explaining to everyone why the right way to go is probably Linux with iptables. But my wait has mostly been in vain. Every time I think I have found the ultimate Windows firewall solution, I end up being disappointed in one way or another. Let's consider our current offerings.

Sure, there's TCP/IP filtering. It's actually quite fast. But it is also so limited that it's only good for the most basic filtering of incoming traffic. If you use TCP/IP filter, you will definitely need additional layers of protection.

IPSec is better, once you sort out the difference between rules, rulesets, filters, and filtersets. You can use either the UI or the scripting interface, but they are both just as confusing. Once you finally get it up and running, you might notice the network is slower - because IPSec with packet filtering alone can slow down the network by 10-15 per cent. Oh, and here's the thing I hate most about IPSec: it logs to the Windows EventLog. If you want to browse your firewall logs, you either have click on each event to view the properties or export them to another format. That's enough to make me avoid it altogether.

The Internet Connection Firewall (ICF) in Windows 2003 is somewhat better. It has decent performance and some flexibility with the rules. When Windows 2003 SP1 comes around, the new Windows Firewall will be even better. Windows Firewall is a big improvement and it has Group Policy support. Unfortunately, Windows Firewall doesn't let you set any rules on outgoing traffic. Furthermore, it requires turning on the Remote Access Connection Manager and Telephony services - something I normally wouldn't need to do on, say, a mail or web server that I'm trying to secure.

What about RAS? You may have noticed that it has packet filtering capabilities, and in fact there is a good API for other tools to set these filters. But these filters do not let you control low-level traffic such as ICMP, so it's not very useful.

There are plenty of personal firewalls out there that work quite well for desktop computers, but they all fall short for server use. Some are obviously better than others, but all are plagued with common problems such as poor logging facilities, limited configuration capabilities, slow performance, and worst of all, many of them seem to be prone to blue screens when traffic gets very high.

The problem with personal firewalls is the way they integrate with Windows. There are actually numerous ways to intercept packets in Windows, each with their own disadvantages and weaknesses. All approaches are poorly documented. Many of them involve intercepting kernel-mode functions or writing device drivers. This works, sure, but you had better make sure the code is solid or you will experience frequent blue screens.

Another problem is that these methods usually don't interact well with others - don't try installing two personal firewalls, or chances are you will have strange problems. And of course, writing hooks into other drivers can sometimes cause problems when installing service packs or hotfixes. There are just more places for things to break.

Personal firewalls don't work well for unattended servers, either. Many of them have pop-up windows asking the user to allow certain network packets. This obviously doesn't work on an unattended server. Some firewalls I have tried rely on a tray icon that you cannot even access via Terminal Services!

My last attempt to find the holy grail of a Windows server firewall was with installing ISA Server 2004. To my surprise, it worked quite well. Its footprint was a bit hefty and it was total overkill for something used for little more than a personal firewall, but it still worked well in that role. There's just one problem: the ISA Server software license costs more than the server itself. That makes it far too difficult to justify its use.

What do I do now? I find myself buying small hardware firewalls to sit on top of the server - just because I'm a little too paranoid to leave it standing alone.

Not all hope is lost, at least. Microsoft is working on a new Windows Filtering Platform (WFP) for the upcoming Longhorn OS, due to be released perhaps in the next few years. WFP is basically a packet filtering engine built into the OS. Third party firewall companies will simply tap into this single interface and configure the rules. WFP provides access to packets at various layers of the new TCP/IP protocol stack and it has support for filtering traffic after it has been decrypted. It even has IPv6 suppport. WFP sounds great, but it still doesn't help me today. It's some ways off. And it also remains to be seen how effective and stable this feature turns out.

You would think the answer is simple, but it's not. It still amazes me that that an adequate, affordable firewall solution for Windows servers just doesn't exist.

Copyright © 2004, SecurityFocus logo

Mark Burnett is an independent researcher, consultant, and writer specializing in Windows security. He is the author of Hacking the Code: ASP.NET Web Application Security (Syngress), co-author of the best-selling book Stealing The Network: How to Own the Box (Syngress), and co-author of Maximum Windows 2000 Security (SAMS Publishing). He is a contributor and technical editor for Special Ops: Host and Network Security for Microsoft, UNIX, and Oracle. Mark speaks at various security conferences and has published articles in Windows IT Pro Magazine (formerly Windows & .NET Magazine), Redmond Magazine, Information Security, Windows Web Solutions, Security Administrator and various other print and online publications. Mark is a Microsoft Windows Server Most Valued Professional for Internet Information Services.

Related stories

MS plugs weak XP firewall
Update for Microsoft's Windows Server 2003 secures new beta status
Security Report: Windows vs Linux

Top 5 reasons to deploy VMware with Tegile

More from The Register

next story
The cloud that goes puff: Seagate Central home NAS woes
4TB of home storage is great, until you wake up to a dead device
Azure TITSUP caused by INFINITE LOOP
Fat fingered geo-block kept Aussies in the dark
You think the CLOUD's insecure? It's BETTER than UK.GOV's DATA CENTRES
We don't even know where some of them ARE – Maude
Intel offers ingenious piece of 10TB 3D NAND chippery
The race for next generation flash capacity now on
Want to STUFF Facebook with blatant ADVERTISING? Fine! But you must PAY
Pony up or push off, Zuck tells social marketeers
Oi, Europe! Tell US feds to GTFO of our servers, say Microsoft and pals
By writing a really angry letter about how it's harming our cloud business, ta
SAVE ME, NASA system builder, from my DEAD WORKSTATION
Anal-retentive hardware nerd in paws-on workstation crisis
prev story

Whitepapers

Choosing cloud Backup services
Demystify how you can address your data protection needs in your small- to medium-sized business and select the best online backup service to meet your needs.
A strategic approach to identity relationship management
ForgeRock commissioned Forrester to evaluate companies’ IAM practices and requirements when it comes to customer-facing scenarios versus employee-facing ones.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Getting ahead of the compliance curve
Learn about new services that make it easy to discover and manage certificates across the enterprise and how to get ahead of the compliance curve.
Saudi Petroleum chooses Tegile storage solution
A storage solution that addresses company growth and performance for business-critical applications of caseware archive and search along with other key operational systems.