Where, oh where, is my Windows firewall?

Server lament

  • alert
  • submit to reddit

Remote control for virtualized desktops

I have a problem: I can't seem to find a good host-based firewall for my Windows servers. In fact, people constantly ask me what I recommend and I find myself with no good answer.

Even though most of my servers are already behind firewalls, I like having additional protection on the server itself. Sometimes I use remotely co-located servers where I have no firewall, and that makes me completely dependent upon software on the server itself.

It seems like the solution would be simple enough. I have been patiently waiting for someone to come along with a capable, full-featured Windows firewall so I can stop explaining to everyone why the right way to go is probably Linux with iptables. But my wait has mostly been in vain. Every time I think I have found the ultimate Windows firewall solution, I end up being disappointed in one way or another. Let's consider our current offerings.

Sure, there's TCP/IP filtering. It's actually quite fast. But it is also so limited that it's only good for the most basic filtering of incoming traffic. If you use TCP/IP filter, you will definitely need additional layers of protection.

IPSec is better, once you sort out the difference between rules, rulesets, filters, and filtersets. You can use either the UI or the scripting interface, but they are both just as confusing. Once you finally get it up and running, you might notice the network is slower - because IPSec with packet filtering alone can slow down the network by 10-15 per cent. Oh, and here's the thing I hate most about IPSec: it logs to the Windows EventLog. If you want to browse your firewall logs, you either have click on each event to view the properties or export them to another format. That's enough to make me avoid it altogether.

The Internet Connection Firewall (ICF) in Windows 2003 is somewhat better. It has decent performance and some flexibility with the rules. When Windows 2003 SP1 comes around, the new Windows Firewall will be even better. Windows Firewall is a big improvement and it has Group Policy support. Unfortunately, Windows Firewall doesn't let you set any rules on outgoing traffic. Furthermore, it requires turning on the Remote Access Connection Manager and Telephony services - something I normally wouldn't need to do on, say, a mail or web server that I'm trying to secure.

What about RAS? You may have noticed that it has packet filtering capabilities, and in fact there is a good API for other tools to set these filters. But these filters do not let you control low-level traffic such as ICMP, so it's not very useful.

There are plenty of personal firewalls out there that work quite well for desktop computers, but they all fall short for server use. Some are obviously better than others, but all are plagued with common problems such as poor logging facilities, limited configuration capabilities, slow performance, and worst of all, many of them seem to be prone to blue screens when traffic gets very high.

The problem with personal firewalls is the way they integrate with Windows. There are actually numerous ways to intercept packets in Windows, each with their own disadvantages and weaknesses. All approaches are poorly documented. Many of them involve intercepting kernel-mode functions or writing device drivers. This works, sure, but you had better make sure the code is solid or you will experience frequent blue screens.

Another problem is that these methods usually don't interact well with others - don't try installing two personal firewalls, or chances are you will have strange problems. And of course, writing hooks into other drivers can sometimes cause problems when installing service packs or hotfixes. There are just more places for things to break.

Personal firewalls don't work well for unattended servers, either. Many of them have pop-up windows asking the user to allow certain network packets. This obviously doesn't work on an unattended server. Some firewalls I have tried rely on a tray icon that you cannot even access via Terminal Services!

My last attempt to find the holy grail of a Windows server firewall was with installing ISA Server 2004. To my surprise, it worked quite well. Its footprint was a bit hefty and it was total overkill for something used for little more than a personal firewall, but it still worked well in that role. There's just one problem: the ISA Server software license costs more than the server itself. That makes it far too difficult to justify its use.

What do I do now? I find myself buying small hardware firewalls to sit on top of the server - just because I'm a little too paranoid to leave it standing alone.

Not all hope is lost, at least. Microsoft is working on a new Windows Filtering Platform (WFP) for the upcoming Longhorn OS, due to be released perhaps in the next few years. WFP is basically a packet filtering engine built into the OS. Third party firewall companies will simply tap into this single interface and configure the rules. WFP provides access to packets at various layers of the new TCP/IP protocol stack and it has support for filtering traffic after it has been decrypted. It even has IPv6 suppport. WFP sounds great, but it still doesn't help me today. It's some ways off. And it also remains to be seen how effective and stable this feature turns out.

You would think the answer is simple, but it's not. It still amazes me that that an adequate, affordable firewall solution for Windows servers just doesn't exist.

Copyright © 2004, SecurityFocus logo

Mark Burnett is an independent researcher, consultant, and writer specializing in Windows security. He is the author of Hacking the Code: ASP.NET Web Application Security (Syngress), co-author of the best-selling book Stealing The Network: How to Own the Box (Syngress), and co-author of Maximum Windows 2000 Security (SAMS Publishing). He is a contributor and technical editor for Special Ops: Host and Network Security for Microsoft, UNIX, and Oracle. Mark speaks at various security conferences and has published articles in Windows IT Pro Magazine (formerly Windows & .NET Magazine), Redmond Magazine, Information Security, Windows Web Solutions, Security Administrator and various other print and online publications. Mark is a Microsoft Windows Server Most Valued Professional for Internet Information Services.

Related stories

MS plugs weak XP firewall
Update for Microsoft's Windows Server 2003 secures new beta status
Security Report: Windows vs Linux

Secure remote control for conventional and virtual desktops

More from The Register

next story
NSA SOURCE CODE LEAK: Information slurp tools to appear online
Now you can run your own intelligence agency
Fat fingered geo-block kept Aussies in the dark
Yahoo! blames! MONSTER! email! OUTAGE! on! CUT! CABLE! bungle!
Weekend woe for BT as telco struggles to restore service
Cloud unicorns are extinct so DiData cloud mess was YOUR fault
Applications need to be built to handle TITSUP incidents
Stop the IoT revolution! We need to figure out packet sizes first
Researchers test 802.15.4 and find we know nuh-think! about large scale sensor network ops
Turnbull should spare us all airline-magazine-grade cloud hype
Box-hugger is not a dirty word, Minister. Box-huggers make the cloud WORK
SanDisk vows: We'll have a 16TB SSD WHOPPER by 2016
Flash WORM has a serious use for archived photos and videos
Astro-boffins start opening universe simulation data
Got a supercomputer? Want to simulate a universe? Here you go
Microsoft adds video offering to Office 365. Oh NOES, you'll need Adobe Flash
Lovely presentations... but not on your Flash-hating mobe
prev story


Free virtual appliance for wire data analytics
The ExtraHop Discovery Edition is a free virtual appliance will help you to discover the performance of your applications across the network, web, VDI, database, and storage tiers.
A strategic approach to identity relationship management
ForgeRock commissioned Forrester to evaluate companies’ IAM practices and requirements when it comes to customer-facing scenarios versus employee-facing ones.
10 threats to successful enterprise endpoint backup
10 threats to a successful backup including issues with BYOD, slow backups and ineffective security.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Website security in corporate America
Find out how you rank among other IT managers testing your website's vulnerabilities.