Where, oh where, is my Windows firewall?

Server lament

  • alert
  • submit to reddit

High performance access to file storage

I have a problem: I can't seem to find a good host-based firewall for my Windows servers. In fact, people constantly ask me what I recommend and I find myself with no good answer.

Even though most of my servers are already behind firewalls, I like having additional protection on the server itself. Sometimes I use remotely co-located servers where I have no firewall, and that makes me completely dependent upon software on the server itself.

It seems like the solution would be simple enough. I have been patiently waiting for someone to come along with a capable, full-featured Windows firewall so I can stop explaining to everyone why the right way to go is probably Linux with iptables. But my wait has mostly been in vain. Every time I think I have found the ultimate Windows firewall solution, I end up being disappointed in one way or another. Let's consider our current offerings.

Sure, there's TCP/IP filtering. It's actually quite fast. But it is also so limited that it's only good for the most basic filtering of incoming traffic. If you use TCP/IP filter, you will definitely need additional layers of protection.

IPSec is better, once you sort out the difference between rules, rulesets, filters, and filtersets. You can use either the UI or the scripting interface, but they are both just as confusing. Once you finally get it up and running, you might notice the network is slower - because IPSec with packet filtering alone can slow down the network by 10-15 per cent. Oh, and here's the thing I hate most about IPSec: it logs to the Windows EventLog. If you want to browse your firewall logs, you either have click on each event to view the properties or export them to another format. That's enough to make me avoid it altogether.

The Internet Connection Firewall (ICF) in Windows 2003 is somewhat better. It has decent performance and some flexibility with the rules. When Windows 2003 SP1 comes around, the new Windows Firewall will be even better. Windows Firewall is a big improvement and it has Group Policy support. Unfortunately, Windows Firewall doesn't let you set any rules on outgoing traffic. Furthermore, it requires turning on the Remote Access Connection Manager and Telephony services - something I normally wouldn't need to do on, say, a mail or web server that I'm trying to secure.

What about RAS? You may have noticed that it has packet filtering capabilities, and in fact there is a good API for other tools to set these filters. But these filters do not let you control low-level traffic such as ICMP, so it's not very useful.

There are plenty of personal firewalls out there that work quite well for desktop computers, but they all fall short for server use. Some are obviously better than others, but all are plagued with common problems such as poor logging facilities, limited configuration capabilities, slow performance, and worst of all, many of them seem to be prone to blue screens when traffic gets very high.

The problem with personal firewalls is the way they integrate with Windows. There are actually numerous ways to intercept packets in Windows, each with their own disadvantages and weaknesses. All approaches are poorly documented. Many of them involve intercepting kernel-mode functions or writing device drivers. This works, sure, but you had better make sure the code is solid or you will experience frequent blue screens.

Another problem is that these methods usually don't interact well with others - don't try installing two personal firewalls, or chances are you will have strange problems. And of course, writing hooks into other drivers can sometimes cause problems when installing service packs or hotfixes. There are just more places for things to break.

Personal firewalls don't work well for unattended servers, either. Many of them have pop-up windows asking the user to allow certain network packets. This obviously doesn't work on an unattended server. Some firewalls I have tried rely on a tray icon that you cannot even access via Terminal Services!

My last attempt to find the holy grail of a Windows server firewall was with installing ISA Server 2004. To my surprise, it worked quite well. Its footprint was a bit hefty and it was total overkill for something used for little more than a personal firewall, but it still worked well in that role. There's just one problem: the ISA Server software license costs more than the server itself. That makes it far too difficult to justify its use.

What do I do now? I find myself buying small hardware firewalls to sit on top of the server - just because I'm a little too paranoid to leave it standing alone.

Not all hope is lost, at least. Microsoft is working on a new Windows Filtering Platform (WFP) for the upcoming Longhorn OS, due to be released perhaps in the next few years. WFP is basically a packet filtering engine built into the OS. Third party firewall companies will simply tap into this single interface and configure the rules. WFP provides access to packets at various layers of the new TCP/IP protocol stack and it has support for filtering traffic after it has been decrypted. It even has IPv6 suppport. WFP sounds great, but it still doesn't help me today. It's some ways off. And it also remains to be seen how effective and stable this feature turns out.

You would think the answer is simple, but it's not. It still amazes me that that an adequate, affordable firewall solution for Windows servers just doesn't exist.

Copyright © 2004, SecurityFocus logo

Mark Burnett is an independent researcher, consultant, and writer specializing in Windows security. He is the author of Hacking the Code: ASP.NET Web Application Security (Syngress), co-author of the best-selling book Stealing The Network: How to Own the Box (Syngress), and co-author of Maximum Windows 2000 Security (SAMS Publishing). He is a contributor and technical editor for Special Ops: Host and Network Security for Microsoft, UNIX, and Oracle. Mark speaks at various security conferences and has published articles in Windows IT Pro Magazine (formerly Windows & .NET Magazine), Redmond Magazine, Information Security, Windows Web Solutions, Security Administrator and various other print and online publications. Mark is a Microsoft Windows Server Most Valued Professional for Internet Information Services.

Related stories

MS plugs weak XP firewall
Update for Microsoft's Windows Server 2003 secures new beta status
Security Report: Windows vs Linux

High performance access to file storage

More from The Register

next story
Seagate brings out 6TB HDD, did not need NO STEENKIN' SHINGLES
Or helium filling either, according to reports
European Court of Justice rips up Data Retention Directive
Rules 'interfering' measure to be 'invalid'
Dropbox defends fantastically badly timed Condoleezza Rice appointment
'Nothing is going to change with Dr. Rice's appointment,' file sharer promises
Cisco reps flog Whiptail's Invicta arrays against EMC and Pure
Storage reseller report reveals who's selling what
Bored with trading oil and gold? Why not flog some CLOUD servers?
Chicago Mercantile Exchange plans cloud spot exchange
Just what could be inside Dropbox's new 'Home For Life'?
Biz apps, messaging, photos, email, more storage – sorry, did you think there would be cake?
IT bods: How long does it take YOU to train up on new tech?
I'll leave my arrays to do the hard work, if you don't mind
prev story


Securing web applications made simple and scalable
In this whitepaper learn how automated security testing can provide a simple and scalable way to protect your web applications.
Five 3D headsets to be won!
We were so impressed by the Durovis Dive headset we’ve asked the company to give some away to Reg readers.
HP ArcSight ESM solution helps Finansbank
Based on their experience using HP ArcSight Enterprise Security Manager for IT security operations, Finansbank moved to HP ArcSight ESM for fraud management.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
Mobile application security study
Download this report to see the alarming realities regarding the sheer number of applications vulnerable to attack, as well as the most common and easily addressable vulnerability errors.