Attack and Defense Notes: Defects of Windows Firewall

Source: Internet
Author: User

Source: China Computer Education News

Here is a common question: "I don't know what firewall to choose for a Windows Server." In fact, people often ask me this question, but I cannot find the best answer myself. Many times, even if the server is protected by a hardware firewall, I still like to install additional software protection on the server itself. Sometimes my servers are located at a remote site without a hardware-level firewall to protect them, so I have to rely entirely on software installed on the server to ensure their security.

It sounds simple. In fact, however, I have been patiently waiting for the day I find the perfect Windows firewall, so that I no longer need to explain to those who ask why I often prefer to deploy Linux systems with iptables. But I think my waiting is futile. Many times I thought I had finally found the best Windows firewall solution, but that was only the first of my disappointments.

The TCP/IP filter is indeed very fast, but its advantages end there, because when you use the TCP/IP filter you must add protection at other layers.

IPSec is good. After you select the applicable rules and filter terms, you can set them through the GUI or the command-line interface; however, both the graphical interface and the command-line interface are easy to get confused by. When you finally complete the configuration and get it running, you will find that the network is slowing down, because when IPSec filters packets it can slow down the network by 10% to 15%. While I am at it, here is another thing that makes me hate IPSec: it records its logs as Windows events, so when you want to look at your firewall logs, you need to open the Event Logs and dig out what you want. This alone is enough for me to stop using it.

Internet Connection Firewall (ICF) in Windows Server 2003 is a little better. It performs well and is flexible in terms of rules. When Windows Server 2003 SP1 arrives, the new Windows Firewall will be better still. Windows Firewall is a big improvement and supports Group Policy. Unfortunately, Windows Firewall does not allow you to set any rules for the sender. In addition, it requires remote management and communication services to be enabled, which I do not normally need.

Some may ask: what about RAS? You may have noticed that it has a packet filtering function, and in fact it also provides a good API for other tools to configure the filters. However, these filters cannot control the underlying protocols, such as ICMP, so they are actually useless.

There are also many personal firewalls that run very well on desktop systems, but they cannot meet the needs of server users. Although some of these products are clearly better than their peers, all personal firewalls share the same problems: rudimentary logging tools, slow execution and, worst of all, a tendency in most of them to cause blue screens when data traffic is very high.

These problems arise from the way personal firewalls are combined with Windows. They intercept packets in a variety of ways, each of which brings its own defects. Some personal firewall products work by hooking into the system kernel or rewriting hardware drivers. Because they work this way, you had better pray that the product is stable. Otherwise, you will often see blue screens. As noted, when traffic is heavy, the system blue-screens frequently.

Another problem is that, because of the way these personal firewalls work, they are usually mutually incompatible, so do not try to install two personal firewalls on a PC at the same time; the same applies to servers. Otherwise, you may run into problems. Personal firewalls are also not suitable for unattended servers, because most of them bring up a dialog box when blocking packets, asking the user to choose how to handle the event. Some firewalls also fail to smoothly access terminal services through the system tray icon.

The last time I thought I had found the best Windows firewall solution was when I tried installing ISA Server 2004 on Windows Server. To my surprise, it ran very well. Its feature set is very complete and its scope of protection is similar to that of the personal firewalls, but it runs more stably. I found only one problem: the ISA Server 2004 license is more expensive than the server itself. This makes it difficult for users to accept.

What should I do now? I think it's crazy if I spend money to buy a small hardware-level firewall to protect my servers, just because I sometimes leave it for a short time.

Not all hope is lost. At least Microsoft is trying to build a new filtering platform, WFP, on the upcoming "Longhorn" system. The actual release date of this version may be in the next one or two years. WFP is a packet filtering technology integrated into the operating system.

In the future, third-party firewalls may simply plug into WFP and provide the rule configuration function. WFP is planned to support multiple layers of the new TCP/IP protocol stack and can filter before the communication stream is parsed. WFP even supports IPv6. WFP sounds good, but it cannot help us today. It is still some way off. In addition, whether it is effective and stable remains to be seen in actual use.

You may think the answer is too simple; of course it is not. These still surprise us appropriately. Currently, the perfect firewall solution for Windows Server does not exist.
