瞭解Windows防火牆的優缺點

Learn the pros and cons of Windows Firewall
瞭解Windows防火牆的優缺點

《endurer註：pros and cons 正反面，優缺點，利弊》

英文來源：http://techrepublic.com.com/5100-1009_11-6063367.html?tag=nl.e101
by  Michael Mullins CCNA, MCP
作者：Michael Mullins CCNA, MCP
翻譯：endurer 2006-04-28　第1版
Keywords:  Security applications/tools | Firewalls | Security | Internet
關鍵字：安全應用程式/工具 | 防火牆 | 安全 | Internet
Takeaway:
Is Windows Firewall up to the task of securing your network? Mike Mullins has his doubts. In this edition of Security Solutions, he delves into the details of Windows Firewall and weighs its pros and cons. 
概述：Windows防火牆勝任您的網路安全任務嗎？Mike Mullins有疑。在這期安全解決方案中，他深入研究Windows防火牆的細節，並權衡其優缺點。

《endurer註：1。up to 一直到,等於;正在做(直到,相當於,勝任,該由...決定)
2。delve into 鑽研, 深入研究》

 
Windows Firewall debuted with the release of Windows XP, and Windows XP Service Pack 2 enabled this feature by default. This host-based stateful firewall replaced Windows' Internet Connection Firewall.
Windows防火牆隨著Windows XP的發布初次登場，Windows XP Service Pack 2預設增強了特性。該主機型運用狀態(檢測)防火牆替代了WindowsInternet串連防火牆。

Stateful firewall 是一種新型防火牆技術，請點擊參考：防火牆新生代：Stateful－inspection(http://www.bupt.edu.cn/regnet/document/network/firewall1.htm)

This feature's default configuration rejects incoming IP traffic unless you've specifically allowed it. To configure or adjust the Windows Firewall settings, go to Start | Control Panel, and double-click the Windows Firewall applet. Let's take a closer look at the various settings.
這個特性的預設配置拒絕來訪IP流量，除非您已經特別允許。要配置或調整Windows防火牆設定，開始-->設定-->控制台，雙擊Windows防火牆程式。

Know your options
弄清選項

On the General tab, you can use the On and Off radio buttons to enable or disable Windows Firewall. You can also choose to disallow exceptions.
在常規選項卡，您可以使用啟用或禁用選項按鈕來啟用或禁用Windows防火牆。您也可以選擇禁用例外。

The Exceptions tab includes a list of programs and services that you can select or deselect to allow or remove access to the network. You can also add or delete ports (both TCP and UDP).
例外選項卡包含一個程式和服務列表，您可以選定或者取消選定來允許或去掉網路訪問權。你也可以添加或刪除連接埠（TCP和UDP均可）。

When adding programs or ports, you also have the following options to limit the scope of access: Any Computer (Including Those On The Internet), My Network (Subnet) Only, or Custom List, which allows you to choose a mix of IP addresses and subnets.
在添加程式或連接埠時，你也有下列選項來限制存取範圍：一些電腦（包括Internet上），僅限我的網路（子網），或自訂序列，這個自訂序列允許您選擇IP地址和子網集合。

《endurer註：1。custom list 【微軟】自訂序列》

On the Advanced tab, you can choose which connections the firewall will apply to, and you can specify logging features. You can also control, with some granularity, how the firewall handles Internet Control Message Protocol (ICMP) packets.
在進階選項卡，您可以選擇防火牆應用到哪個串連，並能指定登入特性。您也能較精確地控制防火牆如何處理Internet控制訊息協議 (ICMP)包。

Finally, if you get completely lost and make changes that prevent the computer from connecting to the Internet, you can click the Restore Defaults button. This removes all of your changes, returning Windows Firewall to the Microsoft default state.
最後，如果您完全迷路並使防止電腦串連到Internet的更改，可以點擊恢複預設按鈕。這將清除您所做的一切修改，讓Windows防火牆回複到微軟預設狀態。

《endurer註：1。get lost 迷路》

Know how to adjust the settings
瞭解怎麼調整設定

You can use the method described above to manually change the Windows Firewall settings. However, you can also use a variety of methods more suited for enterprise deployments. Here are some of your options:
您可以用上述方法手動更改Windows防火牆設定。然而，你也可以使用多種更適合企業部署的方法。這是一些選擇：

• Unattend.txt: You can use this text file used during unattended setup when deploying multiple systems that have similar configurations.
  Unattend.txt:在布署有相似配置的多個系統時，您可以在無人值守時使用這個文字檔
• Netfw.ini: You can modify and deploy this file via login scripts or a control system such as Systems Management Server (SMS). You can find this file in the %windir%/Inf folder.
  Netfw.ini: 您可以修改並通過登入指令檔或諸如Windows系統組態管理解決方案(SMS)之類的控制系統來部署。您可以在%windir%/Inf找到這個檔案。
• Netsh: You can execute this command at the command prompt or through a scripted batch file deployed at login.
  folder.Netsh: 您可以在命令提示字元，或通過布署的登入時指令碼批次檔來執行這個命令。
• Group Policy: In an Active Directory environment you can use Group Policy to deploy Windows Firewall configurations. Update existing Group Policy Objects with the Windows Firewall policy settings from the updated System.adm template included with Windows XP SP2. You can find these new settings under Computer Configuration | Administrative Templates | Network | Network Connections.
  組策略：在活動目錄環境中，您可以使用組策略來布署Windows防火牆配置。利用Windows XP SP2包含的已升級的System.adm模板中的Windows防火牆原則設定來更新現存組策略對象。您可以在電腦配置-->系統管理範本-->網路-->網路連接裡找到這些新設定。

Of course, all of these available configuration and deployment options beg the question: Does this firewall adequately protect your computer?
Weigh the pros and cons

當然所有這些可用配置和布署選項迴避問題的實質：這個防火牆充分保護你的電腦了嗎？

《endurer註：1。beg the question 以尚未解決的問題作為論據(迴避問題的實質)》

Weigh the pros and cons
權衡優缺點

The Windows Firewall does a good job of proxying inbound responses to outbound connection requests, and it does a good job of blocking inbound connection requests for TCP or UDP conversations that you haven't initiated. It will block any connection attempts that you haven't specifically allowed in the settings. However, that's only half of what a firewall needs to do.
Windows防火牆代理對出站串連請求的入站響應的工作做得好，並且阻塞您未發起的TCP或UDP會話入站串連請求的工作做得好，它將阻塞你未在設定中特別允許的串連企圖。然而，這隻是防火牆需要做的事情的中的一半。
《endurer註：1。do a good job 工作幹得好
2。inbound[電腦] 入站
3。outbound[電腦] 出站》

A firewall should also monitor, inspect, and proxy outbound communication—and this is where Windows Firewall fails. Any program on your computer can initiate any type of connection to any IP address on the Internet, and the Windows Firewall will sit by passively and let it happen!
防火牆也要監視，檢測和代理出站通訊——並且這是Windows防火牆失敗的地方。您電腦中的一些程式可以初始化到Internet上任何IP地址的任何類型的串連，而Windows防火牆將袖手旁觀，任其發生。

《endurer註：1。sit by 袖手旁觀, 無動於衷》

Don't let any prompts fool you: Even though it tells you a program has initiated a connection to the Internet and asks if you want to allow this connection, the connection has already occurred. What it's really asking is whether you want to allow the Internet to connect to this program.
別讓任何提示欺騙您：甚至它告訴你一個程式已經初始化了一個對Internet的串連，並詢問您是否允許該串連，該串連已經存在了。它實際問的是你是否想允許Internet串連到這個程式。

Final thoughts
最終思索

As far as I'm concerned, a firewall mechanism that only works one way is a security feature—not a firewall. Thanks to viruses, worms, Trojans, and a host of other malware and spyware that arrive on your computer daily, you need to be able to control communications from both directions.
至於我關心的，要努力改進的防火牆機制是安全特性——不是防火牆。由於天天到達您的電腦的病毒，蠕蟲，木馬，和其它惡意軟體和間諜軟體，你要能控制雙向通訊。
《endurer註：1。as far as 遠到, 直到, 至於
2。work one's way費力前進
3。 thanks to由於,多虧,歸功於》

Every computer connected to any network (e.g., dial-up, Ethernet, or wireless) needs a firewall, and Windows Firewall just isn't up to the task. Find yourself a free firewall or pay for one from a reputable vendor, but don't let Windows Firewall fool you into thinking it completely protects your computer. Half a firewall is no better than no firewall at all.
每台串連到任何網路（例如，拔號，乙太網或無線）的電腦需要防火牆，而Windows防火牆卻不能勝任這個任務。為自己找到一個免費防火牆或從名牌供應商那付費購買，但不要讓Windows防火牆欺騙您認為它完全保護了您的電腦。實際上半個防火牆和沒有防火牆一樣不好。

《endurer註：1。fool sb. into doing 哄騙某人做
2。no better than和...一樣不好》
 

endurer附註：相關參考：
如何配置 Windows XP Service Pack 2 中的 Windows 防火牆功能
http://support.microsoft.com/kb/875356/zh-cn