Chapter 7
Protecting Yourself with Windows Firewall

If you use the Internet, a firewall is a must-have security tool. It isn't the only tool you need, but it's an important one. It protects your computer from hackers and worms. Hackers, in this chapter, are people who try to reach your computer over the Internet without your knowledge or consent. Worms are malicious programs that spread on their own from computer to computer over the network, usually by exploiting a flaw in a program that is listening for connections; unlike a virus, a worm doesn't need you to open a file to get in.

Windows 10 comes with its own built-in firewall. If you didn't know about it before going online, relax. The firewall is enabled by default, so most likely it has been protecting you since the first moment you went online. (A home router typically blocks unsolicited incoming traffic as well, but the Windows firewall is the one that travels with the computer to coffee shops and hotels.) In this chapter, you learn how the firewall works and how to configure it for maximum protection.

How Firewalls Work

To understand what a firewall is, you first need to understand what a network connection is. Even though you have only one skinny set of wires (or one Wi-Fi radio) connecting your computer to the Internet, that connection is shared by up to 65,536 ports, numbered 0 through 65535. A port isn't a physical thing; it's a number carried in each packet that tells your computer which program the data is for. Each port can carry on its own conversation with the outside world at the same time, so in theory you could have tens of thousands of things going on at once. In practice, most people use a handful of ports at a time.

Ports come in two kinds, because each transport protocol has its own set of 65,536 port numbers (TCP port 80 and UDP port 80 are different doors):

  • TCP (Transmission Control Protocol): A connection-oriented protocol used for most things that must arrive complete and in order, such as web pages, e-mail, and file transfers. The two computers first agree to talk (the "handshake"), and the receiver acknowledges data so that anything lost is sent again.
  • UDP (User Datagram Protocol): A connectionless protocol that works more like broadcast TV or radio: each packet is sent on its own, with no handshake, no acknowledgment, and no retransmission (only a simple checksum). UDP is used for real-time traffic such as voice calls, streaming, and games, and for short lookups such as DNS, where waiting for a resend would be worse than losing a packet.

Each port has two directions: incoming (or ingress) and outgoing (or egress). The directions indicate whether data traffic is coming into your computer from the outside — over the Internet — or going out from your computer to the Internet. Data traffic coming into your computer is what you have to watch out for. You can't close all ports to all incoming traffic, because if you do, you have no way to get the good information in. But you don't want to let everything in, either. You need a way to separate the wheat from the chaff, so to speak.

Anti-spyware and antivirus software are good tools for keeping out viruses and other bad things that arrive inside files. But an attacker can reach a program that's listening on an open port directly, with no file involved, and if that program has a flaw, the attacker (or a worm) is in. That's where the firewall comes into play. A stateful firewall, such as the one that comes with Windows 10, keeps track of every connection your computer starts. When a packet from the Internet arrives at a port, the firewall checks whether it belongs to a conversation you began (for example, the reply to a web page you asked for). If it does, it's let in. If it doesn't, it's unsolicited; the firewall assumes nobody asked for it and drops it unless a rule specifically allows it. Figure 7.1 illustrates how a stateful firewall works.

Diagram of a stateful firewall presenting a PC (User), a firewall, and 2 CPUs (internet servers). Two double-headed arrows connect PC and one CPU to firewall, while a left arrow from other CPU points to firewall.

Figure 7.1 A stateful firewall.

Firewall security means more than having a port open or closed. It's also about filtering: making sure that data coming into an open port is something you requested and not rogue, uninvited traffic sent by an attacker. Many fast-spreading worms, including the ones of the early 2000s that hit Windows file-sharing and RPC ports, got in exactly this way, through ports nothing was filtering. To prevent such things, make sure you have a firewall up whenever you go online.
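The ports the chapter describes are only an abstraction until you see which ones your own computer is actually listening on. The following PowerShell is an added example, not code from the book: it lists every TCP and UDP port with a listener and the process behind it, which is exactly the set of doors an unsolicited packet could reach if the firewall did not drop it. It assumes Windows 8 or later (the NetTCPIP module) and is best run from an elevated PowerShell so that service process names resolve.

```powershell
# Added example (not from the book): enumerate listening TCP/UDP ports and
# the owning process. Ports bound to 0.0.0.0 or :: accept traffic from any
# interface, so those are the ones to compare against the firewall rules.

function Get-ListeningPort {
    $tcp = Get-NetTCPConnection -State Listen | ForEach-Object {
        [pscustomobject]@{
            Protocol  = 'TCP'
            LocalAddr = $_.LocalAddress
            Port      = $_.LocalPort
            Pid       = $_.OwningProcess
        }
    }
    $udp = Get-NetUDPEndpoint | ForEach-Object {
        [pscustomobject]@{
            Protocol  = 'UDP'
            LocalAddr = $_.LocalAddress
            Port      = $_.LocalPort
            Pid       = $_.OwningProcess
        }
    }
    # @() guards against a single object, where '+' would not concatenate.
    @($tcp) + @($udp) | ForEach-Object {
        $proc = Get-Process -Id $_.Pid -ErrorAction SilentlyContinue
        $name = if ($proc) { $proc.ProcessName } else { '?' }
        $_ | Add-Member -NotePropertyName Process -NotePropertyValue $name -PassThru
    } | Sort-Object Protocol, Port -Unique
}

# Only the listeners reachable from other machines; loopback-only ports
# (127.0.0.1 / ::1) are not exposed to the network at all.
Get-ListeningPort |
    Where-Object { $_.LocalAddr -in @('0.0.0.0', '::') } |
    Format-Table Protocol, Port, Pid, Process -AutoSize
```

Anything in that list that you do not recognize is worth investigating before you worry about firewall rules for it: a listener you don't need is attack surface regardless of how it is filtered.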

Introducing Security and Maintenance

Before you explore Windows Firewall, take a look at the Security and Maintenance Control Panel program. This program is a single point of notification for most of your PC's security. You can open Security and Maintenance in several ways. Use the method that is most convenient for you:

  • In Cortana, type maint and click Security and Maintenance.
  • On the desktop, press Windows+X, choose Control Panel, and then click Security and Maintenance.

Whichever method you use, the Security and Maintenance window opens. Figure 7.2 shows an example. We clicked the arrow button to the right of each heading so that you can see the descriptive text under each heading. You can click that button to show or hide the descriptive text.

Screenshot of the Security and Maintenance window of the Control Panel program displaying categories, Security and Maintenance. Also displayed below are the two icons, namely, Troubleshooting and Recovery.

Figure 7.2 Security and Maintenance Control Panel program.

How you know Windows Firewall is on

By default, Windows Firewall is turned on and working at all times, so Security and Maintenance should show "On" beside the Network Firewall item. (You see the Network Firewall item only after you click the arrow beside the Security heading.) If Security and Maintenance on your computer shows Off or Not Monitored, you may have a third-party firewall program running in place of Windows Firewall. Many such programs are available, such as those from McAfee, Symantec, and Check Point. If your firewall is turned off and you don't know why, find out the reason, perhaps from your computer manufacturer or a support person who worked on your computer. If you don't have any firewall up, definitely turn on Windows Firewall.

Turning Windows Firewall on or off

To turn Windows Firewall on or off, you must have administrative privileges. In the System and Security Control Panel window, click Windows Firewall. You should see the current firewall status in the right pane, and options for controlling the firewall in the left pane. Click Change Notification Settings or Turn Windows Firewall On or Off in the left pane to see the options shown in the foreground of Figure 7.3.

Customize Settings page of Windows Firewall window displaying firewall settings for both private and public such as turning on or off firewall, blocking incoming connections and notification for blocked apps.

Figure 7.3 Settings for Windows Firewall.

If you have a third-party firewall that you trust more than Windows Firewall, you can choose the Turn off Windows Firewall option. Most third-party firewalls turn Windows Firewall off themselves when you install them, which is what the Off or Not Monitored status described earlier usually means. Just make sure you always have one firewall up when you go online. Otherwise, nothing stops uninvited traffic once it reaches your network connection.
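The same check that Security and Maintenance performs can be scripted, which is how you would verify a fleet rather than one desktop. The block below is an added example, not code from the book. It assumes Windows 10 with the built-in NetSecurity module; the root/SecurityCenter2 query, where third-party firewalls register themselves, exists only on client editions of Windows, and changing profile settings requires an elevated PowerShell.

```powershell
# Added example (not from the book): report the firewall state per profile,
# detect a registered third-party firewall, and turn Windows Firewall back on
# if nothing else is protecting the machine.

function Get-FirewallStatus {
    # One row per profile. Block inbound / Allow outbound is the default policy
    # the chapter describes; 'NotConfigured' means that built-in default applies.
    Get-NetFirewallProfile |
        Select-Object Name, Enabled, DefaultInboundAction, DefaultOutboundAction, LogFileName
}

function Get-ThirdPartyFirewall {
    # Third-party products register here; Windows Firewall itself is not listed.
    # Returns nothing on Windows Server, where the namespace does not exist.
    Get-CimInstance -Namespace 'root/SecurityCenter2' -ClassName FirewallProduct `
        -ErrorAction SilentlyContinue | Select-Object displayName
}

function Enable-WindowsFirewallAllProfiles {
    # Turn the firewall on for every profile and restore the default
    # block-inbound / allow-outbound policy. Safe to run repeatedly.
    Set-NetFirewallProfile -Profile Domain,Private,Public -Enabled True `
        -DefaultInboundAction Block -DefaultOutboundAction Allow
}

$status = Get-FirewallStatus
$status | Format-Table -AutoSize

$third = Get-ThirdPartyFirewall
if ($third) {
    'Third-party firewall registered with Windows:'
    $third | Format-Table -AutoSize
}

$anyOff = $status | Where-Object { $_.Enabled -ne 'True' }
if ($anyOff -and -not $third) {
    Write-Warning 'No third-party firewall found and at least one profile is off; enabling Windows Firewall.'
    Enable-WindowsFirewallAllProfiles
    Get-FirewallStatus | Format-Table -AutoSize
}
```

The decision in the last block mirrors the advice in the text: a profile that is off is acceptable only if another firewall has taken over, and the script refuses to guess when none has registered.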

Making Exceptions to Firewall Protection

When Windows Firewall is turned on and running, you don't have to do anything special to use it. It remains on constant vigil, automatically dropping unsolicited traffic that hackers and worms aim at your ports. Everyday Internet use such as web browsing and e-mail isn't affected, because those are connections your computer starts; the stateful firewall recognizes the replies as traffic you asked for and lets them in, without opening any inbound port.

Programs that need to accept connections that other computers start (rather than connections your computer starts) need an exception to the default rule that blocks incoming traffic. Examples include some instant messaging programs, online games, and anything that shares files or otherwise acts as a server. The first time such a program starts listening, Windows Firewall displays a security alert.

The message doesn't mean the program is "bad." It means that to work, the program has to accept incoming connections, and Windows Firewall needs your permission to allow them. If you don't recognize the program name and publisher shown, click Cancel. If you want to use the program, decide on which kinds of networks the exception should apply. If you use the program only with other computers at home or at work, select Private Networks. If you also need it to accept connections when you're on a public network, such as at an airport or coffee shop, select Public Networks as well (you can select either or both). Then click Allow Access. Allowing access doesn't leave a port wide open; it creates a rule that allows incoming traffic only to that one program. When the program isn't running and listening, there's nothing for the traffic to reach, and other programs don't get to use the exception. If you change your mind later, you can disable or delete the rule, as described in the next section.

Manually configuring firewall exceptions (allowed apps and features)

Normally, when you try to use a program (also referred to in Windows 10 Firewall as an app) that needs to accept connections through the firewall, you get a security alert message. Occasionally, you may want to manually allow or block an app through the firewall. If you have administrative privileges, you can do that through the Allowed Apps page shown in Figure 7.4. To open that page, click Allow an App through Windows Firewall in System and Security (near the Windows Firewall item in the Control Panel).

Screenshot of the Allowed Apps page of the Windows Firewall window displaying a list of allowed apps and features with checked and unchecked boxes including checked and unchecked boxes under Private and Public.

Figure 7.4 Windows Firewall Allowed Apps and Features.

Items on the list with a check mark beside them represent apps that are allowed to accept incoming connections through the firewall. You also see any exceptions you created in response to a security alert.

You probably aren't familiar with most of the apps listed in the Allowed Apps and Features list, so you shouldn't guess which ones to select or deselect. Leave the selections as they are. If you later decide to use one of the listed features, you're prompted at that point to allow access for the app or program if necessary.

Adding an app exception

You can unblock ports for apps that aren't listed under Allowed Apps and Features. Do this only if specifically instructed to do so by an app manufacturer you know and trust.

If the app for which you want to create an exception isn't listed under Allowed Apps and Features, you can do the following:

  1. Click Change Settings and then click the Allow Another App button. When you do so, you see a list of installed apps that might require Internet access, as shown in Figure 7.5.
  2. Click the app that you want to add to the list. Optionally, if the program isn't listed, but you know where it's installed, you can use the Browse button to get to the main executable for that program (typically the .exe file).
  3. Click the Network Types button to choose which kinds of networks the exception applies to. The choice is about where your computer is, not where the traffic comes from: Windows classifies every network you connect to as private or public, and the exception is active only while you're on a network of a type you check here. When you click Network Types, you see the options shown in Figure 7.6. Your options are as follows:
    • Private: Networks you've told Windows are home or workplace networks. If the program is used only with other computers at home or at work, check only this option; the exception then stays off whenever you take the computer to a public network.
    • Public: Networks Windows treats as untrusted, such as airport and coffee shop hotspots (the default for any new network). Check this only if the program must accept incoming connections while you're on such networks.
  4. Click OK to save your settings.
Screenshot of Add an App dialog box presenting a pane for a list of available apps and the Network types, Add and Cancel buttons.

Figure 7.5 Add an App dialog box.

Screenshot of Choose Network Types dialog box presenting 2 network types: Private (for home or workplace networks) and Public (for public networks such as airport or coffee shop). Below are OK and Cancel buttons.

Figure 7.6 The Choose Network Types dialog box.

Disabling, changing, and deleting exceptions

The check boxes in the Allowed Apps and Features list indicate whether an exception is enabled or disabled. When you clear a check box, the exception is disabled and unsolicited incoming traffic for that program is dropped again. Because the program's name stays in the list, you can re-enable or disable the rule whenever you need to.

To change the scope of an exception, click the check box in the Private or Public column for that program. To remove a program from the list entirely and stop accepting unsolicited traffic for it, click the program name and then click the Remove button.
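The Allowed Apps page and the "Adding an app exception" steps above create a rule; the "Disabling, changing, and deleting exceptions" section edits it. The following PowerShell is an added example, not code from the book, that walks through the same lifecycle from an elevated prompt so that the exception can be reviewed and reproduced. The program path, port, and rule name are assumptions made up for the illustration; the rule is also scoped to the local subnet, which is tighter than what the dialog creates (the dialog's rule accepts from any remote address).

```powershell
# Added example (not from the book): create, inspect, disable, re-scope and
# remove a per-program inbound exception, mirroring the Allowed Apps page.

$ruleName = 'Example LAN Sync Tool (inbound)'                 # hypothetical
$program  = 'C:\Program Files\ExampleVendor\lansync.exe'      # hypothetical

function New-AppException {
    # Allow unsolicited inbound TCP to this one program only, only while a
    # Private network is active, and only from computers on the same subnet.
    New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Action Allow `
        -Program $program -Protocol TCP -LocalPort 5300 `
        -Profile Private -RemoteAddress LocalSubnet -Enabled True `
        -Description 'Added by administrator; see change record.' | Out-Null
}

function Get-AppException {
    # A rule's program, port and address conditions live in separate filter
    # objects; pull them together so the effective match is visible at a glance.
    $rule = Get-NetFirewallRule -DisplayName $ruleName
    [pscustomobject]@{
        Name      = $rule.DisplayName
        Enabled   = $rule.Enabled
        Profile   = $rule.Profile
        Program   = ($rule | Get-NetFirewallApplicationFilter).Program
        Protocol  = ($rule | Get-NetFirewallPortFilter).Protocol
        LocalPort = ($rule | Get-NetFirewallPortFilter).LocalPort
        RemoteIPs = ($rule | Get-NetFirewallAddressFilter).RemoteAddress
    }
}

New-AppException
Get-AppException | Format-List

# Same effect as clearing the check box: the rule stays but matches nothing.
Disable-NetFirewallRule -DisplayName $ruleName

# Same effect as ticking both the Private and Public columns.
Set-NetFirewallRule -DisplayName $ruleName -Profile Private,Public
Enable-NetFirewallRule -DisplayName $ruleName
Get-AppException | Format-List

# Same effect as the Remove button.
Remove-NetFirewallRule -DisplayName $ruleName
```

Scoping by -RemoteAddress LocalSubnet is the detail the GUI does not expose on the Allowed Apps page: for a program that only ever talks to other machines on your network, it means the exception is useless to anyone on the Internet even if the Public profile is ever checked by mistake.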

Advanced Firewall Configuration

The rest of this chapter goes well beyond anything that concerns the average home computer user. It's for advanced users and network and security administrators who need to configure Windows Firewall to comply with an organization's security policy. All these options require administrative privileges. We don't go into great detail about what the options mean because we assume you're working to comply with an existing policy.

Open Windows Firewall with Advanced Security

To get to the advanced configuration options for Windows Firewall, open Windows Firewall from the System and Security item in the Control Panel. Then click the Advanced Settings link in the left pane. The firewall console, shown in Figure 7.7, opens.

The Windows Firewall with Advanced Security console window presenting three configurable profiles: domain, private, and public (active). Other firewall settings are also displayed in Getting Started panel.

Figure 7.7 The Windows Firewall with Advanced Security console.

You have three independently configurable profiles to work with. Windows picks the profile for each network connection, so a laptop with both a wired and a wireless connection can have more than one profile active at once:

  • Domain Profile is active when the computer is joined to an Active Directory domain and can reach a domain controller over the current connection, as in a corporate network.
  • Private Profile is active on networks you've marked as private (home or work networks).
  • Public Profile is active on every other network. It's the default for any new network and the one that protects you on public Wi-Fi.

Changing firewall profile properties

Clicking the Windows Firewall Properties link near the bottom of the console opens the dialog box shown in Figure 7.8. Use the tabs at the top to configure the Domain, Private, and Public profiles separately. The fourth tab, IPsec Settings, applies to IPsec (IP Security), which authenticates and optionally encrypts traffic between computers and is described later in this chapter. By default, Inbound Connections are set to Block (unsolicited inbound traffic is dropped unless a rule allows it) and Outbound Connections are set to Allow (anything your computer starts goes out unless a rule blocks it). You can change either setting by clicking its button. Setting outbound connections to Block is a legitimate hardening step, but every program that needs the network then requires an explicit outbound allow rule.

Windows Firewall advanced properties dialog box, with Domain Profile tab selected displaying State settings with firewall state turned ON, inbound connections Blocked, and outbound connections Allowed.

Figure 7.8 Windows Firewall advanced properties.

Firewall alerts, unicast responses, local administrator control

Each profile tab has a Customize button in its Settings section. Clicking it lets you turn off firewall notifications for that profile (the security alerts described earlier) and allow or prevent unicast responses to multicast and broadcast traffic. It also lets you choose whether rules defined by local administrators are merged with rules delivered through Group Policy; with merging turned off, only the policy-defined rules apply on that profile.

Security logging

Each profile tab offers a Logging section with a Customize button. Click the Customize button to set a name and location for the log file, to set a maximum size, and to choose whether you want to log dropped packets, successful connections, or both. The default location is %SystemRoot%\System32\LogFiles\Firewall\pfirewall.log, and logging of dropped packets is off by default. Turning it on is the cheapest way to see what is probing your computer and to troubleshoot connection problems caused by the firewall configuration.
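Enabling the log is half the job; reading it is the other half. The following PowerShell is an added example, not code from the book. It sets dropped-packet logging for all three profiles (elevated prompt required) and then parses the log format Windows writes, summarizing unsolicited inbound drops by source address and destination port so that a port sweep from one host stands out. The log lines embedded in the script are constructed for the example and use documentation address ranges; on a real system you would read the file named in LogFileName instead.

```powershell
# Added example (not from the book): enable dropped-packet logging and
# summarize inbound drops from a pfirewall.log-format text.

function Enable-DroppedPacketLogging {
    Set-NetFirewallProfile -Profile Domain,Private,Public `
        -LogFileName '%SystemRoot%\System32\LogFiles\Firewall\pfirewall.log' `
        -LogMaxSizeKilobytes 16384 -LogBlocked True -LogAllowed False
}

function ConvertFrom-PfirewallLog {
    param([string[]]$Lines)
    # The '#Fields:' header Windows writes into the log defines the column order,
    # so read it from the file rather than hard-coding it.
    $fields = $null
    foreach ($line in $Lines) {
        if ($line -like '#Fields:*') {
            $fields = ($line -replace '^#Fields:\s*', '') -split ' '
            continue
        }
        if ($line.StartsWith('#') -or -not $line.Trim() -or -not $fields) { continue }
        $values = $line -split ' '
        $entry = [ordered]@{}
        for ($i = 0; $i -lt $fields.Count; $i++) { $entry[$fields[$i]] = $values[$i] }
        [pscustomobject]$entry
    }
}

function Get-InboundDropSummary {
    param([object[]]$Entries)
    # Unsolicited inbound only: action DROP on the RECEIVE path. SEND drops are
    # outbound rules firing, which is a different question.
    $Entries |
        Where-Object { $_.action -eq 'DROP' -and $_.path -eq 'RECEIVE' } |
        Group-Object 'src-ip', 'dst-port' |
        ForEach-Object {
            [pscustomobject]@{
                SrcIP   = $_.Group[0].'src-ip'
                DstPort = $_.Group[0].'dst-port'
                Count   = $_.Count
            }
        } | Sort-Object Count -Descending
}

# Constructed sample, not a real capture. 192.168.1.10 is the protected PC.
$sample = @'
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2019-03-01 10:15:02 DROP TCP 203.0.113.5 192.168.1.10 51234 445 52 S 123456789 0 8192 - - - RECEIVE
2019-03-01 10:15:02 DROP TCP 203.0.113.5 192.168.1.10 51235 445 52 S 123456790 0 8192 - - - RECEIVE
2019-03-01 10:15:03 DROP TCP 203.0.113.5 192.168.1.10 51236 3389 52 S 123456791 0 8192 - - - RECEIVE
2019-03-01 10:15:09 DROP UDP 198.51.100.7 192.168.1.10 40000 137 78 - - - - - - - RECEIVE
2019-03-01 10:15:11 DROP TCP 192.168.1.10 203.0.113.9 50012 25 52 S 123456792 0 8192 - - - SEND
'@ -split "`r?`n"

$entries = ConvertFrom-PfirewallLog -Lines $sample
Get-InboundDropSummary -Entries $entries | Format-Table -AutoSize

# To run against the live log instead of the sample (after Enable-DroppedPacketLogging):
#   $live = Get-Content (Get-NetFirewallProfile -Name Public).LogFileName
#   Get-InboundDropSummary -Entries (ConvertFrom-PfirewallLog -Lines $live)
```

On the sample, 203.0.113.5 shows up with two drops on port 445 and one on 3389, the classic pair of SMB and Remote Desktop probes, while the outbound SEND drop to port 25 is left out of the summary because it is the firewall blocking this computer, not someone else probing it.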

Customizing IPsec settings

The IPsec Settings tab in the firewall properties provides a way to configure IPsec (IP Security). Clicking the Customize button under IPsec Defaults reveals the options shown in Figure 7.9. In each section, Default means the settings are inherited from a higher-level group policy object (GPO), or are the Windows defaults if no GPO sets them. To override them for the current Windows Firewall instance, choose Advanced and pick the key exchange (main mode) and data protection (quick mode) algorithms and the authentication method, which can be Kerberos V5 for the computer, the user, or both, or a certificate. The dialog still offers legacy algorithms such as DES, 3DES, and MD5 for compatibility; prefer AES and SHA-2 unless your policy says otherwise.

Customize IPsec Defaults dialog box presenting the Default radio button selected for Key exchange (Main Mode), Data protection (Quick Mode), and Authentication Mode settings. OK and Cancel buttons.

Figure 7.9 The Customize IPsec Defaults dialog box.

Clicking OK or Cancel in the Customize IPsec Defaults dialog box takes you back to the IPsec Settings tab. There you can use the IPsec Exemptions section to exempt ICMP from IPsec, so that ping and traceroute keep working for troubleshooting without first having to negotiate an IPsec security association.

That covers the main firewall properties. You can configure plenty more outside the Properties dialog box, but most of it goes far beyond anything the average home user needs to be concerned with. Advanced users needing more information can find plenty of it in the firewall's Help section.

Inbound and outbound rules

In the left column of the main Windows Firewall with Advanced Security window shown back in Figure 7.7, you see Inbound Rules and Outbound Rules links. These provide very precise control over Windows Firewall rules for incoming and outgoing connections. Figure 7.10 shows a small part of the possibilities there. Scroll up or down to see more.

The Windows Firewall with Advanced Security console window presenting on the left column the Inbound and Outbound Rules links, with Outbound Rules selected displaying a pane of selected rules at the center.

Figure 7.10 Advanced outbound exceptions control.

The settings in this window go beyond the scope of this book but should be a simple matter for most professional administrators. Options (and the Help link) in the Actions column on the right provide additional information to assist you. You can also change any rule in the center column by right-clicking it and choosing Properties. Keep in mind that the list shows every rule Windows ships with, enabled or not, so the column that matters when you review exposure is whether a rule is enabled and on which profiles.
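The Inbound Rules list is long, and most of its entries are disabled. What an administrator reviewing exposure wants is the short list of rules that are actually in force and open something to the outside world. The following PowerShell is an added example, not code from the book. It queries the ActiveStore, which is what the firewall is enforcing after local rules and Group Policy are merged, keeps only enabled inbound Allow rules, and flags the ones that apply on the Public profile and accept from any remote address. It assumes Windows 8 or later and runs read-only, so no elevation is needed for the report.

```powershell
# Added example (not from the book): audit enabled inbound Allow rules and
# flag those reachable from anywhere on the Public profile.

function Get-InboundAllowRule {
    # ActiveStore = merged local + Group Policy rules, i.e. what is enforced now.
    $rules = Get-NetFirewallRule -PolicyStore ActiveStore `
        -Direction Inbound -Action Allow -Enabled True
    foreach ($r in $rules) {
        $port = $r | Get-NetFirewallPortFilter
        $addr = $r | Get-NetFirewallAddressFilter
        $app  = $r | Get-NetFirewallApplicationFilter
        [pscustomobject]@{
            Name          = $r.DisplayName
            Profile       = [string]$r.Profile          # e.g. 'Any', 'Private', 'Private, Public'
            Protocol      = $port.Protocol
            LocalPort     = ($port.LocalPort -join ',')
            RemoteAddress = ($addr.RemoteAddress -join ',')
            Program       = $app.Program
        }
    }
}

function Get-PublicExposure {
    param([object[]]$Rules)
    # A rule is exposed if it is active on Public (or Any) and does not
    # restrict the remote address; LocalSubnet-scoped rules are excluded.
    $Rules | Where-Object {
        ($_.Profile -match 'Public|Any') -and ($_.RemoteAddress -eq 'Any')
    }
}

$all = Get-InboundAllowRule
"{0} enabled inbound allow rules in force" -f $all.Count
Get-PublicExposure -Rules $all |
    Sort-Object Protocol, LocalPort, Name |
    Format-Table Name, Profile, Protocol, LocalPort, Program -AutoSize
```

Every line of that output is a door that is open when the computer sits on coffee shop Wi-Fi. For each one, either the program should genuinely accept connections from strangers, or the rule should be moved to the Private profile, scoped with a remote address, or disabled with Disable-NetFirewallRule.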

Wrapping Up

A firewall is an important component of a larger overall security strategy. Windows 10 comes with a built-in firewall that's turned on and working from the moment you start your computer. The firewall is automatically configured to prevent unsolicited Internet traffic from getting into your computer, thereby protecting you from worms and other hacking attempts. The Windows 10 firewall also provides advanced options for professional network and security administrators who need more control over its behavior. In summary:

  • A firewall protects your computer from unsolicited network traffic, which is how worms and many other remote attacks get in.
  • A firewall does not protect your computer from viruses, pop-up ads, or junk e-mail.
  • You don't need to configure the firewall to use standard Internet services such as the web and e-mail. Those work through the firewall automatically.
  • When you start a program that needs to accept incoming connections through the firewall, you're given a security alert with options to Allow Access or Cancel. Choose Allow Access, and the network types on which it should apply, to use that program.
  • Windows Firewall is one of the programs in the System and Security Control Panel section. To open System and Security, press Windows+X and choose Control Panel→System and Security.
  • To get to Windows Firewall configuration options, in Cortana type firewall and click Windows Firewall.
  • Exceptions in Windows Firewall are programs that are allowed to work through the firewall.
  • Professional network and security administrators can configure Windows Firewall through the Windows Firewall with Advanced Security console in Administrative Tools.