Windows Firewall Technologies

Purpose

Windows Firewall with Advanced Security and the related firewall technologies documented here enable developers to share Internet connections, protect connections using a firewall, and provide Network Address Translation (NAT).

Microsoft has released several versions of the firewall product, each building on the previous technology. The current release, Windows Firewall with Advanced Security, allows the creation of extremely specific firewall rules.

The specific technologies are as follows (listed here from newest to oldest):

• Windows Firewall with Advanced Security is the most recent version. It was first released with WindowsВ Vista.
• Windows Firewall was first released as a component of WindowsВ XP with Service PackВ 2 (SP2).
• IPv6 Internet Connection Firewall was released as a component of the Advanced Networking Pack for WindowsВ XP. It is unavailable in subsequent versions of Windows.
• Internet Connection Sharing and Internet Connection Firewall was first released in WindowsВ XP and is supported in WindowsВ Vista. It may be altered or unavailable in subsequent versions of Windows.

Developer audience

Developers must be knowledgeable in networking, TCP port management, and C/C++ programming.

Run-time requirements

The technologies described in this section have varied run-time requirements. Consult the documentation for the technology being used for its run-time requirements.

Защитник Windows брандмауэра с расширенными мерами безопасности Windows Defender Firewall with Advanced Security

Область применения Applies to

• Windows 10 Windows 10
• Windows Server2016 Windows Server 2016
• Windows Server 2019 Windows Server 2019

Это обзор функций брандмауэра Защитник Windows advanced Security (WFAS) и IPsec. This is an overview of the Windows Defender Firewall with Advanced Security (WFAS) and Internet Protocol security (IPsec) features.

Обзор Защитник Windows брандмауэра с расширенными мерами безопасности Overview of Windows Defender Firewall with Advanced Security

Защитник Windows брандмауэра в Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008 и Windows Server 2008 R2 — это брандмауэр хоста с состоянием, который помогает защитить устройство, позволяя создавать правила, определяющие, какой сетевой трафик разрешено вводить на устройство из сети и какой сетевой трафик устройство может отправлять в сеть. Windows Defender Firewall in Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2 is a stateful host firewall that helps secure the device by allowing you to create rules that determine which network traffic is permitted to enter the device from the network and which network traffic the device is allowed to send to the network. Защитник Windows брандмауэр также поддерживает протокол IPsec, который можно использовать для обязательной проверки подлинности с любого устройства, которое пытается связаться с устройством. Windows Defender Firewall also supports Internet Protocol security (IPsec), which you can use to require authentication from any device that is attempting to communicate with your device. Если требуется проверка подлинности, устройства, которые не могут быть аутентификацией как доверенные устройства, не могут взаимодействовать с вашим устройством. When authentication is required, devices that cannot be authenticated as a trusted device cannot communicate with your device. С помощью IPsec можно также требовать шифрования определенного сетевого трафика, чтобы предотвратить его чтение анализаторами сетевых пакетов, которые могут быть подключены к сети злоумышленником. You can also use IPsec to require that certain network traffic is encrypted to prevent it from being read by network packet analyzers that could be attached to the network by a malicious user.

Брандмауэр Защитник Windows с оснасткой MMC «Advanced Security» является более гибким и предоставляет гораздо больше функциональных возможностей, чем пользовательский интерфейс Защитник Windows брандмауэра на панели управления. The Windows Defender Firewall with Advanced Security MMC snap-in is more flexible and provides much more functionality than the consumer-friendly Windows Defender Firewall interface found in the Control Panel. Оба интерфейса взаимодействуют с одними и теми же службами, но обеспечивают разные уровни контроля над этими службами. Both interfaces interact with the same underlying services, but provide different levels of control over those services. Хотя программа Защитник Windows панели управления брандмауэром может защитить одно устройство в домашней среде, она не предоставляет достаточно возможностей централизованного управления или безопасности для защиты более сложного сетевого трафика в типичной корпоративной среде. While the Windows Defender Firewall Control Panel program can protect a single device in a home environment, it does not provide enough centralized management or security features to help secure more complex network traffic found in a typical business enterprise environment.

Описание компонента Feature description

Защитник Windows брандмауэра с расширенными уровнями безопасности является важной частью многоуровневой модели безопасности. Windows Defender Firewall with Advanced Security is an important part of a layered security model. Обеспечивая двунаправную фильтрацию сетевого трафика на основе хост-трафика для устройства, Защитник Windows брандмауэр блокирует несанкционированный сетевой трафик, который проходит в локальное устройство или из него. By providing host-based, two-way network traffic filtering for a device, Windows Defender Firewall blocks unauthorized network traffic flowing into or out of the local device. Защитник Windows брандмауэр также работает с информированием о сети, чтобы применить параметры безопасности, соответствующие типам сетей, к которым подключено устройство. Windows Defender Firewall also works with Network Awareness so that it can apply security settings appropriate to the types of networks to which the device is connected. Защитник Windows брандмауэра и IPsec интегрированы в единую консоль управления (MMC) с именем Защитник Windows Firewall, поэтому брандмауэр Защитник Windows также является важной частью стратегии изоляции сети. Windows Defender Firewall and Internet Protocol Security (IPsec) configuration settings are integrated into a single Microsoft Management Console (MMC) named Windows Defender Firewall, so Windows Defender Firewall is also an important part of your network’s isolation strategy.

Практическое применение Practical applications

Чтобы решить проблемы безопасности сети организации, Защитник Windows брандмауэр предоставляет следующие преимущества: To help address your organizational network security challenges, Windows Defender Firewall offers the following benefits:

Снижает риск угроз сетевой безопасности. Reduces the risk of network security threats. Защитник Windows брандмауэра уменьшает поверхность атаки устройства, обеспечивая дополнительный уровень для модели глубокой защиты. Windows Defender Firewall reduces the attack surface of a device, providing an additional layer to the defense-in-depth model. Уменьшение числа атак на устройстве повышает управляемость и снижает вероятность успешной атаки. Reducing the attack surface of a device increases manageability and decreases the likelihood of a successful attack.

Защищает конфиденциальные данные и интеллектуальную собственность. Safeguards sensitive data and intellectual property. Благодаря интеграции с IPsec Защитник Windows брандмауэра предоставляет простой способ применения межсетевых коммуникаций с проверкой подлинности. With its integration with IPsec, Windows Defender Firewall provides a simple way to enforce authenticated, end-to-end network communications. Это обеспечивает масштабируемый многоуровневый доступ к надежным сетевым ресурсам, помогая обеспечивать целостность данных и при желании помогая защищать конфиденциальность данных. It provides scalable, tiered access to trusted network resources, helping to enforce integrity of the data, and optionally helping to protect the confidentiality of the data.

Расширяет ценность существующих инвестиций. Extends the value of existing investments. Поскольку Защитник Windows брандмауэр — это брандмауэр на основе хост-компьютера, включаемой в операционную систему, не требуется дополнительное оборудование или программное обеспечение. Because Windows Defender Firewall is a host-based firewall that is included with the operating system, there is no additional hardware or software required. Защитник Windows брандмауэр также разработан для дополнения существующих решений по обеспечению безопасности сети от корпорации Майкрософт с помощью задокументированных программных интерфейсов (API). Windows Defender Firewall is also designed to complement existing non-Microsoft network security solutions through a documented application programming interface (API).

Firewall & network protection in Windows Security

Firewall & network protection in Windows Security lets you view the status of Microsoft Defender Firewall and see what networks your device is connected to. You can turn Microsoft Defender Firewall on or off and access advanced Microsoft Defender Firewall options for the following network types:

Domain (workplace) networks

Private (discoverable) networks

Public (non-discoverable) networks

If you want to change a setting select the network type you want to change it on.

You can specify that a particular network your device connects to is «private» or «public». The key difference is whether other devices on the same network are allowed to see, and maybe connect to, your device.

Your home network might be an example of a private network — in theory the only devices on that network are your devices, and devices owned by your family. So you might be fine with those other devices being able to see yours. We call that «discoverable» because all the devices on that network are allowed to «discover» each other.

The Wi-Fi at your local coffee shop, however, is a public network. Most of the other devices connected to it belong to strangers and you’d probably prefer they not be able to see, connect to, or «discover» your device.

Network settings

When you select one of the three network types you’ll get the settings page for it. Here Windows Security will tell you which, if any, networks of that type you’re currently connected to. Usually your computer will only be connected to one network at a time.

You’ll also find a simple slider for turning the firewall on, or off, for that type of network.

Important: Turning the firewall off may increase the risk to your device or data. We recommend leaving it on unless you absolutely need to turn it off.

Under the Incoming connections section you’ll find a single checkbox for Blocks all incoming connections, including those in the list of allowed apps. Checking this box tells the Microsoft Defender Firewall to ignore the allowed apps list and block everything. Turning this on increases your security, but may cause some apps to stop working.

Also on the Firewall & network protection page:

Allow an app through firewall — If the firewall is blocking an app you really need, you can add an exception for that app, or open a specific port. Learn more about that process (and why you might not want to) at Risks of allowing apps through Microsoft Defender Firewall.

Network and Internet troubleshooter — If you’re having general network connectivity issues you can use this troubleshooter to try and automatically diagnose and fix them.

Firewall notification settings — Want more notifications when your firewall blocks something? Fewer? Here’s where you can configure that.

Advanced settings — If you’re knowledgeable about firewall settings this will open the classic Windows Defender Firewall tool which lets you create inbound or outbound rules, connection security rules, and see monitoring logs for the firewall. Most users won’t want to dig into it that deeply; adding, changing, or deleting rules incorrectly can cause your system to be more vulnerable or can cause some apps not to work.

Restore firewalls to default — If someone, or something, has made changes to your Windows Firewall settings that is causing things not to work properly you’re just two clicks away from resetting the settings back to the way they were when you first got the computer. If your organization has applied any policies to configure the firewall those will be reapplied.

What Are Windows Firewall and IPsec?

One key component in securing your IT infrastructure is protecting against network-related security threats. Windows Server offers several network security features to help:

• Windows Firewall with Advanced Security
• IPsec
• Message Analyzer Free Tool

Windows Firewall with Advanced Security

Windows Firewall with Advanced Security blocks unauthorized network traffic flowing into or out of a local device by providing host-based, two-way network traffic filtering. You can either manually configure Windows Firewall with Advanced Security on each server or use Group Policy to centrally configure the firewall rules.

While the old Windows Firewall allowed you to configure only a single set of inbound and outbound rules (a profile), Windows Firewall with Advanced Security includes three profiles (Domain, Private and Public), so you can apply the appropriate rules to each server based on its connection to the network. These profiles are tightly connected to three network profiles in the Network and Sharing Center:

• Domain networks. Networks at a workplace that are attached to a domain.
• Private networks. Networks at home or at work where you trust the people and devices on the network. When private networks are selected, network discovery is turned on but file and printer sharing is turned off.
• Guest or public networks. Networks in public places. This location keeps the computer from being visible to other computers. When a public network is the selected network location, network discovery and file and printer sharing are turned off.

You can also configure the following options for each of the three network profiles:

• Firewall State. You can turn the firewall on or off independently for each profile.
• Inbound Connections. You can block connections that do not match any active firewall rules (this is the default), block all connections regardless of inbound rule specifications, or allow inbound connections that do not match an active firewall rule.
• Outbound Connections. You can allow connections that do not match any active firewall rules (this is the default) or block outbound connections that do not match an active firewall rule.
• Protected Network Connections. You can select the connections — for example, the Local Area Connection — that you want Windows Firewall to help protect.
• You can configure display notifications and unicast responses, and merge rules that are distributed through Group Policy.
• You can configure and enable logging.
• IPsec Settings. You can configure the default values for IPsec configuration.

IPsec

Connecting to the internet exposes a company to many types of security threats, from malware to drive-by downloads to social engineering attacks. IPsec is a set of industry-standard, cryptography-based protection services and protocols that can help to protect data in transit through a network by providing authentication, integrity checking and encryption. IPsec protects all protocols in the TCP/IP protocol suite except Address Resolution Protocol (ARP).

The design of IPsec helps it provide much better security than protection methods such as Transport Layer Security (TLS) and Secure Shell (SSH), which provide only partial protection. Network administrators who use IPsec do not have to configure security for individual programs because all network traffic between the specified hosts is protected when they use IPsec.

• Offers mutual authentication before and during communications.
• Forces both parties to identify themselves during the communication process.
• Enables confidentiality through IP traffic encryption and digital packet authentication.

Message Analyzer

You can use Message Analyzer to capture, display and analyze protocol messaging traffic, events and other system or application messages in network troubleshooting and other diagnostic scenarios. Message Analyzer enables you to save and reload captures, aggregate saved captures, and analyze data from current and saved trace files. When Message Analyzer performs network captures, it limits irrelevant data, and exposes issues and hidden information that is critical for quick analysis. It accomplishes this by enabling you to remove lower-level details so you can perform analysis on higher-layer data of interest.

You can use Message Analyzer in a variety of scenarios:

• Capturing network traffic for security review
• Troubleshooting application issues
• Troubleshooting network and firewall configuration issues

Using these Windows Server features can greatly enhance your security during network communications, and help you block man-in-the-middle (MITM), replay, hijacking, distributed denial-of-service (DDoS) and other attacks.