Setup rules on router to block all access into it except ping
Lesson 1: Configuring Windows FirewallWindows Firewall filters incoming traffic to help block unwanted network traffic. Optionally, Windows Firewall can also filter outgoing traffic to help limit the risk of malware. Although Windows Firewall’s default settings will work well with components built into Windows, they might prevent other applications from functioning correctly. Windows Firewall’s default settings can also be significantly improved to provide even stronger protection by requiring authorization or limiting the scope of allowed connections. Show
Why Firewalls Are ImportantIn networking, firewalls analyze communications and drop packets that haven’t been specifically allowed. This is an important task, because connecting to the Internet means any of the millions of other Internet-connected computers can attack you. A successful compromise can crash a service or computer, compromise confidential data, or even allow the attacker to take complete control of the remote computer. In the case of worms, automated software attacks computers across the Internet, gains elevated privileges, copies itself to the compromised computer, and then begins attacking other computers (typically at random). The purpose of a firewall is to drop unwanted traffic, such as traffic from worms, while allowing legitimate traffic, such as authorized file sharing. The more precisely you use firewall rules to identify legitimate traffic, the less you risk exposure to unwanted traffic from worms. Firewall ProfilesWhen you create firewall rules to allow or block traffic, you can separately apply them to the Domain, Private, and Public profiles. These profiles enable mobile computers to allow incoming connections while connected to a domain network (for example, to allow incoming Remote Desktop connections) but block connection attempts on less secure networks (such as public wireless hotspots). The firewall profiles are:
Most servers are always connected to a domain environment. To ensure consistent operation even when a domain controller is not available, configure the same firewall rules for all three profiles when configuring a server. Filtering Inbound TrafficBy default, Windows Firewall (as well as most other firewalls) blocks any inbound traffic that hasn’t been specifically allowed. By default, the Public profile allows absolutely no incoming connections—this provides excellent security when connecting to public hotspots or other untrusted networks. The Domain and Private profiles allow some incoming connections, such as connections for file and printer sharing. If you install or enable a Windows feature that requires incoming connections, Windows will automatically enable the required firewall rules. Therefore, you do not need to manually adjust the firewall rules. Figure 8-1 shows the default inbound firewall rules for a Windows Server 2008 R2 computer configured as a domain controller. As you can see, rules exist to allow each of the protocols required for a domain controller. Figure 8-1 Default inbound firewall rules If you install an application that does not automatically enable the required firewall rules, you will need to create the rules manually. You can create firewall rules by using the stand-alone Windows Firewall With Advanced Security console, or you can apply the rules with Group Policy by using the same interface at Computer Configuration\Policies\Windows Settings\Security Settings\Windows Firewall With Advanced Security\Windows Firewall With Advanced Security. To create an inbound filter, follow these steps:
The inbound rule takes effect immediately, allowing incoming connections that match the criteria you specified. Filtering Outbound TrafficBy default, Windows Firewall allows all outbound traffic. Allowing outbound traffic is much less risky than allowing inbound traffic. However, outbound traffic still carries some risk:
By default, all versions of Windows (including Windows Server 2008 R2) do not filter outbound traffic. However, Windows Server 2008 R2 does include outbound filters for core networking services, enabling you to quickly enable outbound filtering while retaining basic network functionality. By default, outbound rules are enabled for:
Blocking outbound communications by default will prevent many built-in Windows features, and all third-party applications you might install, from communicating on the network. For example, Windows Update will no longer be able to retrieve updates, Windows will no longer be able to activate across the Internet, and the computer will be unable to send Simple Network Management Protocol (SNMP) alerts to a management host. If you do enable outbound filtering, you must be prepared to test every application to verify that it runs correctly. Most applications are not designed to support outbound filtering and will require you to both identify the firewall rules that need to be created and then create those rules. To create an outbound filter, follow these steps:
The outbound rule takes effect immediately, allowing outgoing packets that match the criteria you specified. To block outbound connections by default, first create and enable any outbound firewall rules so that applications do not immediately stop functioning. Then, follow these steps:
You will need to perform extensive testing to verify that all required applications function correctly when outbound connections are blocked by default. This testing should include background processes, such as Automatic Updates. Configuring ScopeOne of the most powerful ways to increase computer security is to configure firewall scope. Using scope, you can allow connections from your internal network and block connections from external networks. Scope can be used in the following ways:
To configure the scope of a rule, follow these steps:
Authorizing ConnectionsIf you are using IPsec connection security in an Active Directory environment, you can also require the remote computer or user to be authorized before a connection can be established. For example, imagine that your organization had a custom accounting application that used TCP port 1073, but the application had no access control mechanism—any user who connected to the network service could access confidential accounting data. Using Windows Firewall connection authorization, you could limit inbound connections to users who are members of the Accounting group—adding access control to the application without writing any additional code. Most network applications do have access control built in, however. For example, you can configure Internet Information Server (a web server installed as part of the Application Server role) to authenticate users and allow only authorized users to connect to a web application. Similarly, if you share a folder on the network, you can use file permissions and share permissions to restrict who can access the folder. Application-layer authorization should always be your first layer of security; however, connection authorization using Windows Firewall can provide an additional layer of security. Using multiple layers of security—a technique known as defense-in-depth—reduces risk by providing protection even when one layer has a vulnerability. To configure connection authorization for a firewall rule, follow these steps:
Any future connections that match the firewall rule will require IPsec for the connection to be established. Additionally, if the authenticated computer or user is not on the list of authorized computers and users that you specified, the connection will be immediately dropped. Configuring Firewall Settings with Group PolicyYou can configure Windows Firewall locally, by using Server Manager or the Windows Firewall With Advanced Security console in the Administrative Tools folder; or globally, by using the Computer Configuration\Policies\Windows Settings\Security Settings\Windows Firewall With Advanced Security\Windows Firewall With Advanced Security node of a Group Policy Object (GPO). Typically, you edit server-specific policies (such as configuring the range of IP addresses a DNS server accepts queries from) by using local tools, and you configure policies that apply to groups of computers (including IPsec connection security policies) by using GPOs. You can use Group Policy to manage Windows Firewall settings for computers running Windows Vista, Windows 7, Windows Server 2008, and Windows Server 2008 R2 by using two nodes:
For best results, create one GPO for Windows 7, Windows Vista, Windows Server 2008 R2, and Windows Server 2008, and create a second GPO for Windows Server 2003 and Windows XP. Then, use WMI filters to target the GPOs to computers running only the appropriate version of Windows. Enabling Logging for Windows FirewallIf you are ever unsure about whether Windows Firewall is blocking or allowing traffic, you should enable logging, re-create the problem you’re having, and then examine the log files. To enable logging, follow these steps:
By default, Windows Firewall writes log entries to %SystemRoot%\System32\LogFiles\Firewall\Pfirewall.log and stores only the last 4 MB of data. In most production environments, this log will be almost constantly written to, which can cause a performance impact. For that reason, you should enable logging only when actively troubleshooting a problem and then immediately disable logging when you’re finished. Identifying Network CommunicationsThe documentation included with network applications often does not clearly identify the communication protocols the application uses. Fortunately, creating Program firewall rules allows any communications required by that particular program. If you prefer to use Port firewall rules, or if you need to configure a network firewall that can identify communications based only on port number and the application’s documentation does not list the firewall requirements, you can examine the application’s behavior to determine the port numbers in use. The simplest tool to use is Netstat. On the server, run the application, and then run the following command to examine which ports are listening for active connections: netstat -a -bAny rows in the output with a State of LISTENING are attempting to receive incoming connections on the port number specified in the Local Address column. The executable name listed after the row is the executable that is listening for the connection. For example, the following output demonstrates that RpcSs, running under the SvcHost.exe process (which runs many services), is listening for connections on TCP port 135. Active Connections Proto Local Address Foreign Address State TCP 0.0.0.0:135 Dcsrv1:0 LISTENING RpcSs [svchost.exe]Similarly, the following output demonstrates that the DNS service (Dns.exe) is listening for connections on TCP port 53: Active Connections Proto Local Address Foreign Address State TCP 0.0.0.0:53 Dcsrv1:0 LISTENING [dns.exe]Although Windows Firewall has existing rules in place for these services (because they are built into Windows), the same technique would allow you to identify the port numbers used by any third-party application. Practice: Configuring Windows FirewallIn this practice, you configure both inbound and outbound filtering. These are common tasks that occur when you install new applications in almost any network environment, from small businesses to large enterprises. EXERCISE 1 Configuring Inbound Filtering In this exercise, you will install the Telnet Server feature, which configures Windows Server 2008 R2 to accept incoming connections on TCP port 23. Then, you will examine the incoming firewall rule that applies to the Telnet Server and adjust the rule configuration.
EXERCISE 2 Configuring Outbound Filtering In this exercise, you configure Windows Server 2008 R2 to block outbound requests by default. Then, you test it by attempting to visit a website with Internet Explorer. Next, you create an outbound rule to allow requests from Internet Explorer and verify that the outbound rule works correctly. Finally, you return your computer to its original state.
Lesson Summary
Lesson ReviewYou can use the following questions to test your knowledge of the information in Lesson 1, “Configuring Windows Firewall.” The questions are also available on the companion CD if you prefer to review them in electronic form.
How can I block all IP addresses except one?To do that, click on Windows Firewall with Advanced Security in the left pane, and choose Windows Firewall Properties from the right pane. Next to Outbound connections, choose Block. Then, click OK. Once you've done that, just delete the block all outgoing traffic rule and you should be all set.
How do I set a firewall rule on my router?Enable and Configure Your Router's Built-In Firewall. Access your router's configuration page.. Locate an entry labeled Firewall, SPI Firewall, or something similar.. Select Enable.. Select Save and then Apply.. After you select Apply, your router will likely state that it is going to reboot to apply the settings.. How do I block all traffic from my IP?The first method is to use Filter Rules. This is located at Config > Network > Filter Rules. Select Source Address as a condition to block traffic originating from the IP address that you want to block. To block traffic destined to the IP address, use the Destination Address condition.
What are firewall access rules?Firewall Access Rules control the flow of inbound and outbound Internet traffic from the local network to the public Internet. Both routers and firewalls use access rules to control traffic and verify the source and destination addresses are permitted to send and receive traffic on the local network.
|