For something as simple as a firewall for Windows servers, a good solution just doesn't exist.
"...my wait has mostly been in vain. Every time I think I have found the ultimate Windows firewall solution, I end up being disappointed one way or another."
Even though most of my servers are already behind firewalls, I like having additional protection on the server itself. Sometimes I use remotely co-located servers where I have no firewall, and that makes me completely dependent upon software on the server itself.
It seems like the solution would be simple enough. I have been patiently waiting for someone to come along with a capable, full-featured Windows firewall so I can stop explaining to everyone why the right way to go is probably Linux with iptables. But my wait has mostly been in vain. Every time I think I have found the ultimate Windows firewall solution, I end up being disappointed in one way or another. Let's consider our current offerings.
Sure, there's TCP/IP filtering. It's actually quite fast. But it is also so limited that it's only good for the most basic filtering of incoming traffic. If you use TCP/IP filter, you will definitely need additional layers of protection.
IPSec is better, once you sort out the difference between rules, rulesets, filters, and filtersets. You can use either the UI or the scripting interface, but they are both just as confusing. Once you finally get it up and running, you might notice the network is slower -- because IPSec with packet filtering alone can slow down the network by 10%-15%. Oh, and here's the thing I hate most about IPSec: it logs to the Windows EventLog. If you want to browse your firewall logs, you either have click on each event to view the properties or export them to another format. That's enough to make me avoid it altogether.
The Internet Connection Firewall (ICF) in Windows 2003 is somewhat better. It has decent performance and some flexibility with the rules. When Windows 2003 SP1 comes around, the new Windows Firewall will be even better. Windows Firewall is a big improvement and it has Group Policy support. Unfortunately, Windows Firewall doesn't let you set any rules on outgoing traffic. Furthermore, it requires turning on the Remote Access Connection Manager and Telephony services -- something I normally wouldn't need to do on, say, a mail or web server that I'm trying to secure.
What about RAS? You may have noticed that it has packet filtering capabilities, and in fact there is a good API for other tools to set these filters. But these filters do not let you control low-level traffic such as ICMP, so it's not very useful.
There are plenty of personal firewalls out there that work quite well for desktop computers, but they all fall short for server use. Some are obviously better than others, but all are plagued with common problems such as poor logging facilities, limited configuration capabilities, slow performance, and worst of all, many of them seem to be prone to blue screens when traffic gets very high.
The problem with personal firewalls is the way they integrate with Windows. There are actually numerous ways to intercept packets in Windows, each with their own disadvantages and weaknesses. All approaches are poorly documented. Many of them involve intercepting kernel-mode functions or writing device drivers. This works, sure, but you had better make sure the code is solid or you will experience frequent blue screens. Lo and behold, with heavy traffic we often do. Another problem is that these methods usually don't interact well with others -- don't try installing two personal firewalls aFor something as simple as a firewall for Windows servers, a good solution just doesn't exist.t once, for example, or chances are you will have strange problems. And of course, writing hooks into other drivers can sometimes cause problems when installing service packs or hotfixes. There are just more places for things to break.
Personal firewall don't work well for unattended servers, either. Many of them have pop-up windows asking the user to allow certain network packets. This obviously doesn't work on an unattended server. Some firewalls I have tried rely on a tray icon that you cannot even access via Terminal Services!
My last attempt to find the holy grail of a Windows server firewall was with installing ISA Server 2004. To my surprise, it worked quite well. Its footprint was a bit hefty and it was total overkill for something used for little more than a personal firewall, but it still worked well in that role. There's just one problem: the ISA Server software license costs more than the server itself. That makes it far too difficult to justify its use.
What do I do now? I find myself buying small hardware firewalls to sit on top of the server -- just because I'm a little too paranoid to leave it standing alone.
Not all hope is lost, at least. Microsoft is working on a new Windows Filtering Platform (WFP) for the upcoming Longhorn OS, due to be released perhaps in the next few years. WFP is basically a packet filtering engine built into the OS. Third party firewall companies will simply tap into this single interface and configure the rules. WFP provides access to packets at various layers of the new TCP/IP protocol stack and it has support for filtering traffic after it has been decrypted. It even has IPv6 suppport. WFP sounds great, but it still doesn't help me today. It's some ways off. And it also remains to be seen how effective and stable this feature turns out.
You would think the answer is simple, but it's not. It still amazes me that that an adequate, affordable firewall solution for Windows servers just doesn't exist.