Chapter 11. Managing Windows Firewall

When Windows XP was introduced in 2001 it included a feature called Internet Connection Firewall (ICF). Unlike the TCP/IP Filtering that was included in prior Windows releases, ICF was a stateful, packet filtering firewall. It even blocked unsolicited SYN-ACK packets, but that was pretty much where its benefits stopped. To be fair, at the time, it was roughly at the stage where other host-based firewalls were, but it certainly was no leap forward.

Among the many shortcomings of ICF were:

  • Lack of central management

  • Single-profile — no separate settings for different networks

  • Not on at boot

In Windows XP Service Pack 2 (SP2) some of these shortcomings were addressed, and the Windows Firewall in Windows XP SP2 still is one of the lowest overhead, most reliable, and least intrusive firewall products available for Windows XP. In spite of this, it was still lacking a few features:

  • Limited integration with IPsec, including separate management interfaces

  • Strict source address mapping

  • ACLs on TCP and UDP ports

  • Outbound filtering

  • Extensibility

  • Support of more than two profiles

  • Scriptability

Get WINDOWS VISTA™ SECURITY: Securing Vista Against Malicious Attacks now with O’Reilly online learning.

O’Reilly members experience live online training, plus books, videos, and digital content from 200+ publishers.