IP Firewall Security (Windows CE 5.0)
The IP Firewall is implemented to defend against the most common attacks on a device, but some security risks remain. It is designed to sit between the device, or the private network behind it, and a public network such as the Internet. If the security of the IP Firewall is compromised, the device or the local network is exposed to attacks originating from the public network.
Windows CE .NET 4.2 and later supports the IP firewall for both IPv4 and IPv6. You can enable and configure this firewall by using APIs (programming elements) and registry settings. For more information about the IP firewall, see IP Firewall OS Design Development.
Windows CE .NET 4.2 and later also supports a legacy packet filter built into the NAT driver that can be used as a simple firewall for devices that include NAT but do not include IP firewall. The packet filter is disabled by default if the IP firewall is included.
To further help protect your device from security attacks, you should follow the security recommendations provided in the subsequent sections.
Best Practices
Enable a firewall on your network device
Security Note The IP Firewall handles fragments in a manner that helps to prevent attacks on the private host stack. The first of these defenses stops applying to a host as soon as a rule allows traffic to it, so do not add such a rule for a host whose own stack cannot withstand fragment-based attacks. The following list shows these defense mechanisms:
- If no rule allows traffic to the packet's destination, the firewall blocks all fragments addressed to that destination.
- If a fragment contains a transport layer header, the firewall drops the fragment.
Consider the security implications before disabling ICMP messages
When a host on the private side of the firewall tries to contact a host on the public side, the IP Firewall allows certain ICMP message types inbound. This lets ICMP error messages reach the private host when delivery fails, for example because a packet was dropped or the destination is unreachable. The IP Firewall installs a rule by default to provide this error-message feedback.
You can block these ICMP messages, but consider the consequences before doing so: debugging becomes harder because the private host can no longer learn that a packet delivery error occurred, tools such as Ping and Tracert may stop working, and some remote hosts may become unreachable (for example, when Path MTU Discovery depends on the Fragmentation Needed error being delivered). For the ICMP types that are allowed inbound by default, see IP Firewall OS Design Development.
If you want to disable ICMP, you can create a blocking rule that drops inbound ICMP packets of a specific type, or that drops all inbound ICMP packets.
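The fragment defenses from the Security Note above and the ICMP block rule described here, as an added example that is not part of this page and is not Windows CE IP Firewall code (it uses none of the firewall's APIs or registry settings). It models an inbound IPv4 filter in C: per-host, per-protocol allow rules with a default-deny policy, the two fragment checks, and an ICMP block rule that can target one type or every type. Everything in it is an assumption for illustration: the rule structures, the `ICMP_ANY_TYPE` wildcard, the reading of the second fragment bullet as "a non-first fragment whose offset lands inside the transport header", the hosts 10.0.0.2 and 10.0.0.3, and the constructed packets. The stateful part of the real behaviour (passing ICMP errors only for traffic a private host initiated) is not modelled.

```c
/* Added example (not Windows CE IP Firewall code): a model of the fragment
 * defenses and the ICMP block rule this page describes. The rule structures,
 * the default-deny policy, the hosts and the sample packets are all constructed. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define VERDICT_DROP 0
#define VERDICT_PASS 1
#define PROTO_ICMP 1
#define PROTO_TCP  6
#define ICMP_ANY_TYPE 0xFF   /* hypothetical wildcard: block every ICMP type */

struct allow_rule { uint32_t dst; uint8_t proto; };    /* inbound proto to this private host is allowed */
struct icmp_block_rule { int enabled; uint8_t type; }; /* drop inbound ICMP of this type (or of all types) */
struct policy { const struct allow_rule *allow; size_t nallow; struct icmp_block_rule icmp_block; };

static int dest_allowed(const struct policy *pol, uint32_t dst, uint8_t proto)
{
    for (size_t i = 0; i < pol->nallow; i++)
        if (pol->allow[i].dst == dst && pol->allow[i].proto == proto) return 1;
    return 0;
}

/* Inbound IPv4 filter: returns VERDICT_PASS or VERDICT_DROP. */
int filter_inbound_ipv4(const struct policy *pol, const uint8_t *pkt, size_t len)
{
    if (len < 20 || (pkt[0] >> 4) != 4) return VERDICT_DROP;
    size_t ihl = (size_t)(pkt[0] & 0x0F) * 4;
    if (ihl < 20 || len < ihl) return VERDICT_DROP;
    uint8_t  proto = pkt[9];
    uint32_t dst   = ((uint32_t)pkt[16] << 24) | ((uint32_t)pkt[17] << 16) | ((uint32_t)pkt[18] << 8) | pkt[19];
    uint16_t ff    = (uint16_t)((pkt[6] << 8) | pkt[7]);   /* flags + fragment offset */
    int      mf    = (ff & 0x2000) != 0;                    /* More Fragments flag set */
    size_t   off   = (size_t)(ff & 0x1FFF) * 8;             /* fragment offset in bytes */

    /* Defense 1: fragments to a destination that no rule allows are blocked. */
    if ((mf || off != 0) && !dest_allowed(pol, dst, proto)) return VERDICT_DROP;
    /* Defense 2 (our reading of the page's second bullet): a later fragment whose
     * offset lands inside the transport header (assumed 20 bytes for TCP, 8 for
     * UDP/ICMP) would carry transport-header bytes and is dropped. */
    if (off != 0 && off < (proto == PROTO_TCP ? 20u : 8u)) return VERDICT_DROP;
    /* Remaining later fragments carry no header to match; the destination is already allowed. */
    if (off != 0) return VERDICT_PASS;

    if (proto == PROTO_ICMP) {
        if (len < ihl + 8) return VERDICT_DROP;             /* truncated ICMP header */
        uint8_t type = pkt[ihl];                             /* ICMP type byte */
        if (pol->icmp_block.enabled &&
            (pol->icmp_block.type == ICMP_ANY_TYPE || pol->icmp_block.type == type))
            return VERDICT_DROP;
    }
    /* Default deny: unfragmented traffic still needs an allow rule. */
    return dest_allowed(pol, dst, proto) ? VERDICT_PASS : VERDICT_DROP;
}

/* Build a minimal IPv4 packet (no options, checksum left zero): constructed test data. */
static size_t build_ipv4(uint8_t *buf, uint8_t proto, uint32_t dst, int mf,
                         uint16_t off_units, const uint8_t *payload, size_t plen)
{
    uint16_t total = (uint16_t)(20 + plen);
    uint16_t ff = (uint16_t)((mf ? 0x2000 : 0) | (off_units & 0x1FFF));
    memset(buf, 0, 20);
    buf[0] = 0x45; buf[8] = 64; buf[9] = proto;
    buf[2] = (uint8_t)(total >> 8); buf[3] = (uint8_t)total;
    buf[6] = (uint8_t)(ff >> 8);    buf[7] = (uint8_t)ff;
    buf[16] = (uint8_t)(dst >> 24); buf[17] = (uint8_t)(dst >> 16);
    buf[18] = (uint8_t)(dst >> 8);  buf[19] = (uint8_t)dst;
    memcpy(buf + 20, payload, plen);
    return 20 + plen;
}

/* Build one packet and run it through the filter. */
int verdict_for(const struct policy *pol, uint8_t proto, uint32_t dst, int mf,
                uint16_t off_units, const uint8_t *payload, size_t plen)
{
    uint8_t pkt[128];
    return filter_inbound_ipv4(pol, pkt, build_ipv4(pkt, proto, dst, mf, off_units, payload, plen));
}

/* Constructed topology: 10.0.0.2 has allow rules for TCP and ICMP, 10.0.0.3 has none. */
#define HOST_A 0x0A000002u
#define HOST_B 0x0A000003u
static const struct allow_rule rules[] = { { HOST_A, PROTO_TCP }, { HOST_A, PROTO_ICMP } };
const struct policy pol_default    = { rules, 2, { 0, 0 } };             /* ICMP error feedback left on */
const struct policy pol_block_echo = { rules, 2, { 1, 8 } };             /* drop inbound Echo Request only */
const struct policy pol_block_icmp = { rules, 2, { 1, ICMP_ANY_TYPE } }; /* drop all inbound ICMP */

/* Constructed payloads: TCP SYN header, ICMP Destination Unreachable, ICMP Echo Request, fragment data. */
const uint8_t tcp_syn[20]     = { 0x04,0xD2, 0x00,0x50, 0,0,0,1, 0,0,0,0, 0x50,0x02, 0xFF,0xFF, 0,0, 0,0 };
const uint8_t icmp_unreach[8] = { 3, 1, 0,0, 0,0,0,0 };
const uint8_t icmp_echo[8]    = { 8, 0, 0,0, 0,0,0,0 };
const uint8_t frag_data[8]    = { 0xAA,0xAA,0xAA,0xAA,0xAA,0xAA,0xAA,0xAA };

int main(void)
{
    printf("first fragment to host without rule: %d\n", verdict_for(&pol_default, PROTO_TCP, HOST_B, 1, 0, tcp_syn, 20));
    printf("fragment overlaying the TCP header : %d\n", verdict_for(&pol_default, PROTO_TCP, HOST_A, 0, 1, frag_data, 8));
    printf("ICMP unreachable with echo blocked : %d\n", verdict_for(&pol_block_echo, PROTO_ICMP, HOST_A, 0, 0, icmp_unreach, 8));
    return 0;
}
```

The order of checks is the point: the fragment defenses run before any rule matching, a type-specific block rule (Echo Request, type 8) still lets Destination Unreachable through, and the `ICMP_ANY_TYPE` rule silences the error feedback the page warns about losing.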
Default Registry Settings
You should be aware of the registry settings that impact security. If a value has security implications you will find a Security Note in the registry settings documentation.
For the IP Firewall registry settings, see IP Firewall Registry Settings.
Ports
No specific ports are used for the IP Firewall.
See Also
IP Firewall OS Design Development | Default IP Firewall Rules | Enhancing the Security of a Device