IP Firewall Security (Windows Embedded CE 6.0)

1/6/2010

The IP Firewall is implemented to block the most common network attacks, but some security risk remains. It is designed to sit between the device and a public network, such as the Internet. If the firewall is misconfigured or its security is compromised, the device or the private network behind it is exposed to attacks originating from the public network.

Windows CE .NET 4.2 and later supports the IP firewall for both IPv4 and IPv6. You can enable and configure this firewall by using APIs (programming elements) and registry settings. For more information about the IP firewall, see IP Firewall OS Design Development.

Windows CE .NET 4.2 and later also supports a legacy packet filter built into the NAT driver. It can serve as a simple firewall on devices that include NAT but do not include the IP firewall. If the IP firewall is included in the OS design, the packet filter is disabled by default.

To further help protect your device from security attacks, you should follow the security recommendations provided in the subsequent sections.

Best Practices

Enable a firewall on your network device

Security Note:
The IP Firewall handles IP fragments in a manner that helps to prevent fragment-based attacks on the stack of a host on the private side. Because an allow rule lets fragments through to that host, do not add a rule that allows traffic to a host whose stack does not implement equivalent defenses of its own. The firewall's fragment defenses are the following:
  • If no rule allows traffic to the packet destination, the firewall blocks fragments to that destination.
  • If a fragment contains a transport layer header, the firewall drops the fragment.

Consider the security implications before disabling ICMP messages

When a host on the private side of the firewall tries to contact a host on the public side, the IP Firewall permits certain types of inbound ICMP packets. This allows ICMP error messages to reach the private host when an error occurs during delivery, for example when a packet is dropped or the destination is unreachable. The IP Firewall installs a rule that allows this error-message feedback.

Although you can disable these ICMP messages, consider the security and operational implications before doing so: debugging becomes more difficult, and the private host can no longer detect that a packet delivery error has occurred. This may make tools such as Ping and Tracert unusable, or leave some remote hosts unreachable. For the list of ICMP types that are allowed inbound, see IP Firewall OS Design Development.

If you want to disable ICMP, create a blocking rule that drops inbound ICMP packets of a specific type, or one that drops all inbound ICMP packets. A rule that drops only the types you do not need preserves the error feedback described above; a rule that drops all ICMP removes it entirely.
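The following is an added example, not code from Windows Embedded CE or the IP Firewall: a small C model of the inbound filtering behaviour described in the Security Note above (fragment handling) and in this section (ICMP error feedback and blocking rules), evaluated against constructed packets. The rule structure, the first-match evaluation with default deny, the allow list of ICMP types 0, 3, 11 and 12, the private host address 192.168.0.2 and the reading of the second fragment defense as applying to the first fragment (the only one that carries a transport-layer header) are all assumptions made for illustration; the real rule format and the real list of allowed ICMP types are in IP Firewall OS Design Development.

```c
/* Added example (not Windows CE firewall code): model of inbound ICMP and
 * fragment filtering as this page describes it. Rule format, allow list,
 * addresses and the fragment interpretation are assumptions. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum verdict { DROP = 0, ALLOW = 1 };

#define ANY_PROTO  0        /* rule matches any IP protocol */
#define ANY_DST    0u       /* rule matches any destination address */
#define ANY_ICMP   (-1)     /* rule matches any ICMP type */
#define PROTO_ICMP 1
#define COUNT(a)   (sizeof(a) / sizeof((a)[0]))
#define PRIVATE_HOST 0xC0A80002u   /* constructed private host 192.168.0.2 */

struct rule {
    uint8_t      proto;     /* IP protocol number or ANY_PROTO */
    uint32_t     dst;       /* destination IPv4 (host order) or ANY_DST */
    int          icmp_type; /* ICMP type or ANY_ICMP; unused for other protocols */
    enum verdict action;
};

/* Assumed error-feedback allow list: 3 destination unreachable, 11 time
 * exceeded, 12 parameter problem, plus 0 echo reply so Ping works. */
static const struct rule error_feedback_rules[] = {
    { PROTO_ICMP, ANY_DST, 3,  ALLOW }, { PROTO_ICMP, ANY_DST, 11, ALLOW },
    { PROTO_ICMP, ANY_DST, 12, ALLOW }, { PROTO_ICMP, ANY_DST, 0,  ALLOW },
};
/* Blocking rule for one type, first so it wins on first match: ping replies
 * are dropped, delivery-error feedback still reaches the private host. */
static const struct rule block_echo_reply_rules[] = {
    { PROTO_ICMP, ANY_DST, 0,  DROP },  { PROTO_ICMP, ANY_DST, 3,  ALLOW },
    { PROTO_ICMP, ANY_DST, 11, ALLOW }, { PROTO_ICMP, ANY_DST, 12, ALLOW },
};
/* Blocking rule for all inbound ICMP: no error feedback at all. */
static const struct rule block_all_icmp_rules[] = {
    { PROTO_ICMP, ANY_DST, ANY_ICMP, DROP },
};

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t rd32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

/* icmp_type == ANY_ICMP means the packet's type is unknown (a fragment with
 * no transport header), so the rule's type field is not compared. */
static bool rule_matches(const struct rule *r, uint8_t proto, uint32_t dst, int icmp_type) {
    if (r->proto != ANY_PROTO && r->proto != proto) return false;
    if (r->dst != ANY_DST && r->dst != dst) return false;
    if (proto == PROTO_ICMP && icmp_type != ANY_ICMP &&
        r->icmp_type != ANY_ICMP && r->icmp_type != icmp_type) return false;
    return true;
}

/* First-match evaluation of one inbound IPv4 packet; default deny. */
enum verdict filter_inbound(const uint8_t *pkt, size_t len, const struct rule *rules, size_t n) {
    if (len < 20 || (pkt[0] >> 4) != 4) return DROP;          /* not IPv4 */
    size_t ihl = (size_t)(pkt[0] & 0x0F) * 4;
    if (ihl < 20 || len < ihl) return DROP;                    /* truncated header */
    uint8_t proto = pkt[9];
    uint32_t dst = rd32(pkt + 16);
    uint16_t fw = rd16(pkt + 6);
    bool more = (fw & 0x2000) != 0;                            /* MF flag */
    uint16_t offset = fw & 0x1FFF;                             /* 8-byte units */

    if (more || offset != 0) {                                 /* fragment */
        if (offset == 0) return DROP;  /* carries the transport header: dropped (assumed reading) */
        for (size_t i = 0; i < n; i++)  /* other fragments need an ALLOW rule for the destination */
            if (rules[i].action == ALLOW && rule_matches(&rules[i], proto, dst, ANY_ICMP)) return ALLOW;
        return DROP;
    }
    int icmp_type = ANY_ICMP;
    if (proto == PROTO_ICMP) {
        if (len < ihl + 8) return DROP;                        /* no ICMP header */
        icmp_type = pkt[ihl];
    }
    for (size_t i = 0; i < n; i++)
        if (rule_matches(&rules[i], proto, dst, icmp_type)) return rules[i].action;
    return DROP;
}

/* Constructed 28-byte packet: minimal IPv4 header (checksum left zero; the
 * model does not verify it) and 8 payload bytes whose first byte is the ICMP type. */
static size_t build_packet(uint8_t *buf, uint8_t proto, uint32_t dst, uint16_t fragword, uint8_t type) {
    memset(buf, 0, 28);
    buf[0] = 0x45; buf[3] = 28; buf[8] = 64; buf[9] = proto;
    buf[6] = (uint8_t)(fragword >> 8); buf[7] = (uint8_t)fragword;
    buf[16] = (uint8_t)(dst >> 24); buf[17] = (uint8_t)(dst >> 16);
    buf[18] = (uint8_t)(dst >> 8);  buf[19] = (uint8_t)dst;
    buf[20] = type;
    return 28;
}

/* Verdict for an unfragmented inbound ICMP message of the given type. */
enum verdict icmp_verdict(uint8_t type, const struct rule *rules, size_t n) {
    uint8_t pkt[28];
    return filter_inbound(pkt, build_packet(pkt, PROTO_ICMP, PRIVATE_HOST, 0, type), rules, n);
}

/* Verdict for a fragment; fragword is the IPv4 flags/offset field. */
enum verdict fragment_verdict(uint8_t proto, uint16_t fragword, const struct rule *rules, size_t n) {
    uint8_t pkt[28];
    return filter_inbound(pkt, build_packet(pkt, proto, PRIVATE_HOST, fragword, 0), rules, n);
}

int main(void) {
    printf("echo reply, error-feedback rules: %d\n", icmp_verdict(0, error_feedback_rules, COUNT(error_feedback_rules)));
    printf("echo reply, block-echo-reply rules: %d\n", icmp_verdict(0, block_echo_reply_rules, COUNT(block_echo_reply_rules)));
    printf("dest unreachable, block-all rules: %d\n", icmp_verdict(3, block_all_icmp_rules, COUNT(block_all_icmp_rules)));
    printf("first fragment to private host: %d\n", fragment_verdict(PROTO_ICMP, 0x2000, error_feedback_rules, COUNT(error_feedback_rules)));
    return 0;
}
```

The three rule tables show the trade-off the section describes: with only the allow list, echo replies and delivery-error messages reach the private host while anything else (for example an unsolicited echo request) is dropped by default deny; a type-specific blocking rule placed first removes only ping replies; a block-all rule removes the error feedback as well. The fragment branch shows why the Security Note warns about allow rules: a non-first fragment reaches the private host as soon as any allow rule covers that destination and protocol, so that host's own stack must cope with whatever the fragment contains.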

Default Registry Settings

Be aware of the registry settings that affect security. Where a value has security implications, the registry settings documentation marks it with a Security Note.

For the registry settings that configure the IP Firewall, see IP Firewall Registry Settings.

Ports

The IP Firewall itself does not listen on any ports; it filters traffic to and from the ports that other components open.

See Also

Concepts

IP Firewall OS Design Development
Default IP Firewall Rules

Other Resources

Firewall
Enhancing the Security of a Device