Networking Basics: Firewalls

Applies To: Windows SBS 2008

A firewall helps screen out malicious users, viruses, and worms that try to access your network from the Internet. For a small business environment, a firewall is the most effective and important first step you can take to help protect your network.

Firewalls can be hardware or software, and they help prevent unauthorized access to your local area network (LAN) from the Internet by blocking incoming network traffic that is attempting to use a port that is not open. It is recommended that you close all ports on the firewall that are not required by applications and services that are running on your network. A firewall hides information on your LAN from the Internet, such as computer names, network topology, and network device types. A firewall can also log traffic to and from the LAN.

Hardware firewall

Hardware firewalls are easy to use and install. One of the real benefits of a hardware firewall is that it comes bundled with additional services. Your hardware firewall may also act as a router or Internet gateway device (IGD), and as a switch.

During installation, Windows SBS 2008 attempts to discover and set up your router. Most of the available low-cost or business-class routers that are UPnP certified are compatible with Windows SBS 2008. For a list of routers that are compatible with Windows SBS 2008, see the Windows Vista Hardware Compatibility List at the Microsoft Web site (

Server software firewall

Windows Firewall, which is included with Windows SBS 2008, is a software firewall. It is turned on by default and begins protecting your server when the installation begins. When it is properly configured, Windows Firewall can stop many kinds of malicious software (malware) before it infects your server or the other computers on your network.

The Windows Firewall helps protect your server by preventing unwanted inbound network traffic from accessing the server. The firewall also helps prevent unauthorized network traffic from leaving the local network, and it restricts other operating system resources if they behave in unexpected ways, which is a common indicator of the presence of malware. For example, if a component of Windows SBS 2008 that is designed to send network messages over a given port on your server tries to send messages through a different port due to an attack, Windows Firewall can prevent that message from leaving your server. This prevents the malware from spreading to other computers on your network.
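The logging and outbound-blocking behavior described above can be checked from the firewall's own log. The following is an added example, not code from Microsoft or from this page: it reads entries in the Windows Firewall log (pfirewall.log) layout and reports inbound TCP connections that were allowed on ports outside a required list, plus outbound TCP connections that the firewall dropped. The required-port list, the addresses, and the log entries are constructed for illustration.

```python
from collections import Counter

# Assumption: TCP ports this server is meant to accept from outside.
REQUIRED_TCP_PORTS = {25, 80, 443}

# Constructed sample in the Windows Firewall log (pfirewall.log) layout.
SAMPLE_LOG = """\
#Version: 1.5
#Software: Microsoft Windows Firewall
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2009-03-02 09:14:01 ALLOW TCP 203.0.113.7 192.168.16.2 51544 443 0 - 0 0 0 - - - RECEIVE
2009-03-02 09:15:12 ALLOW TCP 203.0.113.9 192.168.16.2 40211 3389 0 - 0 0 0 - - - RECEIVE
2009-03-02 09:15:40 ALLOW TCP 203.0.113.9 192.168.16.2 40215 3389 0 - 0 0 0 - - - RECEIVE
2009-03-02 09:16:03 DROP TCP 198.51.100.20 192.168.16.2 33810 23 48 S 0 0 0 - - - RECEIVE
2009-03-02 09:18:27 DROP TCP 192.168.16.2 198.51.100.44 49731 6667 0 - 0 0 0 - - - SEND
2009-03-02 09:19:40 ALLOW UDP 192.168.16.2 198.51.100.53 50112 53 0 - - - - - - - SEND
2009-03-02 09:20:11 DROP TCP 192.168
"""

def parse_log(text):
    """Yield one dict per entry, naming columns from the #Fields header."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.strip() and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):  # skip truncated entries
                yield dict(zip(fields, values))

def review(text, required=REQUIRED_TCP_PORTS):
    """Return (allowed inbound on non-required ports, dropped outbound)."""
    inbound_extra, outbound_drop = Counter(), Counter()
    for e in parse_log(text):
        if e["protocol"] != "TCP" or not e["dst-port"].isdigit():
            continue
        port = int(e["dst-port"])
        direction = e.get("path", "-")  # SEND or RECEIVE when logged
        if e["action"] == "ALLOW" and direction == "RECEIVE" and port not in required:
            inbound_extra[port] += 1  # open port nobody listed as required
        elif e["action"] == "DROP" and direction == "SEND":
            outbound_drop[(e["src-ip"], port)] += 1  # blocked outbound attempt
    return inbound_extra, outbound_drop

if __name__ == "__main__":
    extra, drops = review(SAMPLE_LOG)
    print("Allowed inbound on non-required ports:", dict(extra))
    print("Dropped outbound (source, port):", dict(drops))
```

A port that appears in the first result is a candidate for closing; an entry in the second result identifies a computer whose outbound traffic the firewall blocked and that is worth inspecting.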

Client software firewall

Client computers on the network can become infected through a separate Internet connection, such as a laptop that is used on your internal network and on public networks. Or a virus can be introduced to a computer on your network, for example, from e-mail, Web browsing, or software that is installed from an external storage drive. To help protect your internal network, when client computers that are running Windows XP Professional with SP2 or Windows Vista join the local domain, Windows SBS 2008 uses Group Policy settings to configure the firewall on each client computer.

Additional resources

"Understanding Windows Firewall Settings" at the Microsoft Web site (

"The New Windows Firewall in Windows Vista and Windows Server 2008" at the Microsoft Web site (