了解Windows防火墙的优缺点

Learn the pros and cons of Windows Firewall
了解Windows防火墙的优缺点

《endurer注：pros and cons 正反面，优缺点，利弊》

英文来源：http://techrepublic.com.com/5100-1009_11-6063367.html?tag=nl.e101
by  Michael Mullins CCNA, MCP
作者：Michael Mullins CCNA, MCP
翻译：endurer 2006-04-28　第1版
Keywords:  Security applications/tools | Firewalls | Security | Internet
关键字：安全应用程序/工具 | 防火墙 | 安全 | Internet
Takeaway:
Is Windows Firewall up to the task of securing your network? Mike Mullins has his doubts. In this edition of Security Solutions, he delves into the details of Windows Firewall and weighs its pros and cons. 
概述：Windows防火墙胜任您的网络安全任务吗？Mike Mullins有疑。在这期安全解决方法中，他深入研究Windows防火墙的细节，并权衡其优缺点。

《endurer注：1。up to 一直到,等于;正在做(直到,相当于,胜任,该由...决定)
2。delve into 钻研, 深入研究》

 
Windows Firewall debuted with the release of Windows XP, and Windows XP Service Pack 2 enabled this feature by default. This host-based stateful firewall replaced Windows' Internet Connection Firewall.
Windows防火墙随着Windows XP的发布初次登场，Windows XP Service Pack 2默认增强了特性。该主机型运用状态(检测)防火墙替代了WindowsInternet连接防火墙。

Stateful firewall 是一种新型防火墙技术，请点击参考：防火墙新生代：Stateful－inspection(http://www.bupt.edu.cn/regnet/document/network/firewall1.htm)

This feature's default configuration rejects incoming IP traffic unless you've specifically allowed it. To configure or adjust the Windows Firewall settings, go to Start | Control Panel, and double-click the Windows Firewall applet. Let's take a closer look at the various settings.
这个特性的默认配置拒绝来访IP流量，除非您已经特别允许。要配置或调整Windows防火墙设置，开始-->设置-->控制面板，双击Windows防火墙程序。

Know your options
弄清选项

On the General tab, you can use the On and Off radio buttons to enable or disable Windows Firewall. You can also choose to disallow exceptions.
在常规选项卡，您可以使用启用或禁用单选按钮来启用或禁用Windows防火墙。您也可以选择禁用例外。

The Exceptions tab includes a list of programs and services that you can select or deselect to allow or remove access to the network. You can also add or delete ports (both TCP and UDP).
例外选项卡包含一个程序和服务列表，您可以选定或者取消选定来允许或去掉网络访问权。你也可以添加或删除端口（TCP和UDP均可）。

When adding programs or ports, you also have the following options to limit the scope of access: Any Computer (Including Those On The Internet), My Network (Subnet) Only, or Custom List, which allows you to choose a mix of IP addresses and subnets.
在添加程序或端口时，你也有下列选项来限制访问范围：一些计算机（包括Internet上），仅限我的网络（子网），或自定义序列，这个自定义序列允许您选择IP地址和子网集合。

《endurer注：1。custom list 【微软】自定义序列》

On the Advanced tab, you can choose which connections the firewall will apply to, and you can specify logging features. You can also control, with some granularity, how the firewall handles Internet Control Message Protocol (ICMP) packets.
在高级选项卡，您可以选择防火墙应用到哪个连接，并能指定登录特性。您也能较精确地控制防火墙如何处理Internet控制消息协议 (ICMP)包。

Finally, if you get completely lost and make changes that prevent the computer from connecting to the Internet, you can click the Restore Defaults button. This removes all of your changes, returning Windows Firewall to the Microsoft default state.
最后，如果您完全迷路并使防止计算机连接到Internet的更改，可以点击恢复默认按钮。这将清除您所做的一切修改，让Windows防火墙回复到微软默认状态。

《endurer注：1。get lost 迷路》

Know how to adjust the settings
了解怎么调整设置

You can use the method described above to manually change the Windows Firewall settings. However, you can also use a variety of methods more suited for enterprise deployments. Here are some of your options:
您可以用上述方法手动更改Windows防火墙设置。然而，你也可以使用多种更适合企业部署的方法。这是一些选择：

• Unattend.txt: You can use this text file used during unattended setup when deploying multiple systems that have similar configurations.
  Unattend.txt:在布署有相似配置的多个系统时，您可以在无人值守时使用这个文本文件
  
• Netfw.ini: You can modify and deploy this file via login scripts or a control system such as Systems Management Server (SMS). You can find this file in the %windir%\Inf folder.
  Netfw.ini: 您可以修改并通过登录脚本或诸如Windows系统配置管理解决方案(SMS)之类的控制系统来部署。您可以在%windir%\Inf找到这个文件。
  
• Netsh: You can execute this command at the command prompt or through a scripted batch file deployed at login.
  folder.Netsh: 您可以在命令提示符，或通过布署的登录时脚本批处理文件来执行这个命令。
  
• Group Policy: In an Active Directory environment you can use Group Policy to deploy Windows Firewall configurations. Update existing Group Policy Objects with the Windows Firewall policy settings from the updated System.adm template included with Windows XP SP2. You can find these new settings under Computer Configuration | Administrative Templates | Network | Network Connections.
  组策略：在活动目录环境中，您可以使用组策略来布署Windows防火墙配置。利用Windows XP SP2包含的已升级的System.adm模板中的Windows防火墙策略设置来更新现存组策略对象。您可以在计算机配置-->管理模板-->网络-->网络连接里找到这些新设置。

Of course, all of these available configuration and deployment options beg the question: Does this firewall adequately protect your computer?
Weigh the pros and cons

当然所有这些可用配置和布署选项回避问题的实质：这个防火墙充分保护你的电脑了吗？

《endurer注：1。beg the question 以尚未解决的问题作为论据(回避问题的实质)》

Weigh the pros and cons
权衡优缺点

The Windows Firewall does a good job of proxying inbound responses to outbound connection requests, and it does a good job of blocking inbound connection requests for TCP or UDP conversations that you haven't initiated. It will block any connection attempts that you haven't specifically allowed in the settings. However, that's only half of what a firewall needs to do.
Windows防火墙代理对出站连接请求的入站响应的工作做得好，并且阻塞您未发起的TCP或UDP会话入站连接请求的工作做得好，它将阻塞你未在设置中特别允许的连接企图。然而，这只是防火墙需要做的事情的中的一半。
《endurer注：1。do a good job 工作干得好
2。inbound[计算机] 入站
3。outbound[计算机] 出站》

A firewall should also monitor, inspect, and proxy outbound communication—and this is where Windows Firewall fails. Any program on your computer can initiate any type of connection to any IP address on the Internet, and the Windows Firewall will sit by passively and let it happen!
防火墙也要监视，检测和代理出站通信——并且这是Windows防火墙失败的地方。您电脑中的一些程序可以初始化到Internet上任何IP地址的任何类型的连接，而Windows防火墙将袖手旁观，任其发生。

《endurer注：1。sit by 袖手旁观, 无动于衷》

Don't let any prompts fool you: Even though it tells you a program has initiated a connection to the Internet and asks if you want to allow this connection, the connection has already occurred. What it's really asking is whether you want to allow the Internet to connect to this program.
别让任何提示欺骗您：甚至它告诉你一个程序已经初始化了一个对Internet的连接，并询问您是否允许该连接，该连接已经存在了。它实际问的是你是否想允许Internet连接到这个程序。

Final thoughts
最终思索

As far as I'm concerned, a firewall mechanism that only works one way is a security feature—not a firewall. Thanks to viruses, worms, Trojans, and a host of other malware and spyware that arrive on your computer daily, you need to be able to control communications from both directions.
至于我关心的，要努力改进的防火墙机制是安全特性——不是防火墙。由于天天到达您的电脑的病毒，蠕虫，木马，和其它恶意软件和间谍软件，你要能控制双向通信。
《endurer注：1。as far as 远到, 直到, 至于
2。work one's way费力前进
3。 thanks to由于,多亏,归功于》

Every computer connected to any network (e.g., dial-up, Ethernet, or wireless) needs a firewall, and Windows Firewall just isn't up to the task. Find yourself a free firewall or pay for one from a reputable vendor, but don't let Windows Firewall fool you into thinking it completely protects your computer. Half a firewall is no better than no firewall at all.
每台连接到任何网络（例如，拔号，乙太网或无线）的电脑需要防火墙，而Windows防火墙却不能胜任这个任务。为自己找到一个免费防火墙或从名牌供应商那付费购买，但不要让Windows防火墙欺骗您认为它完全保护了您的电脑。实际上半个防火墙和没有防火墙一样不好。

《endurer注：1。fool sb. into doing 哄骗某人做
2。no better than和...一样不好》
 

endurer附注：相关参考：
如何配置 Windows XP Service Pack 2 中的 Windows 防火墙功能
http://support.microsoft.com/kb/875356/zh-cn