Computers are widely used in both business and personal settings. Frequently, the utility of a computer is greatly enhanced by its ability to send or access data over a network. Unfortunately, expanding the functionality of a computer by connecting it with devices operated by other legitimate users also creates the risk that the computer will become connected to devices operated by third parties who, either maliciously or inadvertently, may send messages over the network that cause damage to the computer or the data that it stores. Alternatively, using the network, a third party may improperly gain access to information stored on the computer that was intended to be secret. In these scenarios, rather than enabling desired functionality, the network connection poses a security risk for a computer and its user. To combat security risks posed by network connections, firewalls are frequently used. A firewall may be a hardware or software component that filters network traffic so that communications with unauthorized third parties are blocked but legitimate network functions may be carried out. Frequently, the filters applied by a firewall are specified by a set of policies defining characteristics of network messages that either should pass through the firewall or that should be blocked. Because different levels of communication may be appropriate depending on the origin or destination of messages, firewall policies may be provided for each application that executes on a computing device and communicates over a network.
Further, different security settings and therefore different firewall policies may be appropriate in different operating contexts. To accommodate different firewall settings in different network contexts, policies may be categorized into profiles based on the context in which they are to be used. It is known to provide a profile for use when a computer is domain-joined to a network and another policy store, which may contain different policies, for use when the computer is not domain-joined.
Further, firewall policies may be obtained from different sources. Some policies may be set by a user, which requires the user to make a determination of whether an application should be allowed or blocked from network access. For domain-joined computers, policies may be set by a domain administrator. To hold policies set by the domain administrator, a group policy store may be provided. A local policy store may hold policies set by a user. A dynamic policy store may be provided for temporary policies.
When a decision is required to allow or block access, a firewall may consult the profiles in the policy stores to identify an application policy. If multiple applicable policies are present, an order of priority, based on the source of the applicable policies, may be used to pick one. If no applicable policy is available in the current context, a user may be prompted to make a decision, which is then used to generate a policy.
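The resolution procedure described across the last three paragraphs (policies grouped into profiles by network context, held in group, local and dynamic stores, picked by a source-based priority order, with a user prompt as the fallback that generates a new policy) can be made concrete in a small model. The code below is an added example written for this page; it is not code from the original text or from any particular firewall product. The store names, the precedence order `group > local > dynamic`, the profile names `domain` and `standard`, the sample application names, and the choice to persist a prompted decision into the local store are all assumptions made for the illustration.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Callable, Dict, List, Optional, Tuple


class Action(Enum):
    ALLOW = "allow"
    BLOCK = "block"


@dataclass(frozen=True)
class Policy:
    application: str   # application the rule covers (constructed sample names below)
    action: Action
    source: str        # name of the store the rule came from


class PolicyStore:
    """A policy store whose rules are grouped into profiles by network context."""

    def __init__(self, name: str):
        self.name = name
        self._profiles: Dict[str, List[Policy]] = {}

    def add(self, profile: str, application: str, action: Action) -> None:
        self._profiles.setdefault(profile, []).append(
            Policy(application, action, self.name))

    def lookup(self, profile: str, application: str) -> Optional[Policy]:
        # First matching rule inside the requested profile wins within a store.
        for policy in self._profiles.get(profile, []):
            if policy.application == application:
                return policy
        return None


class Firewall:
    # Assumed precedence when several stores hold a matching rule; the page says
    # the order depends on the policy source but does not fix a specific order.
    PRECEDENCE = ("group", "local", "dynamic")

    def __init__(self, stores: List[PolicyStore],
                 prompt_user: Callable[[str], Action]):
        self._stores = {s.name: s for s in stores}
        self._stores.setdefault("local", PolicyStore("local"))
        self._prompt_user = prompt_user

    def decide(self, profile: str, application: str) -> Policy:
        """Return the applicable policy for an application in the given profile."""
        for name in self.PRECEDENCE:
            store = self._stores.get(name)
            policy = store.lookup(profile, application) if store else None
            if policy is not None:
                return policy
        # No applicable policy in this context: ask the user and persist the
        # answer as a user-set rule in the local store (assumed placement), so
        # the next decision for this application needs no prompt.
        action = self._prompt_user(application)
        self._stores["local"].add(profile, application, action)
        return self._stores["local"].lookup(profile, application)


def build_demo() -> Tuple[Firewall, List[str]]:
    """Constructed sample stores plus a recording stand-in for the user prompt."""
    group, local, dynamic = (PolicyStore("group"), PolicyStore("local"),
                             PolicyStore("dynamic"))
    group.add("domain", "updater.exe", Action.ALLOW)
    local.add("domain", "updater.exe", Action.BLOCK)   # lower priority than group
    local.add("domain", "chat.exe", Action.ALLOW)
    local.add("standard", "updater.exe", Action.BLOCK)
    dynamic.add("standard", "installer.exe", Action.ALLOW)  # temporary rule

    prompted: List[str] = []

    def prompt_user(application: str) -> Action:
        prompted.append(application)
        return Action.BLOCK   # a cautious default for the offline demo

    return Firewall([group, local, dynamic], prompt_user), prompted


if __name__ == "__main__":
    fw, prompted = build_demo()
    for profile, app in [("domain", "updater.exe"), ("standard", "updater.exe"),
                         ("standard", "unknown.exe"), ("standard", "unknown.exe")]:
        p = fw.decide(profile, app)
        print(f"{profile:8} {app:14} -> {p.action.value} (from {p.source})")
    print("prompted for:", prompted)
```

Note that the same application resolves differently in the `domain` and `standard` profiles, that a domain administrator's group rule overrides a conflicting user-set local rule, and that the unknown application triggers exactly one prompt: the generated policy is stored, so the second lookup is answered from the store.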