- Segment and harden by profile (domain, private, or public), adjusting rules and notifications for each.
- Control apps with outbound rules and exceptions; avoid unnecessary openings.
- In OT/IoT, place sensors at key traffic points and cover both intra-segment and inter-segment flows.
- Rely on restore and monitoring procedures to keep the configuration sound.
Network security in IoT and OT environments is not just about updating firmware or isolating devices: it also depends on how you filter traffic on Windows with a firewall. Windows Defender Firewall lets you decide what comes in and what goes out in each network profile, and that can make the difference between a minor incident and a serious problem.
Beyond protecting your PC, a firewall can help provide visibility and control over traffic that affects industrial segments, both on home networks with connected devices and in plants with sensors, PLCs, or HMIs. We explain how to configure it step by step and how it fits into OT/IoT networks, including segmentation, the Purdue model, monitoring points, and even data diode deployments.
What is Windows Defender Firewall and how does it help in an IoT network?
The built-in Windows firewall acts as a filter that allows or denies connections based on rules. It blocks unauthorized access and reduces risk by controlling IP addresses, ports, and program paths. In networks with cameras, sensors, or smart devices, limiting traffic is key to minimizing the attack surface.
From the Windows Security app, you can view and manage the status of each network type: domain, private, or public. You can turn it on or off per profile and access advanced options that let you fine-tune behavior in different locations.
Network profiles: private, public, and domain
When you connect your device, you can mark the network as private or public. A private network (e.g., your home) assumes trust between devices, so they can discover each other and share network folders in Windows 11. A public network (e.g., Wi-Fi in a coffee shop), on the other hand, is untrusted and should be locked down further.
Choosing the right profile changes the level of exposure and the automatic rules that are applied. On public networks it is sensible to harden incoming connections, while on private networks you can allow certain internal functions if you trust the other computers.
Configure Windows Defender Firewall from Windows Security
To easily adjust your firewall, go to Windows Security and open the Firewall & network protection section. Select the active profile (domain, private, or public) and activate Microsoft Defender Firewall so that it starts filtering traffic in that context.
You'll also find a very useful control: Block all incoming connections, including those on the allowed apps list. When checked, the firewall ignores the exceptions and blocks every inbound connection in that profile. This increases security but can break apps that need to listen for connections.
The same panel gives access to additional functions. Allow an app through the firewall adds exceptions (or opens specific ports) when a legitimate app is blocked. Use this sparingly: opening exceptions unnecessarily creates security holes.
If something is wrong with your overall connectivity, run the Network and Internet Troubleshooter. This wizard can automatically diagnose and repair typical network and firewall issues.
You can also adjust the firewall notification settings if you're receiving too many notifications or missing alerts. Adjusting the notification level helps you avoid missing relevant blocks without being flooded with messages.
The Advanced settings option opens the classic Windows Defender Firewall console. There you create inbound, outbound, and connection security rules and review the monitoring logs. Caution: changing rules without understanding them can open holes or break applications.
If everything has gone wrong, there is an emergency button: Restore firewalls to default settings. It returns the computer to its original state, and if you're in an organization, corporate policies are reapplied.
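As an added example (not from the original post), the same per-profile settings applied with the NetSecurity PowerShell cmdlets instead of the Windows Security panel; the log file path and the choice of profiles are assumptions.

```powershell
# Added example: harden the Public profile the way the panel above does, but from an
# elevated PowerShell session. Splatting keeps each setting on its own commented line.
$publicProfile = @{
    Profile               = 'Public'
    Enabled               = 'True'
    DefaultInboundAction  = 'Block'     # drop unsolicited inbound traffic unless a rule allows it
    DefaultOutboundAction = 'Allow'
    AllowInboundRules     = 'False'     # "Block all incoming connections, including those on the allowed apps list"
    NotifyOnListen        = 'True'      # keep the notification when a program starts listening
    LogBlocked            = 'True'      # record dropped packets for later review
    LogFileName           = '%SystemRoot%\System32\LogFiles\Firewall\pfirewall_public.log'  # assumed path
}
Set-NetFirewallProfile @publicProfile

# Private profile: still default-deny inbound, but honour the allow exceptions for trusted LAN apps.
Set-NetFirewallProfile -Profile Private -Enabled True -DefaultInboundAction Block -AllowInboundRules True

# Check: every profile should report Enabled = True and DefaultInboundAction = Block.
Get-NetFirewallProfile |
    Select-Object Name, Enabled, DefaultInboundAction, AllowInboundRules, NotifyOnListen, LogBlocked

# Command-line equivalent of the "Restore firewalls to default settings" button (kept commented out):
# netsh advfirewall reset
```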
Block a program and manage whitelists
There are situations where you want to prevent an app from going online (to stop telemetry, downloads, unsupervised online gaming, or conflicting updates). The most effective way is to create an outbound rule that blocks the program's executable.
- Open the Start menu and go to Control Panel. Open Windows Defender Firewall and click Advanced settings.
- In the left pane, choose Outbound Rules. In the right pane, click New Rule.
- Select the rule type Program and click Next. Choose This program path and browse to the .exe to block (or type its path if you know it).
- Select Block the connection and continue. Apply it to Domain, Private, and Public (the usual choice) and give the rule a descriptive name.
The rule takes effect as soon as you finish. You can view and edit it under Outbound Rules. To lift the block temporarily, right-click the rule and disable or enable it as needed.
What if you need to let a trusted app through? From the main panel, select Allow an app or feature through Windows Firewall. Click Change settings and tick Private or Public as appropriate (do not open apps that handle sensitive data on public networks).
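The outbound block and the allow exception above as PowerShell, added here as an example rather than taken from the article; the executable paths and rule names are placeholders.

```powershell
# Added example: the wizard steps as one cmdlet, plus verification and the disable/enable toggle.
$exe  = 'C:\Program Files\ExampleApp\exampleapp.exe'   # assumed executable to block
$name = 'Block outbound - ExampleApp'

# Rule type Program, action Block, applied to Domain, Private and Public.
New-NetFirewallRule -DisplayName $name -Direction Outbound -Action Block `
    -Program $exe -Profile Domain,Private,Public -Enabled True | Out-Null

# Check that the rule exists, is enabled and points at the intended executable.
Get-NetFirewallRule -DisplayName $name |
    Select-Object DisplayName, Direction, Action, Enabled, Profile,
        @{ n = 'Program'; e = { ($_ | Get-NetFirewallApplicationFilter).Program } }

# Lift the block temporarily (the right-click > Disable Rule step) and restore it when done.
Disable-NetFirewallRule -DisplayName $name
Enable-NetFirewallRule  -DisplayName $name

# "Allow an app or feature through Windows Firewall", limited to the Private profile:
# no inbound opening on Public, as the text advises for apps that handle sensitive data.
New-NetFirewallRule -DisplayName 'Allow inbound - TrustedApp (Private only)' -Direction Inbound `
    -Action Allow -Program 'C:\Program Files\TrustedApp\trustedapp.exe' -Profile Private | Out-Null

# Review every rule that references either executable before closing the session.
Get-NetFirewallApplicationFilter | Where-Object { $_.Program -like 'C:\Program Files\*App\*.exe' } |
    Get-NetFirewallRule | Select-Object DisplayName, Direction, Action, Enabled, Profile
```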
OT/IoT Network Layers and the Purdue Model
In industrial and IoT networks, not all devices and services sit at the same level. The architecture is often divided into endpoint devices (PCs, servers, IoT) and network devices (switches, firewalls, routers, and APs), organized in layers.
Many designs follow a three-layer hierarchical model: access, distribution, and core. The access layer hosts most of the endpoints and usually relies on a default gateway to route outside the subnet. The distribution layer aggregates the access layer and enforces services (VLAN routing, QoS, policies), and the core provides the server farms and fast, low-latency transit.
In addition, the Purdue reference model extends segmentation into OT/ICS environments with levels 0 through 5. Level 0 includes sensors, actuators, and process elements (they measure, drive, and actuate). Level 1 houses the embedded controllers (PLC, RTU, DCS) that govern those field devices.
Level 2 focuses on supervision: HMIs, alarms, batch management, and checkpoints, often running on standard computers and operating systems (Windows or UNIX). These systems communicate with the PLCs/RTUs and sometimes exchange data with higher levels.
Levels 3 and 3.5 group the industrial network and the site perimeter: plant-wide operations management applications (production reports, analytics, scheduling, industrial AD, file or terminal servers). From here, data is usually integrated into IT.
Levels 4 and 5 correspond to corporate IT: the centralized services managed by the organization, where the business systems reside.
Placement of sensors and interesting traffic points
For passive monitoring of OT networks with Defender for IoT, sensors receive mirrored traffic (SPAN on switches or TAPs). The sensor's management port connects to the management or corporate network to send data to the Azure portal, unless the perimeter prevents it.
Where should you capture useful traffic? Identify the interfaces that connect the default gateway to the distribution or core switches. These are "interesting" points because they see the traffic leaving the IP segment, which lets you observe communications towards other segments.
Not all traffic is unicast: consider broadcast and multicast. Broadcast and multicast typically reach every host in the subnet, including the gateway, so they are usually covered. With IGMP snooping, multicast forwarding is optimized and restricted to specific hosts, so it is not guaranteed to reach the capture point.
Unicast traffic can go directly from source to destination without touching the other hosts. To see it, place sensors on the access switches, so you capture conversations that never pass through the default gateway.
When transmitting traffic to sensors, some devices only reflect one direction. Try to monitor both directions to improve conversation context and detection accuracy.
In critical subnets, there may be flows that do not reach the typical interesting point. Consider adding RSPAN, TAPs or specific solutions to cover atypical traffic or visibility gaps.
If you are working with one-way gateways (Waterfall, Owl, Hirschmann) with data diodes, there are two scenarios. Recommended: place the OT sensors outside the perimeter and send a one-way SPAN from the network to the sensor's monitoring port (ideal for large deployments). Alternatively, place them inside the perimeter and send UDP syslog alerts outward through the diode.
In the latter case, the sensors are isolated from the outside and require local management: there is no cloud connection or management from Azure, and threat intelligence updates must be applied manually. If you need cloud-connected sensors, place them outside the perimeter.
Traffic flows: in and out of the segment
Routing behavior depends on whether the destination falls inside or outside the range defined by the source's subnet mask. Devices compare the destination IP with their own subnet and decide whether to send directly or to the gateway. This process can trigger ARP to resolve MAC addresses.
When the destination is outside the segment, the device sends the flow to its default gateway as the first hop. Placing a sensor on that interface ensures that you see everything that leaves the segment, which is crucial for detecting anomalous communications to other areas.
Example: a PC with IP 10.52.2.201/24 initiates a connection to 10.17.0.88. The system calculates that 10.17.0.88 is not on 10.52.2.0/24, so it sends the traffic to its gateway. That point is ideal for monitoring the flow.
If the destination is within range (e.g., 10.52.2.17 to 10.52.2.131 with /24), the traffic does not cross the gateway: ARP resolves the destination MAC address and the frame is delivered locally. Without capture at the access layer, these intra-segment flows could go undetected.
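Added example, not part of the original article: a small PowerShell function that makes the same local-or-gateway decision and reports which capture point will see the flow, run against the two cases above (the inputs are constructed from the article's own addresses).

```powershell
# Added example: reproduce the sender's routing decision (same subnet -> ARP and local delivery,
# otherwise -> default gateway) so you can predict which sensor placement sees a given flow.
function ConvertTo-UInt32Address ([string]$Ip) {
    $b = [System.Net.IPAddress]::Parse($Ip).GetAddressBytes()   # IPv4 octets, most significant first
    return [uint32](($b[0] * 16777216) + ($b[1] * 65536) + ($b[2] * 256) + $b[3])
}

function Get-FirstHopDecision {
    param(
        [Parameter(Mandatory)][string]$SourceIp,
        [Parameter(Mandatory)][ValidateRange(0, 32)][int]$PrefixLength,
        [Parameter(Mandatory)][string]$DestinationIp
    )
    # Subnet mask as a 32-bit integer: 2^32 - 2^(32 - prefix); a /24 gives 0xFFFFFF00.
    $mask = [uint32]([math]::Pow(2, 32) - [math]::Pow(2, 32 - $PrefixLength))
    $src  = ConvertTo-UInt32Address $SourceIp
    $dst  = ConvertTo-UInt32Address $DestinationIp

    # Same network part -> deliver locally; otherwise hand the packet to the default gateway.
    $sameSubnet = (($src -band $mask) -eq ($dst -band $mask))
    $firstHop = if ($sameSubnet) { 'Direct: ARP for the destination MAC, delivered locally' } else { 'Default gateway' }

    [pscustomobject]@{
        Source              = "$SourceIp/$PrefixLength"
        Destination         = $DestinationIp
        FirstHop            = $firstHop
        SeenByGatewaySensor = -not $sameSubnet   # only gateway-bound flows reach the "interesting point"
        NeedsAccessCapture  = $sameSubnet        # intra-segment flows need a sensor on the access switch
    }
}

# The two cases described above (constructed inputs): one leaves the segment, one stays inside it.
Get-FirstHopDecision -SourceIp 10.52.2.201 -PrefixLength 24 -DestinationIp 10.17.0.88
Get-FirstHopDecision -SourceIp 10.52.2.17  -PrefixLength 24 -DestinationIp 10.52.2.131
```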
Reasons to block programs with the firewall
A firewall monitors and controls incoming and outgoing connections according to rules. It's like a digital border control: it decides who enters and who leaves based on risk. Blocking programs prevents unauthorized access, malware, and unwanted behavior.
Additionally, you can prevent automatic updates that break compatibility, limit gaming platforms for minors, or cut off advertising and connections on unsecured public Wi-Fi networks. Granular rules give you the fine control you sometimes need day to day.
Other ways to limit connections on Windows, macOS, and Linux
On Windows, if you don't want to touch the rules, you can turn on Airplane Mode from the Action Center to cut the internet temporarily. Turn it off again to return to normal when you're done. There are also free third-party firewalls if you prefer other interfaces or extra features.
On macOS, go to System Preferences, find the Network or Security & Privacy section, and select Firewall. Turn it on and, under Options, add apps and choose whether to allow or block their incoming connections. Keep in mind that blocking can affect dependencies between apps.
On Linux (Ubuntu), UFW simplifies management: install it with sudo apt-get install ufw, check its status with sudo ufw status, and define basic rules before enabling it: allow SSH with sudo ufw allow ssh, allow HTTP/HTTPS with sudo ufw allow http and sudo ufw allow https, then enable it with sudo ufw enable. Check again with sudo ufw status.
Maintenance, notifications, temporary deactivation and restoration
Adjusting the notification level keeps you informed about relevant blocks without excessive noise. The Notification settings section in Windows Security is where you calibrate the verbosity of firewall warnings.
If you occasionally need to turn the firewall off, do it profile by profile and be aware of what you're doing. Disabling the firewall is not recommended because it exposes you. It's better to create a controlled exception or disable a specific rule for a limited time.
To turn it off from Control Panel: System and Security > Windows Defender Firewall > Turn Windows Defender Firewall on or off. You can disable it per profile, but the system itself warns you that this is not recommended. Turn it back on as soon as possible.
If your settings have become messed up, go back to Restore defaults in the same firewall panel and follow the prompts. Restoring the original state fixes inconsistencies and reapplies your organization's policies, if any.
You've got the basics covered: well-chosen network profiles, fine-tuned inbound/outbound rules, justified exceptions, visibility into OT/IoT networks via sensors at key locations, and procedures for blocking apps or resetting settings. This comprehensive approach reduces risk on both your PC and in industrial segments and lets you react precisely when an incident occurs.
Passionate writer about the world of bytes and technology in general. I love sharing my knowledge through writing, and that's what I'll do on this blog, show you all the most interesting things about gadgets, software, hardware, tech trends, and more. My goal is to help you navigate the digital world in a simple and entertaining way.