How To Use The Windows Filtering Platform To Integrate With Windows Networking
Madhurima Pawar, Program Manager, Microsoft Corporation
Agenda
Filtering Technologies
Benefits of Windows Filtering Platform
Secure Socket APIs
Filtering Technologies
Pre-Windows Vista technology | Windows Vista technology
TDI filter driver | WFP APIs are strongly recommended; TDI is on the path to deprecation, but will be supported
TDI interface to communicate with the TCP/IP stack | WSK APIs are strongly recommended; TDI is on the path to deprecation, but will be supported
Firewall hook driver in Windows 2000 allowed managing of network packets | WFP APIs are strongly recommended; firewall hooks are no longer supported
LSPs were used for high-level application filtering | WFP APIs are strongly recommended; LSPs will continue to be supported
NDIS shim for non-IP and MAC filtering | NDIS LWF are strongly recommended
Benefits Of WFP
WFP is robust, easier to use and provides better performance
WFP provides rich functionality for a better user experience
WFP filters and secures network traffic
WFP supports both IPv4 and IPv6 traffic
Integrated with hardware offload capabilities in Windows Vista
WFP Architecture (diagram)
User mode: 3rd party NAT, 3rd party IDS, 3rd party parental control, 3rd party anti-virus, firewall application and AV application, all using the WFP APIs exposed by the Base Filtering Engine (BFE).
Kernel mode: Filtering Engine with the Network Layer, Transport Layer, Forward Layer, Stream Layer, ALE and IPsec above TDI/WSK; callout modules attach through the callout APIs.
WFP Layers
Layer | Data representation
Protocol specific | RPC, IKE
Stream/Data Layer | Datagrams and streams
ALE Layers | Control events
Transport Layer | TCP/UDP
IP Packet Layer | Network layer traffic and local fragments
Forward Layer | Forwarded traffic
ICMP | ICMP error packets
Discard | Discarded/dropped packets
Callout
A callout extends the capabilities of WFP
Callouts can be registered at all layers
Each callout has a unique GUID
Callouts are used for:
Deep Inspection
Packet Modification
Stream Modification
Data Logging
Boot time security
Callout
A callout implements:
classifyFn: the filter engine calls classify whenever there is data to be processed
flowDeleteFn: the filter engine calls the callout to notify it when the flow is being terminated
notifyFn: the filter engine calls the callout about events associated with the callout
Application Layer Enforcement
Maintains connection state for all traffic
Filter based on:
Local/remote address and port, protocol
App ID, user ID, and machine ID
IPv4 and IPv6 filtering
ALE use case scenarios:
Port blocking
Application filtering
Authorization based on user ID
Application Layer Enforcement
ALE Layers:
FWPM_LAYER_ALE_RESOURCE_ASSIGNMENT for authorizing port assignments, bind requests etc.
ALE_AUTH_LISTEN for authorizing TCP listen
ALE_AUTH_RECV_ACCEPT for authorizing all incoming traffic
ALE_AUTH_CONNECT for authorizing all outgoing traffic
ALE_FLOW_ESTABLISHED for receiving notification on established flows
Filtering actions:
Block
Permit
Pend
Continue
Modify session timeout for UDP, broadcast, and multicast traffic
ALE Pend (diagram)
Application Foo.exe opens the network; the ALE firewall callout's ClassifyOut() calls FwpsPendOperation0() to pend the operation in kernel mode, the user-mode policy store asks "Do you wish to grant Foo.exe access to the network?", and the answer is delivered back to the engine with FwpsCompleteOperation0().
Stream Layer
Use case scenarios:
Web filtering for parental control
Content filtering
Stream throttling
The stream layer sees the TCP stream
Filtering options available at the stream layer are:
Local/remote address and port
Direction
IPv4 and IPv6 filtering
Stream Layer
Layers:
FWPM_LAYER_STREAM_V4
FWPM_LAYER_STREAM_V6
Filtering actions:
Block
Permit
Continue
Pend/un-pend
Need more data
Stream Pend (diagram)
Application -> Stream Layer -> firewall callout -> policy store (user mode): ClassifyOut() returns actionType = Defer; the callout later resumes the stream with FwpsStreamContinue0().
Stream Need More Data (diagram)
ClassifyOut (100 bytes) returns actionType = Need more data; once more data has arrived the engine calls classify again as ClassifyOut (200 bytes).
Stream Inject (diagram)
ClassifyOut (100 bytes) returns actionType = Need more data; on ClassifyOut (200 bytes) the callout injects 150 bytes into the stream with FwpsStreamInject().
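The need-more-data and inject sequences above, as an added model in C written for this page (it is not WFP code and uses no WDK API): a stream-layer classify function is handed whatever the engine has buffered for the flow so far, answers Need more data until the HTTP request headers are complete, and then blocks or permits by Host against a constructed deny list. classify_http_request, run_stream, the sample segments and the 4096-byte cap are all assumptions of the example; the cap exists so that a peer which never finishes its headers cannot keep the callout pending indefinitely.

```c
/* Model of a stream-layer callout's "need more data" decision (example code
 * for this page, not WFP's own API; all names are hypothetical). */
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

typedef enum { STREAM_PERMIT, STREAM_BLOCK, STREAM_NEED_MORE_DATA } StreamAction;

#define MAX_HEADER_BYTES 4096  /* assumed cap: never buffer more than this waiting for headers */

/* Constructed deny list for the parental-control use case (lowercase). */
static const char *const k_blocked_hosts[] = { "blocked.example", "ads.example" };

static size_t g_classify_calls;  /* how many times the engine model called classify */

static bool ieq_prefix(const char *s, const char *key, size_t n) {
    for (size_t i = 0; i < n; i++)
        if (tolower((unsigned char)s[i]) != tolower((unsigned char)key[i])) return false;
    return true;
}

/* True when buf[0..len) contains the end-of-headers marker; hdr_len covers it. */
static bool find_header_end(const char *buf, size_t len, size_t *hdr_len) {
    for (size_t i = 0; i + 3 < len; i++)
        if (memcmp(buf + i, "\r\n\r\n", 4) == 0) { *hdr_len = i + 4; return true; }
    return false;
}

/* Copies the lowercased Host header value into out; false if absent. */
static bool extract_host(const char *buf, size_t hdr_len, char *out, size_t outsz) {
    static const char key[] = "\r\nhost:";
    const size_t klen = sizeof key - 1;
    for (size_t i = 0; i + klen <= hdr_len; i++) {
        if (!ieq_prefix(buf + i, key, klen)) continue;
        size_t p = i + klen, o = 0;
        while (p < hdr_len && (buf[p] == ' ' || buf[p] == '\t')) p++;
        while (p < hdr_len && buf[p] != '\r' && o + 1 < outsz)
            out[o++] = (char)tolower((unsigned char)buf[p++]);
        out[o] = '\0';
        return o > 0;
    }
    return false;
}

/* classifyFn model: buf is everything buffered for this flow so far. */
StreamAction classify_http_request(const char *buf, size_t len) {
    size_t hdr_len;
    char host[256];
    if (!find_header_end(buf, len, &hdr_len))
        /* Cap reached without complete headers: stop pending and fail closed. */
        return len >= MAX_HEADER_BYTES ? STREAM_BLOCK : STREAM_NEED_MORE_DATA;
    if (!extract_host(buf, hdr_len, host, sizeof host))
        return STREAM_BLOCK;  /* example's choice: no Host header -> fail closed */
    for (size_t i = 0; i < sizeof k_blocked_hosts / sizeof k_blocked_hosts[0]; i++)
        if (strcmp(host, k_blocked_hosts[i]) == 0) return STREAM_BLOCK;
    return STREAM_PERMIT;
}

/* Engine model: append each arriving segment and re-classify the accumulated
 * data while the callout keeps answering "need more data" (the slide's
 * 100-byte call followed by the 200-byte call). */
StreamAction run_stream(const char *const *segments, size_t nseg) {
    char buf[MAX_HEADER_BYTES];
    size_t len = 0;
    StreamAction a = STREAM_NEED_MORE_DATA;
    g_classify_calls = 0;
    for (size_t i = 0; i < nseg && a == STREAM_NEED_MORE_DATA; i++) {
        size_t n = strlen(segments[i]);
        if (n > sizeof buf - len) n = sizeof buf - len;  /* never exceed the cap */
        memcpy(buf + len, segments[i], n);
        len += n;
        a = classify_http_request(buf, len);
        g_classify_calls++;
    }
    return a;
}

size_t classify_calls(void) { return g_classify_calls; }

/* Constructed samples: one request split the way the engine might deliver it. */
const char *const k_permit_segments[] = { "GET / HTTP/1.1\r\nHost: www.exam", "ple.test\r\n\r\n" };
const char *const k_block_segments[]  = { "GET /x HTTP/1.1\r\nHo", "st: blocked.example\r\nAccept: */*\r\n", "\r\n" };

/* Headers that never terminate: the cap turns an endless pend into a block. */
StreamAction classify_oversized_without_headers(void) {
    static char junk[MAX_HEADER_BYTES];
    memset(junk, 'A', sizeof junk);
    return classify_http_request(junk, sizeof junk);
}
```

The first sample needs two classify calls (the Host value is split across segments), the second needs three, and the oversized request is blocked without ever completing. The same accumulate-then-decide shape is what a callout that injects replacement bytes (the 150-byte FwpsStreamInject() in the figure) has to follow: it can only rewrite once it has seen enough of the stream to know what to replace.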
Packet Modification
Use the stream layer for data modification
Header modification:
NAT
Proxy
In-place modification is NOT supported
Clone the original packet, drop the original, and re-inject the copy
Clone + drop + re-inject does not incur a buffer copy
MAC layer modification: use NDIS LWF
Packet Modification APIs
Layers: Network, Transport, Forward, Datagram, ALE send/recv
Re-inject on send path
Re-inject on receive path: before routing
Re-inject on forward path: remotely destined
Filter Arbitration
Goals:
Traffic can always be inspected
Traffic can be blocked even if a higher priority filter has permitted it
Change the action or veto
Multiple actions can be performed on the same data
Permit and logging
Multiple providers can inspect the traffic
Firewall + IDS
Filter Arbitration
Design:
Layers in the Filtering Engine are divided into sub-layers
Within a sub-layer, filters are evaluated in weight order
Evaluation stops at the first match (permit/block)
If a callout returns continue, the next matching filter is evaluated
Traffic goes through each sub-layer
Filter Arbitration
Features:
Overriding
A block can override a permit
If FWPM_FILTER_FLAG_CLEAR_ACTION_RIGHT on filters or FWPS_RIGHT_ACTION_WRITE on callouts is cleared, then the action type cannot be overridden
Veto
Changing the action without the write action right
Classification Example (diagram)
Inbound Transport layer: filters "* -> ids_callout" (Continue) and "* -> permit" (Permit) in one sub-layer, "* -> permit" (Permit) in the FW sub-layer.
ALE recv/accept layer: "MSN.exe -> permit" (Permit) and "port80 -> block" (Block) in the FW sub-layer, "* -> log_callout" (Continue) in a further sub-layer; the block wins over the earlier permits.
Resultant policy blocks inbound to port 80
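The arbitration rules just described (sub-layers, weight order, first match stops, continue, a block overriding a permit, and a cleared action right that cannot be overridden), together with the classifyFn callout interface from the Callout slides, as an added user-mode model in C. This is example code written for this page, not WFP's own engine or any WDK API: the types (Filter, SubLayer, ClassifyCtx), the callouts (ids_callout, log_callout) and classify_example are hypothetical, and the policy it builds is the classification example above (IDS, FW and logging sub-layers).

```c
/* User-mode model of WFP filter arbitration (example for this page, not the
 * WFP engine; all names are hypothetical). */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

typedef enum { ACT_PERMIT, ACT_BLOCK, ACT_CONTINUE } Action;

typedef struct {
    const char *app_id;        /* classifiable field: application */
    unsigned short local_port; /* classifiable field: local port */
} ClassifyCtx;

/* Model of a callout's classifyFn: called whenever there is data to classify. */
typedef Action (*ClassifyFn)(const ClassifyCtx *ctx);

typedef struct {
    const char *name;
    const char *app_match;     /* NULL means "*" (any application) */
    unsigned short port_match; /* 0 means any port */
    unsigned weight;           /* higher weight is evaluated first */
    Action action;             /* static action when callout is NULL */
    ClassifyFn callout;        /* optional callout; may return ACT_CONTINUE */
    bool clear_action_right;   /* models FWPM_FILTER_FLAG_CLEAR_ACTION_RIGHT */
} Filter;

typedef struct { const char *name; const Filter *filters; size_t count; } SubLayer;

static int g_ids_inspections;  /* how often the IDS callout saw traffic */

static Action ids_callout(const ClassifyCtx *ctx) {
    (void)ctx;
    g_ids_inspections++;       /* inspect, then let the next filter decide */
    return ACT_CONTINUE;
}

static Action log_callout(const ClassifyCtx *ctx) {
    printf("log: app=%s port=%u\n", ctx->app_id, ctx->local_port);
    return ACT_CONTINUE;       /* logging never decides */
}

int ids_inspections(void) { return g_ids_inspections; }

static bool filter_matches(const Filter *f, const ClassifyCtx *ctx) {
    if (f->app_match && strcmp(f->app_match, ctx->app_id) != 0) return false;
    if (f->port_match && f->port_match != ctx->local_port) return false;
    return true;
}

#define MAX_FILTERS 16

/* One sub-layer: matching filters in descending weight order, stop at the
 * first permit/block; "continue" moves on to the next matching filter. */
static Action classify_sublayer(const SubLayer *sl, const ClassifyCtx *ctx, bool *hard) {
    const Filter *order[MAX_FILTERS];
    size_t n = 0;
    for (size_t i = 0; i < sl->count && n < MAX_FILTERS; i++)
        if (filter_matches(&sl->filters[i], ctx)) order[n++] = &sl->filters[i];
    for (size_t i = 1; i < n; i++) {   /* insertion sort by weight, descending */
        const Filter *f = order[i];
        size_t j = i;
        while (j > 0 && order[j - 1]->weight < f->weight) { order[j] = order[j - 1]; j--; }
        order[j] = f;
    }
    *hard = false;
    for (size_t i = 0; i < n; i++) {
        Action a = order[i]->callout ? order[i]->callout(ctx) : order[i]->action;
        if (a == ACT_CONTINUE) continue;
        *hard = order[i]->clear_action_right;
        return a;
    }
    return ACT_CONTINUE;               /* this sub-layer made no decision */
}

/* Whole layer: traffic passes every sub-layer; a later block overrides an
 * earlier permit unless that permit cleared the action right (no veto). */
static Action classify_layer(const SubLayer *sls, size_t n, const ClassifyCtx *ctx) {
    Action result = ACT_CONTINUE;
    bool locked = false;
    for (size_t i = 0; i < n; i++) {
        bool hard;
        Action a = classify_sublayer(&sls[i], ctx, &hard);
        if (a == ACT_CONTINUE) continue;
        if (result == ACT_CONTINUE) { result = a; locked = hard; continue; }
        if (!locked && a == ACT_BLOCK) { result = ACT_BLOCK; locked = hard; }
    }
    return result;  /* ACT_CONTINUE: no filter decided (layer default not modelled) */
}

/* The slide's classification policy, evaluated for one inbound flow.
 * ids_permit_is_hard clears the action right on the IDS sub-layer's permit. */
Action classify_example(const char *app, unsigned short port, bool ids_permit_is_hard) {
    const Filter ids[] = {
        { "* -> ids_callout", NULL, 0, 10, ACT_CONTINUE, ids_callout, false },
        { "* -> permit",      NULL, 0,  5, ACT_PERMIT,   NULL,        ids_permit_is_hard },
    };
    const Filter fw[] = {
        { "MSN.exe -> permit", "MSN.exe", 0, 10, ACT_PERMIT, NULL, false },
        { "port80 -> block",   NULL,     80,  5, ACT_BLOCK,  NULL, false },
    };
    const Filter logsl[] = { { "* -> log_callout", NULL, 0, 10, ACT_CONTINUE, log_callout, false } };
    const SubLayer sls[] = { { "IDS", ids, 2 }, { "FW", fw, 2 }, { "LOG", logsl, 1 } };
    ClassifyCtx ctx = { app, port };
    return classify_layer(sls, 3, &ctx);
}

int main(void) {
    printf("web.exe:80 -> %s\n", classify_example("web.exe", 80, false) == ACT_BLOCK ? "block" : "permit");
    printf("MSN.exe:80 -> %s\n", classify_example("MSN.exe", 80, false) == ACT_BLOCK ? "block" : "permit");
    return 0;
}
```

web.exe on port 80 is blocked although the IDS sub-layer permitted it; MSN.exe on port 80 is permitted because the higher-weight MSN.exe filter ends the FW sub-layer before the port-80 block is reached; the IDS callout inspects every flow whatever the outcome, and the log callout runs after the decision without changing it. Setting ids_permit_is_hard shows the cleared action right: the FW block can then no longer override the permit, which is why the Call To Action's advice to keep providers in their own sub-layers matters when one provider must be able to guarantee a block.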
Boot Time Filtering (diagram)
System boot -> BFE starts -> 3rd party service starts
Boot time filters -> Persistent filters -> BFE filters
Notification
Feature support
Applications can register to receive notification during the addition/deletion of BFE objects
Notification is available for:
Callouts
Filters
Providers and provider context
Layers and sub-layers
Flow delete
Use Case Scenarios
Multiple providers can better co-exist on WFP
Providers can use the notification to predict the traffic flow
Providers can use the notification to provide rich functional support to the user/admin
Providers can use the notification to grant exceptions
Diagnostics
Feature
BFE provides a rich set of eventing APIs
The event APIs provide rich information around IPsec/IKE failure events and dropped packets
Audit event APIs to get a rich set of audit events
Connection start/stop, policy changes
Use Case Scenario
Applications can build diagnostic support providing rich eventing information to the user/admin
Applications can write a helper class and plug into the Network Diagnostic Framework for a richer diagnostic experience
IPsec Configuration
Use cases:
VPN applications
Filtering IPsec traffic
IPsec management tools
WFP APIs can configure:
IKE policies
IPsec policies
Filter IPsec at the transport layer
Applications can guarantee security by plumbing a filter at ALE connect for the outbound layer and at ALE accept for the inbound layer that references the built-in WFP callout
Secure Socket Architecture (diagram)
User mode: socket application -> Winsock -> Secure Socket API; IPsec management, firewall, keying module, data logging, IDS, NAT callout and anti-virus components use the WFP APIs through the Base Filtering Engine.
Kernel mode: Filtering Engine with ALE, Stream Layer, Transport Layer, Network Layer and IPsec over WSK/TDI and NDIS; callouts attach through the callout APIs.
Secure Socket APIs
Secure Socket applications can fall in the following buckets:
P2P applications
VPN clients (L2TP/IPsec)
Line of Business applications
Winsock applications can directly call into Secure Socket APIs to secure network connections
Secure Socket can be used for:
Peer authentication (who the peer is)
Peer authorization (peer has the right security tokens)
Packet encryption
Packet integrity protection
Other security features offered by IPsec
Secure Socket Applications
Secure Sockets are easy to use: WSASetSocketSecurity(..)
Applications using Secure Sockets can have either:
Default policies applied
Specified policies applied
Group policies applied
WFP Scenarios Snap Shot
Scenario | WFP feature support
Proxy and firewalls | Inspect, drop, or modify connections
Content filtering | Inspect or drop connections
Deep content filtering | Modification, inspect, drop connections
Virus scanning | Stream modification
Parental guidance | Stream modification
User logging / spyware | Modification, inspect, drop
NAT | Packet modification
Data logging/diagnostics | Callouts and event APIs
Authorization and security | IPsec
Application-based filtering | ALE
Socket applications using secure connections | Secure Socket APIs
Call To Action
Use ALE layers to filter on control events; using the data path can have a negative performance impact
Use sub-layers to avoid arbitration conflicts
Use NDIS LWF for MAC/NetBIOS filtering
WFP Partners
The following companies have started building their internet security products on WFP:
Resources
Join the WFP beta program:
Go to http://beta.microsoft.com
Choose the Guest ID sign-up option
Enter the Guest ID: WFPBeta5
Fill out the WFP beta program sign-up survey
Contact wfp@microsoft.com for questions about the Windows Filtering Platform
WFP development white paper: http://www.microsoft.com/whdc/device/network/WFP.mspx
© 2006 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.