Transcript How To Use The Windows Filtering Platform To Integrate

How To Use The
Windows Filtering Platform
To Integrate With
Windows Networking
Madhurima Pawar
Program Manager
Microsoft Corporation
Agenda
Filtering Technologies
Benefits of Windows Filtering Platform
Secure Socket APIs
Filtering Technologies
Pre-Windows Vista
technologies
TDI filter driver
TDI Interface to
communicate with the
TCP/IP stack
Windows Vista technologies
WFP APIs are strongly
recommended
TDI is on the path to deprecation,
but will be supported
WSK APIs are strongly
recommended
TDI is on the path to deprecation,
but will be supported
Firewall hook driver
in Windows 2000
allowed managing of
network packets
WFP APIs are strongly
recommended
Firewall hooks no longer supported
LSPs were used for high
level application filtering
WFP APIs are strongly recommend
LSPs will continue to be supported
NDIS Shim for non-IP and
MAC filtering
LWF are strongly recommended
TDI
Firewall Hook
LSP
NDIS shim
Others
14%
33%
25%
14%
14%
Benefits Of WFP
WFP robust, easier to use and provides
better performance
WFP provides rich functionality for better
user experience
WFP filters and secures network traffic
WFP supports both IPv4 as well as
IPv6 traffic
Integrated with hardware Offload
capabilities in Windows Vista
WFP Architecture
Firewall Application
AV Application
WFP APIs
Base Filtering Engine
(BFE)
user
kernel
ALE
TDI/WSK
Stream Layer
Transport Layer
IPsec
Filtering Engine
3rd party parental
control
Network Layer
3rd party IDS
Forward Layer
3rd party NAT
Callout modules
3rd party anti-virus
WFP Layers
Layers
Data Representations
Protocol specific
RPC, IKE
Stream/Data Layer
Datagram and streams
ALE Layers
Control events
Transport Layer
TCP/UDP
IP Packet Layer
Network layer traffic and local fragments
Forward Layer
Forwarded traffic
ICMP
ICMP error packets
Discard
Discarded/dropped packets
Callout
A callout extends the capabilities of WFP
Callouts can be registered at all layers
Each callout has a unique GUID
Callouts are used for
Deep Inspection
Packet Modification
Stream Modification
Data Logging
Boot time security
Callout
Callout implements
classifyFn: Filter engine calls classify
whenever there is data to be processed
flowDeleteFn: Filter engine calls callout to
notify when the flow is being terminated
notifyFn: Filter engine calls callout about
events associated with the callout
Application Layer Enforcement
Maintains connection state for all traffic
Filter-based on
Local/remote address and port, protocol
App ID, user ID, and machine ID
IPv4 and IPv6 filtering
ALE use case scenarios
Port blocking
Application filtering
Authorization based on user id
Application Layer Enforcement
ALE Layers
FWPM_LAYER_ALE_RESOURCE_ASSIGNMENT for authorizing
port assignments, bind request etc
ALE_AUTH_LISTEN for authorizing TCP listen
ALE_AUTH_RECV_ACCEPT for authorizing all incoming traffic
ALE_AUTH_CONNECT for authorizing all outgoing traffic
ALE_FLOW_ESTABLISHED for receiving notification on
established flow
Filtering actions
Block
Permit
Pend
Continue
Modify session timeout for UDP, broadcast, and multicast traffic
ALE Pend
Do you wish to
grant Foo.exe
access to the
network?
Application Foo.exe
User
Mode
ClassifyOut()
ALE
Firewall callout
FwpsCompleteOperation0()
FwpsPendOperation0()
Kernel
Mode
Policy store
Stream Layer
Use Case scenario
Web filtering for parental control
Content filtering
Stream throttling
Stream layer sees the TCP stream
Filtering options available at stream
layer are
Local/remote address and port
Direction
IPv4 and IPv6 filtering
Stream Layer
Layers
FWPM_LAYER_STREAM_V4
FWPM_LAYER_STREAM_V6
Filtering actions
Block
Permit
Continue
Pend/un-pend
Need more data
Stream Pend
Application
Policy store
User Mode
Kernel Mode
ClassifyOut()
Stream Layer
Firewall callout
actionType = Defer
FwpsStreamContinue0()
Policy store
Stream Need More Data
Application
Policy store
User Mode
ClassifyOut
(100bytes)
(200bytes)
Stream Layer
Kernel Mode
Firewall callout
actionType = Need more
data
Policy store
Stream Inject
Application
Policy store
ClassifyOut
ClassifyOut
(100bytes)
(200bytes)
Stream Layer
User Mode
Kernel Mode
Firewall callout
actionType = Need more
150bytes
FwpsStreamInject()
data
Policy store
Packet Modification
Use stream layer for data modification
Header modification
NAT
Proxy
In place modification is NOT supported
Clone original packet, drop original, and
re-inject copy
Clone + drop + re-inject does not incur
buffer copy
MAC layer modification
Use NDIS LWF
Packet Modification APIs
Layers
Network, Transport, Forward, Datagram,
ALE send/recv
Re-inject on send path
Re-inject on receive path
Before routing
Re-inject on forward path
Remotely destined
Filter Arbitration
Goals
Traffic can always be inspected
Traffic can be blocked even if the higher
priority filter has permitted it
Change the action or veto
Multiple actions can be performed on the
same data
Permit and logging
Multiple providers can inspect the traffic
Firewall + IDS
Filter Arbitration
Design
Layers in Filtering Engine are divided into
sub-layers
Within a sub-layer filters are evaluated in
weight order
Evaluation stops at first match (permit/block)
If a callout returns continue, next matching
filter is evaluated
Traffic goes through each sub-layer
Filter Arbitration
Features
Overriding
A block can override a permit
If FWPM_FILTER_FLAG_CLEAR_ACTION_RIGHT
on filters or FWPS_RIGHT_ACTION_WRITE on
callouts is cleared, then action type cannot be
over-riden
Veto
Changing the action without the write action right
Classification Example
ALE recv/accept
Inbound Transport
FW
Permit
* -> permit
MSN.exe ->
permit
Permit
FW
Continue
Permit
* -> ids_callout
port80 -> block
* -> permit
Block
Continue
* -> log_callout
Resultant policy blocks inbound to port 80
block
Boot Time Filtering
System Boot
Boot time filters
BFE starts
Persistent filters
3rd party
Service
starts
BFE Filters
Notification
Applications can register to receive notification during the
addition/deletion of BFE objects
Feature
support
Notification is available for
Callout
Filters
Providers and provider context
Layers and sub layers
Flow delete
Multiple providers can better co-exit on WFP
Use Case
Scenarios
Providers can use the notification to predict the traffic flow
Providers can use the notification to provide rich functional
support to the user/admin
Providers can use the notification to grant exceptions
Diagnostics
Feature
BFE provides a rich set of eventing APIs
The event APIs provide rich information around
IPsec/IKE failure events, dropped packets.
Audit Event APIs to get rich set of audit events
Connection start/stop, policy changes
Applications can build diagnostic support providing rich
eventing information to the user/admin
Use Case
Scenario
Applications can write helper class and plug into the
Network Diagnostic Framework for richer
diagnostic experience
IPsec Configuration
Use case
VPN applications
Filtering IPsec traffic
IPsec management tools
WFP APIs can configure
IKE policies
IPsec policies
Filter IPsec at transport layer
Applications can guarantee security by
Plumbing filter at ALE connect for outbound and ALE
accept for inbound layer that references built-in
WFP callout
Secure Socket Architecture
IPsec
Mgmt
Socket
Firewall
Application
Socket
Application
WFP APIs
Secure Socket APIs
Secure Socket API
Winsock
Anti
Virus
Base
Filtering
Engine
Keying
Module
Winsock
user
Kernel
WSK/TDI
Data
Logging
ALE
Transport Layer
Network Layer
NDIS
IPsec
Filtering Engine
Callout APIs
Stream Layer
IDS
NAT
callout
Secure Socket APIs
Secure Socket applications can fall in the
following buckets
P2P application
VPN clients (L2TP/IPsec)
Line of Business applications
Winsock applications can directly call into Secure Socket
APIs to secure network connections
Secure Socket can be used for
Peer authentication (who the peer is)
Peer authorization (peer has the right security tokens)
Packet encryption
Packet integrity protection
Other security features offered by IPsec
Secure Socket Applications
Secure Sockets are easy to use
WSASetSockSecurity(..)
Applications using Secure sockets can
have either
Default policies applied
Specify policies applied
Group policies applied
WFP Scenarios Snap Shot
Scenario
WFP Feature support
Proxy and Firewalls
Inspect, Drop, or Modify Connections
Content Filtering
Inspect or Drop Connections
Modification, Inspect,
Drop Connections
Deep Content Filtering
Virus Scanning
Stream Modification
Parental Guidance
Stream Modification
User Logging /Spy ware
Modification, Inspect, Drop
NAT
Packet Modification
Data logging/diagnostics
Callouts and Event APIs
Authorization and security
IPsec
Application-based filtering
ALE
Socket applications using
secure connection
Secure Socket APIs
Call To Action
Use ALE layers to filter on control events
Using data path can have negative
performance impact
Use sub-layers to avoid arbitration conflicts
Use NDIS LWF for MAC/NetBIOS filtering
WFP Partners
The following companies have started
building their internet security products on
WFP:
Resources
Join the WFP beta program
Go to http://beta.microsoft.com
Choose the Guest ID sign-up option
Enter the Guest ID: WFPBeta5
Fill out the WFP beta program sign up survey
Contact wfp @ microsoft.com
for questions about the
Windows Filtering Platform
WFP development white paper
http://www.microsoft.com/whdc/device/network/WFP.mspx
© 2006 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.
The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market
conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation.
MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.