How To Use The Windows Filtering Platform To Integrate With Windows Networking
Madhurima Pawar, Program Manager, Microsoft Corporation

Agenda
- Filtering technologies
- Benefits of Windows Filtering Platform
- Secure Socket APIs

Filtering Technologies (pre-Windows Vista technology -> Windows Vista technology)
- TDI filter driver (TDI interface used to communicate with the TCP/IP stack) -> WFP APIs are strongly recommended; TDI is on the path to deprecation, but will be supported
- TDI transport interface -> WSK APIs are strongly recommended; TDI is on the path to deprecation, but will be supported
- Firewall hook driver (in Windows 2000 it allowed managing of network packets) -> WFP APIs are strongly recommended; firewall hooks are no longer supported
- LSPs (used for high-level application filtering) -> WFP APIs are strongly recommended; LSPs will continue to be supported
- NDIS shim (for non-IP and MAC filtering) -> LWF (lightweight filters) are strongly recommended
- Chart (share of filtering technologies in use, values as extracted): TDI, Firewall Hook, LSP, NDIS shim, Others; 14%, 33%, 25%, 14%, 14%

Benefits Of WFP
- WFP is robust, easier to use, and provides better performance
- WFP provides rich functionality for a better user experience
- WFP filters and secures network traffic
- WFP supports both IPv4 and IPv6 traffic
- Integrated with hardware offload capabilities in Windows Vista

WFP Architecture (diagram): in user mode, a Firewall Application and an AV Application use the WFP APIs to talk to the Base Filtering Engine (BFE); in kernel mode, the Filtering Engine hosts the ALE, Stream, Transport, Network and Forward layers, fed by TDI/WSK and IPsec; callout modules (3rd party parental control, 3rd party IDS, 3rd party NAT, 3rd party anti-virus) plug into these layers.

WFP Layers (layer -> data representation)
- Protocol specific -> RPC, IKE
- Stream/Data layer -> datagrams and streams
- ALE layers -> control events
- Transport layer -> TCP/UDP
- IP Packet layer -> network-layer traffic and local fragments
- Forward layer -> forwarded traffic
- ICMP -> ICMP error packets
- Discard -> discarded/dropped packets

Callout
- A callout extends the capabilities of WFP
- Callouts can be registered at all layers
- Each callout has a unique GUID
- Callouts are used for: deep inspection, packet modification, stream modification, data logging, boot-time security

Callout
A callout implements:
- classifyFn: the filter engine calls classify whenever there is data to be processed
- flowDeleteFn: the filter engine calls the callout to notify it that the flow is being terminated
- notifyFn: the filter engine calls the callout about events associated with the callout

Application Layer Enforcement
- Maintains connection state for all traffic
- Filters based on local/remote address and port, protocol, app ID, user ID, and machine ID
- IPv4 and IPv6 filtering
- ALE use case scenarios: port blocking, application filtering, authorization based on user ID

Application Layer Enforcement: ALE Layers
- FWPM_LAYER_ALE_RESOURCE_ASSIGNMENT for authorizing port assignments, bind requests, etc.
- ALE_AUTH_LISTEN for authorizing TCP listen
- ALE_AUTH_RECV_ACCEPT for authorizing all incoming traffic
- ALE_AUTH_CONNECT for authorizing all outgoing traffic
- ALE_FLOW_ESTABLISHED for receiving notification of established flows
- Filtering actions: Block, Permit, Pend, Continue
- Modify the session timeout for UDP, broadcast, and multicast traffic

ALE Pend
- Example user prompt: "Do you wish to grant Foo.exe access to the network?"
- Diagram (ALE Pend): Application Foo.exe runs in user mode; in kernel mode the ALE layer calls ClassifyOut() on the firewall callout, which calls FwpsPendOperation0() while the policy store is consulted and then FwpsCompleteOperation0() to finish the operation

Stream Layer
- Use case scenarios: web filtering for parental control, content filtering, stream throttling
- The stream layer sees the TCP stream
- Filtering options available at the stream layer: local/remote address and port, direction, IPv4 and IPv6 filtering

Stream Layer: Layers
- FWPM_LAYER_STREAM_V4
- FWPM_LAYER_STREAM_V6
- Filtering actions: Block, Permit, Continue, Pend/un-pend, Need more data

Stream Pend (diagram): the application runs in user mode; in kernel mode the stream layer calls ClassifyOut() on the firewall callout, the callout returns actionType = Defer, consults the policy store, and later resumes the stream with FwpsStreamContinue0()

Stream Need More Data (diagram): ClassifyOut is called with 100 bytes; the firewall callout returns actionType = Need more data; ClassifyOut is called again with 200 bytes

Stream Inject (diagram): ClassifyOut is called with 100 bytes; the callout returns actionType = Need more data (150 bytes); ClassifyOut is called again with 200 bytes, after which the callout calls FwpsStreamInject() to inject data into the stream

Packet Modification
- Use the stream layer for data modification
- Header modification: NAT, proxy
- In-place modification is NOT supported: clone the original packet, drop the original, and re-inject the copy
- Clone + drop + re-inject does not incur a buffer copy
- MAC layer modification: use NDIS LWF

Packet Modification APIs
- Layers: Network, Transport, Forward, Datagram, ALE send/recv
- Re-inject on the send path
- Re-inject on the receive path (before routing)
- Re-inject on the forward path (remotely destined)

Filter Arbitration Goals
- Traffic can always be inspected
- Traffic can be blocked even if a higher-priority filter has permitted it (change the action, or veto)
- Multiple actions can be performed on the same data (permit and logging)
- Multiple providers can inspect the traffic (firewall + IDS)

Filter Arbitration Design
- Layers in the filtering engine are divided into sub-layers
- Within a sub-layer, filters are evaluated in weight order
- Evaluation stops at the first match (permit/block)
- If a callout returns continue, the next matching filter is evaluated
- Traffic goes through each sub-layer

Filter Arbitration Features
- Overriding: a block can override a permit. If FWPM_FILTER_FLAG_CLEAR_ACTION_RIGHT on filters or FWPS_RIGHT_ACTION_WRITE on callouts is cleared, the action type cannot be overridden
- Veto: changing the action without the write action right

Classification Example (ALE recv/accept, inbound, transport)
- FW sub-layer: * -> permit; MSN.exe -> permit. Result: Permit, then Continue to the next sub-layer
- IDS sub-layer: ids_callout port80 -> block; * -> permit. Result: Block (overrides the earlier permit), then Continue
- Logging sub-layer: * -> log_callout
- Resultant policy: inbound traffic to port 80 is blocked

Boot Time Filtering
- System boot: boot-time filters
- BFE starts: persistent filters
- 3rd party service starts: BFE filters

Notification
- Applications can register to receive notifications during the addition/deletion of BFE objects
- Feature support: notification is available for callouts, filters, providers and provider contexts, layers and sub-layers, and flow delete
- Multiple providers can better co-exist on WFP
- Use case scenarios: providers can use the notification to predict the traffic flow, to provide rich functional support to the user/admin, and to grant exceptions

Diagnostics
- Feature: BFE provides a rich set of eventing APIs
- The event APIs provide rich information around IPsec/IKE failure events and dropped packets
- Audit: event APIs to get a rich set of audit events (connection start/stop, policy changes)
- Applications can build diagnostic support providing rich eventing information to the user/admin
- Use case scenario: applications can write a helper class and plug into the Network Diagnostic Framework for a richer diagnostic experience

IPsec Configuration
- Use cases: VPN applications, filtering IPsec traffic, IPsec management tools
- WFP APIs can configure IKE policies and IPsec policies
- Filter IPsec at the transport layer
- Applications can guarantee security by plumbing a filter at the ALE connect layer (outbound) and the ALE accept layer (inbound) that references the built-in WFP callout

Secure Socket Architecture (diagram): in user mode, IPsec management, firewall and socket applications use the WFP APIs and the Secure Socket APIs (through Winsock) to reach the Base Filtering Engine and the keying module; in kernel mode, WSK/TDI feed the ALE, Stream, Transport and Network layers of the filtering engine above NDIS, with IPsec and the callout APIs serving anti-virus, data logging, IDS and NAT callouts.

Secure Socket APIs
- Secure Socket applications fall in the following buckets: P2P applications, VPN clients (L2TP/IPsec), line-of-business applications
- Winsock applications can directly call into the Secure Socket APIs to secure network connections
- Secure Socket can be used for: peer authentication (who the peer is), peer authorization (the peer has the right security tokens), packet encryption, packet integrity protection, and other security features offered by IPsec

Secure Socket Applications
- Secure Sockets are easy to use: WSASetSocketSecurity(..)
- Applications using Secure Sockets can have either default policies, specified policies, or group policies applied

WFP Scenarios Snap Shot (scenario -> WFP feature support)
- Proxy and firewalls -> inspect, drop, or modify connections
- Content filtering -> inspect or drop connections; modification, inspect, drop connections
- Deep content filtering, virus scanning -> stream modification
- Parental guidance -> stream modification
- User logging / spyware -> modification, inspect, drop
- NAT -> packet modification
- Data logging/diagnostics -> callouts and event APIs
- Authorization and security -> IPsec
- Application-based filtering -> ALE
- Socket applications using secure connections -> Secure Socket APIs

Call To Action
- Use ALE layers to filter on control events; using the data path can have a negative performance impact
- Use sub-layers to avoid arbitration conflicts
- Use NDIS LWF for MAC/NetBIOS filtering

WFP Partners
The following companies have started building their internet security products on WFP:

Resources
- Join the WFP beta program: go to http://beta.microsoft.com, choose the Guest ID sign-up option, enter the Guest ID WFPBeta5, and fill out the WFP beta program sign-up survey
- Contact wfp @ microsoft.com for questions about the Windows Filtering Platform
- WFP development white paper: http://www.microsoft.com/whdc/device/network/WFP.mspx

© 2006 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation.
MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
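The Stream Need More Data and Stream Inject slides above describe a callout that cannot decide on a partial indication and asks the engine for more bytes. The following is an added, self-contained C model of that contract (not Microsoft's code and not the real Fwps* API); the host name "blocked.example", the 512-byte line limit, and the engine loop are constructed for the illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>
/* Stream-layer "need more data" contract as an added illustration (not WFP
 * code). The content-filter callout decides on the first request line only,
 * so until it has seen "\r\n" it returns NEED_MORE_DATA with the byte count
 * it wants, and the engine re-indicates the accumulated stream later. */
typedef enum { ST_PERMIT, ST_BLOCK, ST_NEED_MORE_DATA } StreamAction;
#define BLOCKED_HOST "blocked.example"   /* constructed policy entry */
#define LINE_LIMIT 512                   /* unterminated lines longer than this are blocked */
/* Callout classifyFn analogue: inspect the first line of the stream. */
StreamAction stream_classify(const char *data, size_t len, size_t *bytes_required) {
    size_t line_len = len;               /* length up to "\r\n", if present */
    bool complete = false;
    for (size_t i = 0; i + 1 < len; i++)
        if (data[i] == '\r' && data[i + 1] == '\n') { line_len = i; complete = true; break; }
    if (!complete) {
        if (len >= LINE_LIMIT) return ST_BLOCK;   /* refuse an oversize request line */
        *bytes_required = len + 1;                /* ask the engine for more bytes */
        return ST_NEED_MORE_DATA;
    }
    size_t pat = strlen(BLOCKED_HOST);    /* bounded search inside the line only */
    for (size_t i = 0; i + pat <= line_len; i++)
        if (memcmp(data + i, BLOCKED_HOST, pat) == 0) return ST_BLOCK;
    return ST_PERMIT;
}

/* Engine analogue: indicate segments one at a time, buffering while the
 * callout keeps asking for more, as the filter engine does for streams. */
StreamAction engine_run(const char *const *segs, const size_t *lens, size_t n) {
    char buf[LINE_LIMIT + 64];
    size_t have = 0, need = 0;
    for (size_t s = 0; s < n; s++) {
        if (have + lens[s] > sizeof buf) return ST_BLOCK;   /* never overrun the buffer */
        memcpy(buf + have, segs[s], lens[s]);
        have += lens[s];
        if (have < need) continue;        /* below what the callout asked for */
        StreamAction a = stream_classify(buf, have, &need);
        if (a != ST_NEED_MORE_DATA) return a;
    }
    return ST_NEED_MORE_DATA;             /* stream ended before a verdict */
}

/* Constructed sample: the host name straddles two TCP segment indications. */
StreamAction example_split_request(bool bad_host) {
    const char *segs[2] = { "GET http://blocke",
                            bad_host ? "d.example/ HTTP/1.1\r\n" : "d.other/ HTTP/1.1\r\n" };
    const size_t lens[2] = { strlen(segs[0]), strlen(segs[1]) };
    return engine_run(segs, lens, 2);
}
```

A per-segment check would see only "GET http://blocke" and "d.example/ ..." and miss the match; asking for more data is what makes the verdict correct.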
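The Filter Arbitration Design, Filter Arbitration Features and Classification Example slides above describe how sub-layers, weight order, continue, and the clear-action-right flag combine into one verdict. The following is an added C model of that arbitration (not Microsoft's code); the filter and packet structs, the "*" wildcard and the hard_permit parameter are assumptions made for the illustration, and veto is not modelled.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>
/* Model of WFP filter arbitration (added illustration, not Microsoft code):
 * sub-layers are walked in order, filters inside a sub-layer in weight order,
 * the first PERMIT/BLOCK match ends that sub-layer, CONTINUE falls through,
 * and a later BLOCK overrides an earlier PERMIT unless that PERMIT cleared the right. */
typedef enum { ACT_PERMIT, ACT_BLOCK, ACT_CONTINUE } Action;
typedef struct {
    const char *app;         /* "*" matches any application */
    int port;                /* 0 matches any port */
    Action action;
    bool clear_action_right; /* stands in for FWPM_FILTER_FLAG_CLEAR_ACTION_RIGHT */
} Filter;
typedef struct { const Filter *filters; size_t count; } SubLayer; /* sorted by weight, highest first */
typedef struct { const char *app; int port; } Packet;

static bool matches(const Filter *f, const Packet *p) {
    return (strcmp(f->app, "*") == 0 || strcmp(f->app, p->app) == 0)
        && (f->port == 0 || f->port == p->port);
}

Action classify(const SubLayer *layers, size_t n, const Packet *p) {
    Action result = ACT_PERMIT;  /* verdict so far */
    bool writable = true;        /* FWPS_RIGHT_ACTION_WRITE still held */
    for (size_t s = 0; s < n; s++) {
        for (size_t i = 0; i < layers[s].count; i++) {
            const Filter *f = &layers[s].filters[i];
            if (!matches(f, p) || f->action == ACT_CONTINUE) continue;
            if (f->action == ACT_BLOCK && writable) result = ACT_BLOCK;
            if (f->clear_action_right) writable = false;
            break;               /* first permit/block match ends this sub-layer */
        }
    }
    return result;
}

/* The deck's "Classification Example": a firewall sub-layer that permits
 * everything (MSN.exe explicitly), an IDS sub-layer blocking port 80, and a
 * logging sub-layer that only continues. hard_permit sets the clear-right
 * flag on the firewall's catch-all permit so the IDS block cannot override it. */
Action classify_example(const char *app, int port, bool hard_permit) {
    const Filter fw[]  = { {"MSN.exe", 0, ACT_PERMIT, false}, {"*", 0, ACT_PERMIT, hard_permit} };
    const Filter ids[] = { {"*", 80, ACT_BLOCK, false}, {"*", 0, ACT_PERMIT, false} };
    const Filter logging[] = { {"*", 0, ACT_CONTINUE, false} };
    const SubLayer layers[] = { {fw, 2}, {ids, 2}, {logging, 1} };
    const Packet p = { app, port };
    return classify(layers, 3, &p);
}
```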