Post on 18-Dec-2015

TRANSCRIPT

Page 1: Windows Filtering Platform Enhancements in Windows 7. Mohan Prabhala, Jorge Coronel Mendoza. Senior Program Manager, Program Manager. Windows Networking. mohanp@microsoft.com, jcoronel@microsoft.com

Page 2

Windows Filtering Platform Enhancements in Windows 7

Mohan Prabhala, Senior Program Manager, Windows Networking, mohanp@microsoft.com
Jorge Coronel Mendoza, Program Manager, Windows Networking, jcoronel@microsoft.com

Page 3

Session Goals

• Attendees should leave this session with an understanding of:
  • Windows Filtering Platform (WFP) benefits and architecture
  • What’s new in WFP for Windows 7 and how it may be used

Page 4

Agenda

• What is Windows Filtering Platform (WFP)
• Evolution of Filtering Technologies
• Why Use WFP
• Vista WFP Architecture
• WFP Basics
• What’s New
• WFP Architecture in Windows 7
• New WFP Feature Specifics and Design Considerations
• Call to Action
• Resources

Page 5

What Is Windows Filtering Platform?

• Set of APIs and system services providing a platform to create network filtering software
  • User-mode and kernel-mode APIs
• Introduced with Windows Vista
  • The firewall built into Windows Vista and Windows Server 2008 uses WFP
• Designed to eventually replace filtering technologies such as:
  • Transport Driver Interface (TDI)
  • NDIS Lightweight Filtering (LWF)
  • Winsock Layered Service Provider (LSP)

Page 6

What Is Windows Filtering Platform? (cont.)

• May be used to implement:
  • Host firewalls
  • Packet inspection software
  • Host-based intrusion detection systems (IDS)
  • Antivirus (AV) software
  • Network monitoring tools
  • And more…

Page 7

Filtering Technology Evolution

| Pre-Windows Vista technology | Windows Vista | Windows 7 |
|---|---|---|
| TDI filter driver | WFP APIs are strongly recommended. TDI is on the path to deprecation, but is supported on Vista | WFP APIs are required for host firewall driver certification; strongly recommended for other filtering software. TDI is on the path to deprecation, but is supported |
| TDI kernel client | Winsock Kernel (WSK) APIs are strongly recommended. TDI is on the path to deprecation, but is supported on Vista | WSK APIs are strongly recommended. TDI is on the path to deprecation, but is supported |
| Firewall and filter hook | WFP APIs required. Firewall/filter hook drivers are no longer supported | WFP APIs are required for host firewall driver certification |
| LSP | WFP stream layer may be used. LSPs are supported | WFP stream layer may be used. LSPs are supported |
| NDIS intermediate (IM) driver | LWF is strongly recommended. No WFP support | New WFP APIs are recommended |

Page 8

Why Use WFP?

• Business considerations
  • Reduced development time and total cost of ownership
  • Can be used for complete development of consumer firewalls
  • Aligned with filtering technology evolution
  • Supported in Vista and future Windows releases
• Technical considerations
  • Less complex due to consistent semantics and a layered filtering model
  • Rich features
    • Enables both deep packet inspection and packet manipulation at several layers in the stack
    • Supports connection-based filtering
    • Packet filtering supported from both user mode and kernel mode
  • Performance
    • Hardware offload friendly

Page 9

Vista WFP Architecture

[Architecture diagram. Labels recoverable from the slide: user-mode Firewall Application and AV Application talking to the WFP Management APIs and the Base Filtering Engine (BFE); the kernel-mode Filtering Engine with its Network Layer, Transport Layer, Forward Layer, IPsec, Stream Layer, TDI/WSK and Application Layer Enforcement (ALE) layers; Callout APIs connecting the Filtering Engine to third-party callout modules: 3rd party network address translation (NAT), 3rd party IDS, 3rd party parental control, 3rd party anti-virus. A User/Kernel boundary separates the management side from the Filtering Engine.]

Page 10

WFP Basics

• WFP Management APIs
  • Set of APIs used by applications to plumb filters in the Filtering Engine
• Base Filtering Engine (BFE)
  • Service in charge of coordinating WFP components
  • Enforces WFP configuration security during boot
  • Applications communicate with BFE through the management APIs
• Filter objects
  • Extensive filtering options
  • Filter arbitration
• Callouts
  • Kernel components that provide additional filtering functionality
• Diagnostics
  • Network Diagnostic Framework (NDF) integrated
  • Extensible Filtering Platform Helper Class (FPHC) diagnoses:
    • Packet drops
    • IPsec/IKE failures

Page 11

What’s New?

• TCP/UDP proxy layer
  • Redirection of IP packets without per-packet processing
• NDIS filtering layer
  • Extends WFP to filter against 802.3 frame headers
• New COM API to selectively replace Windows Firewall functionality
• WFP packet tagging
  • Avoids re-inspection of already inspected packets when callout drivers register at multiple layers
  • Identify packet-to-interface relationship
• WFP dynamic stream inspection
  • Enhanced ability to inspect without restarting network applications or rebooting
• Connection pending, closure, and lifetime notifications
  • Allows WFP drivers to intercept socket closures to reclaim resources allocated during bind time
• Richer filtering options
  • Condition based: OR/NOT

Page 12

WFP Architecture – Windows 7

[Architecture diagram, same layout as the Vista diagram: user-mode Firewall Application and AV Application, WFP Management APIs, Base Filtering Engine (BFE); kernel-mode Filtering Engine with Network Layer, Transport Layer, Forward Layer, IPsec, Stream Layer, TDI/WSK and ALE; Callout APIs to third-party callout modules (3rd party NAT, 3rd party IDS, 3rd party parental control, 3rd party anti-virus). New in Windows 7, marked in the legend as “New WFP API”: an NDIS Layer, an IP Proxy Layer, and a Register API (new API to replace Windows Firewall functionality).]

Page 13

Key Issues Addressed in Windows 7

• Redirection of IP packets
  • WFP ALE extension
• Filtering at lower levels
  • New WFP layer for MAC/ARP filtering
• Coexistence with Windows Firewall
  • Selectively replacing Windows Firewall functionality
• Inspection of the same packet multiple times
  • Packet tagging
• Filter count reduction
  • Combine multiple filters into a single, more complex filter

Page 14

TCP/UDP Proxy Layer

• Two new WFP layers to facilitate redirection of IP packets without per-packet complexity
  • FWPM_LAYER_ALE_BIND_REDIRECT_V{4|6}
  • FWPM_LAYER_ALE_CONNECT_REDIRECT_V{4|6}

Page 15

TCP/UDP Proxy Layer (contd.)

• Attributes that apply to FWPM_LAYER_ALE_BIND_REDIRECT_V{4|6}
  • ALE_APP_ID (FWP_BYTE_BLOB_TYPE)
    • Normalized image path of the process from which the connecting socket is created
  • ALE_USER_ID (FWP_TOKEN_ACCESS_INFORMATION_TYPE)
    • Process or impersonation token under which the connecting socket is created
  • IP_LOCAL_ADDRESS
    • IPv4 or IPv6 address in host order
  • IP_LOCAL_PORT
    • Source port in host order
  • IP_LOCAL_ADDRESS_TYPE
  • IP_PROTOCOL

Page 16

TCP/UDP Proxy Layer (contd.)

• FWPM_LAYER_ALE_CONNECT_REDIRECT_V{4|6} has all the attributes of FWPM_LAYER_ALE_BIND_REDIRECT_V{4|6} as well as:
  • IP_REMOTE_ADDRESS (FWP_UINT32 or FWP_BYTE_ARRAY16_TYPE)
    • IPv4 or IPv6 address in host order
  • IP_REMOTE_PORT
    • Destination port in host order
  • IP_DESTINATION_ADDRESS_TYPE

Page 17

NDIS Filtering Layer

• Two new WFP layers to filter against 802.3 frame headers
  • FWPM_LAYER_INBOUND_MAC_FRAME_802_3
  • FWPM_LAYER_OUTBOUND_MAC_FRAME_802_3

Page 18

NDIS Filtering Layer (contd.)

• Attributes for FWPM_LAYER_INBOUND_MAC_FRAME_802_3 and FWPM_LAYER_OUTBOUND_MAC_FRAME_802_3
  • ETHER_SRC_ADDRESS: source MAC address
  • ETHER_DST_ADDRESS: destination MAC address
  • ETHER_DST_ADDRESS_TYPE: scope of destination address (unicast, multicast, or broadcast)
  • ETHER_ENCAP_METHOD: frame encoding (Ethernet v2/DIX, SNAP w/OUI=00.00.0, or SNAP with unrecognized OUI)
  • ETHER_TYPE: network protocol type value
  • ETHER_SNAP_CONTROL: if SNAP, the 3 bytes of DSAP, SSAP, and Control, padded to 32 bits
  • ETHER_SNAP_OUI: if SNAP, the 3 bytes of OUI, padded to 32 bits
  • ETHER_VLAN_TAG: VLAN (802.1q) user priority, CFI, and VLAN ID
  • INTERFACE_LUID: synonym for IP_LOCAL_INTERFACE
  • FLAGS: Boolean indicating whether the NIC is in promiscuous mode
  • INTERFACE_TYPE
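The attributes above are all derived from the first bytes of the frame, so it is worth seeing how a filter engine would actually extract them. The following parser is an added example, not code from the slides or from Microsoft: it decodes an 802.3/Ethernet II header into a dictionary keyed by the slide's condition names (the string values for ETHER_ENCAP_METHOD and ETHER_DST_ADDRESS_TYPE are my own labels, not the real WFP enum names), handles an optional 802.1Q tag and the 802.2 LLC/SNAP case, and builds constructed sample frames to run against. INTERFACE_LUID, INTERFACE_TYPE and the promiscuous-mode FLAGS come from the NIC, not the frame, so they are out of scope here.

```python
"""Decode an 802.3 / Ethernet II header into WFP MAC-frame-layer style fields.
Added example (not Microsoft code). Layouts follow IEEE 802.3, 802.1Q and 802.2 SNAP.
"""
import struct

ETHERTYPE_VLAN = 0x8100          # 802.1Q tag protocol identifier
MIN_ETHERTYPE = 0x0600           # values >= this are EtherTypes, below are 802.3 lengths
SNAP_DSAP = SNAP_SSAP = 0xAA     # 802.2 LLC header values that announce a SNAP extension
SNAP_CONTROL = 0x03


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def dst_address_type(dst: bytes) -> str:
    """ETHER_DST_ADDRESS_TYPE: broadcast, multicast (I/G bit set) or unicast."""
    if dst == b"\xff" * 6:
        return "broadcast"
    return "multicast" if dst[0] & 1 else "unicast"


def parse_802_3(frame: bytes) -> dict:
    """Return the header-derived MAC-frame conditions for one frame."""
    if len(frame) < 14:
        raise ValueError("frame shorter than a minimal Ethernet header")
    dst, src = frame[0:6], frame[6:12]
    fields = {
        "ETHER_DST_ADDRESS": mac_str(dst),
        "ETHER_SRC_ADDRESS": mac_str(src),
        "ETHER_DST_ADDRESS_TYPE": dst_address_type(dst),
        "ETHER_VLAN_TAG": None,
    }
    off = 12
    type_or_len = struct.unpack_from("!H", frame, off)[0]
    if type_or_len == ETHERTYPE_VLAN:               # optional 802.1Q tag
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci = struct.unpack_from("!H", frame, 14)[0]
        fields["ETHER_VLAN_TAG"] = {"priority": tci >> 13,        # 3-bit user priority
                                    "cfi": (tci >> 12) & 1,       # 1-bit CFI
                                    "vlan_id": tci & 0x0FFF}      # 12-bit VLAN ID
        off = 16
        type_or_len = struct.unpack_from("!H", frame, off)[0]
    off += 2
    if type_or_len >= MIN_ETHERTYPE:                 # Ethernet II: the field is an EtherType
        fields["ETHER_ENCAP_METHOD"] = "Ethernet v2/DIX"
        fields["ETHER_TYPE"] = type_or_len
        return fields
    # 802.3: the field is a length and an LLC header follows
    if len(frame) < off + 8:
        raise ValueError("truncated LLC/SNAP header")
    dsap, ssap, ctrl = frame[off], frame[off + 1], frame[off + 2]
    if not (dsap == SNAP_DSAP and ssap == SNAP_SSAP and ctrl == SNAP_CONTROL):
        fields["ETHER_ENCAP_METHOD"] = "802.3 LLC without SNAP"   # not one of the slide's cases
        return fields
    oui = frame[off + 3:off + 6]
    fields["ETHER_SNAP_CONTROL"] = (dsap << 16) | (ssap << 8) | ctrl   # 3 bytes padded to 32 bits
    fields["ETHER_SNAP_OUI"] = int.from_bytes(oui, "big")               # 3 bytes padded to 32 bits
    fields["ETHER_TYPE"] = struct.unpack_from("!H", frame, off + 6)[0]
    fields["ETHER_ENCAP_METHOD"] = ("SNAP w/OUI=00.00.00" if oui == b"\x00\x00\x00"
                                    else "SNAP with unrecognized OUI")
    return fields


# --- constructed sample frames (not captured traffic) ---------------------------
def build_frame(dst, src, ethertype, payload=b"", vlan=None) -> bytes:
    hdr = dst + src
    if vlan is not None:
        prio, cfi, vid = vlan
        hdr += struct.pack("!HH", ETHERTYPE_VLAN, (prio << 13) | (cfi << 12) | vid)
    return hdr + struct.pack("!H", ethertype) + payload


def build_snap_frame(dst, src, oui, ethertype, payload=b"") -> bytes:
    body = bytes([SNAP_DSAP, SNAP_SSAP, SNAP_CONTROL]) + oui + struct.pack("!H", ethertype) + payload
    return dst + src + struct.pack("!H", len(body)) + body


SRC = bytes.fromhex("001122334455")
SAMPLE_DIX = build_frame(bytes.fromhex("ffffffffffff"), SRC, 0x0806, b"\x00" * 28)        # ARP broadcast
SAMPLE_VLAN = build_frame(bytes.fromhex("01005e000001"), SRC, 0x0800, b"\x00" * 20,
                          vlan=(5, 0, 100))                                                 # tagged IPv4 multicast
SAMPLE_SNAP = build_snap_frame(bytes.fromhex("00aabbccddee"), SRC, b"\x00\x00\x00", 0x0800,
                               b"\x00" * 20)                                                # SNAP-encapsulated IPv4

if __name__ == "__main__":
    for name, f in (("dix", SAMPLE_DIX), ("vlan", SAMPLE_VLAN), ("snap", SAMPLE_SNAP)):
        print(name, parse_802_3(f))
```

A filter condition on ETHER_TYPE alone would not distinguish a DIX IPv4 frame from a SNAP-encapsulated one; that is exactly why the layer exposes ETHER_ENCAP_METHOD and the SNAP OUI/control words as separate conditions, and a policy that means to match only Ethernet II traffic has to say so.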

Page 19

Replacing Windows Firewall Functionality

• New API to selectively replace Windows Firewall functionality
  • Boot time
  • Firewall and stealth
  • Connection security
• Vendor firewalls need to hold a handle for the functionality that is replaced
• Existing Vista-based functionality (non-stoppable)
  • Windows Service Hardening
  • Service Hardening
• New “Register” COM interface
  • Supported by the HNetCfg.FwProducts COM object
  • NET_FW_RULE_CATEGORY_BOOT
  • NET_FW_RULE_CATEGORY_STEALTH
  • NET_FW_RULE_CATEGORY_FIREWALL
  • NET_FW_RULE_CATEGORY_CONSEC

Page 20

Filter Count Reduction

• Policy authoring may affect filter count
  • Reduce filter count to increase performance
  • Policy optimization may dramatically reduce filter count
  • Microsoft IT policy optimizations reduced filter count by half
• OR/NOT filtering options feature may reduce filter count
  • With Vista:
    • Filter 1: Block TCP port 1234
    • Filter 2: Block UDP port 1234
  • With Windows 7:
    • Filter 1: Block (TCP || UDP) port 1234

Page 21

Call to Action

• Windows 7 extends WFP to make it a more comprehensive filtering platform solution
  • Use of WFP strongly recommended
  • Required for consumer host firewall driver certification
• Send us your feedback and WFP implementation stories
  • [email protected]

Page 22

Resources

• Windows Filtering Platform on MSDN
  • http://msdn.microsoft.com/en-us/library/aa366510(VS.85).aspx
• Windows Filtering Platform on the WHDC Web site
  • http://www.microsoft.com/whdc/device/network/WFP.mspx
• Please visit the WFP forum on MSDN for discussions, questions, and suggestions
  • http://forums.microsoft.com/msdn/ShowForum.aspx?ForumID=1637&SiteID=1

Page 23

Backup

Page 24

How Does WFP Work – Continued

• Filter arbitration
  • Layers are divided into sub-layers
  • Within a sub-layer:
    • Filters are evaluated in weight order
    • First match: execute action (permit/block/callout)
      • Permit/block: the evaluation stops
      • A callout returns “continue”: the next matching filter is evaluated
    • Jump to the next sub-layer
  • Traffic goes through each sub-layer
    • A callout at the last sub-layer can still inspect blocked traffic

Page 25

Arbitration Example

[Diagram of two layers, each split into sub-layers; filter labels and per-filter results as on the slide:]

Inbound Transport layer:
• * -> permit => Permit
• * -> ids_callout => Continue, then * -> permit => Permit

ALE recv/accept layer:
• IIS.exe -> permit => Permit
• port80 -> block => Block
• * -> log_callout => Continue

Resultant policy blocks inbound to port 80.
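The two backup slides describe the arbitration rules and one worked policy, and the Filter Count Reduction slide (page 20) shows why Windows 7's OR conditions let one filter replace two. The model below is an added example, not Microsoft code and not the real engine: it implements the slide's rules (weight order within a sub-layer, first match decides, a callout returning "continue" falls through, every sub-layer is visited, a block in any sub-layer wins) on top of a condition model where conditions on the same field are OR'd and conditions on different fields are AND'd. The assignment of the example's filters to sub-layers, the "permit when nothing matches" default, the lower-case field names and the callouts that always return "continue" are all my assumptions for the example.

```python
"""Toy model of WFP filter arbitration plus the Windows 7 OR condition option.
Added example, not Microsoft code. Assumptions: a layer is a list of sub-layers
(each a list of filters); same-field conditions are OR'd, cross-field AND'd;
a sub-layer tries filters by descending weight and stops at the first permit/block,
a callout returning CONTINUE falls through; the layer verdict is BLOCK if any
sub-layer blocked, otherwise PERMIT (also when nothing matched at all).
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

PERMIT, BLOCK, CONTINUE, CALLOUT = "permit", "block", "continue", "callout"
EQUAL, NOT_EQUAL = "==", "!="
Packet = Dict[str, object]


@dataclass
class Condition:
    key: str          # lower-case spelling of the slide's condition name (assumption)
    op: str           # EQUAL or NOT_EQUAL (the slide's OR/NOT options)
    value: object

    def matches(self, pkt: Packet) -> bool:
        if self.key not in pkt:
            return False
        return pkt[self.key] == self.value if self.op == EQUAL else pkt[self.key] != self.value


@dataclass
class Filter:
    name: str
    weight: int
    action: str                                         # PERMIT, BLOCK or CALLOUT
    conditions: List[Condition] = field(default_factory=list)   # empty list = "*"
    callout: Optional[Callable[[Packet], str]] = None   # consulted when action == CALLOUT

    def matches(self, pkt: Packet) -> bool:
        by_key: Dict[str, List[Condition]] = {}
        for c in self.conditions:
            by_key.setdefault(c.key, []).append(c)
        # AND across fields, OR across the conditions on one field
        return all(any(c.matches(pkt) for c in cs) for cs in by_key.values())

    def decide(self, pkt: Packet) -> str:
        return self.callout(pkt) if self.action == CALLOUT else self.action


def evaluate_sublayer(filters: List[Filter], pkt: Packet,
                      trace: List[Tuple[str, str]]) -> Optional[str]:
    """First decisive match in weight order; CONTINUE moves on to the next match."""
    for f in sorted(filters, key=lambda f: f.weight, reverse=True):
        if not f.matches(pkt):
            continue
        verdict = f.decide(pkt)
        trace.append((f.name, verdict))
        if verdict in (PERMIT, BLOCK):
            return verdict
    return None


def evaluate_layer(sublayers: List[List[Filter]], pkt: Packet) -> Tuple[str, List[Tuple[str, str]]]:
    trace: List[Tuple[str, str]] = []
    verdicts = [evaluate_sublayer(sl, pkt, trace) for sl in sublayers]   # every sub-layer runs
    return (BLOCK if BLOCK in verdicts else PERMIT), trace


# --- Filter count reduction (page 20): Vista needs two filters, Windows 7 one ---
def vista_block_port_1234() -> List[Filter]:
    return [Filter("block tcp 1234", 10, BLOCK, [Condition("ip_protocol", EQUAL, "tcp"),
                                                 Condition("ip_local_port", EQUAL, 1234)]),
            Filter("block udp 1234", 10, BLOCK, [Condition("ip_protocol", EQUAL, "udp"),
                                                 Condition("ip_local_port", EQUAL, 1234)])]


def win7_block_port_1234() -> List[Filter]:
    # two conditions on ip_protocol are OR'd: Block (TCP || UDP) port 1234
    return [Filter("block (tcp||udp) 1234", 10, BLOCK, [Condition("ip_protocol", EQUAL, "tcp"),
                                                        Condition("ip_protocol", EQUAL, "udp"),
                                                        Condition("ip_local_port", EQUAL, 1234)])]


def same_policy(a: List[Filter], b: List[Filter], packets: List[Packet]) -> bool:
    return all(evaluate_layer([a], p)[0] == evaluate_layer([b], p)[0] for p in packets)


# --- The "Arbitration Example" slide --------------------------------------------
def slide_policy():
    continue_always = lambda pkt: CONTINUE           # ids/log callouts only observe (assumption)
    inbound_transport = [
        [Filter("* -> permit", 1, PERMIT)],
        [Filter("* -> ids_callout", 2, CALLOUT, callout=continue_always),
         Filter("* -> permit", 1, PERMIT)],
    ]
    ale_recv_accept = [
        [Filter("IIS.exe -> permit", 1, PERMIT, [Condition("ale_app_id", EQUAL, "IIS.exe")])],
        [Filter("port80 -> block", 1, BLOCK, [Condition("ip_local_port", EQUAL, 80)])],
        [Filter("* -> log_callout", 1, CALLOUT, callout=continue_always)],   # last sub-layer
    ]
    return inbound_transport, ale_recv_accept


def classify(pkt: Packet):
    """Returns (Inbound Transport verdict, ALE recv/accept verdict, combined trace)."""
    transport, ale = slide_policy()
    t_verdict, t_trace = evaluate_layer(transport, pkt)
    a_verdict, a_trace = evaluate_layer(ale, pkt)
    return t_verdict, a_verdict, t_trace + a_trace


if __name__ == "__main__":
    print(classify({"ale_app_id": "IIS.exe", "ip_protocol": "tcp", "ip_local_port": 80}))
```

Running the slide's packet (IIS.exe accepting on port 80) through `classify` gives permit at Inbound Transport and block at ALE recv/accept, and the trace shows `* -> log_callout` still ran after the port 80 block, which is the "a callout at the last sub-layer can still inspect blocked traffic" property from page 24. The point for policy authors is that a permit in one sub-layer never overrides a block in another, so the IIS.exe permit on its own does not open port 80.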