Windows Filtering Platform Enhancements in Windows 7
Mohan Prabhala (Senior Program Manager) and Jorge Coronel Mendoza (Program Manager), Windows Networking
[email protected]
Session Goals
• Attendees should leave this session with an understanding of:
  • Windows Filtering Platform (WFP) benefits and architecture
  • What’s new in WFP for Windows 7 and how it may be used
Agenda
• What is Windows Filtering Platform (WFP)
• Evolution of filtering technologies
• Why use WFP
• Vista WFP architecture
• WFP basics
• What’s new
• WFP architecture in Windows 7
• New WFP feature specifics and design considerations
• Call to action
• Resources
What Is Windows Filtering Platform?
• Set of APIs and system services providing a platform to create network filtering software
  • User-mode and kernel-mode APIs
• Introduced with Windows Vista
  • The firewall built into Windows Vista and Windows Server 2008 uses WFP
• Designed to eventually replace filtering technologies such as:
  • Transport Driver Interface (TDI)
  • NDIS Lightweight Filtering (LWF)
  • Winsock Layered Service Provider (LSP)
What Is Windows Filtering Platform? (cont.)
• May be used to implement:
  • Host firewalls
  • Packet inspection software
  • Host-based intrusion detection systems (IDS)
  • Antivirus (AV) software
  • Network monitoring tools
  • And more…
Filtering Technology Evolution
Each pre-Windows Vista technology, with the recommended replacement on Windows Vista and on Windows 7:
• TDI filter driver
  • Windows Vista: WFP APIs are strongly recommended. TDI is on the path to deprecation, but is supported on Vista.
  • Windows 7: WFP APIs are required for host firewall driver certification and strongly recommended for other filtering software. TDI is on the path to deprecation, but is supported.
• TDI kernel client
  • Windows Vista: Winsock Kernel (WSK) APIs are strongly recommended. TDI is on the path to deprecation, but is supported on Vista.
  • Windows 7: WSK APIs are strongly recommended. TDI is on the path to deprecation, but is supported.
• Firewall and filter hook
  • Windows Vista: WFP APIs required. Firewall/filter hook drivers are no longer supported.
  • Windows 7: WFP APIs are required for host firewall driver certification.
• LSP
  • Windows Vista: WFP stream layer may be used. LSPs are supported.
  • Windows 7: WFP stream layer may be used. LSPs are supported.
• NDIS intermediate (IM) driver
  • Windows Vista: LWF is strongly recommended. No WFP support.
  • Windows 7: New WFP APIs are recommended.
Why Use WFP?
• Business considerations
  • Reduced development time and total cost of ownership
  • Can be used for complete development of consumer firewalls
  • Aligned with filtering technology evolution
  • Supported in Vista and future Windows releases
• Technical considerations
  • Less complex due to consistent semantics and a layered filtering model
  • Rich features
    • Enables both deep packet inspection and packet manipulation at several layers in the stack
    • Supports connection-based filtering
    • Packet filtering supported from both user mode and kernel mode
  • Performance
    • Hardware offload friendly
Vista WFP Architecture
(Architecture diagram.) User mode: firewall and AV applications use the WFP Management APIs, which are served by the Base Filtering Engine (BFE). Kernel mode: the Filtering Engine exposes the Network, Transport, Forward, IPsec, Stream and Application Layer Enforcement (ALE) layers alongside TDI/WSK; third-party callout modules (network address translation (NAT), IDS, parental control, anti-virus) attach through the Callout APIs.
WFP Basics
• WFP Management APIs
  • Set of APIs used by applications to plumb filters into the Filtering Engine
• Base Filtering Engine (BFE)
  • Service in charge of coordinating WFP components
  • Enforces WFP configuration security during boot
  • Applications communicate with BFE through the management APIs
• Filter objects
  • Extensive filtering options
  • Filter arbitration
• Callouts
  • Kernel components that provide additional filtering functionality
• Diagnostics
  • Network Diagnostic Framework (NDF) integrated
  • Extensible Filtering Platform Helper Class (FPHC) diagnoses:
    • Packet drops
    • IPsec/IKE failures
What’s New?
• TCP/UDP proxy layer
  • Redirection of IP packets without per-packet processing
• NDIS filtering layer
  • Extends WFP to filter against 802.3 frame headers
• New COM API to selectively replace Windows Firewall functionality
• WFP packet tagging
  • Avoids re-inspection of already inspected packets when callout drivers register at multiple layers
  • Identifies the packet-to-interface relationship
• WFP dynamic stream inspection
  • Enhanced ability to inspect without restarting network applications or rebooting
• Connection pending, closure, and lifetime notifications
  • Allows WFP drivers to intercept socket closures to reclaim resources allocated during bind time
• Richer filtering options
  • Condition-based OR/NOT
WFP Architecture – Windows 7
(Architecture diagram; the legend marks the new WFP APIs.) Same components as the Vista diagram (firewall and AV applications, WFP Management APIs, BFE, Filtering Engine with the Network, Transport, Forward, IPsec, Stream and ALE layers, TDI/WSK, Callout APIs and third-party NAT, IDS, parental control and anti-virus callout modules), plus three additions: an NDIS Layer below the existing layers, an IP Proxy Layer next to ALE, and a Register API for the new API that replaces Windows Firewall functionality.
Key Issues Addressed in Windows 7
• Redirection of IP packets
  • Addressed by the WFP ALE extension
• Filtering at lower levels
  • Addressed by a new WFP layer for MAC/ARP filtering
• Coexistence with Windows Firewall
  • Addressed by selectively replacing Windows Firewall functionality
• Inspection of the same packet multiple times
  • Addressed by packet tagging
• Filter count reduction
  • Addressed by combining multiple filters into a single, more complex filter
TCP/UDP Proxy Layer
• Two new WFP layers facilitate redirection of IP packets without per-packet complexity:
  • FWPM_LAYER_ALE_BIND_REDIRECT_V{4|6}
  • FWPM_LAYER_ALE_CONNECT_REDIRECT_V{4|6}
TCP/UDP Proxy Layer (contd.)
• Attributes that apply to FWPM_LAYER_ALE_BIND_REDIRECT_V{4|6}
  • ALE_APP_ID (FWP_BYTE_BLOB_TYPE)
    • Normalized image path of the process from which the connecting socket is created
  • ALE_USER_ID (FWP_TOKEN_ACCESS_INFORMATION_TYPE)
    • Process or impersonation token with which the connecting socket is created
  • IP_LOCAL_ADDRESS
    • IPv4 or IPv6 address in host order
  • IP_LOCAL_PORT
    • Source port in host order
  • IP_LOCAL_ADDRESS_TYPE
  • IP_PROTOCOL
TCP/UDP Proxy Layer (contd.)
• FWPM_LAYER_ALE_CONNECT_REDIRECT_V{4|6} has all the attributes of FWPM_LAYER_ALE_BIND_REDIRECT_V{4|6} as well as:
  • IP_REMOTE_ADDRESS (FWP_UINT32 or FWP_BYTE_ARRAY16_TYPE)
    • IPv4 or IPv6 address in host order
  • IP_REMOTE_PORT
    • Destination port in host order
  • IP_DESTINATION_ADDRESS_TYPE
NDIS Filtering Layer
• Two new WFP layers filter against 802.3 frame headers:
  • FWPM_LAYER_INBOUND_MAC_FRAME_802_3
  • FWPM_LAYER_OUTBOUND_MAC_FRAME_802_3
NDIS Filtering Layer (contd.)
• Attributes for FWPM_LAYER_INBOUND_MAC_FRAME_802_3 and FWPM_LAYER_OUTBOUND_MAC_FRAME_802_3
  • ETHER_SRC_ADDRESS
    • Source MAC address
  • ETHER_DST_ADDRESS
    • Destination MAC address
  • ETHER_DST_ADDRESS_TYPE
    • Scope of the destination address: unicast, multicast, or broadcast
  • ETHER_ENCAP_METHOD
    • Frame encoding: Ethernet v2/DIX, SNAP with OUI = 00.00.00, or SNAP with an unrecognized OUI
  • ETHER_TYPE
    • Network protocol type value
  • ETHER_SNAP_CONTROL
    • If SNAP, the 3 bytes of DSAP, SSAP, and Control, padded to 32 bits
  • ETHER_SNAP_OUI
    • If SNAP, the 3 bytes of OUI, padded to 32 bits
  • ETHER_VLAN_TAG
    • VLAN (802.1Q) user priority, CFI, and VLAN ID
  • INTERFACE_LUID
    • Synonym for IP_LOCAL_INTERFACE
  • FLAGS
    • Boolean indicating whether the NIC is in promiscuous mode
  • INTERFACE_TYPE
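As an added example (not code from the presentation or from WFP itself), the following C parser derives from a raw 802.3 frame the same values these conditions expose: source and destination addresses, destination address type, encapsulation method, EtherType, the 802.1Q tag fields, and the SNAP control and OUI bytes padded to 32 bits. The enum and field names and the two sample frames are constructed for illustration.

```c
#include <stdint.h>
#include <string.h>
/* Added example, not WFP code: derives from a raw 802.3 frame the values the NDIS-layer
 * conditions above expose (addresses, ETHER_DST_ADDRESS_TYPE, ETHER_ENCAP_METHOD, ETHER_TYPE,
 * ETHER_VLAN_TAG, ETHER_SNAP_CONTROL/OUI). Names and sample frames are constructed. */
enum dst_type { DST_UNICAST, DST_MULTICAST, DST_BROADCAST };
enum encap { ENCAP_DIX, ENCAP_SNAP_OUI_ZERO, ENCAP_SNAP_OTHER_OUI, ENCAP_UNKNOWN };
struct frame_fields {
    uint8_t dst[6], src[6];
    enum dst_type dst_type; enum encap encap; uint16_t ether_type;
    int has_vlan; uint8_t vlan_prio, vlan_cfi; uint16_t vlan_id;   /* 802.1Q TCI */
    uint32_t snap_control, snap_oui;            /* 3 bytes each, padded to 32 bits */
};
static uint16_t be16(const uint8_t *p) { return (uint16_t)(p[0] << 8 | p[1]); }
static uint32_t be24(const uint8_t *p) { return (uint32_t)p[0] << 16 | (uint32_t)p[1] << 8 | p[2]; }
/* Returns 0 on success, -1 if the frame is too short for the headers it claims. */
static int parse_802_3(const uint8_t *f, size_t len, struct frame_fields *out) {
    memset(out, 0, sizeof *out);
    if (len < 14) return -1;
    memcpy(out->dst, f, 6); memcpy(out->src, f + 6, 6);
    out->dst_type = be24(f) == 0xffffff && be24(f + 3) == 0xffffff ? DST_BROADCAST
                  : (f[0] & 1) ? DST_MULTICAST : DST_UNICAST;       /* I/G bit */
    size_t off = 12;
    uint16_t tl = be16(f + off);                 /* type/length field */
    if (tl == 0x8100) {                          /* 802.1Q tag present */
        if (len < 18) return -1;
        out->has_vlan = 1;
        out->vlan_prio = f[14] >> 5; out->vlan_cfi = (f[14] >> 4) & 1;
        out->vlan_id = (uint16_t)((f[14] & 0x0f) << 8 | f[15]);
        off = 16; tl = be16(f + off);
    }
    off += 2;
    if (tl >= 0x0600) { out->encap = ENCAP_DIX; out->ether_type = tl; return 0; }
    /* tl is an 802.3 length: expect LLC/SNAP (AA AA 03, OUI, protocol type) */
    if (len < off + 8 || f[off] != 0xAA || f[off + 1] != 0xAA || f[off + 2] != 0x03) {
        out->encap = ENCAP_UNKNOWN; return 0;
    }
    out->snap_control = be24(f + off); out->snap_oui = be24(f + off + 3);
    out->ether_type = be16(f + off + 6);
    out->encap = out->snap_oui == 0 ? ENCAP_SNAP_OUI_ZERO : ENCAP_SNAP_OTHER_OUI;
    return 0;
}
/* Constructed frames: (0) broadcast ARP in an 802.1Q tag (priority 3, VLAN 100); (1) unicast IPv4 in SNAP, OUI 00-00-00. */
static const uint8_t frame0[] = { 0xff,0xff,0xff,0xff,0xff,0xff, 0x00,0x11,0x22,0x33,0x44,0x55, 0x81,0x00, 0x60,0x64, 0x08,0x06 };
static const uint8_t frame1[] = { 0x00,0x11,0x22,0x33,0x44,0x66, 0x00,0x11,0x22,0x33,0x44,0x55, 0x00,0x08, 0xaa,0xaa,0x03, 0x00,0x00,0x00, 0x08,0x00 };
static struct frame_fields parsed(int which) {
    struct frame_fields ff;
    parse_802_3(which ? frame1 : frame0, which ? sizeof frame1 : sizeof frame0, &ff);
    return ff;
}
```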
Replacing Windows Firewall Functionality
• New API to selectively replace Windows Firewall functionality
  • Boot time
  • Firewall and stealth
  • Connection security
• Vendor firewalls need to hold a handle for the functionality that is replaced
• Existing Vista-based functionality (non-stoppable)
  • Windows Service Hardening
• New “Register” COM interface
  • Supported by the HNetCfg.FwProducts COM object
  • NET_FW_RULE_CATEGORY_BOOT
  • NET_FW_RULE_CATEGORY_STEALTH
  • NET_FW_RULE_CATEGORY_FIREWALL
  • NET_FW_RULE_CATEGORY_CONSEC
Filter Count Reduction
• Policy authoring may affect filter count
  • Reduce filter count to increase performance
  • Policy optimization may dramatically reduce filter count
    • Microsoft IT policy optimizations reduced filter count by half
• The OR/NOT filtering options feature may reduce filter count
  • With Vista:
    • Filter 1: Block TCP port 1234
    • Filter 2: Block UDP port 1234
  • With Windows 7:
    • Filter 1: Block (TCP || UDP) port 1234
Call to Action
• Windows 7 extends WFP to make it a more comprehensive filtering platform solution
  • Use of WFP is strongly recommended
  • Required for consumer host firewall driver certification
• Send us your feedback and WFP implementation stories
  • [email protected]
Resources
• Windows Filtering Platform on MSDN
  • http://msdn.microsoft.com/en-us/library/aa366510(VS.85).aspx
• Windows Filtering Platform on the WHDC Web site
  • http://www.microsoft.com/whdc/device/network/WFP.mspx
• Please visit the WFP forum on MSDN for discussions, questions, and suggestions
  • http://forums.microsoft.com/msdn/ShowForum.aspx?ForumID=1637&SiteID=1
Backup
How does WFP Work – Continued
• Filter arbitration
  • Layers are divided into sub-layers
  • Within a sub-layer:
    • Filters are evaluated in weight order
    • First match: execute the action (permit/block/callout)
      • Permit/block: the evaluation stops
      • A callout returns “continue”: the next matching filter is evaluated
  • Jump to the next sub-layer
    • Traffic goes through each sub-layer
    • A callout at the last sub-layer can still inspect blocked traffic
Arbitration Example
(Diagram.) Layers shown: Inbound Transport and ALE recv/accept. Filters shown: * -> permit; * -> ids_callout (returns Continue); * -> permit; IIS.exe -> permit; port80 -> block; * -> log_callout (returns Continue). Per-sub-layer results shown: Permit, Block, Permit. Resultant policy: inbound traffic to port 80 is blocked.
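As an added example, not code from the presentation or from the WFP API itself, the following C model implements the arbitration rules above (weight order within a sub-layer, first matching permit/block ends the sub-layer, callout “continue” falls through, every sub-layer still sees the traffic) together with the Windows 7 condition semantics from the Filter Count Reduction slide (conditions on the same field are OR’d, different fields are AND’d, and a condition can be negated), and runs the arbitration example’s policy through it. The structure and function names, the numeric protocol and application identifiers, and the sub-layer numbering are constructed for illustration.

```c
/* Added example, not WFP's own API: a constructed model of this page's filter
 * arbitration rules and the Windows 7 OR/NOT condition semantics. */
enum action { PERMIT, BLOCK, CALLOUT_CONTINUE };
enum field { F_PROTOCOL, F_LOCAL_PORT, F_APP_ID };
enum { PROTO_TCP = 6, PROTO_UDP = 17, APP_IIS = 1, APP_OTHER = 2 };   /* sample ids */
struct cond { enum field f; int negate; int value; };                  /* negate = NOT */
struct filter { int sublayer, weight, ncond; struct cond c[3]; enum action act; };
struct packet { int protocol, local_port, app_id; };
static int g_callouts;   /* callouts invoked by the last arbitrate() call */
/* Windows 7: same-field conditions are OR'd, different fields AND'd, so one filter suffices. */
static int filter_matches(const struct filter *f, const struct packet *p) {
    for (int i = 0; i < f->ncond; i++) {                 /* AND over fields */
        int any = 0;
        for (int j = 0; j < f->ncond && !any; j++) {     /* OR within a field */
            const struct cond *c = &f->c[j];
            if (c->f != f->c[i].f) continue;
            int v = c->f == F_PROTOCOL ? p->protocol : c->f == F_LOCAL_PORT ? p->local_port : p->app_id;
            any = c->negate ? v != c->value : v == c->value;
        }
        if (!any) return 0;
    }
    return 1;
}
/* fs[] is listed by sub-layer, highest weight first. The first matching permit/block
 * decides a sub-layer; callout "continue" moves to the next match; a block anywhere wins. */
static enum action arbitrate(const struct filter *fs, int n, const struct packet *p) {
    enum action final = PERMIT;
    g_callouts = 0;
    for (int i = 0; i < n; i++) {
        int sub = fs[i].sublayer;
        if (!filter_matches(&fs[i], p)) continue;
        if (fs[i].act == CALLOUT_CONTINUE) { g_callouts++; continue; }
        if (fs[i].act == BLOCK) final = BLOCK;
        while (i + 1 < n && fs[i + 1].sublayer == sub) i++;   /* rest of sub-layer skipped */
    }
    return final;   /* every sub-layer was walked, so later callouts saw blocked traffic */
}
/* Constructed policy mirroring the page's arbitration example. */
static const struct filter policy[] = {
    { 0, 20, 0, {{0}}, CALLOUT_CONTINUE },               /* * -> ids_callout  */
    { 0, 10, 0, {{0}}, PERMIT },                          /* * -> permit       */
    { 1, 20, 1, {{F_APP_ID, 0, APP_IIS}}, PERMIT },      /* IIS.exe -> permit */
    { 1, 10, 1, {{F_LOCAL_PORT, 0, 80}}, BLOCK },        /* port80 -> block   */
    { 2, 20, 0, {{0}}, CALLOUT_CONTINUE },               /* * -> log_callout  */
    { 2, 10, 0, {{0}}, PERMIT },                          /* * -> permit       */
};
static enum action decide(int proto, int port, int app) {
    struct packet pk = { proto, port, app };
    return arbitrate(policy, (int)(sizeof policy / sizeof policy[0]), &pk);
}
```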