
How To Use The Windows Filtering Platform To Integrate With Windows Networking


Presentation Transcript


  1. How To Use The Windows Filtering Platform To Integrate With Windows Networking
  Madhurima Pawar, Program Manager, Microsoft Corporation

  2. Agenda
  • Filtering Technologies
  • Benefits of Windows Filtering Platform
  • Secure Socket APIs

  3. Filtering Technologies

  4. Benefits Of WFP
  • WFP is robust, easier to use, and provides better performance
  • WFP provides rich functionality for a better user experience
  • WFP filters and secures network traffic
  • WFP supports both IPv4 and IPv6 traffic
  • Integrated with hardware offload capabilities in Windows Vista

  5. WFP Architecture (architecture diagram: in user mode, firewall and AV applications together with 3rd party NAT, IDS, parental control and anti-virus products call the WFP APIs into the Base Filtering Engine (BFE); in kernel mode the Filtering Engine exposes the ALE, Stream, Transport, Network and Forward layers alongside TDI/WSK, IPsec, the Callout APIs and callout modules)

  6. WFP Layers

  7. Callout
  • A callout extends the capabilities of WFP
  • Callouts can be registered at all layers
  • Each callout has a unique GUID
  • Callouts are used for
    • Deep inspection
    • Packet modification
    • Stream modification
    • Data logging
    • Boot time security

  8. Callout
  • A callout implements
    • classifyFn: the filter engine calls classify whenever there is data to be processed
    • flowDeleteFn: the filter engine calls the callout to notify it when the flow is being terminated
    • notifyFn: the filter engine calls the callout about events associated with the callout

  9. Application Layer Enforcement
  • Maintains connection state for all traffic
  • Filters based on
    • Local/remote address and port, protocol
    • App ID, user ID, and machine ID
  • IPv4 and IPv6 filtering
  • ALE use case scenarios
    • Port blocking
    • Application filtering
    • Authorization based on user ID

  10. Application Layer Enforcement
  • ALE Layers
    • FWPM_LAYER_ALE_RESOURCE_ASSIGNMENT for authorizing port assignments, bind requests, etc.
    • ALE_AUTH_LISTEN for authorizing TCP listen
    • ALE_AUTH_RECV_ACCEPT for authorizing all incoming traffic
    • ALE_AUTH_CONNECT for authorizing all outgoing traffic
    • ALE_FLOW_ESTABLISHED for receiving notification of an established flow
  • Filtering actions
    • Block
    • Permit
    • Pend
    • Continue
    • Modify session timeout for UDP, broadcast, and multicast traffic

  11. ALE Pend (diagram: application Foo.exe in user mode; in kernel mode ALE calls the firewall callout's ClassifyOut(), which calls FwpsPendOperation0(); the firewall consults its policy store and asks "Do you wish to grant Foo.exe access to the network?"; FwpsCompleteOperation0() completes the pended operation)

  12. Stream Layer
  • Use case scenarios
    • Web filtering for parental control
    • Content filtering
    • Stream throttling
  • The stream layer sees the TCP stream
  • Filtering options available at the stream layer are
    • Local/remote address and port
    • Direction
    • IPv4 and IPv6 filtering

  13. Stream Layer
  • Layers
    • FWPM_LAYER_STREAM_V4
    • FWPM_LAYER_STREAM_V6
  • Filtering actions
    • Block
    • Permit
    • Continue
    • Pend/un-pend
    • Need more data

  14. Stream Pend (diagram: application and policy store in user mode; in kernel mode the Stream Layer calls the firewall callout's ClassifyOut(), which returns actionType = Defer; FwpsStreamContinue0() resumes the stream)

  15. Stream Need More Data (diagram: application and policy store in user mode; in kernel mode the Stream Layer calls the firewall callout's ClassifyOut with 100 bytes, which returns actionType = Need more data, and then ClassifyOut with 200 bytes)

  16. Stream Inject (diagram: application and policy store in user mode; in kernel mode the Stream Layer calls the firewall callout's ClassifyOut with 100 bytes, which returns actionType = Need more data, then ClassifyOut with 200 bytes; the callout injects 150 bytes with FwpsStreamInject())

  17. Packet Modification
  • Use the stream layer for data modification
  • Header modification
    • NAT
    • Proxy
  • In-place modification is NOT supported
    • Clone the original packet, drop the original, and re-inject the copy
    • Clone + drop + re-inject does not incur a buffer copy
  • MAC layer modification
    • Use an NDIS LWF

  18. Packet Modification APIs
  • Layers
    • Network, Transport, Forward, Datagram, ALE send/recv
  • Re-inject on the send path
  • Re-inject on the receive path
    • Before routing
  • Re-inject on the forward path
    • Remotely destined

  19. Filter Arbitration
  • Goals
    • Traffic can always be inspected
    • Traffic can be blocked even if a higher priority filter has permitted it
      • Change the action or veto
    • Multiple actions can be performed on the same data
      • Permit and logging
    • Multiple providers can inspect the traffic
      • Firewall + IDS

  20. Filter Arbitration
  • Design
    • Layers in the Filtering Engine are divided into sub-layers
    • Within a sub-layer, filters are evaluated in weight order
    • Evaluation stops at the first match (permit/block)
    • If a callout returns continue, the next matching filter is evaluated
    • Traffic goes through each sub-layer

  21. Filter Arbitration
  • Features
    • Overriding
      • A block can override a permit
      • If FWPM_FILTER_FLAG_CLEAR_ACTION_RIGHT on filters or FWPS_RIGHT_ACTION_WRITE on callouts is cleared, then the action type cannot be overridden
    • Veto
      • Changing the action without the write action right

  22. Classification Example
  • ALE recv/accept layer, FW sub-layer:
    • MSN.exe -> permit: Permit
    • * -> permit: Permit
  • Inbound Transport layer, FW sub-layer:
    • * -> ids_callout: Continue
    • port80 -> block: Block
    • * -> permit: Permit
  • * -> log_callout: Continue
  • Resultant policy blocks inbound to port 80: Block
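The arbitration rules of slides 19 to 21 and the worked policy of slide 22, as an added user-mode simulation that is not part of the original deck or of WFP itself: the types, the is_callout flag, the fixed weights and the permit-by-default fallback are my assumptions, while the real engine works on FWPM/FWPS structures in kernel mode.

```c
#include <stdbool.h>
/* Constructed model of WFP filter arbitration; names are mine, not WFP's real API. */
typedef enum { ACT_PERMIT, ACT_BLOCK, ACT_CONTINUE } action_t;
typedef struct {
    int sublayer, weight, port;  /* sub-layer 0 runs first; higher weight first; port 0 = any */
    action_t action;             /* what the filter, or its callout, returns on a match */
    bool is_callout;             /* only a callout's block is honored as a veto */
    bool clear_write;            /* FWPM_FILTER_FLAG_CLEAR_ACTION_RIGHT / FWPS_RIGHT_ACTION_WRITE cleared */
} filter_t;
/* One sub-layer: matching filters in weight order, stop at the first permit/block; continue moves on. */
static const filter_t *sublayer_decision(const filter_t *f, int n, int sl, int port) {
    bool done[32] = { false };
    for (;;) {
        int best = -1;
        for (int i = 0; i < n; i++)
            if (!done[i] && f[i].sublayer == sl && (best < 0 || f[i].weight > f[best].weight))
                best = i;
        if (best < 0) return 0;                              /* sub-layer decided nothing */
        done[best] = true;
        if (f[best].port && f[best].port != port) continue;  /* condition not met */
        if (f[best].action != ACT_CONTINUE) return &f[best];
    }
}
/* Every sub-layer runs, so traffic can always be inspected: block overrides permit, permit never
 * overrides block, and once the write right is cleared only a callout veto can still block. */
action_t arbitrate(const filter_t *f, int n, int nsublayers, int port) {
    action_t result = ACT_PERMIT; bool write_right = true;  /* assumption: permit when nothing decides */
    for (int sl = 0; sl < nsublayers; sl++) {
        const filter_t *d = sublayer_decision(f, n, sl, port); if (!d) continue;
        if (write_right) {
            if (d->action == ACT_BLOCK || result != ACT_BLOCK) result = d->action;
            write_right = !d->clear_write;
        } else if (d->action == ACT_BLOCK && d->is_callout) result = ACT_BLOCK;  /* veto */
    }
    return result;
}
/* Slide 22's inbound transport layer (constructed weights): firewall sub-layer, then logging. */
action_t classify_inbound(int port) {
    const filter_t f[] = { { 0, 3, 0,  ACT_CONTINUE, true,  false },    /* firewall: * -> ids_callout */
                           { 0, 2, 80, ACT_BLOCK,    false, false },    /* firewall: port80 -> block */
                           { 0, 1, 0,  ACT_PERMIT,   false, false },    /* firewall: * -> permit */
                           { 1, 1, 0,  ACT_CONTINUE, true,  false } };  /* logging:  * -> log_callout */
    return arbitrate(f, 4, 2, port);
}
/* Hard permit, then a block in a lower sub-layer: a filter cannot override it, a callout can veto. */
action_t hard_permit_then_block(bool by_callout) {
    const filter_t f[] = { { 0, 1, 0, ACT_PERMIT, false, true }, { 1, 1, 0, ACT_BLOCK, by_callout, false } };
    return arbitrate(f, 2, 2, 80);
}
```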

  23. Boot Time Filtering (diagram: System Boot → BFE starts → 3rd party service starts; boot time filters apply until the BFE filters and persistent filters take over)

  24. Notification

  25. Diagnostics

  26. IPsec Configuration
  • Use cases
    • VPN applications
    • Filtering IPsec traffic
    • IPsec management tools
  • WFP APIs can configure
    • IKE policies
    • IPsec policies
  • Filter IPsec at the transport layer
  • Applications can guarantee security by
    • Plumbing a filter at the ALE connect layer for outbound and the ALE accept layer for inbound that references the built-in WFP callout

  27. Secure Socket Architecture (diagram: in user mode, IPsec management, anti-virus, firewall and socket applications use the WFP APIs, the Secure Socket APIs, Winsock and the Base Filtering Engine with its Keying Module; in kernel mode, Winsock/WSK/TDI sit above the Filtering Engine's ALE, Stream, Transport and Network layers, the Callout APIs, IPsec and NDIS, with data logging, IDS and NAT callouts attached)

  28. Secure Socket APIs
  • Secure Socket applications can fall in the following buckets
    • P2P applications
    • VPN clients (L2TP/IPsec)
    • Line of Business applications
  • Winsock applications can directly call into the Secure Socket APIs to secure network connections
  • Secure Socket can be used for
    • Peer authentication (who the peer is)
    • Peer authorization (the peer has the right security tokens)
    • Packet encryption
    • Packet integrity protection
    • Other security features offered by IPsec

  29. Secure Socket Applications
  • Secure Sockets are easy to use
    • WSASetSockSecurity(..)
  • Applications using Secure Sockets can have either
    • Default policies applied
    • Specified policies applied
    • Group policies applied

  30. WFP Scenarios Snap Shot

  31. Call To Action
  • Use ALE layers to filter on control events
    • Using the data path can have a negative performance impact
  • Use sub-layers to avoid arbitration conflicts
  • Use an NDIS LWF for MAC/NetBIOS filtering

  32. WFP Partners
  The following companies have started building their internet security products on WFP:

  33. Resources
  • Join the WFP beta program
    • Go to http://beta.microsoft.com
    • Choose the Guest ID sign-up option
    • Enter the Guest ID: WFPBeta5
    • Fill out the WFP beta program sign-up survey
  • Contact for questions about the Windows Filtering Platform: wfp@microsoft.com
  • WFP development white paper
    • http://www.microsoft.com/whdc/device/network/WFP.mspx

  34. © 2006 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
