Thursday, January 22, 2009

Personal Firewall Development

I have been looking into "Personal Firewall" development techniques over the last couple of days out of personal interest. Despite the scarcity of documentation on the subject, there are several methods available for implementing personal firewalls. Unfortunately, what I found was that only a very few of them are actually suitable: most of the articles and samples available are not really meant for serious product development.

First of all, I should say that I'm not an expert on "Windows network architecture", but let me try to explain the subject in simple terms, as it is really interesting to study. The following diagram summarizes the layers (pale blue) and extension points (dark blue) of the Windows network stack.

One of the primary functions of a firewall is to control network traffic by packet filtering (blocking ports, etc.). In order to do this, the firewall has to intercept the network stack at some point. The important question is: "what is the best place to do this?"

 - Any intercept in user mode (e.g. a Winsock LSP) is useless, because malware can easily bypass user mode by operating in kernel mode. The Windows 2000 packet filtering API is another user mode alternative, but with the same limitations (sample implementation).

 - In kernel mode, a popular model is to plug into the TDI layer, but this is still too high in the stack. Malware can bypass the TCP layer and access the NDIS layer directly if it wishes. Also, with this approach your TCP layer is open to an attacker coming from outside. Despite these facts, several commercial firewall products seem to use this method for their packet filtering.

 - The Windows TCP layer provides an extension called the 'Firewall hook driver'. But according to the MSDN documentation, the 'firewall hook driver' has some severe limitations. Apparently, Microsoft has gone against its own recommendation and used it for its own Windows Firewall. You can find a sample implementation here.

 - Another extension point of the TCP layer is the 'Filter hook driver'. Filter hook drivers are also not recommended by Microsoft, due to the limitation that only a single application can use this extension on a machine. A sample implementation is found here.

With all the above considerations, the NDIS layer stays as the only sustainable alternative for a commercial grade firewall. One model is to develop an NDIS intermediate driver, which is the method recommended by Microsoft. But due to various compatibility and stability issues, most vendors have taken a different approach for their products: rather than developing an intermediate driver, they override some of the NDIS functions to point at their own custom functions. This approach is called NDIS hooking and is mostly undocumented. Despite the lack of documentation, NDIS hooking seems to remain the most favored model for developing commercial grade firewalls. As no Microsoft-provided API is available, this method is sensitive to OS changes. A good discussion thread comparing the two methods can be found here.

What we have discussed up to now is the implementation details of just one feature (packet filtering) of a firewall. There are many other features that cannot be done by tapping into NDIS alone, but require tapping at upper levels as well.
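As an added illustration (not code from this post or from any product mentioned in it), here is the verdict logic that a packet filter hooked at the IP layer, such as a filter-hook or firewall-hook driver, has to perform on every raw IPv4 packet it is handed. It is plain user-mode C: the blocklist, the sample packet and all function names are constructed assumptions, and the point is that anything the filter cannot parse safely (truncated headers, non-first fragments without a TCP header) is dropped rather than passed.

```c
/* Added example (not code from this post): the per-packet verdict logic a hook at the
 * IP layer must implement. Names, policy and the sample packet are constructed. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>

enum verdict { VERDICT_PASS = 0, VERDICT_DROP = 1 };
static const uint16_t blocked_tcp_ports[] = { 135, 139, 445 }; /* constructed policy */

static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Verdict for a raw IPv4 packet. Unparseable input is dropped, not passed. */
enum verdict filter_verdict(const uint8_t *pkt, size_t len)
{
    if (len < 20 || (pkt[0] >> 4) != 4) return VERDICT_DROP;   /* not IPv4 */
    size_t ihl = (size_t)(pkt[0] & 0x0f) * 4;                   /* header length */
    if (ihl < 20 || ihl > len) return VERDICT_DROP;             /* bad IHL */
    uint16_t total = be16(pkt + 2);
    if (total < ihl || total > len) return VERDICT_DROP;        /* truncated */
    if (pkt[9] != 6) return VERDICT_PASS;                       /* not TCP: out of scope */
    if ((be16(pkt + 6) & 0x1fff) != 0) return VERDICT_DROP;     /* later fragment: no ports */
    if (len < ihl + 4) return VERDICT_DROP;                     /* TCP ports missing */
    uint16_t dport = be16(pkt + ihl + 2);
    for (size_t i = 0; i < sizeof blocked_tcp_ports / sizeof blocked_tcp_ports[0]; i++)
        if (dport == blocked_tcp_ports[i]) return VERDICT_DROP;
    return VERDICT_PASS;
}

/* Build a constructed 40-byte IPv4+TCP SYN to the given destination port. */
size_t build_tcp_syn(uint8_t *buf, size_t cap, uint16_t dport)
{
    if (cap < 40) return 0;
    memset(buf, 0, 40);
    buf[0] = 0x45; buf[3] = 40; buf[8] = 64; buf[9] = 6;       /* v4/IHL 5, len, TTL, TCP */
    memcpy(buf + 12, "\xc0\xa8\x01\x0a", 4);                   /* src 192.168.1.10 */
    memcpy(buf + 16, "\xc0\xa8\x01\x14", 4);                   /* dst 192.168.1.20 */
    buf[20] = 0x04; buf[21] = 0xd2;                            /* sport 1234 */
    buf[22] = (uint8_t)(dport >> 8); buf[23] = (uint8_t)dport;
    buf[32] = 0x50; buf[33] = 0x02;                            /* data offset 5, SYN */
    return 40;
}

enum verdict verdict_for_port(uint16_t dport)   /* verdict for a SYN to dport */
{
    uint8_t pkt[64];
    return filter_verdict(pkt, build_tcp_syn(pkt, sizeof pkt, dport));
}
```

A real hook callback would receive the packet bytes from the stack instead of `build_tcp_syn`, but the parsing and the fail-closed checks are the same.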

One thing I have noted is that there is very little information available on the net on this subject, and what is available is hard to find. I hope you have learnt something by reading this post!

Some Interesting Reads:
Windows Network Architecture
NDIS hooking sample
Article on firewall Development
Firewall-hook driver
Alternative model in Vista
Design of an ideal firewall

student said...

a computer science developing a personal you have any suggestion on what kind of language can be used to develop a firewall?

Hasith Yaggahavita said...

C/C++ is the language for any commercial grade firewall (for best performance and OS kernel access).