A brief introduction to the implementation technology of Windows software firewalls

Source: Internet
Author: User
Tags: filter, port number, firewall

Since the birth of the Windows software firewall, this class of security product has evolved and been upgraded continuously as the contest between hackers and the anti-hacking, anti-virus side has deepened. The earliest products were packet-filtering firewalls that inspected only a packet's source address, port number and raw contents; next came the ability to grant different applications different network access permissions; in recent years, led by ZoneAlarm and other well-known foreign brands, intelligent behaviour-monitoring firewalls capable of intercepting unknown attacks have become popular; and finally, because of the recent prevalence of spam plug-ins and rogue software, many firewalls are also considering adding the ability to block such rogue software themselves. In short, the Windows software firewall has developed from a simple tool that drops packets and blocks IP addresses and ports into today's powerful all-in-one security suite.

Next, this article gives a brief technical introduction to each of the components that a Windows software firewall should have.

Packet Filtering Technology

Packet filtering is the oldest feature, the one that even the most primitive firewalls possessed. Simple as it is, it is powerful, and to this day it remains an essential feature of any firewall.

To intercept a network packet before it reaches the application, a filter hook is installed somewhere in the system's network protocol stack. On the Windows NT family of kernels there are roughly the following places, from top to bottom, where such a hook can be installed: the SPI layer (Winsock service provider interface; used by the early Skynet firewall), the AFD layer (no information, no known examples), the TDI layer (many domestic firewalls) and the NDIS layer (ZoneAlarm, Outpost and others). The higher the layer, the easier the product is to develop, but the weaker its capabilities and the easier it is for an attacker to get around it: for example, a program that bypasses Winsock and talks to AFD directly, or that registers its own NDIS protocol driver, never passes through an SPI-layer hook at all. Because an NDIS-layer firewall is powerful and hard to bypass, the recent trend among the major firewall vendors is to do their packet filtering at the NDIS layer.

At present there are two popular NDIS hooking techniques. The first hooks the exported functions of Ndis.sys in order to intercept the registration of every NDIS protocol driver and, as each registration passes through, to replace that protocol's send (packet) handler and receive (packet) handler with the firewall's own. The drawback of this method is that it does not take effect immediately on first installation: only registrations made after the hook is in place are intercepted, so protocols that are already registered, TCP/IP included, are not filtered until a reboot lets the hook observe their registration, and a reboot is likewise needed to disable it.
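The following is an added example, not code from the article or from any of the firewalls it names. It is a hypothetical user-mode C model of the technique just described, combined with the header-level packet filter from the previous section: a stand-in for the Ndis.sys export `NdisRegisterProtocol` is swapped for a hooked version that registers a copy of each protocol's characteristics whose send and receive handlers point at the firewall, and the firewall's handlers parse the Ethernet/IPv4/TCP headers of each frame and drop those matching a source-network/destination-port rule. The structure, function and variable names (`proto_chars_t`, `ndis_indicate_receive`, `install_ndis_hook`, `scenario`, and so on) are assumptions made for the model, the frames are constructed sample input, and the model also reproduces the failure mode noted above: a protocol that registered before the hook was installed keeps its original handlers and is never filtered. On Windows Vista and later the supported way to do this is a Windows Filtering Platform callout or an NDIS 6 lightweight filter driver rather than patching Ndis.sys exports.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* ---- Stand-in for the NDIS side (hypothetical user-mode model) ------------ */

/* A protocol's receive/send handler. The binding index stands in for the
 * ProtocolBindingContext that real NDIS handlers receive as their first argument. */
typedef int (*ndis_handler_t)(int binding, const uint8_t *frame, size_t len);

typedef struct {                 /* stands in for NDIS_PROTOCOL_CHARACTERISTICS */
    const char    *name;
    ndis_handler_t ReceiveHandler;
    ndis_handler_t SendHandler;
} proto_chars_t;

#define MAX_PROTOS 4
static proto_chars_t g_protos[MAX_PROTOS];   /* stands in for NDIS's protocol list */
static int           g_nprotos;

static int ndis_register_protocol_impl(const proto_chars_t *c) {
    if (g_nprotos >= MAX_PROTOS) return -1;
    g_protos[g_nprotos] = *c;
    return g_nprotos++;                      /* binding index */
}
/* The "export": protocol drivers call through this pointer, so overwriting it
 * models patching the NdisRegisterProtocol entry in Ndis.sys's export table. */
static int (*NdisRegisterProtocol)(const proto_chars_t *) = ndis_register_protocol_impl;

/* Stack-side delivery: a frame arrives for, or is sent by, binding b. */
static int ndis_indicate_receive(int b, const uint8_t *f, size_t n) { return g_protos[b].ReceiveHandler(b, f, n); }
static int ndis_send(int b, const uint8_t *f, size_t n)             { return g_protos[b].SendHandler(b, f, n); }

/* ---- The firewall: one block rule plus the handler-replacing hook --------- */

typedef struct { uint32_t src_ip, src_mask; uint16_t dst_port; } rule_t;
static rule_t g_rule;                        /* block src_ip/src_mask -> dst_port */

/* Parse Ethernet/IPv4/TCP|UDP headers; return 1 if the frame matches g_rule. */
static int frame_matches_rule(const uint8_t *f, size_t n) {
    if (n < 34 || f[12] != 0x08 || f[13] != 0x00) return 0;          /* not IPv4 */
    const uint8_t *ip = f + 14;
    size_t ihl = (size_t)(ip[0] & 0x0f) * 4;
    if ((ip[0] >> 4) != 4 || ihl < 20 || n < 14 + ihl + 4) return 0;  /* bad/short header */
    if (ip[9] != 6 && ip[9] != 17) return 0;                         /* TCP or UDP only */
    uint32_t src = ((uint32_t)ip[12] << 24) | ((uint32_t)ip[13] << 16) |
                   ((uint32_t)ip[14] << 8)  |  (uint32_t)ip[15];
    const uint8_t *l4 = ip + ihl;
    uint16_t dport = (uint16_t)((l4[2] << 8) | l4[3]);
    return (src & g_rule.src_mask) == (g_rule.src_ip & g_rule.src_mask) && dport == g_rule.dst_port;
}

static ndis_handler_t g_orig_recv[MAX_PROTOS], g_orig_send[MAX_PROTOS];
static int g_dropped;

static int fw_receive(int b, const uint8_t *f, size_t n) {
    if (frame_matches_rule(f, n)) { g_dropped++; return 0; }         /* drop silently */
    return g_orig_recv[b](b, f, n);                                  /* pass to the real protocol */
}
static int fw_send(int b, const uint8_t *f, size_t n) {
    if (frame_matches_rule(f, n)) { g_dropped++; return 0; }
    return g_orig_send[b](b, f, n);
}

/* Replacement for the export: register a copy whose handlers point at the firewall. */
static int hooked_register_protocol(const proto_chars_t *c) {
    proto_chars_t wrapped = *c;
    wrapped.ReceiveHandler = fw_receive;
    wrapped.SendHandler    = fw_send;
    int b = ndis_register_protocol_impl(&wrapped);
    if (b >= 0) { g_orig_recv[b] = c->ReceiveHandler; g_orig_send[b] = c->SendHandler; }
    return b;
}
static void install_ndis_hook(void) { NdisRegisterProtocol = hooked_register_protocol; }

/* ---- Demo ------------------------------------------------------------------ */

static int g_passed;
static int proto_handler(int b, const uint8_t *f, size_t n) { (void)b; (void)f; (void)n; return ++g_passed; }

/* Constructed Ethernet+IPv4+TCP SYN frame (no checksums; sample input only). */
static size_t build_frame(uint8_t *buf, uint32_t src, uint16_t dport) {
    memset(buf, 0, 54);
    buf[12] = 0x08; buf[13] = 0x00;                                  /* EtherType IPv4 */
    uint8_t *ip = buf + 14;
    ip[0] = 0x45; ip[3] = 40; ip[8] = 64; ip[9] = 6;                  /* IHL 5, len 40, TTL 64, TCP */
    ip[12] = (uint8_t)(src >> 24); ip[13] = (uint8_t)(src >> 16);
    ip[14] = (uint8_t)(src >> 8);  ip[15] = (uint8_t)src;
    ip[16] = 192; ip[17] = 168; ip[18] = 1; ip[19] = 10;             /* dst 192.168.1.10 */
    uint8_t *tcp = ip + 20;
    tcp[0] = 0xC0; tcp[1] = 0x00;                                    /* sport 49152 */
    tcp[2] = (uint8_t)(dport >> 8); tcp[3] = (uint8_t)dport;
    tcp[12] = 0x50; tcp[13] = 0x02;                                  /* data offset 5, SYN */
    return 54;
}

/* Register one protocol before or after the hook, then push two frames through
 * it: one matching the block rule (10.0.0.0/24 -> 445) and one outside the /24.
 * Returns how many of the two frames the protocol actually saw. */
int scenario(int register_before_hook) {
    g_nprotos = 0; g_passed = 0; g_dropped = 0;
    NdisRegisterProtocol = ndis_register_protocol_impl;
    g_rule.src_ip = 0x0A000005u; g_rule.src_mask = 0xFFFFFF00u; g_rule.dst_port = 445;

    proto_chars_t tcpip = { "TCPIP", proto_handler, proto_handler };
    int b;
    if (register_before_hook) { b = NdisRegisterProtocol(&tcpip); install_ndis_hook(); }
    else                      { install_ndis_hook(); b = NdisRegisterProtocol(&tcpip); }

    uint8_t f[54];
    size_t n = build_frame(f, 0x0A000005u, 445);   /* 10.0.0.5 -> :445, inside the rule */
    ndis_indicate_receive(b, f, n);
    n = build_frame(f, 0x0A000105u, 445);          /* 10.0.1.5 -> :445, outside the /24 */
    ndis_send(b, f, n);
    return g_passed;
}
int dropped_count(void) { return g_dropped; }

int main(void) {
    printf("registered before hook: %d of 2 frames delivered\n", scenario(1));
    printf("registered after hook:  %d of 2 frames delivered\n", scenario(0));
    return 0;
}
```

`scenario(1)` shows the caveat from the text: the protocol registered before the hook keeps its own handlers, so both frames reach it and the rule never fires; `scenario(0)` shows the hook working, with the 10.0.0.5 frame dropped and the 10.0.1.5 frame passed. Note that the filter parses only the headers it needs and rejects anything short or non-IPv4 before touching offsets; a real driver must be equally careful, since the frame comes from the wire.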


