Analyzing the Technical Route of a Personal Firewall under Windows

Source: Internet
Author: User

Alongside data encryption and digital signatures, firewall technology is another core area of network security. Implementing a personal firewall system on the Windows platform requires a good grasp of several unusual low-level interfaces and network protocols of Windows network programming. In addition, many of the software techniques used to implement a personal firewall are essentially the same in principle as those used in enterprise network firewalls and hardware firewalls. Research on personal firewall systems can therefore greatly advance network security technology and train skilled engineers, which gives it real engineering significance.

Foreign vendors have developed rapidly in this field. In China the main products are the Skynet firewall and the personal firewalls of several developers who previously built antivirus software, such as the KV, KILL, and Kingsoft series, which are not inferior to well-known foreign brands in practical terms. Because the network security field involves many trade secrets, the technical implementation details of commercial personal firewalls are not available.

1. Personal Firewall Function Analysis

(1) Real-time monitoring: filters inbound and outbound network packets according to security rules;

(2) Alarms: alerts the user when an attack is detected;

(3) Logging: records detailed information about every network access;

(4) Email monitoring: filters email according to user-defined filtering rules;

(5) Intrusion detection based on a signature database;

(6) Online upgrade of the signature database;

(7) Integration of anti-virus software and the personal firewall.

Looking at these functions more closely, many of them do not fall entirely within the scope of firewall technology, for example intrusion detection, anti-virus, and email monitoring, while online upgrading is merely a technical support measure. Intrusion detection is a complex technique with many possible implementations. The most common approach borrows the working principle of anti-virus software: an intrusion signature database is defined, and packet filtering is used to intercept intrusions by comparing captured packets against that database. The difficulty lies in refining the signature database and making it self-learning (building and training the database is not part of this project), but the essence is still packet filtering.

Intrusion detection and the various rule filters (including application rules and email rules) are all built on packet interception and analysis: network packets are intercepted at some layer of the network architecture, analyzed, and then allowed or blocked according to user-defined control rules. The core of firewall software is therefore packet interception, that is, capturing and analyzing the packets flowing through the network, with control rules deciding whether inbound and outbound traffic is permitted or prohibited. A personal firewall system should therefore have the following features:

(1) Filtering and checking the network activity of applications according to application access control rules;

(2) Self-learning of application access control rules;

(3) Real-time monitoring of network activity;

(4) Logs that record detailed information about network access actions;

(5) Alerting the user through sound or a blinking icon when traffic is intercepted.

Of these, (1) is the basic function of a personal firewall, (4) and (5) are practical auxiliary functions, and (2) is the most demanding: the personal firewall must have a certain degree of learning capability so that it can decide whether to allow or deny an access when no control rule fully matches it.
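The following is an added example, not code from the original article, showing how features (1) to (5) fit together in a user-mode rule engine: first-match evaluation of application access control rules, a detailed access log, an alarm list for intercepted events, and the self-learning step that asks the user when no rule fully matches and remembers the answer as a new process-specific rule. The event record, rule layout and policy are constructed for illustration.

```python
import ipaddress
from collections import namedtuple
from dataclasses import dataclass
# One access as a user-mode SPI hook sees it (constructed): the calling process is known, unlike at the NDIS layer.
NetEvent = namedtuple("NetEvent", "process direction proto remote_ip remote_port")

@dataclass
class Rule:
    process: "str | None"             # None matches any process
    direction: "str | None"           # "out" / "in"
    proto: "str | None"               # "tcp" / "udp"
    remote_net: "str | None"          # CIDR; None matches any address
    ports: "tuple[int, int] | None"   # inclusive (low, high); None matches any port
    action: str                       # "allow" or "deny"

    def matches(self, ev) -> bool:
        return ((self.process is None or self.process.lower() == ev.process.lower())
                and (self.direction is None or self.direction == ev.direction)
                and (self.proto is None or self.proto == ev.proto)
                and (self.remote_net is None or
                     ipaddress.ip_address(ev.remote_ip) in ipaddress.ip_network(self.remote_net))
                and (self.ports is None or self.ports[0] <= ev.remote_port <= self.ports[1]))

# Constructed policy: deny unsolicited inbound, let the browser open HTTPS anywhere; the rest is asked and learned.
DEFAULT_RULES = [
    Rule(None, "in", None, None, None, "deny"),
    Rule("browser.exe", "out", "tcp", None, (443, 443), "allow"),
]

class Firewall:
    """First-match evaluation with logging, alarms and rule self-learning."""
    def __init__(self, rules, ask_user):
        self.rules = list(rules)
        self.ask_user = ask_user   # callback(NetEvent) -> "allow" | "deny", i.e. the user prompt
        self.log = []              # (event, action, origin) for every access
        self.alarms = []           # intercepted events the UI should alert on

    def decide(self, ev) -> str:
        for rule in self.rules:
            if rule.matches(ev):
                action, origin = rule.action, "rule"
                break
        else:   # no rule fully covers this event: ask, then learn a process-specific rule
            action, origin = self.ask_user(ev), "learned"
            self.rules.append(Rule(ev.process, ev.direction, ev.proto, str(ipaddress.ip_network(ev.remote_ip)),
                                   (ev.remote_port, ev.remote_port), action))
        self.log.append((ev, action, origin))
        if action == "deny":
            self.alarms.append(ev)
        return action
```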

2. Windows Network Architecture Analysis

The OSI reference model (OSI/RM) was the first reference model for network architecture published by ISO. It introduced the ideas of protocol layering and peer-to-peer communication between corresponding layers, and it has become the standard vocabulary for describing and understanding network protocols and communication processes. This section describes the network architecture of the Windows operating system as accurately as possible in terms of the OSI reference model, and then analyzes the layers at which packets can be intercepted and the methods available for doing so.

Comparing the OSI seven-layer reference model with the layered structure of Windows network drivers shows that packet interception can take place anywhere from the data link layer, where the NIC driver sits, up to the application layer. This is the basic idea behind intercepting network packets. At the various protocol layers of Windows, Microsoft provides either open standards or unconventional hooks that let developers insert a layer of their own, so these specifications or hooks can be used to intercept packets at the inserted layer.

User-mode packet interception refers to interception at the session and presentation layers, either through the Winsock SPI (Service Provider Interface) or by directly replacing the Winsock dynamic link library that ships with the system. Note that Winsock SPI programming here does not mean ordinary socket programming with the Winsock API on Windows. A further difficulty is the analysis of the various network protocols; packet-capture tools such as the well-known Sniffer can be used to study the TCP/IP protocol family.

Operations at the TDI layer and below must use the interfaces and development specifications provided for those layers, and they run in the protected kernel mode of the operating system. Kernel-mode interception relies on the Windows DDK (Device Development Kit), TDI (Transport Driver Interface) filter drivers, and the NDIS (Network Driver Interface Specification) interfaces. The DDK is the Windows driver development kit; studying the simple samples shipped with the Windows NT DDK is a good way to find a solution.

In kernel mode, consider the lowest layer first. From the network architecture perspective, packets could be intercepted at the data link layer, where the NIC driver sits. However, the firewall needs the IP address, protocol and service type, and application information from the intercepted packets, and interception at the network layer is already sufficient to obtain that information; capturing and analyzing the NIC's MAC frames is unnecessary. In addition, interception at the NIC level would have to adapt to a wide variety of NIC hardware, which amounts to developing a NIC driver and does not fit the development goal of a firewall system.

Working from the top down, the remaining kernel-mode options are a filter driver at the TDI layer or an NDIS intermediate driver at the network layer. The former follows the TDI interface specification and the latter the NDIS interface specification. Either way, the kernel-mode approach means developing a driver, but a software driver rather than a hardware driver that deals directly with the hardware.

In 1989, Microsoft and 3Com developed NDIS, a set of standards for writing low-level drivers under Windows. NDIS is the interface specification for developing network protocol drivers and NIC drivers, and all network communication eventually passes through it. NDIS provides a standard set of interfaces for network driver development; it spans three layers of the OSI model (data link, network, and transport), which makes network drivers more portable. NDIS provides the following interfaces:

① NDIS Miniport driver. It exposes the Miniport interface for calls from upper-layer drivers; a NIC driver is implemented as a Miniport driver;

② Intermediate driver, which has both a Miniport interface and a Protocol interface so that it can communicate with the protocol driver above it and the Miniport driver below it;

③ Protocol driver, for example the transport driver tcpip.sys.

3. Technical Route Selection

The job of a personal firewall is to monitor inbound and outbound data streams and to block or watch traffic that the user considers dangerous or harmful. Its core function is to monitor, analyze, and filter network packets. At the lowest level, an NDIS intermediate driver inserts a layer between the NIC driver and the transport driver, so it can intercept packets at a very low layer (the only lower option is interception at the NIC driver itself, which the previous section showed to be of no value). No network packet can bypass this point, so its greatest advantage is a high level of security. It should be pointed out, however, that network operations at the NDIS layer do not use the standard Windows I/O model (IRPs), so it is hard to determine which process caused a given network operation. The user cannot see which process the traffic belongs to, and it is difficult for the user to define packet filtering rules. This is a significant shortcoming. In addition, the closer a component is to the underlying driver, the harder it is to guarantee portability and robustness, and the coding complexity is also a disadvantage.

A TDI filter driver uses the standard Windows I/O request model (IRPs), so it does not share the NDIS intermediate driver's inability to obtain process information. However, because it sits above the transport driver tcpip.sys, packets that tcpip.sys processes directly are never passed up to the TDI filter driver; ICMP reply packets are one example, and ping and tracert use ICMP to test reachability and trace routes. Both the NDIS intermediate driver and the TDI filter driver are available only on 32-bit Windows platforms: the whole NDIS specification and the TDI concept were developed on the Windows NT platform and carried forward to Windows 2000 and Windows XP, but Windows 98 and Windows Me do not support them. Therefore, if the goal is a personal firewall for the common Windows platforms, neither of these two approaches is suitable.

The user-mode SPI approach uses a monitoring DLL to hook the Winsock calls through which network communication takes place. It works above the TDI clients and beneath every user process, so it sees exactly which network requests the user process issues and what it intends, before the data is broken into lower-level segments (IP fragments). This gives a more intuitive view of user process behavior and makes it well suited to content filtering. The Winsock calls it intercepts are supported by every Windows platform, the programming is relatively simple, and the approach is portable. Its biggest drawback is that some network programs use the routines of the TDI interface directly to send and receive data, and user-mode packet interception is powerless against such programs. Also, as with the TDI method, packets that tcpip.sys handles itself after receiving them, such as the ICMP packets used by ping and tracert to test reachability, are never seen; because the hook sits above TDI, user-mode packet interception cannot prevent this bypass.
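An added example (not code from the original article) that makes the two visibility differences discussed in sections 2 and 3 concrete. It parses two constructed Ethernet frames the way an NDIS intermediate driver sees traffic between the NIC driver and tcpip.sys: the IP address, protocol and ports are recoverable from the frame, but nothing in it identifies the sending process; and the ICMP echo request is visible here even though, as the text explains, tcpip.sys answers such packets itself and a TDI or SPI hook never sees them. The frame bytes and the parse_frame function are constructed for illustration.

```python
import struct
import ipaddress

# Constructed Ethernet II frames (dst MAC, src MAC, EtherType 0x0800); IP/TCP checksums left zero.
TCP_SYN_FRAME = bytes.fromhex(
    "001122334455" "66778899aabb" "0800"
    "4500" "0028" "0001" "4000" "40" "06" "0000" "c0a80164" "cb00710a"   # IPv4, proto 6, 192.168.1.100 -> 203.0.113.10
    "c350" "0050" "00000001" "00000000" "5002" "ffff" "0000" "0000"      # TCP 50000 -> 80, SYN
)
ICMP_ECHO_FRAME = bytes.fromhex(
    "001122334455" "66778899aabb" "0800"
    "4500" "001c" "0002" "0000" "40" "01" "0000" "c0a80164" "cb00710a"   # IPv4, proto 1
    "0800" "0000" "0001" "0001"                                          # ICMP echo request, id 1, seq 1
)
PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}

def parse_frame(frame: bytes):
    """Return the fields a network-layer (NDIS) hook can see, or None if the frame is not IPv4."""
    if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != 0x0800:
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4                     # IPv4 header length in bytes
    total_len = struct.unpack("!H", ip[2:4])[0]
    proto = ip[9]
    info = {
        "src": str(ipaddress.ip_address(ip[12:16])),
        "dst": str(ipaddress.ip_address(ip[16:20])),
        "proto": PROTO_NAMES.get(proto, str(proto)),
        "process": None,   # the frame carries no hint of which process generated it
    }
    l4 = ip[ihl:total_len]                       # transport header and payload
    if proto in (6, 17) and len(l4) >= 4:
        info["sport"], info["dport"] = struct.unpack("!HH", l4[:4])
    if proto == 6 and len(l4) >= 14:
        info["flags"] = l4[13]                   # TCP flag byte (0x02 = SYN)
    if proto == 1 and len(l4) >= 2:
        info["icmp_type"] = l4[0]                # 8 = echo request, 0 = echo reply
    return info
```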

Taking the project objectives into account, the personal firewall system for the Windows platform is developed using SPI packet filtering alone. The system should also record in detail the network access information of every process. Because the application layer intercepts the packets sent by an application process at the earliest possible point, it obtains the most complete information about what the process sends and receives, so a personal firewall built this way can record the richest network access information. From this angle too, SPI packet filtering is the technique to use when the most detailed per-process network access records are required.

4. Conclusion

The core of a personal firewall is packet filtering. This paper analyzes the functions of a personal firewall, compares the OSI seven-layer reference model with the layered structure of Windows network drivers, and examines in detail the possible technical routes for filtering network packets. Based on the project objectives, it reaches the preliminary conclusion that SPI should be used for packet interception and filtering. SPI interception obtains the richest information about process network access, which is especially helpful when users define and adjust access control rules. SPI also has its own defect, namely that packets may be "bypassed". Looking ahead, combining several packet filtering techniques in personal firewall development is likely to become the trend.
