Using packet filtering technology to implement a personal firewall

Source: Internet
Author: User
Wang Yongbiao, Xu Kaisheng
Abstract: This article describes how to use packet filtering technology to implement a personal firewall, analyzes the various technologies used in personal firewalls, and focuses on capturing network packets with a Microsoft NDIS intermediate driver and on the communication method between the driver and the application.

Keywords: packet filtering technology; NDIS intermediate driver

With the rapid development of the network, all kinds of network software have emerged, and people's lives and studies depend more and more on the network. Problems come with it: websites are attacked, viruses spread, and personal information is stolen, which raises the question: is the network secure? The firewall is the umbrella of the network, and there are many kinds of firewalls. This article describes the packet filtering technology used to implement a personal firewall, so that the reader gains a better understanding of firewalls.

1. Introduction to firewalls and packet filtering technology

A firewall is a device used for access control between two networks; a firewall system defends against threats to network security that come from outside the protected network. It detects, limits, and modifies the data streams that cross the firewall, providing security protection against the external network as far as possible. Packet filtering is the most basic implementation technology of firewalls. A device with packet filtering technology is used to control inbound and outbound network data, and most packet filtering implementations work on the TCP/IP protocol platform. Each packet in the data stream is checked against its source address, destination address, TCP and IP port numbers, and other TCP state to decide whether the packet is allowed to pass.

2. Intercepting network packets

Intercepting packets is the first step in implementing a firewall.
There are many ways to intercept packets: they can be intercepted in user mode or in kernel mode. In user mode there are several methods: (1) a Winsock Layered Service Provider (LSP); (2) the Windows 2000 packet filtering interface; (3) replacing the Winsock dynamic link library that ships with the system. Clearly, packets can be intercepted easily in user mode, but the fatal drawback is that they can only be intercepted at the Winsock level; packets of the lower-layer protocols in the network protocol stack cannot be processed, so some Trojans and viruses can easily bypass a firewall at this layer. Therefore, most personal firewalls use a network driver, for example an intermediate-layer driver, to intercept packets. The intermediate-layer driver sits between the protocol driver and the miniport driver and can intercept all network packets (for Ethernet, the Ethernet frames). The NDIS intermediate driver is widely used, not only for personal firewalls but also for VPN, NAT, PPP over Ethernet, and VLAN. The intermediate-driver concept only became available with Windows NT SP4, so Windows 9x cannot use the intermediate-driver function directly. The Windows DDK provides two well-known intermediate driver samples: passthru and MUX. Developers can build on passthru, while MUX implements VLAN functionality. Currently this technology is rarely used in personal firewall products, mainly because installing the intermediate driver is too complex, especially on Windows NT. On Windows 2000 a program can install the driver automatically, but if the driver is not digitally signed, the system prompts the user whether to continue the installation.
The powerful intermediate-layer driver should be the future direction of personal firewall technology, especially for implementing additional functions.
Figure 1. NDIS driver model

3. Communication between the driver and the application

When the driver intercepts a network packet, it must communicate with the application and notify it to judge the packet: if a filtering rule is met, the packet is accepted; otherwise the packet is discarded. The procedure is roughly as follows:
(1) The application creates an event.
(2) The application opens a driver instance through CreateFile.
(3) The application passes the event handle to the driver.
(4) The driver receives the event handle in its device control dispatch function.
(5) The application sends the messages that control the driver through DeviceIoControl.
(6) The driver obtains the messages sent by the application through its dispatch routine and performs different services according to the message type.
(7) The driver puts the result data in the shared memory and sets the event to notify the application that the request has been completed.
(8) The application learns of the completion through WaitForSingleObject.
(9) The application reads the data from the shared memory area and resets the event.
Figure 2. Driver-application communication model

4. Filter rule settings
The packet filtering rule set of the firewall is composed of several rules. It should cover the handling of all packets entering and leaving the firewall, and there should be a default action for packets that no rule explicitly covers; filter rules should be easy to understand, edit, and modify; and a consistency check mechanism should be in place to prevent conflicting rules.

IP packet filtering is mainly based on the IP header information, such as the source address and destination address. If the protocol field in the IP header indicates that the encapsulated protocol is ICMP, TCP, or UDP, filtering is also based on the ICMP header information (type and code values), the TCP header information (source port and destination port), or the UDP header information (source port and destination port); MAC addresses can be filtered as well.

Application-layer protocol filtering requirements mainly include FTP filtering, filtering of RPC-based application services, filtering of UDP-based application services, and dynamic packet filtering technology.

In general, access rules can be set from the following aspects: (1) prohibit all source-routed IP packets from passing through; (2) the source and destination addresses of the IP packet; (3) the source and destination ports of TCP and UDP inside the IP packet; (4) the protocol carried; (5) the IP options of the packet.
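As an added example (not code from the article), the following C program does what sections 2 and 4 describe in one place: it decodes a captured Ethernet frame down to the IPv4 addresses and TCP/UDP ports and evaluates it against the three rules of the Figure 3 table (read as inbound, inbound, outbound), with a configurable default action for packets no rule covers. The frame bytes, the local address 192.168.1.10, and the helper names are constructed for illustration.

```c
/* Added example (not the article's code): evaluate captured Ethernet frames against
 * a Figure 3 style rule table. Frame contents and the local address are constructed. */
#include <stdint.h>
#include <string.h>
enum { ALLOW = 0, REJECT = 1, INQUIRY = 2 }; enum { DIR_IN = 0, DIR_OUT = 1 };
typedef struct { int action, proto, dir; uint32_t remote_ip; uint16_t port; } Rule;
#define IP4(a, b, c, d) ((uint32_t)(a) << 24 | (uint32_t)(b) << 16 | (uint32_t)(c) << 8 | (uint32_t)(d))
/* The three rules of Figure 3; proto 0 stands for "IP" (any protocol), port 0 for any port. */
static const Rule rules[] = {
    { ALLOW,   0, DIR_IN,  IP4(202, 114, 165, 240), 8080 },
    { INQUIRY, 6, DIR_IN,  IP4(202, 114, 165, 192), 1080 },
    { REJECT,  0, DIR_OUT, IP4(202, 114, 204, 153),   80 },
};
#define NRULES ((int)(sizeof rules / sizeof rules[0]))
static uint32_t rd32(const uint8_t *p) { return (uint32_t)p[0] << 24 | p[1] << 16 | p[2] << 8 | p[3]; }
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] << 8 | p[1]); }
/* Decode Ethernet -> IPv4 -> TCP/UDP ports and apply the first matching rule.
 * Anything that matches no rule gets 'dflt': the "pass without prohibition" weakness the
 * article warns about is exactly dflt == ALLOW, so a safe table uses REJECT as default. */
int filter_frame(const uint8_t *f, size_t len, int dir, int dflt)
{
    if (len < 34 || rd16(f + 12) != 0x0800) return dflt;          /* not an IPv4 frame */
    const uint8_t *ip = f + 14;
    size_t ihl = (size_t)(ip[0] & 0x0f) * 4;                      /* IP header length */
    if ((ip[0] >> 4) != 4 || ihl < 20 || len < 14 + ihl + 4) return dflt;
    int proto = ip[9];
    uint32_t remote = rd32(dir == DIR_OUT ? ip + 16 : ip + 12);   /* peer address */
    uint16_t port = 0;                                            /* peer port    */
    if (proto == 6 || proto == 17)                /* TCP/UDP: ports follow the IP header */
        port = rd16(dir == DIR_OUT ? ip + ihl + 2 : ip + ihl);
    for (int i = 0; i < NRULES; i++) {            /* first matching rule decides */
        const Rule *r = &rules[i];
        if (r->dir == dir && (r->proto == 0 || r->proto == proto) &&
            r->remote_ip == remote && (r->port == 0 || r->port == port))
            return r->action;
    }
    return dflt;
}
/* Build a minimal 54-byte Ethernet/IPv4 frame carrying L4 ports (constructed test input). */
size_t make_frame(uint8_t *f, int proto, uint32_t src, uint32_t dst, uint16_t sport, uint16_t dport)
{
    memset(f, 0, 54);
    f[12] = 0x08; f[13] = 0x00;                   /* EtherType IPv4 */
    f[14] = 0x45; f[23] = (uint8_t)proto;         /* version 4, IHL 5; protocol field */
    for (int i = 0; i < 4; i++) { f[26 + i] = (uint8_t)(src >> (24 - 8 * i)); f[30 + i] = (uint8_t)(dst >> (24 - 8 * i)); }
    f[34] = (uint8_t)(sport >> 8); f[35] = (uint8_t)sport; f[36] = (uint8_t)(dport >> 8); f[37] = (uint8_t)dport;
    return 54;
}
```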
Action   Protocol  Direction  Access time    Remote IP address  Port  Application  Remarks
Allow    IP        Inbound    Working hours  202.114.165.240    8080  IE
Inquiry  TCP       Inbound    Working hours  202.114.165.192    1080  IE
Reject   IP        Outbound   Working hours  202.114.204.153    80    IE
Figure 3. A typical rule table

5. Logging and alarming
Complete log processing: the firewall's log service should provide management and storage of the log information for packets that match the rules.
Automatic log scanning: whether the firewall has an automatic log analysis and scanning function, which can produce more detailed statistical results for analyzing the logs after the event and remedying the problem.
Automatic reports and log report writer: an output method implemented by the firewall that provides automatic report and log report functions.
 
Action  Start time-End time  Protocol  Inbound traffic  Outbound traffic  Local IP:Port-Remote IP:Port           Application  Remarks
Allow   PM-PM                TCP       200              400               202.114.165.240:80-202.114.165.225:80  IE
Allow   PM-PM                IP        250              100               202.114.165.240:80-202.114.165.193:80  IE
Figure 4. A typical log record table
Warning and notification mechanism: the firewall should provide an alarm mechanism that notifies the administrator to take the necessary measures when it detects a network intrusion or abnormal operation of the equipment, including notification by email, pager, and mobile phone.
Brief reports (by user ID or IP address): an output method of the firewall that provides classified reports as required.
Real-time statistics: an output method implemented by the firewall; the intelligent statistical results obtained from log analysis are generally displayed as charts.
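As an added example (not code from the article), the following C program parses log lines laid out as in the Figure 4 table, aggregates traffic per remote IP address for the brief report described above, and raises the alarm when a remote host accumulates a configurable number of rejected packets. The log lines, times, and byte counts are constructed; malformed lines are skipped rather than counted.

```c
/* Added example (not the article's code): a brief report per remote IP address and
 * a reject-count alarm computed from log lines in the Figure 4 layout. */
#include <stdio.h>
#include <string.h>
typedef struct { char ip[16]; long in_bytes, out_bytes; int rejects; } HostStat;
/* Constructed sample log (times and byte counts made up). Columns follow Figure 4:
 * Action Start-End Protocol InBytes OutBytes LocalIP:Port-RemoteIP:Port Application */
static const char *sample_log[] = {
    "Allow 13:00-13:05 TCP 200 400 202.114.165.240:80-202.114.165.225:80 IE",
    "Allow 13:05-13:06 IP 250 100 202.114.165.240:80-202.114.165.193:80 IE",
    "Reject 13:06-13:06 TCP 0 60 202.114.165.240:1234-202.114.204.153:80 IE",
    "Reject 13:06-13:07 TCP 0 60 202.114.165.240:1235-202.114.204.153:80 IE",
    "Reject 13:07-13:07 UDP 0 90 202.114.165.240:2000-202.114.204.153:53 IE",
    "garbage line that does not follow the layout",
};
#define NLOG ((int)(sizeof sample_log / sizeof sample_log[0]))
/* Parse one log line; returns 1 on success, 0 when the layout does not match. */
int parse_log_line(const char *line, char action[8], long *in, long *out, char remote[16])
{
    char span[16], proto[8], local[24], app[16]; unsigned short rport;
    return sscanf(line, "%7s %15s %7s %ld %ld %23[^-]-%15[^:]:%hu %15s",
                  action, span, proto, in, out, local, remote, &rport, app) == 9;
}
/* Aggregate per remote IP in first-seen order; returns the host count, or -1 if 'cap' is too small. */
int summarize(const char **lines, int n, HostStat *hs, int cap)
{
    int nh = 0;
    for (int i = 0; i < n; i++) {
        char action[8], remote[16]; long in, out;
        if (!parse_log_line(lines[i], action, &in, &out, remote)) continue; /* skip malformed lines */
        int k = 0;
        while (k < nh && strcmp(hs[k].ip, remote) != 0) k++;
        if (k == nh) {                                   /* first time this host is seen */
            if (nh == cap) return -1;
            memset(&hs[nh], 0, sizeof hs[nh]); strcpy(hs[nh].ip, remote); nh++;
        }
        hs[k].in_bytes += in; hs[k].out_bytes += out;
        if (strcmp(action, "Reject") == 0) hs[k].rejects++;
    }
    return nh;
}
/* Alarm rule: flag every remote host whose rejected packets reach 'threshold';
 * returns how many hosts the administrator would be notified about. */
int alarm_hosts(const HostStat *hs, int nh, int threshold)
{
    int flagged = 0;
    for (int i = 0; i < nh; i++)
        if (hs[i].rejects >= threshold) { printf("ALARM %s: %d rejects\n", hs[i].ip, hs[i].rejects); flagged++; }
    return flagged;
}
```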
Packet filtering technology makes firewalls easy to implement and provides good network security protection, but it also has some shortcomings. Because packet filtering does not know the user name, only the IP address of the client, it cannot be used to filter by user name. In addition, because packet filtering follows the rule of "pass unless prohibited", some packets that are not explicitly prohibited are allowed in and out and may pose a security threat to the network. In the future, firewall development will move towards simplicity and security. Combining packet filtering with application proxy functions can effectively unite the strengths of both; with the design of new encryption algorithms, data transmission becomes more secure; and the firewall will work with IDS, virus detection, and other related security products, each playing to its strengths, to establish an effective security defense system together.
