Editor's note: In contrast to traditional packet-filtering firewall technology, this paper examines the use of the WinSock2 SPI for network content access control from the standpoint of Application Layer Gateway technology. This is a new aspect of network security, and it offers a new approach for enthusiasts and developers of network security technology.
Firewalls implement and enforce network access policies, but traditional firewall technology concentrates on preventing intrusion and attack on the internal network from outside; how to control internal users' access to the external network has not been studied in depth, and few control techniques exist for it. According to authoritative sources there are about 250,000 pornographic sites worldwide, and relying solely on traditional packet filtering and similar firewall techniques to block them would seriously degrade network performance. To address this problem, we start from Application Layer Gateway technology and use the WinSock2 SPI for our study and discussion.
(Figure: Winsock2 SPI schematic diagram)
The Winsock2 SPI (Service Provider Interface) is built on the Windows Open Systems Architecture (WOSA) and is the system-facing programming interface provided by the Winsock system component. The Winsock system component offers a standard API to user applications and a standard SPI between the Winsock component and the Winsock service providers, such as the TCP/IP protocol stack. The various service providers are Windows DLLs anchored under the Winsock2 ws2_32.dll module.
For many of the functions defined in the Winsock2 API and used by applications, the service providers implement a corresponding operation (for example, the API function WSAConnect has the SPI counterpart WSPConnect). In most cases, when an application calls a Winsock2 API function, Ws2_32.dll calls the corresponding Winsock2 SPI function of a specific service provider to perform the requested service.
The Winsock2 SPI allows two kinds of service provider to be developed: transport service providers and namespace service providers. A transport provider (commonly called a protocol stack, for example TCP/IP) supplies transport functions such as establishing communication, transmitting data, flow control and error control. A namespace provider (for example the DNS name resolution service) associates the address attributes of a network protocol with one or more user-friendly names, giving applications a protocol-independent name resolution scheme.
Winsock2 uses two types of transport service provider: base service providers and layered service providers. A base service provider implements the details of a particular network transport protocol (such as TCP/IP), including core functions such as sending and receiving data over the network. A layered service provider implements higher-level, custom communication functions and relies on a base service provider beneath it for the actual data exchange on the network.
For internal-user access control we build a layered URL filter manager on top of the existing base TCP/IP provider. The URL filter manager intercepts the URL in the HTTP request packet sent by the user, then looks the target IP up in the access rule library (the set of banned IPs) with an efficient retrieval structure (such as a hash table keyed by a Fibonacci hash function), and denies or provides the access service according to the result.
The way a transport service provider is installed determines whether it is a layered provider or a base service provider. Winsock2 uses a system configuration database to configure transport service providers; the database tells Winsock2 that a service provider exists and defines the kind of service it offers. Installing and managing service providers within the Winsock2 service provider database requires four functions: WSCEnumProtocols, WSCInstallProvider, WSCWriteProviderOrder and WSCDeinstallProvider.
These functions use the WSAPROTOCOL_INFOW structure to query and manipulate the service provider database. Installing a layered service provider requires two WSAPROTOCOL_INFOW directory entry structures: one represents the layered provider itself (protocol chain length 0), the other a protocol chain (chain length greater than 1) that links the layered provider to a base service provider. Both structures should be initialised from the WSAPROTOCOL_INFOW directory entry of the existing base service provider.
Call WSCEnumProtocols to obtain the WSAPROTOCOL_INFOW directory entry of the existing service provider. After initialisation, first install the directory entry of our access control layered service provider with WSCInstallProvider, then enumerate all directory entries with WSCEnumProtocols to obtain the directory ID assigned to it at installation. Use that ID to build the protocol chain directory entry, which links our access control service provider to the other provider (the TCP base provider), and call WSCInstallProvider again to install the chain entry.
A directory entry installed with WSCInstallProvider automatically becomes the last entry in the configuration database. For access control to take effect, our URL filtering service provider must become the default TCP/IP provider. This is done by calling WSCWriteProviderOrder to reorder the provider directory entries in the database, placing our protocol chain entry in front of the TCP/IP base provider.
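The install-and-reorder procedure described above, as an added example that is not code from the article: a portable C model of the catalog bookkeeping. The real WSAPROTOCOL_INFOW structure is replaced by a stand-in with the same field names, and the WSCEnumProtocols, WSCInstallProvider and WSCWriteProviderOrder calls by operations on an in-memory catalog, so the two-entry construction (layer entry with chain length 0, chain entry with chain length 2) and the reorder that moves the chain entry in front of the base TCP/IP provider can be compiled and checked without Windows. The catalog IDs (1001 onward) are invented; the base provider names are the conventional Microsoft ones but the entries themselves are constructed.

```c
/* Added example, not from the article: in-memory model of the Winsock2 catalog
 * steps an LSP installer performs. No Windows API is called; field names mirror
 * WSAPROTOCOL_INFOW so the logic maps onto the real calls one for one. */
#include <stdio.h>
#include <string.h>

#define MAX_PROTOCOL_CHAIN 7          /* same limit as the real structure */
#define MAX_ENTRIES 16
#define LAYERED_PROTOCOL 0            /* ChainLen value of a layer entry */
#define BASE_PROTOCOL 1               /* ChainLen value of a base provider */

typedef struct {
    unsigned long dwCatalogEntryId;
    struct {
        int ChainLen;                 /* 0 = layer, 1 = base, >1 = chain */
        unsigned long ChainEntries[MAX_PROTOCOL_CHAIN];
    } ProtocolChain;
    int iAddressFamily, iSocketType, iProtocol;
    char szProtocol[40];
} ProtocolInfo;

typedef struct {
    ProtocolInfo entries[MAX_ENTRIES];
    int count;
    unsigned long next_id;            /* ids the "system" hands out */
} Catalog;

static Catalog g_catalog;

/* Stand-in for WSCInstallProvider: the entry is appended at the END of the
 * catalog and receives a system-assigned dwCatalogEntryId. */
static unsigned long catalog_install(Catalog *c, ProtocolInfo info) {
    info.dwCatalogEntryId = c->next_id++;
    c->entries[c->count++] = info;
    return info.dwCatalogEntryId;
}

/* Stand-in for a WSCEnumProtocols scan: the base provider for AF_INET (2),
 * SOCK_STREAM (1), IPPROTO_TCP (6), i.e. the TCP/IP stack we layer over. */
static const ProtocolInfo *find_base_tcp(const Catalog *c) {
    for (int i = 0; i < c->count; i++) {
        const ProtocolInfo *e = &c->entries[i];
        if (e->ProtocolChain.ChainLen == BASE_PROTOCOL && e->iAddressFamily == 2
            && e->iSocketType == 1 && e->iProtocol == 6)
            return e;
    }
    return NULL;
}

/* The two entries from the text. Returns the chain entry's id, writes the
 * layer entry's id to *lsp_id; both start as copies of the base entry. */
static unsigned long install_url_filter_lsp(Catalog *c, unsigned long *lsp_id) {
    const ProtocolInfo *base = find_base_tcp(c);
    if (base == NULL) return 0;
    ProtocolInfo layer = *base;                       /* 1. layer entry, ChainLen 0 */
    layer.ProtocolChain.ChainLen = LAYERED_PROTOCOL;
    strcpy(layer.szProtocol, "URL Filter LSP");
    *lsp_id = catalog_install(c, layer);
    ProtocolInfo chain = *base;                       /* 2. chain entry: layer over base */
    chain.ProtocolChain.ChainLen = 2;
    chain.ProtocolChain.ChainEntries[0] = *lsp_id;
    chain.ProtocolChain.ChainEntries[1] = base->dwCatalogEntryId;
    strcpy(chain.szProtocol, "URL Filter LSP over TCP/IP");
    return catalog_install(c, chain);
}

/* Stand-in for WSCWriteProviderOrder: keep the existing order but move our
 * chain entry directly in front of the base provider it wraps, so a
 * socket(AF_INET, SOCK_STREAM, IPPROTO_TCP) request matches the chain first. */
static int reorder_chain_before_base(Catalog *c, unsigned long chain_id, unsigned long base_id) {
    ProtocolInfo sorted[MAX_ENTRIES], chain = {0};
    int n = 0, found = 0;
    for (int i = 0; i < c->count; i++)
        if (c->entries[i].dwCatalogEntryId == chain_id) { chain = c->entries[i]; found = 1; }
    if (!found) return -1;
    for (int i = 0; i < c->count; i++) {
        if (c->entries[i].dwCatalogEntryId == chain_id) continue;
        if (c->entries[i].dwCatalogEntryId == base_id) sorted[n++] = chain;
        sorted[n++] = c->entries[i];
    }
    memcpy(c->entries, sorted, sizeof(ProtocolInfo) * (size_t)n);
    c->count = n;
    return 0;
}

/* Driver: constructed catalog with two base providers, then install + reorder.
 * Returns the number of entries afterwards. */
int run_install_demo(void) {
    memset(&g_catalog, 0, sizeof g_catalog);
    g_catalog.next_id = 1001;                                      /* invented ids */
    ProtocolInfo udp = { 0, { BASE_PROTOCOL, {0} }, 2, 2, 17, "MSAFD Tcpip [UDP/IP]" };
    ProtocolInfo tcp = { 0, { BASE_PROTOCOL, {0} }, 2, 1, 6, "MSAFD Tcpip [TCP/IP]" };
    catalog_install(&g_catalog, udp);                              /* id 1001 */
    unsigned long base_id = catalog_install(&g_catalog, tcp);      /* id 1002 */
    unsigned long lsp_id, chain_id = install_url_filter_lsp(&g_catalog, &lsp_id);
    reorder_chain_before_base(&g_catalog, chain_id, base_id);
    return g_catalog.count;
}
unsigned long catalog_id_at(int i) { return g_catalog.entries[i].dwCatalogEntryId; }
int chain_len_at(int i) { return g_catalog.entries[i].ProtocolChain.ChainLen; }
unsigned long chain_entry_at(int i, int k) { return g_catalog.entries[i].ProtocolChain.ChainEntries[k]; }

int main(void) {
    int n = run_install_demo();
    for (int i = 0; i < n; i++)
        printf("%lu  ChainLen=%d  %s\n", catalog_id_at(i), chain_len_at(i),
               g_catalog.entries[i].szProtocol);
    return 0;
}
```

After the reorder the catalog reads 1001 (UDP base), 1004 (our chain), 1002 (TCP base), 1003 (our layer entry): the chain entry now precedes the TCP/IP base provider while the layer entry, which no socket request matches directly, stays at the end. On a real system the same id list is what you hand to WSCWriteProviderOrder.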
A Winsock2 transport service provider is implemented as a standard Windows dynamic link library. Our service provider DLL must provide the DllMain function and export a single entry point named WSPStartup. Our URL filtering service provider must support the WSPStartup function and the other 30 SPI functions. During WSAStartup, Winsock determines which service provider to load according to the address family, socket type and protocol parameters passed to WSASocket. Only when an application creates a socket with address family AF_INET and socket type SOCK_STREAM through the socket or WSASocket API call does Winsock search for and load the transport service provider that supplies TCP/IP. The UpcallTable parameter of WSPStartup receives Ws2_32.dll's upcall dispatch table; our access control layered service provider uses these functions to manage I/O operations between itself and Winsock2.
We implement the access control function in WSPConnect. When a user requests an HTTP service, a connection to the target site is established first, and the HTTP request packet is sent over it once the connection succeeds. When a user application calls connect or WSAConnect to establish a connection, the SPI invokes the corresponding WSPConnect function: int WSPAPI WSPConnect(..., const struct sockaddr FAR *name, ..., INT FAR *lpErrno). The IP address of the target site the user wants to reach is contained in the name parameter of type sockaddr. We pass name to the IP access decision routine IPFilter. If IPFilter returns "permit", we use the protocol chain to invoke the base service provider (TCP/IP) at the next level and complete the connection request. If IPFilter returns "deny", we set lpErrno to the corresponding error code and return without calling the next service provider in the protocol chain, thereby achieving access control.
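The WSPConnect decision path just described, together with the Fibonacci-hash rule lookup mentioned earlier for the access rule library, as an added example that is not code from the article. The hash table, the IPFilter routine and the FilteredConnect stand-in for WSPConnect are written here for illustration; POSIX socket headers are used so it builds anywhere, the WSABUF and QOS parameters of the real WSPConnect are omitted, the next provider in the chain is a constructed function pointer rather than the real NextProcTable, and the rule-set addresses are TEST-NET values, not real sites. On Windows the error codes would be WSAEFAULT and WSAEACCES.

```c
/* Added example, not from the article: Fibonacci-hash set of banned IPv4
 * addresses, the IPFilter decision routine, and a WSPConnect-style function
 * that forwards down the chain or fails without ever reaching it. */
#define _POSIX_C_SOURCE 200112L
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TABLE_BITS 10
#define TABLE_SIZE (1u << TABLE_BITS)
enum { IPFILTER_ALLOW = 0, IPFILTER_DENY = 1 };

/* Access rule library: open-addressed set keyed by host-order IPv4 address. */
static uint32_t g_rule_ip[TABLE_SIZE];
static unsigned char g_rule_used[TABLE_SIZE];

/* Fibonacci hashing: multiply by 2^32/phi, keep the top TABLE_BITS bits. */
static uint32_t fib_hash(uint32_t key) {
    return (key * 2654435769u) >> (32 - TABLE_BITS);
}

/* Returns 1 when the address is in the set afterwards, 0 if the table is full. */
int rule_add(uint32_t ip) {
    uint32_t i = fib_hash(ip);
    for (uint32_t probes = 0; probes < TABLE_SIZE; probes++) {
        if (!g_rule_used[i]) { g_rule_used[i] = 1; g_rule_ip[i] = ip; return 1; }
        if (g_rule_ip[i] == ip) return 1;          /* already banned */
        i = (i + 1) & (TABLE_SIZE - 1);            /* linear probing */
    }
    return 0;
}

int rule_contains(uint32_t ip) {
    uint32_t i = fib_hash(ip);
    for (uint32_t probes = 0; probes < TABLE_SIZE; probes++) {
        if (!g_rule_used[i]) return 0;             /* empty slot ends the probe run */
        if (g_rule_ip[i] == ip) return 1;
        i = (i + 1) & (TABLE_SIZE - 1);
    }
    return 0;
}

/* The decision routine WSPConnect calls with its `name` parameter. Anything
 * that is not a well-formed AF_INET address is denied rather than guessed at. */
int IPFilter(const struct sockaddr *name, int namelen) {
    struct sockaddr_in sin;
    if (name == NULL || namelen < (int)sizeof sin || name->sa_family != AF_INET)
        return IPFILTER_DENY;
    memcpy(&sin, name, sizeof sin);                /* copy instead of an aliasing cast */
    return rule_contains(ntohl(sin.sin_addr.s_addr)) ? IPFILTER_DENY : IPFILTER_ALLOW;
}

typedef int (*next_connect_fn)(int s, const struct sockaddr *name, int namelen);

/* Stand-in for WSPConnect. `next` plays the role of the next provider's
 * WSPConnect in the protocol chain, i.e. the base TCP/IP provider. */
int FilteredConnect(int s, const struct sockaddr *name, int namelen,
                    next_connect_fn next, int *lpErrno) {
    if (name == NULL || namelen < (int)sizeof(struct sockaddr_in)) {
        *lpErrno = EFAULT;                         /* WSAEFAULT on Windows */
        return -1;                                 /* SOCKET_ERROR */
    }
    if (IPFilter(name, namelen) == IPFILTER_DENY) {
        *lpErrno = EACCES;                         /* WSAEACCES: refused, chain never called */
        return -1;
    }
    return next(s, name, namelen);                 /* permitted: hand down the chain */
}

/* Constructed stand-in for the base provider: counts calls, always "connects". */
static int g_forwarded;
static int fake_base_connect(int s, const struct sockaddr *name, int namelen) {
    (void)s; (void)name; (void)namelen;
    g_forwarded++;
    return 0;
}
int forwarded_count(void) { return g_forwarded; }

uint32_t ipv4_from_text(const char *text) {
    struct in_addr a;
    return inet_pton(AF_INET, text, &a) == 1 ? ntohl(a.s_addr) : 0;
}

/* Driver: 0 when the connect was forwarded to the base provider, -errno when
 * the layer refused it before the chain was reached. */
int try_connect(const char *ip_text, unsigned short port) {
    struct sockaddr_in sin;
    int err = 0;
    memset(&sin, 0, sizeof sin);
    sin.sin_family = AF_INET;
    sin.sin_port = htons(port);
    sin.sin_addr.s_addr = htonl(ipv4_from_text(ip_text));
    if (FilteredConnect(3, (const struct sockaddr *)&sin, (int)sizeof sin,
                        fake_base_connect, &err) == 0)
        return 0;
    return -err;
}

int main(void) {
    rule_add(ipv4_from_text("203.0.113.7"));       /* constructed rule set (TEST-NET-3) */
    rule_add(ipv4_from_text("203.0.113.8"));
    printf("203.0.113.7  -> %d\n", try_connect("203.0.113.7", 80));   /* -EACCES */
    printf("198.51.100.5 -> %d\n", try_connect("198.51.100.5", 80));  /* 0, forwarded */
    return 0;
}
```

The point to notice is the order of the two checks in FilteredConnect: a malformed or too-short name is rejected before it is interpreted, and a banned address is rejected before the base provider is ever called, so a denied connection never produces network traffic. Exact-match lookup on the IP is what the article describes; a production rule library would also need prefix or range rules, which this table does not attempt.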
Layered service providers greatly expand the potential of networking services and enhance Winsock applications. They play a major role in our URL filtering service, which has basically achieved access control for internal users reaching external networks and gives users healthier access to the Internet.