Windows Filtering Platform Enhancements in Windows 7


Windows Filtering Platform Enhancements in Windows 7
Mohan Prabhala, Senior Program Manager, Windows Networking, mohanp@microsoft.com
Jorge Coronel Mendoza, Program Manager, Windows Networking, jcoronel@microsoft.com

Session Goals
Attendees should leave this session with an understanding of:
- Windows Filtering Platform (WFP) benefits and architecture
- What's new in WFP for Windows 7 and how it may be used

Agenda
- What is Windows Filtering Platform (WFP)
- Evolution of filtering technologies
- Why use WFP
- Vista WFP architecture
- WFP basics
- What's new
- WFP architecture in Windows 7
- New WFP feature specifics and design considerations
- Call to action
- Resources

What Is Windows Filtering Platform?
- A set of APIs and system services that provide a platform for creating network filtering software
- User-mode and kernel-mode APIs
- Introduced with Windows Vista; the firewall built into Windows Vista and Windows Server 2008 uses WFP
- Designed to eventually replace filtering technologies such as:
  - Transport Driver Interface (TDI) filter drivers
  - NDIS lightweight filter (LWF) drivers
  - Winsock Layered Service Providers (LSPs)

What Is Windows Filtering Platform? (cont.)
WFP may be used to implement:
- Host firewalls
- Packet inspection software
- Host-based intrusion detection systems (IDS)
- Antivirus (AV) software
- Network monitoring tools
- And more

Filtering Technology Evolution
For each pre-Windows Vista technology, the guidance on Windows Vista and on Windows 7:
- TDI filter driver
  Vista: WFP APIs are strongly recommended; TDI is on the path to deprecation but is supported on Vista.
  Windows 7: WFP APIs are required for host firewall driver certification and strongly recommended for other filtering software; TDI is on the path to deprecation but is still supported.
- TDI kernel client
  Vista: Winsock Kernel (WSK) APIs are strongly recommended.
  Windows 7: WSK APIs are strongly recommended.
- Firewall-hook and filter-hook drivers
  Vista: WFP APIs are required; firewall-hook and filter-hook drivers are no longer supported.
  Windows 7: WFP APIs are required for host firewall driver certification.
- LSP
  The WFP stream layer may be used instead; LSPs remain supported on Vista and Windows 7.
- NDIS intermediate (IM) driver
  Vista: LWF is strongly recommended; WFP has no support at this level.
  Windows 7: the new WFP APIs (the 802.3 MAC frame layers) are recommended.

Why Use WFP?
Business considerations
- Reduced development time and total cost of ownership
- Can be used for complete development of consumer firewalls
- Aligned with the filtering technology evolution: supported in Vista and future Windows releases
Technical considerations
- Less complex, thanks to consistent semantics and a layered filtering model
- Rich features: deep packet inspection and packet manipulation at several layers in the stack; connection-based filtering; packet filtering from both user mode and kernel mode
- Performance: hardware-offload friendly

Vista WFP Architecture (diagram)
User mode: firewall and AV applications call the WFP Management APIs, which talk to the Base Filtering Engine (BFE).
Kernel mode: BFE plumbs filters into the Filtering Engine, which classifies traffic at its layers: Application Layer Enforcement (ALE, fed by TDI/WSK), Stream Layer, Transport Layer, Network Layer and Forward Layer. Callout modules plug in through the Callout APIs; the examples shown are 3rd-party anti-virus, 3rd-party parental control, IPsec, 3rd-party IDS and 3rd-party network address translation (NAT).

WFP Basics
- WFP Management APIs: the set of APIs applications use to plumb filters into the Filtering Engine
- Base Filtering Engine (BFE): the service that coordinates WFP components and enforces WFP configuration security during boot; applications communicate with BFE through the management APIs
- Filter objects: extensive filtering options and filter arbitration
- Callouts: kernel components that provide additional filtering functionality
- Diagnostics: integrated with the Network Diagnostic Framework (NDF); the extensible Filtering Platform Helper Class (FPHC) diagnoses packet drops and IPsec/IKE failures

What's New?
- TCP/UDP proxy layer: redirection of IP packets without per-packet processing
- NDIS filtering layer: extends WFP to filter against 802.3 frame headers
- New COM API to selectively replace Windows Firewall functionality
- WFP packet tagging: avoids re-inspection of already inspected packets when callout drivers register at multiple layers, and identifies the packet-to-interface relationship
- WFP dynamic stream inspection: enhanced ability to inspect without restarting network applications or rebooting
- Connection pending, closure and lifetime notifications: allow WFP drivers to intercept socket closures and reclaim resources allocated at bind time
- Richer filtering options: condition-based OR/NOT

WFP Architecture – Windows 7 (diagram)
Same structure as the Vista diagram, with the Windows 7 additions marked as new WFP APIs: a Register API next to the WFP Management APIs (the API to replace Windows Firewall functionality, handled by BFE), an IP Proxy Layer above ALE in the Filtering Engine, and an NDIS Layer below the Forward Layer. The existing layers (ALE, Stream, Transport, Network, Forward), the Callout APIs and the callout modules (3rd-party anti-virus, parental control, IPsec, IDS, NAT) are unchanged.

Key Issues Addressed in Windows 7
- Redirection of IP packets: addressed by the WFP ALE extension (proxy layers)
- Filtering at lower levels: new WFP layer for MAC/ARP filtering
- Coexistence with Windows Firewall: selectively replacing Windows Firewall functionality
- Inspection of the same packet multiple times: packet tagging
- Filter count reduction: combine multiple filters into a single, more complex filter

TCP/UDP Proxy Layer
Two new WFP layers facilitate redirection of IP packets at socket bind and connect time, without per-packet complexity:
- FWPM_LAYER_ALE_BIND_REDIRECT_V{4|6}
- FWPM_LAYER_ALE_CONNECT_REDIRECT_V{4|6}

TCP/UDP Proxy Layer (contd.)
Attributes that apply to FWPM_LAYER_ALE_BIND_REDIRECT_V{4|6}:
- ALE_APP_ID (FWP_BYTE_BLOB_TYPE): normalized image path of the process from which the connecting socket is created
- ALE_USER_ID (FWP_TOKEN_ACCESS_INFORMATION_TYPE): process or impersonation token under which the connecting socket is created
- IP_LOCAL_ADDRESS: IPv4 or IPv6 address, in host order
- IP_LOCAL_PORT: source port, in host order
- IP_LOCAL_ADDRESS_TYPE
- IP_PROTOCOL

TCP/UDP Proxy Layer (contd.)
FWPM_LAYER_ALE_CONNECT_REDIRECT_V{4|6} has all the attributes of FWPM_LAYER_ALE_BIND_REDIRECT_V{4|6}, plus:
- IP_REMOTE_ADDRESS (FWP_UINT32 or FWP_BYTE_ARRAY16_TYPE): IPv4 or IPv6 address, in host order
- IP_REMOTE_PORT: destination port, in host order
- IP_DESTINATION_ADDRESS_TYPE

NDIS Filtering Layer
Two new WFP layers filter against 802.3 frame headers:
- FWPM_LAYER_INBOUND_MAC_FRAME_802_3
- FWPM_LAYER_OUTBOUND_MAC_FRAME_802_3

NDIS Filtering Layer (contd.)
Attributes for FWPM_LAYER_INBOUND_MAC_FRAME_802_3 and FWPM_LAYER_OUTBOUND_MAC_FRAME_802_3:
- ETHER_SRC_ADDRESS: source MAC address
- ETHER_DST_ADDRESS: destination MAC address
- ETHER_DST_ADDRESS_TYPE: scope of the destination address (unicast, multicast or broadcast)
- ETHER_ENCAP_METHOD: frame encoding (Ethernet v2/DIX, SNAP with OUI 00.00.00, or SNAP with an unrecognized OUI)
- ETHER_TYPE: network protocol type value
- ETHER_SNAP_CONTROL: if SNAP, the 3 bytes of DSAP, SSAP and Control, padded to 32 bits
- ETHER_SNAP_OUI: if SNAP, the 3 bytes of OUI, padded to 32 bits
- ETHER_VLAN_TAG: VLAN (802.1Q) user priority, CFI and VLAN ID
- INTERFACE_LUID: synonym for IP_LOCAL_INTERFACE
- FLAGS: Boolean indicating whether the NIC is in promiscuous mode
- INTERFACE_TYPE

Replacing Windows Firewall Functionality
- New API to selectively replace Windows Firewall functionality: boot time, firewall and stealth, connection security
- Vendor firewalls need to hold a handle for the functionality that is replaced
- Existing Vista-based functionality that cannot be stopped: Windows Service Hardening
- New "Register" COM interface, supported by the HNetCfg.FwProducts COM object, with one rule category per replaceable function:
  - NET_FW_RULE_CATEGORY_BOOT
  - NET_FW_RULE_CATEGORY_STEALTH
  - NET_FW_RULE_CATEGORY_FIREWALL
  - NET_FW_RULE_CATEGORY_CONSEC

Filter Count Reduction
- Policy authoring affects the filter count; reducing the filter count increases performance
- Policy optimization may dramatically reduce the filter count: Microsoft IT policy optimizations cut their filter count by half
- The OR/NOT filtering options may reduce the filter count further. With Vista, blocking port 1234 for both transports takes two filters:
  Filter 1: Block TCP port 1234
  Filter 2: Block UDP port 1234
  With Windows 7 it takes one:
  Filter 1: Block (TCP || UDP) port 1234

Call to Action
- Windows 7 extends WFP to make it a more comprehensive filtering platform
- Use of WFP is strongly recommended, and required for consumer host firewall driver certification
- Send us your feedback and WFP implementation stories: wfp@microsoft.com

Resources
- Windows Filtering Platform on MSDN: http://msdn.microsoft.com/en-us/library/aa366510(VS.85).aspx
- Windows Filtering Platform on the WHDC Web site: http://www.microsoft.com/whdc/device/network/WFP.mspx
- Please visit the WFP forum on MSDN for discussions, questions and suggestions: http://forums.microsoft.com/msdn/ShowForum.aspx?ForumID=1637&SiteID=1

Backup

How Does WFP Work – Continued: Filter Arbitration
- Layers are divided into sub-layers
- Within a sub-layer:
  - Filters are evaluated in weight order
  - First match: execute the action (permit, block or callout)
  - Permit or block: evaluation of that sub-layer stops
  - A callout that returns "continue": the next matching filter is evaluated
- Then jump to the next sub-layer
- Traffic goes through every sub-layer, so a callout in the last sub-layer can still inspect traffic that an earlier sub-layer blocked

Arbitration Example
ALE recv/accept layer:
  Sub-layer 1: IIS.exe -> permit        => Permit
  Sub-layer 2: * -> permit              => Permit
  Sub-layer 3: * -> ids_callout         => Continue
               port80 -> block          => Block
Inbound Transport layer:
  Sub-layer 1: * -> permit              => Permit
  Sub-layer 2: * -> log_callout         => Continue
Resultant policy: inbound traffic to port 80 is blocked. The permit for IIS.exe in sub-layer 1 does not save it, because a block returned by any sub-layer overrides a plain permit from another.
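Both rules are easy to get wrong when authoring policy (the arbitration walk-through on this slide and the OR'd conditions on the Filter Count Reduction slide), so the following is an added example that models them in user-mode C. It is not code from the presentation or from WFP itself: filter_t, classify(), the sample policy and the sub-layer order are assumptions for illustration. It encodes the Windows 7 semantic that several conditions on one field are ORed while conditions on different fields are ANDed, and the arbitration rule that a block in any sub-layer overrides a plain (non-hard) permit in another.

```c
/* Added example, not part of the Microsoft presentation or of WFP: a user-mode
 * model of WFP filter arbitration. filter_t, classify() and the sample policy
 * are assumptions for illustration. Rules modelled:
 *  - within a sub-layer, filters run in descending weight; the first matching
 *    permit/block ends the sub-layer, a callout returning "continue" lets the
 *    next matching filter run
 *  - every sub-layer is evaluated (a callout in the last sub-layer still sees
 *    blocked traffic); a block from any sub-layer overrides a plain permit
 *  - conditions on the same field are ORed, on different fields ANDed;
 *    NOT is a condition with a not-equal match
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

enum field  { F_APP_ID, F_LOCAL_PORT, F_PROTOCOL };
enum match  { M_EQUAL, M_NOT_EQUAL };
enum action { A_PERMIT, A_BLOCK, A_CONTINUE };  /* A_CONTINUE: callout inspected, no decision */

typedef struct { enum field field; enum match match; const char *app; unsigned value; } condition_t;
typedef struct {
    const char *name; int sublayer; unsigned weight;
    const condition_t *conds; int ncond;        /* ncond == 0 means "*" (match all) */
    enum action action;
} filter_t;
typedef struct { const char *app; unsigned local_port; unsigned protocol; } packet_t;

static bool cond_matches(const condition_t *c, const packet_t *p)
{
    bool eq;
    switch (c->field) {
    case F_APP_ID:     eq = strcmp(c->app, p->app) == 0; break;
    case F_LOCAL_PORT: eq = c->value == p->local_port;   break;
    default:           eq = c->value == p->protocol;     break;
    }
    return c->match == M_EQUAL ? eq : !eq;
}

/* Same field: OR. Different fields: AND. */
static bool filter_matches(const filter_t *f, const packet_t *p)
{
    for (int i = 0; i < f->ncond; i++) {
        bool field_ok = false;
        for (int j = 0; j < f->ncond; j++)
            if (f->conds[j].field == f->conds[i].field && cond_matches(&f->conds[j], p))
                field_ok = true;
        if (!field_ok)
            return false;
    }
    return true;
}

/* One sub-layer: highest weight first; first matching permit/block decides.
 * Callout "continue" and non-matching filters fall through to the next filter.
 * (At most 64 filters, enough for the sample.) */
static enum action classify_sublayer(const filter_t *fs, int n, int sublayer, const packet_t *p)
{
    bool tried[64] = { false };
    for (;;) {
        int best = -1;
        for (int i = 0; i < n; i++)
            if (fs[i].sublayer == sublayer && !tried[i] && (best < 0 || fs[i].weight > fs[best].weight))
                best = i;
        if (best < 0)
            return A_CONTINUE;                  /* no decision in this sub-layer */
        tried[best] = true;
        if (filter_matches(&fs[best], p) && fs[best].action != A_CONTINUE)
            return fs[best].action;
    }
}

/* Whole layer: every sub-layer runs; a block anywhere wins; otherwise permit. */
enum action classify(const filter_t *fs, int n, int nsublayers, const packet_t *p)
{
    bool blocked = false;
    for (int s = 0; s < nsublayers; s++)
        if (classify_sublayer(fs, n, s, p) == A_BLOCK)
            blocked = true;
    return blocked ? A_BLOCK : A_PERMIT;
}

/* Sample policy at the ALE recv/accept layer, mirroring the slide (constructed). */
static const condition_t c_iis[]    = { { F_APP_ID, M_EQUAL, "iis.exe", 0 } };
static const condition_t c_port80[] = { { F_LOCAL_PORT, M_EQUAL, NULL, 80 } };
/* Windows 7 style: one filter for port 1234 && (TCP || UDP) instead of two. */
static const condition_t c_1234[] = {
    { F_LOCAL_PORT, M_EQUAL, NULL, 1234 },
    { F_PROTOCOL,   M_EQUAL, NULL, 6 },     /* TCP */
    { F_PROTOCOL,   M_EQUAL, NULL, 17 },    /* UDP */
};
static const filter_t policy[] = {
    { "IIS.exe -> permit",          0, 10, c_iis,    1, A_PERMIT   },
    { "* -> permit",                1, 10, NULL,     0, A_PERMIT   },
    { "* -> ids_callout",           2, 20, NULL,     0, A_CONTINUE },
    { "port80 -> block",            2, 10, c_port80, 1, A_BLOCK    },
    { "(TCP||UDP) 1234 -> block",   2,  5, c_1234,   3, A_BLOCK    },
};
#define NPOLICY ((int)(sizeof policy / sizeof policy[0]))

enum action classify_sample(const char *app, unsigned port, unsigned proto)
{
    packet_t p = { app, port, proto };
    return classify(policy, NPOLICY, 3, &p);
}

int main(void)
{
    printf("iis.exe:80/tcp      -> %s\n", classify_sample("iis.exe", 80, 6) == A_BLOCK ? "block" : "permit");
    printf("other.exe:1234/udp  -> %s\n", classify_sample("other.exe", 1234, 17) == A_BLOCK ? "block" : "permit");
    return 0;
}
```

classify_sample("iis.exe", 80, 6) returns A_BLOCK even though sub-layer 1 permitted IIS.exe, which is the slide's result; the single three-condition filter blocks port 1234 for both TCP and UDP and leaves other protocols alone, where Vista needed two filters. When a permit must not be overridden by a lower sub-layer, WFP's hard permit (a permit with the write right cleared) is the tool; this model does not implement it.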