Detect WWW access in NDIS IM driver?

Hi all,

I’m working on a private IPSec driver to encrypt packets that are going
out of the LAN. I built this driver based on the DDK PassThrough sample. My
problem is: in the NDIS IM driver, how do I decide whether an outgoing IP
packet is for WWW access or LAN access?

One way I’m thinking of is, in the SendPacketsHandler, to compare the
Ethernet + IP header with the current LAN settings (IP + mask, and the
gateway’s IP/MAC address). Is this doable? If so, how do I get the LAN
gateway’s IP and MAC address in the IM driver? (And would VPN packets be
treated as WWW access here?) Another question is, how can I know which
adapter can access the WWW network?

I wrote several NDIS & TDI drivers before, but never had a chance to dig
into it this deeply. Can anyone shed some light on it?

thanks a lot,

AFei

AFei wrote:

> Hi all,
>
> I’m working on a private IPSec driver to encrypt packets that are going
> out of the LAN. I built this driver based on the DDK PassThrough sample. My
> problem is: in the NDIS IM driver, how do I decide whether an outgoing IP
> packet is for WWW access or LAN access?

It doesn’t make a lot of sense to encrypt all the traffic that is “not
in the LAN” (what you call WWW). Normally, you want to encrypt some
sensitive data that is sent to particular targets. You wouldn’t want to
send that data in unencrypted form anyway, even in your LAN. What you
should be looking for is to create a tunnel. Any data that is directed to
this tunnel should be encrypted, and any data that comes out of this
tunnel should be decrypted. The tunnel itself links two hosts.

> One way I’m thinking of is, in the SendPacketsHandler, to compare the
> Ethernet + IP header with the current LAN settings (IP + mask, and the
> gateway’s IP/MAC address). Is this doable?

What you are describing is your broadcast domain. Your LAN may be larger
than that. Note that you may have multiple IP addresses per host and per
net adapter, and multiple gateways set.

> If so, how do I get the LAN gateway’s IP and MAC address in the IM
> driver? (And would VPN packets be treated as WWW access here?) Another
> question is, how can I know which adapter can access the WWW network?
>
> I wrote several NDIS & TDI drivers before, but never had a chance to dig
> into it this deeply. Can anyone shed some light on it?
>
> thanks a lot,
>
> AFei


Questions? First check the Kernel Driver FAQ at http://www.osronline.com/article.cfm?id=256

You are currently subscribed to ntdev as: xxxxx@bitdefender.com
To unsubscribe send a blank email to xxxxx@lists.osr.com


Ignorance more frequently begets confidence than does knowledge.
— Charles Darwin



Well, maybe “WWW” is misleading; the idea is to tightly control any
outside network access (non-broadcast-domain). Anyway, could you give me
some pointers on how to decide whether a particular NDIS_PACKET is for the
LAN or for outside? It also makes sense for the tunnel, I think. Does
medium == NdisMediumWan work?
I very much appreciate your response.

AFei.

The decision has to be based on the destination IP address. The driver has no good chance to decide which addresses are internal and which are external; it has to be configured from the outside. Similarly to a firewall, there should be some user app which allows the user to describe the network configuration. The only exception is a router which has internal and external adapters, but the driver also has to be informed about each adapter’s purpose. Adapter configuration should be stored in the registry in the per-adapter area. Your driver can have it, even automatically, but I worked on something like this about 7 years ago and have forgotten the details.

Forget about NdisMediumWan; it has nothing to do with it. Maybe I haven’t comprehended what you wrote correctly, but it seems you’d need to (re)read all related RFCs, especially for IP, TCP and IPSEC. You really shouldn’t encrypt all outgoing traffic. Instead, the driver should act as a firewall: encrypt only packets for known destinations (where the same driver is sitting) and refuse the rest. The IPSEC tunnel is described in one of the RFCs. Encrypting everything makes sense for LAN packets only, where every computer has your driver installed. This is another mode described in another IPSEC RFC.

Best regards,

Michal Vodicka
UPEK, Inc.
[xxxxx@upek.com, http://www.upek.com]


> From: xxxxx@lists.osr.com[SMTP:xxxxx@lists.osr.com] on behalf of AFei[SMTP:xxxxx@hotmail.com]
> Reply To: Windows System Software Devs Interest List
> Sent: Thursday, June 02, 2005 5:31 PM
> To: Windows System Software Devs Interest List
> Subject: Re:[ntdev] Detect WWW access in NDIS IM driver?
>
> Well, maybe “WWW” is misleading; the idea is to tightly control any
> outside network access (non-broadcast-domain). Anyway, could you give me
> some pointers on how to decide whether a particular NDIS_PACKET is for the
> LAN or for outside? It also makes sense for the tunnel, I think. Does
> medium == NdisMediumWan work?
> I very much appreciate your response.
>
> AFei.



Hi Michal, thanks for your reply. Actually I’m just using the IPSec concept
here; the purpose of this driver is to enforce security for some network
servers: apart from all the internal endpoints, only the clients which have
installed my driver should be able to use the services on these servers.
There might be some other ways to do this, of course. I can achieve this by
encrypting the external packets. From the implementation point of view,
there’s no difference between encrypting a range of IPs and encrypting all
the external IPs. As you said, it seems the NDIS driver sits too low to get
some of the network configuration; it might be better to let the user-mode
application detect it.
Thanks a lot,

AFei


AFei,

You used the phrase ‘enforce security’ but that might be a bit too vague.

It seems that you are trying to provide some kind of access control to a set
of services. The access control is based on having ‘your software’
installed on a host accessing those services.

It also seems that you are interested in privacy (and integrity) since you
seem to be planning to implement encryption of packets between the
endpoints. If simply possessing your IM driver is the only requirement to
enable communication with these services that might not meet your true
security requirements.

If you use encryption of some kind, you will need to address how to
distribute keys to the endpoints to use in the encryption. This is often a
much more difficult problem and more critical to the overall ‘security’ of
the system. IPSec systems typically use the IKE protocol to accomplish
this.

As for your question about how to control which packets to process (encrypt)
I encourage you to look at the policy database mechanisms that a typical
IPSec implementation includes. The SPD and SAD ‘databases’ provide the
mechanism to specify what endpoints, networks, etc. are allowed/required to
communicate with some level of security and to specify the acceptable
security mechanisms.

If you are implementing an IPSec encapsulation mechanism as an IM driver,
you might consider also implementing the IPSec policy and configuration
mechanism to control it. The mechanism is rich and expressive and
completely capable of specifying whatever sort of access policy your servers
(services, really) require.

If you need to trigger your security enforcement mechanism (the IM driver)
based on individual user applications (instead of just the network traffic),
you might consider using a WSock Layered Service Provider (LSP) to know when
the user application has started and attempted to communicate with the
network. The LSP could then ‘provision’ the security policy in the IM
driver appropriately.

Lastly I encourage you to look at the native IPSec implementation in
Windows. It may already be able to support your needs (unless your needs
are IPSec-like and not true IPSec).

Good Luck,
Dave Cattley
Consulting Engineer
Systems Software Development

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of AFei
Sent: Thursday, June 02, 2005 6:05 PM
To: Windows System Software Devs Interest List
Subject: Re:[ntdev] Detect WWW access in NDIS IM driver?

> Hi Michal, thanks for your reply. Actually I’m just using the IPSec concept
> here; the purpose of this driver is to enforce security for some network
> servers: apart from all the internal endpoints, only the clients which have
> installed my driver should be able to use the services on these servers.
> There might be some other ways to do this, of course. I can achieve this by
> encrypting the external packets. From the implementation point of view,
> there’s no difference between encrypting a range of IPs and encrypting all
> the external IPs. As you said, it seems the NDIS driver sits too low to get
> some of the network configuration; it might be better to let the user-mode
> application detect it.
> Thanks a lot,
>
> AFei
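Both Michal's advice (decide by destination IP against a table configured from user mode, encrypt only for known peers and refuse the rest) and Dave's pointer to the SPD come down to the same structure: a first-match policy table keyed on packet selectors. The following is an added example written for this thread, not code from any poster and not NDIS driver code: it is plain user-mode C that parses a constructed Ethernet II + IPv4 frame, pulls out destination address, protocol and destination port, and walks a small SPD-style table whose three outcomes (BYPASS for the local broadcast domain, PROTECT for the servers that run the same driver, DISCARD otherwise) mirror RFC 4301. The table contents, the `classify_frame`/`lookup_policy`/`classify_sample` names and the documentation-range addresses are all constructed for illustration; in a real IM driver the table would be pushed down from the configuration app rather than compiled in. It also handles the one edge case the thread's approach would otherwise miss: a non-first IP fragment carries no port, so a port-specific PROTECT rule must not match it.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Outcomes of a policy lookup, named after the three IPsec SPD actions. */
typedef enum { ACT_DISCARD = 0, ACT_BYPASS = 1, ACT_PROTECT = 2 } action_t;

/* One SPD-style entry. Selectors: destination prefix, IP protocol
 * (0 = any) and destination port (0 = any). All values host byte order. */
typedef struct {
    uint32_t dst_net;
    uint32_t dst_mask;
    uint8_t  proto;
    uint16_t dst_port;
    action_t action;
} policy_t;

/* Constructed policy table (hypothetical; a real driver would receive it
 * from a user-mode configuration app, e.g. via the registry).
 * Addresses come from the RFC 1918 / RFC 5737 documentation ranges. */
static const policy_t g_policy[] = {
    /* 192.168.1.0/24: our own broadcast domain, pass in clear             */
    { 0xC0A80100u, 0xFFFFFF00u, 0, 0,   ACT_BYPASS  },
    /* 203.0.113.0/24, TCP/443: protected servers that run the same driver */
    { 0xCB007100u, 0xFFFFFF00u, 6, 443, ACT_PROTECT },
    /* anything else to those servers is refused                           */
    { 0xCB007100u, 0xFFFFFF00u, 0, 0,   ACT_DISCARD },
};

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t rd32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

/* First-match walk over the ordered table; no match means default-deny. */
action_t lookup_policy(uint32_t dst, uint8_t proto, uint16_t dport)
{
    size_t i;
    for (i = 0; i < sizeof g_policy / sizeof g_policy[0]; i++) {
        const policy_t *p = &g_policy[i];
        if ((dst & p->dst_mask) != p->dst_net) continue;
        if (p->proto != 0 && p->proto != proto) continue;
        if (p->dst_port != 0 && p->dst_port != dport) continue;
        return p->action;
    }
    return ACT_DISCARD;
}

/* Classify one Ethernet II frame by its IPv4 destination.
 * Returns an action_t, or -1 for non-IPv4 or truncated frames (what to do
 * with ARP and friends is a separate decision for the caller). */
int classify_frame(const uint8_t *frame, size_t len)
{
    const uint8_t *ip;
    size_t ihl;
    uint16_t dport = 0;

    if (len < 14 + 20 || rd16(frame + 12) != 0x0800) return -1;
    ip = frame + 14;
    ihl = (size_t)(ip[0] & 0x0F) * 4;
    if ((ip[0] >> 4) != 4 || ihl < 20 || len < 14 + ihl) return -1;

    /* Transport ports exist only in the first fragment (offset 0). For a
     * later fragment dport stays 0, so a port-specific PROTECT rule cannot
     * match and the packet falls through to the stricter entries. */
    if ((ip[9] == 6 || ip[9] == 17) && (rd16(ip + 6) & 0x1FFF) == 0 &&
        len >= 14 + ihl + 4)
        dport = rd16(ip + ihl + 2);

    return (int)lookup_policy(rd32(ip + 16), ip[9], dport);
}

/* Build a constructed Ethernet + IPv4 + 4-byte transport header (38 bytes)
 * and classify it. Sample input only; nothing here is a real capture. */
int classify_sample(uint16_t ethertype, uint32_t dst, uint8_t proto, uint16_t dport)
{
    uint8_t buf[38];
    uint8_t *ip = buf + 14;
    memset(buf, 0, sizeof buf);
    buf[12] = (uint8_t)(ethertype >> 8); buf[13] = (uint8_t)ethertype;
    ip[0] = 0x45;                           /* IPv4, IHL = 5 words */
    ip[3] = 24;                             /* total length 20 + 4 */
    ip[9] = proto;
    ip[16] = (uint8_t)(dst >> 24); ip[17] = (uint8_t)(dst >> 16);
    ip[18] = (uint8_t)(dst >> 8);  ip[19] = (uint8_t)dst;
    ip[22] = (uint8_t)(dport >> 8); ip[23] = (uint8_t)dport;   /* dst port */
    return classify_frame(buf, sizeof buf);
}

int main(void)
{
    printf("LAN host   -> %d\n", classify_sample(0x0800, 0xC0A8010Au, 6, 80));  /* 1 = BYPASS  */
    printf("server:443 -> %d\n", classify_sample(0x0800, 0xCB007105u, 6, 443)); /* 2 = PROTECT */
    printf("server:22  -> %d\n", classify_sample(0x0800, 0xCB007105u, 6, 22));  /* 0 = DISCARD */
    printf("ARP frame  -> %d\n", classify_sample(0x0806, 0, 0, 0));             /* -1          */
    return 0;
}
```

The point of ordering the table is that the decision never depends on guessing the local subnet or gateway from inside the driver: the LAN prefix is just another entry, and an address that matches nothing is refused rather than quietly sent in clear.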