NDIS, What kind of driver to develop dilemma

Hi,

I intend to create a proxy-based firewall (i.e. it will be able to filter all traffic that comes through it). (Note: using sockets is not an option since it must filter low-level traffic and be able to handle relatively large amounts of data.)

What kind of NDIS driver type do you think I should be looking at?

Ideally it should support all major Windows OSes (XP onwards).
(This is very important; as such I am willing to have two code bases to achieve this.)

Thanks!!!

Take a look at Windows Filtering Platform in both the WDK and MSDN documentation.

Gary Little
H (952) 223-1349
C (952) 454-4629
xxxxx@comcast.net

On Dec 23, 2011, at 10:07 AM, xxxxx@yahoo.com wrote:
NTDEV is sponsored by OSR

For our schedule of WDF, WDM, debugging and other seminars visit:
http://www.osr.com/seminars

To unsubscribe, visit the List Server section of OSR Online at http://www.osronline.com/page.cfm?name=ListServer

What do you mean by “filter low-level traffic”?

How does the requirement to “handle relatively large amounts of data”
suggest that you must operate in the kernel? When handling large datagrams
user-mode applications using sockets will be difficult to improve upon.

You can build a proxy in the kernel if required, although it would be tough
to justify. See Winsock Kernel (WSK) on Vista and later platforms.

If you think a kernel-mode proxy would offer performance benefits over a
user-mode Winsock proxy, then be careful. I’m not sure you have a winning
approach here.

Thomas F. Divine


From:
Sent: Friday, December 23, 2011 11:07 AM
To: “Windows System Software Devs Interest List”
Subject: [ntdev] NDIS, What kind of driver to develop dilemma

Thanks for your replies,

WFP won’t do because I need to filter traffic from the data link up (ARPs etc.).

@Thomas: imagine a network with 100 devices, all using the internet. The firewall must be able to filter the data as effectively as possible.

P.S.: Can’t I use something like an NDIS intermediate driver? (for pre-Vista)

Sorry for the late reply. It was Christmas here :)

If you must filter ARP, then you must use an NDIS 5 intermediate (IM) driver
(Windows XP) or an NDIS 6 lightweight filter (LWF) driver (Vista and later).

Good luck!

Thomas F. Divine

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of xxxxx@yahoo.com
Sent: Tuesday, January 03, 2012 10:54 AM
To: Windows System Software Devs Interest List
Subject: RE:[ntdev] NDIS, What kind of driver to develop dilemma

You can refer to the Passthru sample to get started.

Thanks,
Cyril

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of
xxxxx@yahoo.com
Sent: Tuesday, January 03, 2012 9:24 PM
To: Windows System Software Devs Interest List
Subject: RE:[ntdev] NDIS, What kind of driver to develop dilemma

Thanks, I have another question if you do not mind :)

The idea is to have a plugin-based system for each protocol (so you will have a TCP plugin that will dissect and observe TCP packets and then instruct the firewall whether it should block that packet or not). At first I was going to implement this system in user mode through DLLs (it should be easy to add new plugins), but then someone suggested that it will be inefficient and as such this decision should be taken in kernel mode.

Is there a way to implement a plugin-based system in the kernel (similar to the way DLLs work)?

Thanks again!!

A driver should be a driver, not an app.

Thanks,
Cyril

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of
xxxxx@yahoo.com
Sent: Wednesday, January 04, 2012 5:19 PM
To: Windows System Software Devs Interest List
Subject: RE:[ntdev] NDIS, What kind of driver to develop dilemma

First of all, if you are implementing a firewall on TCP/UDP, then using the
Windows Filtering Platform (WFP) is absolutely the way to go. There,
information like IP addresses is handed to you on a silver platter, and you
have access to process IDs, etc. that simply aren’t available at the NDIS
layers.

In addition, with WFP you can configure some filtering operations from the
comfort and safety of a user-mode application.

Use WFP in user-mode first and WFP in kernel-mode second, then implement
others (ARP, etc.) in a NDIS filter. You may end up with two drivers, but
will have a better more achievable solution.

In any case study how WFP implements adding and removing filters. The
methods used by Microsoft may help you design your own filter plug-in
scheme.

As far as kernel-mode “plug-ins” are concerned: These are usually a separate
driver per plug-in function.

These can be what is called an “export driver”, which is similar to a DLL
and is compiled/linked into your driver. The main advantage of an export
driver is modularity.

It is also possible to implement plug-in as a separate legacy driver or
“kernel service”. Here you have a problem of controlling communication
between drivers and when companion drivers are loaded. Here features like
the NDIS Network Module Registrar can be helpful.

I would suggest avoiding plug-ins if you are at the point of asking about
them. The concept will slow you down.

There is nothing wrong with doing some work in user mode if you understand
that doing so will affect throughput. In some cases (slower links) there may
be no measurable effect on performance.

Finally: Who needs another firewall? Unless this is an academic exercise it
is probably not worth much time.

Good luck!

Thomas F. Divine
http://www.pcausa.com


From:
Sent: Wednesday, January 04, 2012 6:49 AM
To: “Windows System Software Devs Interest List”
Subject: RE:[ntdev] NDIS, What kind of driver to develop dilemma

The sole purpose of a driver is to support apps.

(Directly or indirectly…).

Thomas F. Divine
http://www.pcausa.com


From: “Sagaya Cyril”
Sent: Wednesday, January 04, 2012 9:15 AM
To: “Windows System Software Devs Interest List”
Subject: RE: [ntdev] NDIS, What kind of driver to develop dilemma

Thanks Thomas, this is an academic/hobbyist exercise :)

I developed an NDIS protocol driver a while back, where I dissected the packets up to TCP (from which point I analysed the data and attempted to determine what application protocol it followed (HTTP etc.)).

I can do the same thing with an NDIS IM, right?

Yes. Probably much of your NDIS 5 protocol parsing code can be used in an NDIS
5 IM filter driver.

Somewhat easier even in an NDIS 6 lightweight filter (LWF) thanks to
NdisGetDataBuffer.

You must need a job (like others I know…). You have too much time on your
hands if you have time to invest in this project.

Good luck!

Thomas F. Divine
http://www.pcausa.com


From:
Sent: Wednesday, January 04, 2012 10:27 AM
To: “Windows System Software Devs Interest List”
Subject: RE:[ntdev] NDIS, What kind of driver to develop dilemma

There was once a company named Deterministic Networks that created this very thing, named the DNE (Deterministic Network Enhancer or some such). They got absorbed into Citrix. I have no idea if Citrix entertains new licenses for this toolkit. It was used by some widely deployed software packages, Cisco VPN being one of them. Beyond that one, I don’t know if any survive in the market above the level of a murmur.

Of course on NT6 this is called a ‘callout driver’ for the WFP.

From an architectural guidance stand-point, the WFP model is very informative. Your driver places inline to the datapath a set of ‘filters’ which test a set of conditions for true or false, the specific set of conditions being a property of the filter (rule). If the conditions evaluate to ‘true’, you call the ‘callout’ associated with the rule to ask it what it wants to do if it needs to further inspect the packet contents or you simply encode what to do into the filter (rule).

It is actually a very interesting exercise to implement a programmable filter.

The pipeline is pretty straightforward:

  1. Parse packet to extract the ‘values’ set to pass to the rules engine.
  2. Enumerate each filter and pass the filter and the set of ‘values’ to an evaluator which walks the conditions in the filter using the values extracted to arrive at ‘match’ or ‘no match’.
  3. If a ‘match’ do whatever action is stored in the filter (pass, drop, capture, call function, etc.).

As others have pointed out, you will of course be re-inventing something that has been built many times already but it is a great learning experience.

Good Luck,
Dave Cattley
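The pipeline Dave lays out, and the NdisGetDataBuffer point Thomas makes a few messages earlier, as an added example that is not part of the thread and not code from any of the posters. It is plain user-mode C so it can be run and stepped through: frames arrive as a chain of fragments, standing in for a NET_BUFFER whose MDLs may split a header, and get_data() mirrors the contract of NdisGetDataBuffer (a pointer into the buffer when the requested range is contiguous, otherwise a copy into caller-supplied storage) but is the example's own code, as are the field names, the rule format and the two constructed frames. The hookup to FilterReceiveNetBufferLists is not shown.

```c
#include <stdint.h>
#include <string.h>

typedef struct { const uint8_t *data; size_t len; } fragment;   /* one "MDL" of a frame */

/* Contiguous view of [offset, offset+len), modelled on NdisGetDataBuffer: a pointer into
 * the fragment when the range is contiguous, else a copy into storage; NULL if too short. */
static const uint8_t *get_data(const fragment *f, size_t nfrag, size_t offset,
                               size_t len, uint8_t *storage)
{
    size_t copied = 0;
    for (size_t i = 0; i < nfrag && copied < len; i++) {
        if (offset >= f[i].len) { offset -= f[i].len; continue; }
        if (copied == 0 && offset + len <= f[i].len) return f[i].data + offset;
        size_t n = f[i].len - offset;
        if (n > len - copied) n = len - copied;
        memcpy(storage + copied, f[i].data + offset, n);
        copied += n; offset = 0;
    }
    return copied == len ? storage : NULL;
}

/* Step 1 output: the fields a rule may test, with a "present" bit per field. */
enum { F_ETHERTYPE, F_IPPROTO, F_SRC_IP, F_DST_IP, F_SRC_PORT, F_DST_PORT, F_ARP_OP, F_COUNT };
typedef struct { uint32_t v[F_COUNT]; uint8_t present[F_COUNT]; } values;
static uint16_t be16(const uint8_t *p) { return (uint16_t)(p[0] << 8 | p[1]); }
static uint32_t be32(const uint8_t *p) { return (uint32_t)be16(p) << 16 | be16(p + 2); }
static void set(values *val, int f, uint32_t x) { val->v[f] = x; val->present[f] = 1; }

/* Step 1: Ethernet -> ARP, or Ethernet -> IPv4 -> TCP/UDP ports. Every header goes
 * through get_data(), so one split across fragments parses like any other. */
static values parse_frame(const fragment *f, size_t nfrag)
{
    values val = {{0}}; uint8_t scratch[28]; const uint8_t *h;
    if (!(h = get_data(f, nfrag, 0, 14, scratch))) return val;          /* runt frame */
    uint16_t type = be16(h + 12);
    set(&val, F_ETHERTYPE, type);
    if (type == 0x0806) {                                                /* ARP */
        if ((h = get_data(f, nfrag, 14, 28, scratch))) set(&val, F_ARP_OP, be16(h + 6));
    } else if (type == 0x0800) {                                         /* IPv4 */
        if (!(h = get_data(f, nfrag, 14, 20, scratch)) || (h[0] >> 4) != 4) return val;
        size_t ihl = (h[0] & 0x0f) * 4; uint8_t proto = h[9];
        int first_frag = (be16(h + 6) & 0x1fff) == 0;   /* ports exist only in the first IP fragment */
        set(&val, F_IPPROTO, proto); set(&val, F_SRC_IP, be32(h + 12)); set(&val, F_DST_IP, be32(h + 16));
        if ((proto == 6 || proto == 17) && ihl >= 20 && first_frag &&
            (h = get_data(f, nfrag, 14 + ihl, 4, scratch))) {
            set(&val, F_SRC_PORT, be16(h)); set(&val, F_DST_PORT, be16(h + 2));
        }
    }
    return val;
}

/* Steps 2 and 3: a rule is a list of equality conditions plus an action; the first
 * rule whose conditions all match decides, otherwise the default action applies. */
typedef enum { ACT_PASS, ACT_DROP } action;
typedef struct { int field; uint32_t value; } condition;
typedef struct { const condition *cond; size_t ncond; action act; const char *name; } rule;

static const rule *evaluate(const rule *rules, size_t nrules, const values *val)
{
    for (size_t r = 0; r < nrules; r++) {
        size_t c = 0;
        while (c < rules[r].ncond && val->present[rules[r].cond[c].field] &&
               val->v[rules[r].cond[c].field] == rules[r].cond[c].value) c++;
        if (c == rules[r].ncond) return &rules[r];
    }
    return NULL;
}

static action decide(const fragment *f, size_t nfrag)
{
    static const condition c_arp[] = { {F_ETHERTYPE, 0x0806}, {F_ARP_OP, 1} };
    static const condition c_tel[] = { {F_IPPROTO, 6}, {F_DST_PORT, 23} };
    static const condition c_web[] = { {F_IPPROTO, 6}, {F_DST_PORT, 80} };
    static const rule rules[] = { { c_arp, 2, ACT_PASS, "allow-arp-request" },
                                  { c_tel, 2, ACT_DROP, "block-telnet" }, { c_web, 2, ACT_PASS, "allow-web" } };
    values val = parse_frame(f, nfrag);
    const rule *hit = evaluate(rules, 3, &val);
    return hit ? hit->act : ACT_DROP;                                    /* default deny */
}

/* Constructed sample frames (not captured traffic): an ARP request and a TCP SYN. */
static const uint8_t arp_req[42] = {
    0xff,0xff,0xff,0xff,0xff,0xff, 0x00,0x11,0x22,0x33,0x44,0x55, 0x08,0x06,
    0x00,0x01, 0x08,0x00, 6, 4, 0x00,0x01,                       /* Ethernet/IPv4, op=request */
    0x00,0x11,0x22,0x33,0x44,0x55, 192,168,1,10, 0,0,0,0,0,0, 192,168,1,1 };
static const uint8_t tcp_syn[54] = {
    0x00,0x11,0x22,0x33,0x44,0x55, 0x66,0x77,0x88,0x99,0xaa,0xbb, 0x08,0x00,
    0x45,0x00, 0x00,0x28, 0x00,0x01, 0x40,0x00, 64, 6, 0x00,0x00,   /* IHL 5, DF, TTL 64, TCP */
    192,168,1,10, 93,184,216,34,
    0xc3,0x50, 0x00,0x50, 0,0,0,0, 0,0,0,0, 0x50,0x02, 0xff,0xff, 0,0, 0,0 };   /* 50000 -> 80, SYN */

static action decide_arp(void)  { fragment one = { arp_req, sizeof arp_req }; return decide(&one, 1); }
static action decide_runt(void) { fragment one = { tcp_syn, 10 }; return decide(&one, 1); }
/* The SYN delivered as two fragments that split the IPv4 header six bytes in. */
static action decide_web_split(void) { fragment two[] = { { tcp_syn, 20 }, { tcp_syn + 20, 34 } }; return decide(two, 2); }
static action decide_telnet(void)
{   uint8_t buf[54]; memcpy(buf, tcp_syn, 54); buf[36] = 0; buf[37] = 23;      /* rewrite dst port to 23 */
    fragment one = { buf, 54 }; return decide(&one, 1); }

int main(void) { return decide_arp() == ACT_PASS && decide_web_split() == ACT_PASS &&
                        decide_telnet() == ACT_DROP && decide_runt() == ACT_DROP ? 0 : 1; }
```

The default-deny fall-through, the runt-frame check and the refusal to read ports from a non-first IP fragment are the checks a filter at this layer needs before any rule fires; without the fragment-offset test, a rule on F_DST_PORT would match on payload bytes of a second fragment. The same condition-list-plus-action shape is what Dave describes for WFP filters and callouts, so a rule table of this form is what a user-mode management tool would hand down to the driver.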

Of course you are right. I hope that, because of my English,
I failed to convey the message properly.

Having separate binaries in the kernel is unnecessary overhead.
Better to have single binary.

Thanks,
Cyril
Program Manager,
SamCys Technologies,
3rd Floor, BALI Towers,
#1 Abdul Razack Street,
Saidapet, Chennai - 600 015
India

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Thomas F. Divine
Sent: Wednesday, January 04, 2012 8:39 PM
To: Windows System Software Devs Interest List
Subject: Re: [ntdev] NDIS, What kind of driver to develop dilemma