What Is a Personal Firewall?
In computing, a firewall is a device that helps ensure information security: it allows or restricts the transmission of data according to a set of rules. A firewall may be a piece of dedicated hardware or a set of software running on general-purpose hardware. A personal firewall is a technology that protects the information on an individual computer from outside attack. It can monitor, and block, unauthorized data entering the system from the Internet or other networks, and unauthorized data leaving it.
- Chinese name: Personal firewall
- Foreign name: Personal FireWall
- Attributes: Network equipment
Personal firewall introduction
- A personal firewall [1] (Personal FireWall), as the name implies, is a protective measure for an individual's machine. It requires no dedicated network equipment: the software is simply installed on the PC the user works on. Because a network administrator can configure and manage it remotely, end users need not pay any special attention to the firewall while they work, which makes it well suited to small businesses and individuals.
- A personal firewall separates the user's computer from the public network. It inspects every packet that reaches it, whether inbound or outbound, and decides whether to intercept the packet or let it pass. It is a safe and effective measure for protecting a personal computer that is connected to the Internet.
- Common personal firewalls in China include Skynet Firewall Personal Edition, Rising Personal Firewall, 360 Trojan Horse Firewall, Fair Personal Firewall, Jiangmin Hacker Firewall, and Jinshan Net Logo; well-known products from abroad include Norton and Network ICE.
Advantages and disadvantages of personal firewall
- Advantages: low cost, no additional hardware required, and the ability to resist attacks that originate inside the local network as well as outside it.
- Disadvantages: a personal firewall has only the one physical interface that the host itself uses for the public network, so there is no separate perimeter; and because the firewall software runs on the very machine it protects, it may itself be attacked or disabled by malicious code on that machine.
Personal firewall development background
- The emergence of the Internet and its rapid development have brought modern people's production and life
- As the earliest and most widely used network security product, the firewall has long been favored by users and by many R&D institutions. A firewall protects a network system well: it monitors the traffic flowing through it and enforces protection, for example by forbidding outbound communication on specific ports to stop Trojans, or by forbidding access from particular sites to cut off all communication with an intruder. From the point of view of application, firewalls can be divided broadly into network-level firewalls and personal firewalls. Individual users' need for network security keeps growing, and Windows is the most widely used PC operating system, so how to build a personal firewall on Windows becomes ever more important.
- A personal firewall is software that sits between a computer and the network it is connected to; all communication between the computer and the network passes through it. Well-known personal firewalls on Windows include ZoneAlarm, Norton Personal Firewall and Sygate Personal Firewall from abroad, and Skynet Firewall from China.
- A personal firewall has many advantages: it can protect a single system on a public network; it needs no additional hardware to raise the protection of the system; it can resist attacks from outside and also attacks from inside the local network; and it is relatively cheap. For a home user who reaches the Internet over a modem, ISDN or ADSL line in particular, a hardware firewall is too expensive or too cumbersome (it requires tedious configuration), and a personal firewall is enough to hide the information the user exposes on the network and to provide adequate protection.
Personal firewall type
- A personal firewall is usually software with packet filtering functions running on an ordinary computer, such as ZoneAlarm or the firewall built into Windows from XP SP2 onward. A dedicated firewall is usually built as a network appliance or as a computer with two or more network interfaces. Classified by the layer of the TCP/IP stack at which they operate, firewalls are mainly divided into network-layer firewalls and application-layer firewalls, although some operate at both layers at once.
Personal firewall network layer firewall
- A network-layer firewall can be regarded as an IP packet filter operating on the lower layers of the TCP/IP protocol stack. One approach is an allow-list: enumerate the packets that are permitted and let only packets matching one of those rules through; everything else is dropped. The rules can usually be defined or modified by the administrator, although some firewall devices apply only built-in rules.
- Rules can also be formulated from the opposite, looser angle: a set of "negative rules" that describe what to drop, where any packet matching none of them is released. Most operating systems and network devices have built-in firewall functions of this kind.
- Newer firewalls can filter on many attributes of a packet: source IP address, source port, destination IP address or port, service type (such as WWW or FTP), transport protocol, TTL value, source domain name or network segment, and so on.
Personal firewall application layer firewall
- An application-layer firewall operates at the application layer of the TCP/IP stack.
- By monitoring every packet and recognizing irregular attributes in the application data, such a firewall can stop the rapid spread of computer worms and Trojan horses. In practice, however, this approach is tedious and complicated (because of the enormous variety of application software), so most firewalls are not designed this way.
- XML firewall is a new type of application layer firewall.
Personal firewall proxy service
- A proxy device (which may be dedicated hardware or just software on an ordinary computer) can respond to incoming packets, such as connection requests, in the way an application would, while blocking other packets, achieving a firewall-like effect.
- A proxy makes it harder to tamper with an internal system from the outside network, and with a well-configured proxy even a compromised internal system does not necessarily turn into a security hole. Conversely, an intruder may hijack a publicly accessible system and use it as a proxy for their own purposes; to other internal machines that proxy then appears to be the hijacked system. And although using internal (private) address space strengthens security, an attacker may still use techniques such as IP spoofing to try to inject packets into the network.
- Firewalls often also provide Network Address Translation (NAT): the hosts protected behind the firewall share the so-called "private address space" defined in RFC 1918.
- Configuring a firewall correctly takes skill and judgment. It requires the administrator to understand network protocols and computer security in depth; a small mistake can render the firewall useless as a security tool.
Personal firewall products
- Personal firewall products such as Norton from the well-known Symantec company, BlackICE Defender from Network ICE, McAfee's personal firewall, and the free ZoneAlarm from Zone Labs can help you monitor and manage your system and prevent Trojan horses, spyware and other malicious programs from entering your computer over the network, or spreading outward from it without your knowledge.
Personal firewall theory background
- 3.1 Windows 2000 components
- In the Windows 2000 operating system environment, some components run in user mode
- 3.2 Types of drivers in Windows 2000
- 1) The Windows 2000 operating system has two basic driver types.
- A. User-mode drivers, such as the virtual device drivers (VDDs) for MS-DOS applications, or drivers for another protected subsystem; user-mode drivers are tied to the details of their subsystem.
- B. Kernel-mode drivers for logical, virtual or physical devices.
- Kernel-mode drivers run as part of the Windows NT executive. Windows NT is a basic, microkernel-based operating system that supports one or more protected subsystems. Some Windows 2000 kernel-mode drivers are also WDM drivers, that is, they conform to the Windows Driver Model; every WDM driver is a PnP driver and supports power management.
- There are three basic types of kernel-mode driver. Each has a slightly different structure and quite different functionality.
- a. Highest-level drivers, such as the FAT, NTFS and CDFS file system drivers (FSDs) supplied with the system. A highest-level driver always depends on support from lower-level drivers: a file system driver may be served by one or more intermediate drivers, but ultimately it relies on one or more lowest-level device drivers.
- b. Intermediate drivers, such as virtual disk, mirror, or device-type-specific class drivers.
- c. Lowest-level drivers, such as the PnP hardware bus drivers that control an I/O bus and the peripheral devices attached to it. A lowest-level driver depends on no driver beneath it; it controls the physical peripheral directly.
- 3.3 Network Structure of Kernel-Mode Drivers
- Microsoft's Windows 2000 supports three basic kinds of kernel-mode network driver.
- 1) Miniport NIC driver. A miniport driver directly controls a network interface card (NIC) and provides an interface to higher-level drivers.
- 2) Intermediate driver. An intermediate protocol driver connects an upper-level protocol, such as a legacy transport driver, to a miniport. A common reason for writing one is to translate between a legacy transport driver and a miniport that controls a NIC for a new type of medium the transport driver does not understand.
- 3) Protocol driver. An upper-level protocol driver provides services to network users. It implements the TDI interface, or possibly an interface intended for a particular higher-level application. At its lower edge it provides a protocol interface for sending packets to, and receiving packets from, the lower-level driver.
Personal firewall main functions
- The main functions of a personal firewall are network packet processing, security rules, and logging.
Personal firewall network packet processing
- On the Internet, all information exchanged is divided into
- The packet header includes the IP source address, IP destination address, encapsulated protocol (TCP, UDP, ICMP, or IP tunnel), TCP/UDP destination port, ICMP message type, the interfaces the packet arrived on and leaves by, and other information. The personal firewall inspects the header of every packet passing through it and filters packets according to the security rules the user has set. If the firewall marks an IP address as dangerous, all traffic from that address is blocked. The core technology of a personal firewall, then, is intercepting network packets under the Windows operating system.
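The two rule styles described under "network layer firewall" above (an allow-list with a default of block, and "negative rules" with a default of allow) and the per-packet header check just described, as an added example in C that is not part of the original article or of any product it names. It works on header fields already extracted from a packet; the host addresses, the port numbers, the "dangerous" address 203.0.113.7 and both rule tables are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stddef.h>

/* Header fields the filter inspects, already extracted from a packet.
 * IPv4 addresses are in host byte order; dst_port is 0 for protocols
 * without ports (ICMP). */
typedef struct {
    uint32_t src_ip, dst_ip;
    uint8_t  proto;            /* 1 = ICMP, 6 = TCP, 17 = UDP */
    uint16_t dst_port;
    int      outbound;         /* 1 = leaving this host, 0 = arriving */
} pkt_t;

typedef enum { ACT_BLOCK = 0, ACT_ALLOW = 1 } action_t;
typedef enum { POLICY_ALLOW_LIST = 0, POLICY_DENY_LIST = 1 } policy_t;

#define ANY_PROTO 0
#define ANY_PORT  0
#define DIR_IN    0
#define DIR_OUT   1
#define DIR_ANY  -1
#define HOST_ANY  0u, 0u                 /* address, mask: matches every host */
#define HOST(a)   (a), 0xFFFFFFFFu       /* exactly one host */
#define BAD_HOST  0xCB007107u            /* 203.0.113.7, constructed "dangerous" address */

/* One rule: a packet matches when every non-wildcard field matches.
 * Masks let a rule cover a whole segment (10.0.0.0/8 -> mask 0xFF000000). */
typedef struct {
    uint32_t src_ip, src_mask, dst_ip, dst_mask;
    uint8_t  proto;
    uint16_t dst_port;
    int      dir;
    action_t action;
} rule_t;

/* Policy A, allow-list: default BLOCK, only the enumerated traffic passes.
 * The dangerous host is cut off first so no later ALLOW can reach it. */
static const rule_t allow_list[] = {
    { HOST(BAD_HOST), HOST_ANY, ANY_PROTO, ANY_PORT, DIR_ANY, ACT_BLOCK },
    { HOST_ANY, HOST(BAD_HOST), ANY_PROTO, ANY_PORT, DIR_ANY, ACT_BLOCK },
    { HOST_ANY, HOST_ANY, 6,  80,  DIR_OUT, ACT_ALLOW },   /* outbound HTTP  */
    { HOST_ANY, HOST_ANY, 6,  443, DIR_OUT, ACT_ALLOW },   /* outbound HTTPS */
    { HOST_ANY, HOST_ANY, 17, 53,  DIR_OUT, ACT_ALLOW },   /* outbound DNS   */
};

/* Policy B, deny-list ("negative rules"): default ALLOW, only listed traffic
 * is dropped. Anything the author forgot to list gets through. */
static const rule_t deny_list[] = {
    { HOST(BAD_HOST), HOST_ANY, ANY_PROTO, ANY_PORT, DIR_ANY, ACT_BLOCK },
    { HOST_ANY, HOST(BAD_HOST), ANY_PROTO, ANY_PORT, DIR_ANY, ACT_BLOCK },
    { HOST_ANY, HOST_ANY, 6, 139, DIR_IN, ACT_BLOCK },     /* inbound NetBIOS */
    { HOST_ANY, HOST_ANY, 6, 445, DIR_IN, ACT_BLOCK },     /* inbound SMB     */
};

uint32_t ip4(unsigned a, unsigned b, unsigned c, unsigned d)
{
    return (a << 24) | (b << 16) | (c << 8) | d;
}

static int rule_matches(const rule_t *r, const pkt_t *p)
{
    if (r->dir != DIR_ANY && r->dir != p->outbound) return 0;
    if (r->proto != ANY_PROTO && r->proto != p->proto) return 0;
    if ((p->src_ip & r->src_mask) != (r->src_ip & r->src_mask)) return 0;
    if ((p->dst_ip & r->dst_mask) != (r->dst_ip & r->dst_mask)) return 0;
    if (r->dst_port != ANY_PORT && r->dst_port != p->dst_port) return 0;
    return 1;
}

/* First matching rule wins; the default applies when no rule matches. */
static action_t run_rules(const rule_t *rules, size_t n, action_t dflt, const pkt_t *p)
{
    for (size_t i = 0; i < n; i++)
        if (rule_matches(&rules[i], p)) return rules[i].action;
    return dflt;
}

action_t decide(policy_t pol, const pkt_t *p)
{
    if (pol == POLICY_ALLOW_LIST)
        return run_rules(allow_list, sizeof allow_list / sizeof *allow_list, ACT_BLOCK, p);
    return run_rules(deny_list, sizeof deny_list / sizeof *deny_list, ACT_ALLOW, p);
}

/* Flat-argument form of decide(), convenient for one-line checks. */
action_t decide_pkt(policy_t pol, uint32_t src, uint32_t dst,
                    uint8_t proto, uint16_t dport, int outbound)
{
    pkt_t p = { src, dst, proto, dport, outbound };
    return decide(pol, &p);
}

int main(void)
{
    /* Constructed sample packets as seen by a host at 192.168.1.10. */
    const uint32_t me = ip4(192, 168, 1, 10), web = ip4(198, 51, 100, 20), lan = ip4(192, 168, 1, 5);
    struct { const char *what; pkt_t p; } s[] = {
        { "outbound HTTPS to 198.51.100.20",    { me, web, 6, 443, DIR_OUT } },
        { "outbound HTTPS to dangerous host",   { me, BAD_HOST, 6, 443, DIR_OUT } },
        { "inbound SMB from 192.168.1.5",       { lan, me, 6, 445, DIR_IN } },
        { "inbound TCP/8080 from 192.168.1.5",  { lan, me, 6, 8080, DIR_IN } },
    };
    for (size_t i = 0; i < sizeof s / sizeof *s; i++)
        printf("%-36s allow-list:%s  deny-list:%s\n", s[i].what,
               decide(POLICY_ALLOW_LIST, &s[i].p) ? "ALLOW" : "BLOCK",
               decide(POLICY_DENY_LIST,  &s[i].p) ? "ALLOW" : "BLOCK");
    return 0;
}
```

The fourth sample packet is the point of the comparison: an unsolicited inbound connection to port 8080 is blocked by the allow-list policy but passes the deny-list policy, because nobody wrote a negative rule for it. The dangerous-host rules come first in both tables because evaluation is first-match; placing them after the ALLOW rules would silently reopen the host.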
Personal firewall security rule settings
- The firewall's security rules specify how the computer's LAN and Internet protocols are to be treated, so that the packet-processing module can handle each packet according to those settings and bring the system to its best security state. Personal firewall software has two kinds of security rules. The first is predefined rules: security rules packaged into several schemes, typically low, medium and high, so that a user who does not understand network protocols can still choose a scheme that suits their needs. The second is user-defined rules: a user who does understand the protocols sets rules for particular protocols according to their own security requirements.
Personal firewall log
- The log is an essential function of every firewall. It records every event the firewall observes: the source of the intruder, the protocol, the port, the time, and so on. Implementing the log is relatively simple; the monitored event information is just written to a file.
Personal firewall data type
- Packets can be intercepted in user mode or in kernel mode.
- 1) User-mode.
- There are three ways to intercept network packets in user mode: a Winsock Layered Service Provider (LSP), the Windows 2000 packet filtering interface, and replacing the WINSOCK dynamic link library that ships with the system. In user mode
- 2) Kernel-mode.
- a) TDI Filter Driver. When an application wants to send or receive network packets, it does so through the interface provided by the protocol driver, which exposes a set of system-defined standard interfaces for interacting with applications. Intercepting those interfaces with a filter driver is therefore enough to intercept network packets. Under Windows 2000/NT, IP, TCP and UDP are implemented in one driver, tcpip.sys, which creates five devices: \Device\RawIp, \Device\Udp, \Device\Tcp, \Device\Ip and \Device\MULTICAST. All of an application's network operations go through these devices, so a filter driver that sits on top of them sees every packet. Interception at the TDI layer also yields detailed information about the process that is operating on the packets, which is another important function of a personal firewall.
- The TDI approach has a defect, however. A TDI filter driver is an upper driver, located above tcpip.sys, so packets that tcpip.sys handles itself are never passed up and cannot be filtered; ICMP is the example: ICMP echo replies are generated by tcpip.sys directly, and a filter driver above it knows nothing about them. The method also requires writing a driver in the kernel, which demands deep familiarity with how the Windows kernel works and very high code quality, since a small mistake crashes the system.
- b) Windows 2000 Filter-Hook Driver. This is a mechanism the system provides from Windows 2000 onward: the driver registers a filter callback with Ipfiltdrv.sys, which then calls it to intercept packets. A filter-hook driver is very simple in structure and easy to implement, but precisely because it is so simple and depends on Ipfiltdrv.sys, Microsoft does not recommend it.
- c) NDIS Hook Driver. This technique relies on undocumented internals of Windows 2000/XP, so it is strongly platform-dependent: the program must detect the operating system version and use a different method for each.
- d) NDIS Intermediate Driver. NDIS (Network Driver Interface Specification) is the network driver interface specification developed by Microsoft and 3Com. It supports three kinds of network driver: miniport drivers, intermediate drivers, and protocol drivers. The intermediate driver sits between the protocol driver and the miniport driver. It is very powerful and can provide many services: it can intercept every network packet (every Ethernet frame), filter what the miniport driver sends and receives, implement a particular protocol, or perform other functions such as packet encryption and authentication. In short, intercepting packets in an NDIS intermediate driver has a standard structure and powerful functions, and the technique is extremely well suited to personal firewalls.
- Internal Structure of the NDIS Intermediate Driver
- NDIS supports three kinds of driver: miniport drivers, intermediate drivers and protocol drivers.
- 1) Miniport driver. This is the network card driver. It manages the NIC, including sending and receiving data through the card, and it provides an interface to the driver above it.
- 2) Intermediate driver. It usually sits between the miniport driver and the transport protocol driver, that is, between the link layer and the network layer. Because it occupies the middle position in the driver stack, it must communicate both with the protocol above and with the miniports below, and it exports functions toward each. Although the intermediate driver exports MiniportXxx functions, it does not really manage a physical NIC; instead it exports one or more virtual adapters to which the upper-level protocol can bind. To the protocol driver, a virtual adapter exported by the intermediate driver looks like a physical NIC: when the protocol sends packets or requests to the virtual adapter, the intermediate driver propagates them down to the underlying miniport driver, and when the underlying miniport indicates a received packet or a status change upward, the intermediate driver passes it up to the protocol driver bound to the virtual adapter. The main job of the intermediate driver is to filter packets, and its advantage is that it can intercept all of them.
- 3) Protocol driver, that is, the network protocol. It is the highest layer in NDIS and is usually the lowest driver of a transport protocol stack. The transport protocol driver allocates packets, copies data from the sending application into them, and sends them to the underlying driver by calling NDIS functions. It also provides a protocol interface for receiving packets from the lower-level driver and passes received packets up to the corresponding client application. At its lower edge it interacts with intermediate or miniport drivers: it calls NdisXxx functions to send packets, to read and set information maintained by the lower drivers, and to use operating-system services. The protocol driver must also export a set of entry points that NDIS calls to indicate packet reception, the status of the lower driver, or communication with other protocol drivers.
- Workflow inside the intermediate driver
- 1) How the intermediate driver manages packets
- An intermediate driver receives from the higher-level driver a packet descriptor to be sent over the network; the descriptor is associated with one or more chained data buffers. The intermediate driver may repackage the data under a new packet descriptor, or pass the packet straight down to the lower-level driver. If the driver's lower edge is connectionless, it does so by calling NdisSend or NdisSendPackets; if its lower edge is connection-oriented, by calling NdisCoSendPackets. The intermediate driver may also modify the contents of the chained buffers, or reorder or retime the incoming packets relative to its other sends. But even if the intermediate driver merely passes packets from the upper layer to the lower, for example only counting them, it must allocate its own packet descriptors and manage some or all of the new packet structure.
- Every intermediate driver must allocate its own packet descriptors rather than reuse the higher-level driver's. If it converts a packet from one format to another it must also allocate buffer descriptors to map the buffers it allocated for the copied data. Any out-of-band (OOB) data associated with the original packet descriptor can be copied into the new OOB block of the descriptor the intermediate driver allocated: obtain a pointer to the OOB area with the NDIS_OOB_DATA_FROM_PACKET macro, then call NdisMoveMemory to move its contents into the OOB area of the new descriptor. Alternatively, the driver can use the NDIS_GET_PACKET_XXX and NDIS_SET_PACKET_XXX macros to read the relevant items from the old descriptor's OOB area and write them into the new one's.
- Packet descriptors are allocated by calling the following NDIS functions:
- a) NdisAllocatePacketPool or NdisAllocatePacketPoolEx, to allocate and initialize a non-paged pool of fixed-size packet descriptors (the size is specified by the caller).
- b) NdisAllocatePacket, to allocate a packet descriptor from the pool created by NdisAllocatePacketPool(Ex). Depending on its purpose, the intermediate driver may repackage the buffers chained to an incoming packet descriptor. For example, it may allocate a buffer pool and repackage incoming data in these cases: if it receives from the higher-level protocol driver a single buffer larger than the underlying medium can send in one frame, it must split the incoming buffer into smaller buffers that satisfy the lower layer's transmit limits; or it may change the length of an incoming packet by compressing or encrypting the data before handing the send down to the lower-level driver. The buffers needed for this are allocated with the following NDIS functions:
- NdisAllocateBufferPool, which returns a handle used for allocating buffer descriptors;
- NdisAllocateMemory or NdisAllocateMemoryWithTag, which allocate the buffers themselves;
- c) NdisAllocateBuffer, to allocate and initialize a buffer descriptor that maps a buffer obtained from NdisAllocateMemory(WithTag); the buffer descriptor is then chained to the packet descriptor obtained from NdisAllocatePacket by calling NdisChainBufferAtBack or NdisChainBufferAtFront. The virtual address and length returned by NdisAllocateMemory(WithTag) are passed to NdisAllocateBuffer to initialize the buffer descriptor it maps. Packet descriptors for typical needs can be allocated when the driver initializes, or in the ProtocolBindAdapter function. Where necessary, or for performance, the developer of an intermediate driver can allocate during initialization a number of packet descriptors and buffer-descriptor-mapped buffers, so that resources are already available for copying incoming data indicated to ProtocolReceive (and then up to the higher-level driver), and descriptors and buffers are ready for MiniportSend or MiniportSendPackets to pass outgoing packets to the adjacent lower-level driver. If the intermediate driver copies received or transmitted data into one or more buffers and the actual data in the last buffer is shorter than that buffer, it calls NdisAdjustBufferLength to set the buffer descriptor to the real data length; when the packet is returned to the intermediate driver, the function is called again to restore the length to the full buffer size.
- 2) Workflow at the lower edge of a connectionless intermediate driver
- The ProtocolReceivePacket function receives incoming data from the lower-level NIC driver as a complete packet, specified by a packet descriptor of type NDIS_PACKET. The lower driver may instead indicate incoming data to the ProtocolReceive function, in which case the data is copied into a packet supplied by the intermediate driver. An intermediate driver whose lower edge is connection-oriented always receives data from the lower NIC driver as complete packets, through its ProtocolCoReceivePacket function.
- The intermediate driver may keep ownership of a received packet in the following circumstances: when a complete packet is indicated to the ProtocolReceivePacket function of a driver whose lower edge is connectionless, or to the ProtocolCoReceivePacket function of a driver whose lower edge is connection-oriented, and the Status member of the packet's NDIS_PACKET_OOB_DATA is set to any value other than NDIS_STATUS_RESOURCES. In those cases the intermediate driver may retain the packet descriptor and the resources it describes until it has processed the received data, and then call NdisReturnPackets to return them to the lower-level driver. If ProtocolReceivePacket passes the resources it received on to the higher-level driver, then at least the incoming packet descriptor should be replaced by one the intermediate driver allocated. Depending on the driver's purpose there are several possible packet-management strategies when complete packets arrive from the lower driver, for example: copy the buffer contents into buffers the intermediate driver allocated, which are mapped and chained to a new packet descriptor, return the incoming packet descriptor to the lower driver, and then indicate the new packet to the higher-level driver; or allocate a new packet descriptor, chain the buffers of the indicated packet to it, and indicate the new descriptor to the higher-level driver. In the latter case, when the higher-level driver returns the packet descriptor, the intermediate driver must unchain the buffers from it, chain them back to the packet descriptor originally received from the lower driver, and finally return that original descriptor and the resources it describes to the lower driver.
- Even when a connectionless intermediate driver supports ProtocolReceivePacket, it also provides a ProtocolReceive function. When the lower driver does not release ownership of the resources indicated by the packet descriptor, NDIS calls ProtocolReceive instead, and the intermediate driver must then copy the received data into its own buffers. For a connection-oriented lower edge, when the lower driver does not release ownership, the Status member of the packet's NDIS_PACKET_OOB_DATA is set to NDIS_STATUS_RESOURCES, and the driver's ProtocolCoReceivePacket function must copy the received data into its own buffers.
- 5) How the intermediate driver filters packets
- The NDIS intermediate driver acts as an interface within NDIS: it forwards packets sent down by the upper-level driver to the lower-level driver, and when it receives a packet from the lower-level driver it calls NdisMXxxIndicateReceive or NdisMIndicateReceivePacket to indicate the packet to the layer above. The intermediate driver opens and binds to the lower-level NIC or NDIS driver by calling NDIS. It provides MiniportSetInformation and MiniportQueryInformation functions to handle set and query requests from the higher-level driver; in some cases these requests are passed on to the lower NDIS driver, by calling NdisRequest if the lower edge is connectionless or NdisCoRequest if it is connection-oriented. The intermediate driver sends packets to the lower NDIS driver by calling the functions NDIS provides: a driver with a connectionless lower edge must call NdisSend or NdisSendPackets to send a packet or an array of packets, and one with a connection-oriented lower edge must call NdisCoSendPackets to send an array of packets. If the intermediate driver sits on a non-NDIS NIC driver, the send interface is opaque to NDIS once the intermediate driver's MiniportSend or Miniport(Co)SendPackets function has been called. NDIS provides a set of NdisXxx functions and macros that hide low-level operating-system details; for example, the intermediate driver can call NdisMInitializeTimer to create a timer and NdisInitializeListHead to create a linked list. Using only NDIS functions improves the driver's portability across Microsoft operating systems that support the Win32 interface.
- In the design of a firewall, the core part is the filtering of packets.
- Other functions are built on packet filtering; intrusion detection and email scanning, for example, both rest on it. Packet filtering is mainly the analysis of packet headers. On Ethernet, the captured datagram has roughly the following structure. The Ethernet frame header is 14 bytes, occupying elements 0 to 13 of the PUCHAR array: the first six bytes are the destination MAC address, the next six the source MAC address, and the final two the protocol type (EtherType). The usual types are 0x0800 for IP, 0x0806 for ARP and 0x8035 for RARP, so the protocol can be determined from elements 12 and 13 of the array, and the filtering rules are built on this basis. To filter a specific protocol, one only has to read the bytes at the corresponding offsets and check whether they match the rule. Real filtering rules are of course much more complicated, such as filtering a specified port at a specified IP address.
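The frame layout described above, as an added example in C that is not part of the original article: it reads the EtherType from bytes 12 and 13, then the IPv4 protocol, addresses and TCP/UDP ports, validating every offset against the frame length before reading it. The sample frames (a TCP SYN to port 445, an ARP request, a non-first UDP fragment, and the SYN frame cut short) and their addresses are constructed here for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define ETH_HLEN       14
#define ETHERTYPE_IP   0x0800
#define ETHERTYPE_ARP  0x0806
#define ETHERTYPE_RARP 0x8035

/* What a packet filter pulls out of one frame. Zero fields mean "not present". */
typedef struct {
    uint16_t ethertype;
    uint8_t  ip_proto;             /* 1 = ICMP, 6 = TCP, 17 = UDP; 0 if not IPv4 */
    uint32_t src_ip, dst_ip;       /* host byte order */
    uint16_t src_port, dst_port;   /* 0 unless a TCP/UDP header is present */
} parsed_t;

static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

/* Returns 0 on success or a negative code for a truncated or malformed frame.
 * Every offset is validated against len before it is read: a filter that trusts
 * the length fields of an attacker-supplied packet becomes the attack surface. */
int parse_frame(const uint8_t *f, size_t len, parsed_t *out)
{
    memset(out, 0, sizeof *out);
    if (len < ETH_HLEN) return -1;                 /* no complete Ethernet header */
    out->ethertype = be16(f + 12);                 /* elements 12 and 13 */
    if (out->ethertype != ETHERTYPE_IP) return 0;  /* ARP, RARP, ...: no IP header to parse */

    const uint8_t *ip = f + ETH_HLEN;
    size_t avail = len - ETH_HLEN;
    if (avail < 20) return -2;                     /* minimum IPv4 header */
    if ((ip[0] >> 4) != 4) return -3;              /* not IPv4 */
    size_t ihl = (size_t)(ip[0] & 0x0F) * 4;       /* header length incl. options */
    if (ihl < 20 || ihl > avail) return -4;
    uint16_t total = be16(ip + 2);
    if (total < ihl || total > avail) return -5;   /* total length lies about the frame */

    out->ip_proto = ip[9];
    out->src_ip   = be32(ip + 12);
    out->dst_ip   = be32(ip + 16);

    /* Only the first fragment carries the transport header. Later fragments have
     * no ports at all; a filter that assumed they did would be fooled by the
     * classic tiny-fragment trick, so leave the ports zero and let the rule
     * engine treat "no port" as its own case. */
    if ((be16(ip + 6) & 0x1FFF) != 0) return 0;

    size_t l4len = total - ihl;
    if (out->ip_proto == 6 && l4len >= 20) {         /* TCP header is at least 20 bytes */
        out->src_port = be16(ip + ihl);
        out->dst_port = be16(ip + ihl + 2);
    } else if (out->ip_proto == 17 && l4len >= 8) {  /* UDP header is 8 bytes */
        out->src_port = be16(ip + ihl);
        out->dst_port = be16(ip + ihl + 2);
    } else if (out->ip_proto == 6 || out->ip_proto == 17) {
        return -6;                                   /* transport header truncated */
    }
    return 0;
}

/* Constructed sample frames (checksums left zero; the filter does not verify them). */
static const uint8_t SAMPLE_TCP_SYN[] = {
    0x00,0x11,0x22,0x33,0x44,0x55, 0x66,0x77,0x88,0x99,0xaa,0xbb, 0x08,0x00, /* Ethernet, type IP */
    0x45,0x00,0x00,0x28, 0x00,0x01,0x40,0x00, 0x40,0x06,0x00,0x00,           /* IPv4, len 40, TCP */
    0xc0,0xa8,0x01,0x0a, 0xcb,0x00,0x71,0x07,                                 /* 192.168.1.10 -> 203.0.113.7 */
    0xc0,0x00, 0x01,0xbd, 0x00,0x00,0x00,0x01, 0x00,0x00,0x00,0x00,           /* 49152 -> 445, seq, ack */
    0x50,0x02, 0xff,0xff, 0x00,0x00, 0x00,0x00,                               /* hdr len 5, SYN, window */
};
static const uint8_t SAMPLE_ARP[] = {
    0xff,0xff,0xff,0xff,0xff,0xff, 0x66,0x77,0x88,0x99,0xaa,0xbb, 0x08,0x06, /* Ethernet, type ARP */
    0x00,0x01, 0x08,0x00, 0x06,0x04, 0x00,0x01,                               /* ARP request */
    0x66,0x77,0x88,0x99,0xaa,0xbb, 0xc0,0xa8,0x01,0x0a,
    0x00,0x00,0x00,0x00,0x00,0x00, 0xc0,0xa8,0x01,0x01,
};
static const uint8_t SAMPLE_UDP_FRAG[] = {
    0x00,0x11,0x22,0x33,0x44,0x55, 0x66,0x77,0x88,0x99,0xaa,0xbb, 0x08,0x00,
    0x45,0x00,0x00,0x1c, 0x00,0x02,0x00,0x01, 0x40,0x11,0x00,0x00,           /* frag offset 1, UDP */
    0xcb,0x00,0x71,0x07, 0xc0,0xa8,0x01,0x0a,
    0x01,0x02,0x03,0x04,0x05,0x06,0x07,0x08,                                  /* payload, no UDP header */
};

typedef struct { const char *name; const uint8_t *data; size_t len; } sample_t;
static const sample_t SAMPLES[] = {
    { "TCP SYN to 445",     SAMPLE_TCP_SYN,  sizeof SAMPLE_TCP_SYN },
    { "ARP request",        SAMPLE_ARP,      sizeof SAMPLE_ARP },
    { "UDP non-first frag", SAMPLE_UDP_FRAG, sizeof SAMPLE_UDP_FRAG },
    { "TCP SYN cut short",  SAMPLE_TCP_SYN,  34 },  /* IP says 40 bytes, only 20 present */
};

int      sample_status(int i) { parsed_t p; return parse_frame(SAMPLES[i].data, SAMPLES[i].len, &p); }
parsed_t sample_fields(int i) { parsed_t p; parse_frame(SAMPLES[i].data, SAMPLES[i].len, &p); return p; }

int main(void)
{
    for (int i = 0; i < 4; i++) {
        parsed_t p = sample_fields(i);
        printf("%-20s status=%d type=0x%04x proto=%u dport=%u\n", SAMPLES[i].name,
               sample_status(i), (unsigned)p.ethertype, (unsigned)p.ip_proto, (unsigned)p.dst_port);
    }
    return 0;
}
```

The truncated sample is the case that matters most for a kernel-resident filter: its IP total-length field claims 40 bytes while only 20 are in the buffer, and a parser that read the TCP ports on the strength of that field would read past the end of the frame. The fragment sample shows why a rule such as "block inbound port 445" cannot be evaluated on a non-first fragment; the rule engine has to decide separately what to do with port-less IP packets.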
Personal firewall development focus
- (1) A full understanding of how Windows works, both the kernel part and the user part.
- (2) Familiarity with the DDK and a full understanding of how network drivers operate.
- (3) An understanding of how a firewall works.
Personal firewall supplement
- A personal firewall should be a product for everyone, and ordinary users cannot be expected to understand how Windows works internally.
- Therefore the popularity and ease of use of personal firewalls should be emphasized.
- The emphases and difficulties listed above concern only developers.