Understanding the Windows Filtering Platform

The Windows Filtering Platform (WFP) is an architectural feature of Windows Vista and later versions that allows access to Transmission Control Protocol/Internet Protocol (TCP/IP) packets as they are being processed by the TCP/IP networking stack. WFP is the engine that implements packet-filtering logic, and it is accessible through a collection of public APIs which provide hooks into the networking stack and the underlying filtering logic upon which Windows Firewall is built. Independent Software Vendors (ISVs) can also use WFP to develop third-party firewalls, network diagnostic software, antivirus software, and other types of network applications. Using these APIs, a WFP-aware filtering application can access a packet anywhere in the processing path to view or modify its contents. Third-party vendors and network application developers should utilize the WFP APIs only for filtering applications or security applications.

As shown in Figure 26-1, the main features of the WFP are as follows:

■ Base Filter Engine The Base Filter Engine (BFE) runs in user mode and receives filtering requests made by Windows Firewall, third-party applications, and the legacy IPsec policy service. The BFE then plumbs the filters created by these requests into the Kernel Mode Generic Filter Engine. The BFE (Bfe.dll) runs within a generic SvcHost.exe process.

■ Generic Filter Engine The GFE receives the filters plumbed from the BFE and stores them so that the different layers of the TCP/IP stack can access them. As the stack processes a packet, each layer the packet encounters calls the GFE to determine whether the packet should be passed or dropped. The GFE also calls the various callout modules (defined next) to determine whether the packet should be passed or dropped. (Some callouts may perform an identical function, especially if multiple third-party firewalls are running concurrently.) The GFE (Wfp.lib) is part of the Kernel Mode Next Generation TCP/IP Stack (NetioTcpip.sys) first introduced in Windows Vista. The GFE is actually the Kernel Mode enforcement engine portion of the BFE and is not a separate feature.

■ Callout modules These features are used for performing deep inspection or data modification of packets being processed by the stack. Callout modules store additional filtering criteria that the GFE uses to determine whether a packet should be passed or dropped.
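To see what the BFE has actually plumbed into the GFE on a given machine, including which filters hand the decision to a callout module, the filter set can be exported with netsh and summarized per layer. This is an added example, not code from the original text; it assumes an elevated prompt, that netsh wfp writes its export as XML, and that the element names used below (wfpdiag/filters/item, layerKey, action/type, action/calloutKey, providerKey) match the export on your build.

```powershell
# Audit the filters the BFE has plumbed into the GFE: export them with
# netsh, then summarize per layer which actions and callouts are in effect.
# Element names below are an assumption about the filters.xml layout;
# adjust them if your build's export differs.
param([string]$OutFile = "$env:TEMP\wfp-filters.xml")

# netsh wfp writes the current filter set as XML (needs an elevated prompt).
& netsh.exe wfp show filters file="$OutFile" | Out-Null
if (-not (Test-Path $OutFile)) { throw "netsh did not write $OutFile" }

[xml]$doc = Get-Content -Path $OutFile -Raw
$items = @($doc.wfpdiag.filters.item)

# Flatten each filter into the fields a reviewer cares about.
$rows = foreach ($f in $items) {
    [pscustomobject]@{
        Layer    = $f.layerKey
        Name     = $f.displayData.name
        Provider = $f.providerKey
        Action   = $f.action.type
        Callout  = if ($f.action.calloutKey) { $f.action.calloutKey } else { '' }
    }
}

# Per-layer view: how many filters permit, block, or defer to a callout
# (the deep-inspection path described above).
$rows | Group-Object Layer | Sort-Object Count -Descending | ForEach-Object {
    $permit  = @($_.Group | Where-Object Action -eq 'FWP_ACTION_PERMIT').Count
    $block   = @($_.Group | Where-Object Action -eq 'FWP_ACTION_BLOCK').Count
    $callout = @($_.Group | Where-Object Action -like 'FWP_ACTION_CALLOUT_*').Count
    '{0,-45} total={1,4} permit={2,4} block={3,4} callout={4,4}' -f `
        $_.Name, $_.Count, $permit, $block, $callout
}

# Filters that defer to a callout: list them with their provider so that
# third-party inspection modules (ISV firewalls, AV) can be accounted for.
$rows | Where-Object Callout | Sort-Object Layer |
    Format-Table Layer, Name, Provider, Callout -AutoSize
```

Filters whose provider key is unknown to you, or callouts at layers where you expect none, are the entries worth checking against the installed security products.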

[Figure 26-1: The Windows Filtering Platform. User mode: Windows Firewall, ISV Apps, Legacy IPsec Policy Service, Local Policy and Settings Store. Kernel mode: Stream Layer (HTTP/Sockets), Transport Layer (TCP/UDP), Network Layer (IPv4/v6), IPsec Framer, TLI Layer.]
