Filseclab Personal Firewall
Kernel Technology Introduction
It adopted two technologies of packets filter
- Application layer packets filter, adopt Winsock 2 SPI technology.
- Kernel Layer packets filter, adopt NDIS-HOOK technology.
Winsock 2 SPI technical characteristics
Winsock 2 SPI is working under the API and over Drivers. It belongs to Application layer. Utilize this
technology be able to capture and intercept network packets that based
on Socket communication. For example: Most application programs, such as
Internet Explorer, Outlook etc, are all to use Socket to carry on
communication. Its technological characteristics are:
The Windows Open System Architecture (WOSA)-compliant Windows Sockets 2 architecture is illustrated as
- Working on Application layer, it is a DLL, programming and debugging is very convenient.
- Good compatibility, needn't modify, it can be applied to multi Windows
platform directly, it supports Windows 95/98/ME/NT/2000/XP/2003, Windows
95 must be installed Winsock 2 for 95.
- High efficiency, because it is working on Application layer, the CPU occupancy is low.
- The network packets is very intact, because it has not been cut into slices according to the lower
protocol yet, this is very fit to do contents filter.
- Make the anti-porn software, it is unnecessary that differentiates programming according to the
different Web Browser, simple and safe.
- The network communication which does not use Socket is unable to intercept, for example:
The network neighborhood of used NetBios, and Ping of used ICMP
protocol, these network packets cannot be intercept.
- If installation order make mistakes is very easy to cause network paralyse.
If several software which use SPI technology are installed at the same time, and use the non-standard
installation way, there maybe have some SPI programs will be overleaped.
The XFILTER.DLL is a Transport Service Provider
Protocol Chains Architecture is illustrated as follows:
The XFILTER.DLL is a Base protocol
NDIS-HOOK technical characteristics:
NDIS is Network Driver Interface Specification, Windows uses the NDIS library to realize network
interface. All of the network communication must be passed through the NDIS interface finally.
The OSI reference model as following figure:
NDIS is working on Transport layer, Network layer and Data-link layer, it is a very lower interface layer.
The structure of NDIS as following figure:
NDIS supports the following types of programming interface of network drivers:
TDI filter drivers and protocol drivers usually be used to capture and filter network packets.
They are commonly used technology of firewall and VPN software. But
they all have some defects:
- TDI filter drivers
- Protocol drivers
- Intermediate drivers (IM drivers)
- Miniport drivers
TDI filter drivers belongs to Upper drivers, it works above of Tcpip.sys,
it means that Tcpip.sys
directly respondent packets cannot be captured by TDI filter drivers,
so it cannot filter some incoming packets as well. For example,
ICMP packets, when Tcpip.sys received a ICMP's request packet, it will
make a response packet itself and directly reply it, but the TDI filter
drivers above is entirely ignorant of.
Intermediate drivers function is stronger, but the programming interface has little intricacy
and the auto-installation is very complicated.
NDIS-HOOK has no the defect
above. The work principle of NDIS-HOOK is replacing the function address
of NDIS library with our function directly. so the request of NDIS will
be passed through our function at first, it is very simple like this,
our function dealt with and transmit for aboriginal NDIS function to be
NDIS-HOOK technology has the following characteristics:
Figure of before NDIS-HOOK is installed:
- Programming is convenient, the interface is simple, the train of thought is clear, performance is steady.
- More flexible, can only hook that one's own demand, does not need redundant code.
- Powerful, can hook all of NDIS and TDI function, and to finish all
function of them. Certainly it is much more powerful than the standard
way, and can also extend to hook all system function with this technology.
- The security is high, intercept and capture the network packets in
very low layer like this, that is difficult to be pierced through.
- Installation is very simple.
Figure of after NDIS-HOOK is installed:
Copyright © 2001-2004 FILSECLAB