The general concept
This section describes the general architecture of a personal firewall for Windows. A firewall does not have to be implemented exactly this way to be secure; this is simply the common design. A typical personal firewall is implemented as three or four separate components.
The kernel driver
The first part is the kernel driver. It has two main functions, so it is sometimes implemented as two components rather than one. The first function is packet filtering: at the NDIS level, the TDI level or both, the driver inspects every packet that arrives from the network or is sent to it. This is also known as inbound and outbound connection protection. Some personal firewalls do not implement inbound and outbound protection at all, but even those products have a kernel driver for their other tasks. The second function is called the sandbox. The most common way to implement a sandbox is with SSDT hooks and GDI (shadow SSDT) hooks: the firewall driver replaces some system functions with its own code, which inspects the request and either denies the call or passes the action on to the original system code. This method lets the firewall monitor all potentially dangerous actions of applications, such as attempts to open files, processes or registry entries, to change the firewall's settings, to answer its prompts automatically, and so on.
The second part is a user-mode process called the service. Services have specific functions and behaviour: they run under the privileges of the system account rather than under an ordinary user account, which lets them run independently of any user, even when nobody is logged on. The role of the service in a personal firewall is to provide communication between the main components. The service receives messages from the GUI and from the kernel driver and forwards them to the other side. For example, when the firewall is in learning mode, the driver code behind a hooked SSDT function may be unable to decide whether to allow or block an action because there is no rule for it in the database. In that case the user has to decide, so the driver sends a message to the GUI and receives the answer from it; this communication is usually carried by the service component. The firewall service is also sometimes used to ensure that the GUI is always available to the user.
Graphical user interface
The graphical user interface (GUI) is the part of the firewall the user works with. It implements the common administration of the firewall and the tray icon. Another important function of the GUI is to ask the user for a decision when the firewall is in learning mode.
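The learning-mode exchange between the three components described above, as an added Python simulation that is not the firewall's own code (the class names, the rule-key format and the sample requests are assumptions of this example). The driver hook answers from its rule table where it can, forwards an unknown request through the service to the GUI when learning mode is on, stores the user's answer as a new rule, and fails closed when learning mode is off or no GUI is available to answer.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Callable, Dict, List, Optional, Tuple


class Verdict(Enum):
    ALLOW = "allow"
    DENY = "deny"


@dataclass(frozen=True)
class Request:
    """One intercepted action (constructed sample data, not real events)."""
    process: str   # image name of the caller
    action: str    # e.g. "open_process", "write_file", "set_value", "connect"
    target: str    # object the caller wants to touch


RuleKey = Tuple[str, str, str]


class Gui:
    """Stands in for the GUI component: shows the prompt, returns the answer."""

    def __init__(self, ask_user: Callable[[Request], Verdict]):
        self.ask_user = ask_user

    def prompt(self, req: Request) -> Verdict:
        return self.ask_user(req)


class Service:
    """Stands in for the user-mode service: relays driver questions to the GUI."""

    def __init__(self, gui: Optional[Gui]):
        self.gui = gui
        self.forwarded: List[Request] = []

    def ask(self, req: Request) -> Optional[Verdict]:
        self.forwarded.append(req)
        if self.gui is None:            # GUI not running: nobody can answer
            return None
        return self.gui.prompt(req)


class DriverHook:
    """Models the decision taken inside a hooked system call."""

    def __init__(self, service: Service, learning: bool):
        self.rules: Dict[RuleKey, Verdict] = {}
        self.service = service
        self.learning = learning

    def decide(self, req: Request) -> Verdict:
        key = (req.process, req.action, req.target)
        if key in self.rules:               # a stored rule answers directly
            return self.rules[key]
        if not self.learning:               # enforcement mode: unknown => deny
            return Verdict.DENY
        answer = self.service.ask(req)      # driver -> service -> GUI -> user
        if answer is None:                  # no answer available: fail closed
            return Verdict.DENY
        self.rules[key] = answer            # remember the user's decision
        return answer


def run_scenario() -> Dict[str, str]:
    """Replay a few constructed requests and return the verdicts by name."""
    def user(req: Request) -> Verdict:
        # The simulated user allows the browser and denies everything else.
        return Verdict.ALLOW if req.process == "browser.exe" else Verdict.DENY

    service = Service(Gui(user))
    hook = DriverHook(service, learning=True)
    browser = Request("browser.exe", "connect", "tcp:443")
    dropper = Request("dropper.exe", "write_file", "C:\\Program Files\\Firewall\\fw.dll")

    results = {
        "browser_first": hook.decide(browser).value,   # asks the user
        "browser_again": hook.decide(browser).value,   # answered from the stored rule
        "dropper": hook.decide(dropper).value,
        "prompts_shown": str(len(service.forwarded)),  # one prompt per unknown request
    }
    headless = DriverHook(Service(gui=None), learning=True)
    results["no_gui"] = headless.decide(browser).value      # nobody to ask: deny
    strict = DriverHook(service, learning=False)
    results["enforcement"] = strict.decide(browser).value   # no rule, no prompt: deny
    return results


if __name__ == "__main__":
    for name, verdict in run_scenario().items():
        print(f"{name}: {verdict}")
```

The two fail-closed branches are the security-relevant part: a driver that cannot reach the GUI, or that runs without learning mode, must deny rather than wave the action through, otherwise killing the GUI would be enough to disable the sandbox.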
Self-defence is rule number one for all security products, not only personal firewalls. No matter how perfect its other functions are, a firewall that cannot protect itself makes no sense. If malicious code can stop, disable or destroy the personal firewall, that is equivalent to having no personal firewall at all. Every firewall must protect its own processes, files, registry entries, drivers, services and other system resources and objects.
Component verification is closely related to the self-defence mentioned above. Firewall programs are usually complex and often consist of more than one module or component. In that case a few core modules are executed by the operating system, and at startup or later during operation these modules load the firewall's other modules; we say that those modules are loaded dynamically. The integrity of every dynamically loaded module must be verified, which means the integrity check has to be performed by one of the core modules.
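Component verification as an added Python example; this is not the firewall's own code, and every file name, path and the embedded key are constructed for the example. The core module keeps a manifest of module hashes authenticated with an HMAC and refuses to load any module whose hash does not match or whose manifest does not verify. The scenario runs over constructed files in a temporary directory and shows why the manifest itself must be authenticated, not just the modules.

```python
import hashlib
import hmac
import json
import os
import tempfile
from typing import Dict

# Key held by the core module that performs the checks. It stands in for the
# signing key of a real product (see the note below). Constructed value.
CORE_KEY = b"constructed-demo-key-do-not-use"


def sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def _manifest_mac(entries: Dict[str, str], key: bytes) -> str:
    # Canonical encoding so the MAC does not depend on dict ordering.
    data = json.dumps(entries, sort_keys=True).encode()
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def build_manifest(module_paths: Dict[str, str], key: bytes) -> Dict:
    """Record the hash of every dynamically loaded module and MAC the list."""
    entries = {name: sha256_file(path) for name, path in module_paths.items()}
    return {"modules": entries, "mac": _manifest_mac(entries, key)}


def verify_module(name: str, path: str, manifest: Dict, key: bytes) -> bool:
    """True only if the manifest is intact and the module on disk matches it.

    The manifest is checked first: if the list of hashes could be rewritten,
    a hash-only check would accept whatever file the list now describes.
    """
    expected_mac = _manifest_mac(manifest["modules"], key)
    if not hmac.compare_digest(expected_mac, manifest["mac"]):
        return False                      # manifest altered or not ours
    expected = manifest["modules"].get(name)
    if expected is None:
        return False                      # unknown module: refuse to load it
    return hmac.compare_digest(expected, sha256_file(path))


def run_scenario() -> Dict[str, bool]:
    """Build two constructed modules, then replay the tampering cases."""
    with tempfile.TemporaryDirectory() as d:
        paths = {"fwnet.dll": os.path.join(d, "fwnet.dll"),
                 "fwgui.dll": os.path.join(d, "fwgui.dll")}
        for name, p in paths.items():
            with open(p, "wb") as f:
                f.write(b"constructed module body: " + name.encode())
        manifest = build_manifest(paths, CORE_KEY)
        results = {"clean": verify_module("fwnet.dll", paths["fwnet.dll"], manifest, CORE_KEY)}

        # Case 1: the module file on disk is modified (component tampering).
        with open(paths["fwnet.dll"], "ab") as f:
            f.write(b" appended bytes")
        results["tampered_module"] = verify_module("fwnet.dll", paths["fwnet.dll"], manifest, CORE_KEY)

        # Case 2: the manifest hash is rewritten to match the modified file.
        forged = {"modules": dict(manifest["modules"]), "mac": manifest["mac"]}
        forged["modules"]["fwnet.dll"] = sha256_file(paths["fwnet.dll"])
        results["forged_manifest"] = verify_module("fwnet.dll", paths["fwnet.dll"], forged, CORE_KEY)

        # Case 3: a module the core module does not know about.
        results["unknown_module"] = verify_module("evil.dll", paths["fwgui.dll"], manifest, CORE_KEY)
        return results
```

The HMAC stands in for the digital signature a shipping product would use; with a real signature the core module carries only the public key. Either way the root of trust is the integrity of the core module that holds the key and performs the check, which is exactly why the self-defence requirements above apply to it.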
Inbound and outbound protection
A good personal firewall provides both inbound and outbound protection. Inbound protection means that packets sent to your computer, from the Internet or from the local network, are filtered so that only the ports you intend to open are reachable. This protection is standard and is very good and reliable in almost all firewalls. Outbound protection, on the other hand, causes problems for every vendor today. Outbound protection means that only permitted applications can access the Internet or the LAN. This is not as easy as it seems. Imagine you want to browse the Internet with your browser but do not want other applications to do so. The problem is that it is not enough to look at which application sent a packet, because a modern operating system lets programs communicate with each other: an application without Internet access can launch the browser and use it to communicate. The personal firewall therefore has to protect all privileged applications from abuse by malicious programs, which means limiting what other programs may do to them. But even that is not enough. The personal firewall must protect itself: malicious applications must not be able to turn it off or change its rules, so it must also protect the relevant system resources. There are many problems here, and we are still talking about just one feature, outbound protection.
Each privileged process must be protected against several malicious actions. First, no malicious application may be able to terminate the process. Second, it must not be able to modify the process's code or data. Third, it must not be able to run any code in the context of the privileged process, which includes DLL injection.
File and component protection
File protection is closely related to process protection. If malicious code can replace the file of a privileged application, that is equivalent to changing the application's code at runtime. There are two ways to implement file protection. The first (active protection) is to prevent write and delete access to the files of privileged applications. Because this can be hard to implement in a firewall, many programmers choose the second option, module integrity checking (component protection). In this case the firewall lets malicious code corrupt or replace a file of a privileged application, but when that application is about to load its modules they are checked, and execution is halted or the user is warned. File protection is also required on all file systems, not just the one the firewall is installed on.
Windows trusts its drivers. This means that any code running as a driver is treated as trusted and is therefore allowed to execute privileged processor instructions and has potential access to all system resources. This is why a piece of security software such as a personal firewall must be implemented as a system driver. It is also why the loading of new drivers must be controlled and the drivers already loaded must be protected: malware must not be able to install a driver or modify one that is already loaded.
Since part of the firewall is usually implemented as a system service, protection of system services is also required. But it is not only the firewall's own components that must be protected. Installing a new service is an easy way for malware to survive in the system, because system services can be configured to run every time the system boots. In addition, a malicious service is more dangerous because it runs even when no user is logged on. Creating, deleting and controlling system services are therefore actions that must be protected.
On Windows the registry contains a lot of important information. The location of system components can be changed through the registry, and editing the wrong registry objects can easily lead to system instability or a system that fails to boot. There are many registry keys and values that must be protected from modification by malicious applications.
Protection of other system resources
There are other objects and system resources in the operating system as well. Some of them are dangerous if they fall under the control of a malicious program. One such object is the well-known \Device\PhysicalMemory, which can be used to gain control over the system if it is not protected. The firewall must protect every object that malicious programs could abuse.
Parent process control
We already know that privileged processes must be protected. Perhaps the simplest way to implement process protection is to control the opening of processes and threads. However, when process protection is implemented this way, control of the parent process is also important. Every process in the system is created by some other process, its parent. When the parent creates a child process it always receives two new handles: one to the process object and one to its initial thread. The process handle has full access, so the parent can control its child completely. That is why the firewall should limit these handles for privileged child processes. Moreover, parent-process control is needed even when the firewall does not implement process protection by controlling the opening of processes and threads. Some privileged processes can be used to perform an action with their privileges if they are executed with certain command-line arguments, and many firewalls do not distinguish between a privileged process being started by another privileged process and by an unprivileged one. Creation should therefore be limited so that only applications that have been selected beforehand are able to create a privileged child process at all.
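Process protection and parent-process control, as an added Python model that is not the firewall's own driver code. The access-right constants are the real Windows values; the grouping of rights under the three requirements above (terminate, modify code or data, run code in the process's context), the allow list, the function names, the selected-parent list and the sample requests are assumptions of this example. It shows the mask a hook on process open or creation would grant: an unprivileged caller opening a protected process keeps only query rights, and a privileged child may be created only by a selected parent, which still receives a cut-down initial handle.

```python
from typing import Dict, List, Tuple

# Process access rights as defined in the Windows SDK (real values).
PROCESS_TERMINATE = 0x0001
PROCESS_CREATE_THREAD = 0x0002
PROCESS_VM_OPERATION = 0x0008
PROCESS_VM_READ = 0x0010
PROCESS_VM_WRITE = 0x0020
PROCESS_DUP_HANDLE = 0x0040
PROCESS_CREATE_PROCESS = 0x0080
PROCESS_SET_QUOTA = 0x0100
PROCESS_SET_INFORMATION = 0x0200
PROCESS_QUERY_INFORMATION = 0x0400
PROCESS_SUSPEND_RESUME = 0x0800
PROCESS_QUERY_LIMITED_INFORMATION = 0x1000
DELETE = 0x00010000
READ_CONTROL = 0x00020000
WRITE_DAC = 0x00040000
WRITE_OWNER = 0x00080000
SYNCHRONIZE = 0x00100000
STANDARD_RIGHTS_REQUIRED = 0x000F0000
PROCESS_ALL_ACCESS = STANDARD_RIGHTS_REQUIRED | SYNCHRONIZE | 0xFFFF

# The three requirements from the text mapped to right bits. The grouping is
# an assumption of this example; the meaning of each bit is Windows'.
TERMINATE_RIGHTS = PROCESS_TERMINATE | DELETE
MODIFY_RIGHTS = (PROCESS_VM_OPERATION | PROCESS_VM_WRITE | PROCESS_SET_INFORMATION
                 | PROCESS_SET_QUOTA | WRITE_DAC | WRITE_OWNER)
INJECT_RIGHTS = (PROCESS_CREATE_THREAD | PROCESS_SUSPEND_RESUME | PROCESS_DUP_HANDLE
                 | PROCESS_CREATE_PROCESS)

# What an unprivileged opener may keep on a protected process. An allow list,
# so any right not named here (including ones a later Windows version adds)
# is dropped rather than granted by default. PROCESS_VM_READ is left out as a
# conservative choice: it exposes the protected process's memory.
HARMLESS_RIGHTS = (PROCESS_QUERY_INFORMATION | PROCESS_QUERY_LIMITED_INFORMATION
                   | READ_CONTROL | SYNCHRONIZE)


def violations(desired: int) -> List[str]:
    """Name the requirements an access mask would break if it were granted."""
    out = []
    if desired & TERMINATE_RIGHTS:
        out.append("terminate")
    if desired & MODIFY_RIGHTS:
        out.append("modify")
    if desired & INJECT_RIGHTS:
        out.append("inject")
    return out


def mediate_open(opener_privileged: bool, target_privileged: bool, desired: int) -> int:
    """Mask the hook grants for an open-process request.

    Privileged components may open anything; everyone else keeps only the
    harmless subset on a protected process. 0 means the open is refused.
    """
    if opener_privileged or not target_privileged:
        return desired
    return desired & HARMLESS_RIGHTS


def mediate_create(parent: str, child_privileged: bool, selected_parents: set) -> Tuple[bool, int]:
    """Whether `parent` may create the child, and the rights its initial handle keeps."""
    if not child_privileged:
        return True, PROCESS_ALL_ACCESS      # ordinary child: left untouched
    if parent.lower() not in selected_parents:
        return False, 0                      # only selected parents may start a privileged process
    return True, PROCESS_ALL_ACCESS & HARMLESS_RIGHTS   # allowed, but the handle is cut down


def run_scenario() -> Dict[str, object]:
    """Constructed requests against a protected firewall process."""
    selected = {"explorer.exe", "fwservice.exe"}   # assumption: configured in the firewall
    inject = PROCESS_CREATE_THREAD | PROCESS_VM_WRITE | PROCESS_VM_OPERATION
    return {
        "dropper_all_access": hex(mediate_open(False, True, PROCESS_ALL_ACCESS)),
        "dropper_inject": mediate_open(False, True, inject),
        "dropper_inject_breaks": violations(inject),
        "fwgui_opens_fwservice": mediate_open(True, True, PROCESS_ALL_ACCESS) == PROCESS_ALL_ACCESS,
        "explorer_starts_fwgui": mediate_create("explorer.exe", True, selected),
        "dropper_starts_fwgui": mediate_create("dropper.exe", True, selected),
    }
```

Using an allow list rather than stripping a deny list is the important design choice: a deny list silently grants any right the product's authors did not think of, while the allow list keeps the fail-closed behaviour the self-defence requirements call for.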
Control of automatically started programs
The firewall must protect the places in the operating system that malicious programs can use to persist after a reboot. If we let users run new, unknown applications, there is no way to prevent the execution of malicious applications, and users often download and install or run new applications. The firewall can limit what a malicious application does so that it cannot damage the system. However, a malicious application that remains in the system can cause damage later, once a security bug is found. That is why the firewall should control the applications that run automatically, for example after every system start or user logon.
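Autostart control as described here, together with the service-creation control from the section on system services above, as an added Python example that is not the firewall's own code. The registry keys and the startup folder are real, well-known autostart locations, but the list is deliberately partial; the event-line format, the privileged flag and the sample events are constructed for the example. The mediator lets trusted applications write to these locations, blocks unknown ones, and ignores reads.

```python
import re
from typing import Dict, List, Tuple

# Well-known autostart locations (real Windows paths; a partial list for the
# example, a product keeps a much longer one). A path is protected if it is
# one of these keys/folders or lies beneath one of them.
PROTECTED_REGISTRY = (
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce",
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce",
    r"HKLM\SYSTEM\CurrentControlSet\Services",
    r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon",
    r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs",
)
PROTECTED_FOLDERS = (
    r"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp",
)
# Operations that change a location; reads are not interesting here.
WRITE_OPS = {"set_value", "delete_value", "create_key", "delete_key",
             "create_file", "write_file", "rename_file"}

# Constructed event format: one intercepted operation per line.
EVENT_RE = re.compile(
    r"^(?P<ts>\S+) image=(?P<image>\S+) priv=(?P<priv>[01]) op=(?P<op>\S+) path=(?P<path>.+)$"
)


def parse_event(line: str) -> Dict[str, str]:
    m = EVENT_RE.match(line.strip())
    if not m:
        raise ValueError(f"malformed event: {line!r}")
    return m.groupdict()


def is_autostart_path(path: str) -> bool:
    """Case-insensitive match of a protected location or anything beneath it."""
    p = path.lower().rstrip("\\")
    for prefix in PROTECTED_REGISTRY + PROTECTED_FOLDERS:
        q = prefix.lower()
        if p == q or p.startswith(q + "\\"):   # "...\Run" must not match "...\Runtime"
            return True
    return False


def mediate(event: Dict[str, str]) -> str:
    """Verdict for one intercepted operation: 'allow' or 'block'."""
    if event["op"] not in WRITE_OPS:
        return "allow"                      # reading a key changes nothing
    if not is_autostart_path(event["path"]):
        return "allow"                      # not an autostart location
    if event["priv"] == "1":
        return "allow"                      # a known, trusted application
    return "block"                          # unknown application trying to persist


SAMPLE_EVENTS = [  # constructed sample log lines, not real telemetry
    r"2024-05-01T10:00:01Z image=installer.exe priv=1 op=set_value path=HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater",
    r"2024-05-01T10:00:02Z image=dropper.exe priv=0 op=set_value path=HKCU\Software\Microsoft\Windows\CurrentVersion\Run\svchosts",
    r"2024-05-01T10:00:03Z image=dropper.exe priv=0 op=create_key path=HKLM\SYSTEM\CurrentControlSet\Services\fakesvc",
    r"2024-05-01T10:00:04Z image=notepad.exe priv=0 op=set_value path=HKCU\Software\Microsoft\Notepad\lfFaceName",
    r"2024-05-01T10:00:05Z image=dropper.exe priv=0 op=query_value path=HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"2024-05-01T10:00:06Z image=dropper.exe priv=0 op=create_file path=C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\update.lnk",
    r"2024-05-01T10:00:07Z image=dropper.exe priv=0 op=set_value path=HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell",
]


def run_scenario(lines: List[str] = SAMPLE_EVENTS) -> List[Tuple[str, str, str]]:
    """Return (image, op, verdict) for each event line."""
    out = []
    for line in lines:
        ev = parse_event(line)
        out.append((ev["image"], ev["op"], mediate(ev)))
    return out
```

In a product running in learning mode the "block" branch would become a prompt to the user, as in the learning-mode flow described earlier; the decision logic is the same either way.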
Spyware such as keyloggers and packet sniffers are dangerous applications because they are built to steal sensitive user data, most notably passwords. But passwords are not the only target of these applications: documents with personal information, private correspondence and business-sensitive data should also be protected. The firewall has to protect sensitive data not only once it is stored in files but also while it is being created or transferred. Keyloggers capture every key the user presses and then assemble the information letter by letter. Sniffers wait for messages to be transmitted over one of the network interfaces and make copies of what is sent. There are many ways for a spying program to collect sensitive data, and the firewall must guard against all of them.
Protection of system resources
Every system has limited resources. A Windows workstation can handle some thousands of objects, which is enough for any normal user operation. However, if a malicious program creates thousands of threads, the system becomes unusable; this is a denial of service (DoS). The firewall should prevent unprivileged applications from causing a DoS: there should be limits on the number of threads, open files, memory and other system resources that unprivileged applications may use.
No Ring3 hooks
Ring3 (user-mode) hooking is a method that can be used to implement a personal firewall or parts of it. However, Ring3 hooks may be used only for special functions and never for security-critical ones. Protection based on Ring3 hooks can easily be bypassed by malicious applications, so Ring3 hooks must not be used to restrict the behaviour of unknown applications. They can, very rarely, be used to change or control the behaviour of privileged applications, whose protection is not weakened by Ring3 hooks.