Development history of project


Estimated development hours = 500, actual development hours = 7, actual start date 7/26/2004, estimated completion 12/31/2005, actual completion date ??/??/????, suspended date 8/4/2004



PcServ Net Security

7/26/2004 Initiated project from thought into development phase. Reason #1 is I'm not very happy with my firewall being too generic about intrusions, reason #2 Microsoft has not submitted the detail regarding blocking pop-up adds through IE.
 


GENERAL HIGHLIGHTS OF PRODUCT
*  One stop security program
*  Cookie monitor
*  For simple internet connection (residential)
*  Pop up add blocking
*  Monitor disk activity initiated from the net especially modification to files
*  Monitor possible damaging internet download files, review content
*  Monitor internet requests (firewall) and deny those without local security access
*  Supports Windows XP only
*  Free 2 month trial period to analyze software functionality, small purchase cost
*  Easy to use and understand


7/26/2004 Progress/periodic updates (hoping weekly once this project gets on a roll) to be updated here on this page.

7/29/2004 Up'd hours from 200 to 500 estimated hours, extended estimated completion date to 12/31/2005. The complexities of building a firewall are great with very little information available on the internet. No simple search uncovers open source of a functional firewall for Windows XP. Even browsing access to thousands of current technical book writings find no helpful beginning. This project will be quite a challenge. Expecting to learn MS security, UDP, TCP inside and out. My biggest roadblock seems to be how do I intercept incoming/outgoing traffic before the traffic hits the XP operating system? There are always answers as with anything else but this one might find me digging and struggling for some time.

7/29/2004 Course "Security with VB.NET"

7/30/2004 Finally got material downloaded this evening

8/1/2004 Completed Security with VB.NET

8/1/2004 Course .NET Framework

8/1/2004 Course ASP.NET Introduction

8/3/2004 Not sure how to begin this - maybe an interface would be a good start

8/4/2004 Researching developer work/logic located at http://www.codeproject.com/internet/drvfltip.asp Developer recommends this is not the best method to build a firewall. Search of Microsoft website for Filter Hook (technology used in codeproject) reveals the following:

Network Devices and Protocols: Windows DDK 

Filter Hook Example
The filter hook in this example is a simple filter hook that makes 
forward and drop decisions, based on certain packet properties. 
This example shows how the filter hook drops Transmission Control 
Protocol (TCP) packets and forwards packets from all other protocols. 

If packets with specific IP addresses or TCP/UDP port numbers must be 
filtered, consider creating a user-mode application that uses the Packet 
Filtering API instead. The Packet Filtering API optimizes the system-supplied 
IP filter driver to process packets without the overhead that is associated 
with a filter-hook driver. For more information about the Packet Filtering 
API, see the Microsoft Windows Platform SDK documentation. 

#define PROT_TCP   6

typedef struct IPHeader {
  UCHAR  iph_verlen;  // Version and length 
  UCHAR  iph_tos;  // Type of service 
  USHORT  iph_length;  // Total datagram length 
  USHORT  iph_id;  // Identification 
  USHORT  iph_offset;  // Flags, fragment offset 
  UCHAR  iph_ttl;  // Time to live 
  UCHAR  iph_protocol;  // Protocol 
  USHORT  iph_xsum;  // Header checksum 
  ULONG  iph_src;  // Source address 
  ULONG  iph_dest;  // Destination address 
} IPHeader; 

// Drop all TCP packets

PF_FORWARD_ACTION 
DropTcpPackets(
        unsigned char   *PacketHeader,
        unsigned char   *Packet,
        unsigned int    PacketLength,
        unsigned int    RecvInterfaceIndex,
        unsigned int    SendInterfaceIndex,
        IPAddr          RecvLinkNextHop,
        IPAddr          SendLinkNextHop
        )
{
    if (((IPHeader *)PacketHeader)->iph_protocol == PROT_TCP)
    {
        return PF_DROP;
    }
    return PF_FORWARD;
}


Built on Monday, June 14, 2004

8/4/2004 Of particular interest to me and this project are the two following sentences from the above Microsoft article:
If packets with specific IP addresses or TCP/UDP port numbers must be filtered, consider creating a user-mode application that uses the Packet Filtering API instead. The Packet Filtering API optimizes the system-supplied IP filter driver to process packets without the overhead that is associated with a filter-hook driver.

8/4/2004 Network devices and protocols: Windows DDK

8/4/2004 Don't mind this, these are my notes - NDIS Intermediate drivers
Windows security page
8/4/2004 I may terminate this project. Microsoft "IS" activating its ICF firewall in service pack 2. I will move this project to "Old projects page" and will now be a "Low priority". Upon release of updated ICF SP2 I will utilize the firewall and evaluate functionality. I suspect Microsoft will be sued by the firewall companies now because the software is pre-loaded in XP. I don't have much confidence with MS and security - look at the mess they have created today with needing anti-virus, pop up blockers, cookie blocks, firewalls!?!?!?!

8/29/2004 I have to say that Microsoft has impressed me with service pack 2, I'm certainly enjoying the pop up blocker. I'm not using and have not tried the Microsoft provided firewall - "GREAT JOB MS!"

Unless I get totally bored I won't be looking to start this project up again.

Internet Connection Firewall in SP2
ICF for SP2 will include a host of new features. This paper will discuss five 
of them that will have some impact on existing applications: 

On by default. Prior to SP2, Windows XP shipped with ICF disabled by default; 
users either needed to run a wizard or navigate through the Network 
Connections folder to enable ICF. By enabling ICF by default, the computer 
will be protected from many network based attacks. For example, if ICF had 
been enabled by default the recent Blaster attack would have been greatly 
reduced in impact, regardless of whether users were up to date with patches. 
This may have an impact on existing applications if the application does not 
work with stateful filtering by default. 

Boot time security. In earlier versions of Windows there is a window of time 
between when the network stack started and when ICF provided protection. 
Consequently, a packet could have been received and delivered to a service 
without ICF filtering it, potentially exposing the computer to 
vulnerabilities. In SP2, the firewall driver has a static rule called a boot-
time policy to perform stateful filtering. This will allow the computer to 
perform basic networking tasks such as DNS and DHCP and communicate with a 
Domain Controller to obtain policy. Once the firewall service is running, it 
will load and apply the run-time ICF policy and remove the boot-time filters. 
This change should increase system security without affecting applications. 

Application white list. Prior to SP2, applications needed to call the ICF APIs 
to enable the necessary listening ports to be open to send and receive 
messages. This proved difficult in peer-to-peer situations when the port was 
not known in advance. Further, it was up to the application to close the hole 
in the firewall, which could lead to unnecessary openings in the firewall 
should the application terminate unexpectedly. Additionally, these holes could 
only be opened by applications running in the security context of a local 
administrator. In SP2, an application that needs to listen to the network can 
be added to the Application White List. An application on the white list will 
have the necessary listening hole created automatically. By having an 
application on the white list, only necessary ports are opened, and they are 
only opened for the duration that the application is listening on it. This 
prevents an application from opening up a port it's not using and either 
deliberately or inadvertently exposing another application or service to 
network traffic from that port. Further, this also allows applications 
listening to the network to run as a regular user. Applications that work with 
stateful filtering do not need to be placed on the white list. Only 
administrators can add an application to the white list. 

RPC support. In earlier versions of Windows, ICF blocked RPC communication, 
causing functions such as file and print sharing and remote administration to 
fail. This was because the RPC process image filename was the same for many 
RPC servers (svchost.exe). SP2 enables granular control of which RPC services 
have the ability to traverse ICF. When opening a port, a caller may claim that 
the port is to be used for RPC. ICF will only accept this claim if the caller 
is running in the Local System, Network Service, or Local Service security 
contexts. ICF supports a profile level flag that enables RPC ports to be 
opened even if the caller is not on the Application White List: 
PrivilegedRpcServerPermission. By having granularity, administrators can 
control which RPC services are exposed to the network, limiting communication 
to only those who need it. 

"Shielded" mode. In the event a malicious application that finds and exploits 
a vulnerability in one of the listening Windows services is threatening users, 
SP2 introduces a setting to ICF, code-named "shielded" mode. This mode enables 
users to easily protect themselves by switching ICF to prevent all unsolicited 
inbound traffic until a patch is available, without having to reconfigure the 
firewall. When in this operation mode, the computer cannot listen for requests 
that originate from the network. Outgoing connections are the only connections 
that succeed. Any API call to open up a static hole will be allowed and the 
configuration stored, but it will not be applied until the ICF operational 
mode switches back to normal operation.

8/4/2004 I think that I've somehow stumbled across something that I probably should not have using 'packet filtering api' in Microsoft search. Visit WFP for more details. I believe the web page is for 3rd party vendors and the next generation of firewalls.
8/5/2004 I've started a Payroll application, this firewall project may or may not be started back up. As you can see in my above dialog this subject is very involved though I feel that my best efforts will be started when Microsoft releases WINFX.




Logic foundation


Thread all incoming and outgoing traffic through one security driver program. Test incoming rules and outgoing rules and determine access deny or permit. Log all traffic routed through the security driver. No traffic must travel outside the firewall application to ensure the safety of the protected computer.




A few personal thoughts


Documention within my own thoughts is best on a hard drive/local computer (not shared on the internet). This is something a little bit different in that I'd like to share this projects history on the internet... through all its difficulties (quite a few of them!) and successes (hoping there will be plenty). Feedback or helpful hints would be welcome. As I learn, I'm sure I'll post detail on another page dedicated to development of XP security. There is so little out there and its no wonder security through Windows is the way it is today - a mess.


Return to top of this page


To contact me (Author of this website and software), please E-mail me at:
jep1965@gmail.com

This page last updated July 6 2008








Hosted by www.Geocities.ws

1