WFP high level overview

NDIS is a kernel driver that is used to perform TCP/IP filtering and inspection, it works on packets and stream level and is able to modify, inject and drop packets.

WFP was built by Microsoft to replace all existing network control technology.

When to use WFP?

WFP can be used from Vista SP2 and above, and it’s the only redirection method available on Windows8 and Windows2012 to intercept Modern UI app (formerly known as Metro).

When not to use WFP?

NDIS is driver based so it’s an advantage and a disadvantage, it depends on the needs of your software and your programming capabilities.

Komodia’s solution

In Komodia’s Redirector can save you time if you plan to develop an interception component for workstations, save you atleast one year of development time.

WFP detailed information

What is WFP?

WFP is an acronym for Windows Filtering Platform which is a new architecture available in Microsoft Windows Vista and Windows Server 2008. The purpose of Windows Filtering Platform is to enable different ISVs or Independent Software Vendors to modify or filter TCI/IP packets. Moreover, it also enables them to filter RPCs or Remote Procedure Calls, IPsec (Internet Protocol Security) protected traffic and network connections. WFP or windows filtering protocol also allows these softwares to monitor the above mentioned activities as well. The advantage of modifying, monitoring and filtering TCP/IP packets is that it provides an opportunity to have a unprecedented access to the processing path of the TCI/IP packet. In this way, it is possible to modify or examine all incoming and outgoing packets well before any type of processing occurs. This gives a security advantage as it gives the access to the TCP/IP processing paths during different layers. Moreover, it also becomes possible to create better firewalls, diagnostic services or antivirus applications.

Windows Filtering Platform also provides APIs with allows participation in various windows filtering decisions that may occur at different layers of the TCP/IP protocol suite/stack. WFP also gives support to the next-generation firewalls features, like dynamic firewall configuration or windows authenticated communication. Such features make use of the Windows Socket API.

One point to remember here is that WFP should not be confused with a firewall; it isn’t. In technical terms, WFP is a set of various windows system services APIs (user mode and kernel mode) that provides an opportunity to build firewalls or other network connection monitoring softwares; giving them better performance and less development complexities.. A working example is the Windows Firewall that you use in Microsoft Windows Vista; it uses WFP; same is the case with the windows firewall in Windows Server 2008.

Benefits of WFP

There are various benefits being offered by Windows Filtering Platform. Some of them are mentioned above in the introductory part and some more are mentioned below:

  • Windows Filtering Platform or WFP minimizes the risk of your software components getting affected because of any future SP (service pack) release.
  • Windows Filtering Platform allows packet processing after the Internet Protocol Security (IPSec) decryption. Without WFP, it is not possible to do packet processing after the IPSec decryption; hence it adds a level of security.
  • If you want your component to examine and monitor the TCP/IP traffic at any level or layer of the TCP/IP stack, then you must consider using Windows Filtering Platform.
  • WFP makes it very easy to implement a packet filtering solution or a firewall application because WFP injects the filtering logic into various TCP/IP stack layers.
  • As mentioned earlier, one of the great benefits of WFP or Windows Filtering Platform is that it gives a good level of control over the processing path of TCP/IP packets. These controls were not there in Windows XP or Windows Server 2003. The filtering methods in Windows XP or Windows Server 2003 offered very limited access to the processing path of the TCP/IP packets.
  • With the help of WFP, it becomes easier to develop various filtering applications or solutions and it allows these solutions to co-exist with already installed filtering solutions (based on WFP); this is because all of the WFP based filtering solutions strictly follows WFP arbitration rules.
  • If you are developing a component, WFP allows you to move it from the kernel mode into the user-mode (depending upon the processing or the filtering needs). This gives two advantages; first, it makes the development easier and second, if a crash occurs in user-mode component, it won’t affect the whole system.

WFP architecture

the WFP architecture consists of:

  • Win32 API: It is one of the most important components of the WFP components. Win32 API contains Windows Filtering Platform APIs. The WFP filtering APIs allows the 3rd Party firewalls or other solutions to use it in order to develop their own filters within the BFE (Base Filtering Engine). These 3rd party filters can a complete set of filtering conditions, which are pre-defined, at any layer within the main KERNEL MODE filtering engine. Examples of WFP applications include IPsec Policy Agent service; it is available in Windows Vista as well as in Windows Server 2008. .
  • BFE (Base Filtering Engine): One of the features and an advantage of using TDI is that it offers flexible addressing scheme. Unlike NetBIOS, TDI has a special and extensible mechanism which can be used to order to support, use and identify various addressing formats. TDI doesn’t require any particular format for addressing. NetBIOS has a mandatory addressing requirement; for instance the 16-character NetBIOS name.
  • Kernel Mode Filtering Engine: This is a kernel-mode component and its major purpose is to store all those filters that are created by various filtering applications using the BFE or the Base Filtering Engine. These filters interact with various filtering layers of the TCP/IP stack. Moreover, these filters also interact with the callout drivers as well. Whenever any packet is being processed through TCP/IP stack, every layer of the TCP/IP stack access the Kernel Mode Filtering Engine. As a result, the Kernel-Mode Filtering Engine then checks or scans all the configured filters in order to determine whether the packet, in process, should be dropped, permitted or should be handed over to the callout drivers for further packet inspection or alteration.
  • Callout Drivers: The callout drivers are used when initial filtering of the packets is not enough to determine whether they should be dropped, permitted or modified. The initial filtering or simple packet filtering is done by checking packets against a defined set of WFP filtering conditions. Callout drivers are used for further deeper inspection of the packets because callout inspects the packets beyond the already defined WFP conditions. Deeper inspection can be done through antivirus software which checks the data at the application layer to ensure that there are no viruses, Trojans or worms in the data. Based upon the results of the inspection, data can be modified like in case of NAT or the network address translation where the router makes changes in the fields of an IPv4 packet. Both Windows Vista and Windows Server 2008 includes Callout Drivers.