Common approach
This section describes the common design of a personal firewall for Windows. A firewall does not have to be implemented in exactly this way to satisfy the requirements described below; this is simply the usual structure. A common personal firewall is implemented as three or four separate components.
Kernel Driver
The first part is the kernel driver. It has two main functions, and therefore it is sometimes implemented as two components rather than one. The first function is packet filtering. Usually at the NDIS level, the TDI level or both, this driver checks every packet that arrives from the network or goes out to the network. This is also known as inbound and outbound connection protection. Some personal firewalls do not implement inbound or outbound connection protection at all; however, these products still have the kernel driver for its second function. The second function is called the sandbox. The most common sandbox implementations are SSDT hooks and GDI (shadow SSDT) hooks. The firewall driver replaces system functions with its own code, which checks the rights of the caller and either allows the requested action or denies it without passing execution to the original code. These methods let the firewall control all potentially dangerous actions, such as opening files, processes or registry keys, changing the firewall settings, automatically answering its own prompts, and so on.
System Service
There are specific user-mode processes called system services. These processes have a defined function and behaviour in the system. They run under an account with system privileges rather than under the account of the logged-on user. This makes it possible for services to run independently of users, and they run even when no user is logged in. The role of the service in a personal firewall is usually to provide communication between the main components: the service receives messages from the GUI and from the kernel driver and relays them to each other. For example, when the firewall is in learning mode, the driver's SSDT hook code is not always able to decide whether to allow or deny an action, because there is no matching rule for that action in the database. In this case the user has to decide. This requires sending a message to the GUI to show a dialog and to get the answer from the user; this notification is usually implemented by the service component. The firewall service is also sometimes used to ensure that the GUI is always available to users.
Graphical User Interface
The graphical user interface (GUI) is the part of the firewall the user sees. It is usually represented by a tray icon through which the firewall's management is accessible. Another important function of the GUI is to ask the user for decisions about actions when the firewall is in learning mode.
Self protection
This is rule number one for all security products, not only for personal firewalls. However perfect its other functions are, a firewall that is not able to protect itself is useless. If a malicious program is able to turn off, disable or destroy the personal firewall, the result is equivalent to having no personal firewall at all. All parts of the firewall must be protected: its processes, files, registry entries, drivers, services and other system resources and objects.
Revision of individual components
The revision of individual components is closely related to the self protection described above. Firewalls are typically complex programs and are often implemented in more than one module or component. In this case there are some essential modules that are executed by the operating system, during startup or later while the system is running, and these modules in turn load the other modules of the firewall. We say that those modules are loaded dynamically. It is necessary to verify the integrity of all dynamically loaded modules. This means that an integrity check is one of the most important features that must be implemented.
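The integrity check described above, modelled as an added example (not code from the original page or from any firewall product): a trusted manifest of module hashes is compared against the images that are actually on disk before the firewall loads them. The module names and image bytes are constructed for the example.

```python
import hashlib

# Constructed sample: the firewall's trusted manifest of module name -> SHA-256
# of the module's on-disk image. In a real product the manifest would be
# signed and shipped with the firewall; here the hashes are computed from
# constructed byte strings so that the example runs offline.
TRUSTED_MODULES = {
    "fwcore.dll": b"MZ\x90\x00 constructed core module image v1",
    "fwgui.dll":  b"MZ\x90\x00 constructed gui module image v1",
}
MANIFEST = {name: hashlib.sha256(img).hexdigest()
            for name, img in TRUSTED_MODULES.items()}


def verify_modules(manifest, loaded):
    """Compare every module the firewall is about to load against the manifest.

    `loaded` maps module name -> bytes of the image actually found on disk.
    Returns a dict name -> "ok" | "tampered" | "unknown", plus "missing" for
    manifest entries that are not present at all.
    """
    report = {}
    for name, image in loaded.items():
        expected = manifest.get(name)
        if expected is None:
            report[name] = "unknown"      # not part of the product: refuse to load
        elif hashlib.sha256(image).hexdigest() == expected:
            report[name] = "ok"
        else:
            report[name] = "tampered"     # component protection: stop and report
    for name in manifest:
        if name not in loaded:
            report[name] = "missing"      # a required module was removed
    return report


def safe_to_start(report):
    """The firewall may only start when every module verifies cleanly."""
    return bool(report) and all(status == "ok" for status in report.values())
```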
Inbound and Outbound Protection
A good personal firewall offers both inbound and outbound protection. Inbound protection means that packets sent from the Internet or the local network to the computer are filtered and only the ports that are meant to be open are accessible. This protection is standard and is very good and reliable in almost all personal firewalls. Outbound protection, on the other hand, is where all manufacturers have problems today. Outbound protection means that only applications that have the right to access the Internet or the local network are able to do so. This is not as easy as it seems. Imagine that you surf the Internet with your browser and do not want any other application to do so. The problem is that it is not sufficient to consider only the application that sends the packet to the Internet, because modern operating systems allow programs to communicate with each other. An application that is not allowed to access the Internet can run the browser and use it for its own communication. Your personal firewall therefore has to protect all privileged applications against misuse by malware and has to limit access to them. But this is not enough. The personal firewall also has to protect itself: malware must not be able to disable it or modify its rules, which again means protection of system resources and so on. There are many problems here, and we are still only talking about one aspect: outbound security.
Process monitoring
Each privileged process has to be protected against several dangerous actions. First, no application may terminate the privileged process. Second, no application may be able to change its code or data. Third, no application may be able to execute arbitrary code in the context of a privileged process; this issue also includes DLL injection.
File and component protection
File protection is closely related to process protection. If malicious code can replace the files of privileged applications, it can change the flow of their code once they run, which is equivalent to modifying a running process. There are two ways to implement file protection. The first (active protection) is to prevent write and delete access to the files of privileged applications. Since this is difficult to implement, firewall coders usually choose the second option: component protection, in which the modules are checked. In this case the firewall allows malicious code to damage or replace the files of privileged applications, but when such an application is started, its process and its modules are checked, and execution is stopped or reported to the user. File protection is also necessary for all system files.
Driver protection
The Windows operating system trusts its drivers. This means that any code executed by a driver is considered reliable: it is allowed to execute privileged processor instructions and has access to all system resources. For this reason the protection implemented by personal firewall software has to live in a system driver. But it is also the reason why it is necessary to control the loading of new drivers and to protect the existing ones. Malicious programs must not be able to install drivers or to change drivers that are already loaded.
Service protection
Since part of the firewall is usually implemented as a system service, protection of system services is also necessary. But it is not just the firewall's own components that have to be protected. Installing a new service is an easy way for malware to persist in the system, because system services can be run at every system startup. In addition, an "evil" service is dangerous because it runs even when no user is logged on. Creation, deletion and control of system services must therefore be protected actions.
Registry protection
The Windows registry contains lots of important system information. The settings of system components can be modified through the registry. An incorrect change to some registry objects can easily make the system unstable or unable to start. There are many registry keys and values that must be protected from alteration by malicious applications.
Protection of other system resources
There are many other system resources and objects in Windows operating systems. Some of them are dangerous if they are controlled by malware. One such object is the well-known section \Device\PhysicalMemory, which can be used to gain control of the system if it is not protected. The firewall should protect all objects that can be exploited by malware in this way.
Parent Process Control
We already know that privileged processes must be protected. Probably the easiest way to implement this protection is to control the opening of processes and threads. However, if process security is implemented in this way, it is also important to implement parent process control. Every process in the system is created by another process, its parent. When a new child process is created, the parent always receives two handles: a handle to the process object and a handle to its main thread. These handles are opened with full access, so the parent can control its child completely. Therefore the firewall has to restrict the execution of privileged processes. This global control of process execution should be implemented even if the firewall does not protect processes by controlling the opening of processes and threads. Some privileged processes can also be used to run other programs when they are started with certain command-line arguments. Many firewalls do not distinguish between the execution of privileged and unprivileged processes; they limit process creation in general, so that only applications that were explicitly allowed are able to create child processes.
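The parent process control described here and the learning-mode decision flow from the System Service section, modelled as one added example (not code from the original page or from any firewall product). The driver-side decision needs a rule when the child is privileged or is a launcher whose arguments decide what really runs; with no rule, learning mode asks the user through the service and GUI (modelled by the `ask_user` callback) and remembers the answer. The process names and rule format are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, Tuple

# Constructed model of the firewall's policy data; a real driver keeps this in
# kernel memory and the service relays questions to the GUI.
PRIVILEGED = {"browser.exe", "mailclient.exe"}   # allowed to reach the network
# Launchers run whatever their command line names, so the rule must include
# the arguments and not just the image name.
LAUNCHERS = {"launcher.exe"}


@dataclass
class CreateEvent:
    parent: str
    child: str
    args: str = ""


RuleKey = Tuple[str, str, str]   # (parent, child, args or "*")


@dataclass
class Policy:
    rules: Dict[RuleKey, str] = field(default_factory=dict)  # key -> "allow"/"deny"
    learning_mode: bool = True

    def rule_key(self, ev: CreateEvent) -> RuleKey:
        return (ev.parent, ev.child, ev.args if ev.child in LAUNCHERS else "*")

    def decide(self, ev: CreateEvent,
               ask_user: Callable[[CreateEvent], str]) -> str:
        """Decide whether `parent` may create `child`.

        An unprivileged, non-launcher child is free to start. A privileged child
        or a launcher needs a rule. Without one, learning mode relays the question
        to the user and stores the verdict; outside learning mode the default is deny.
        """
        if ev.child not in PRIVILEGED and ev.child not in LAUNCHERS:
            return "allow"
        key = self.rule_key(ev)
        if key in self.rules:
            return self.rules[key]
        if not self.learning_mode:
            return "deny"
        verdict = ask_user(ev)              # "allow" or "deny" from the GUI dialog
        self.rules[key] = verdict           # remember so the user is not asked twice
        return verdict
```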
Control of automatically launched applications
The firewall should protect those places in the operating system that malware uses to remain in the system even after a restart. If new unknown applications are downloaded and run, there is no way to protect the system from running malicious applications, and users often download and install or run new applications. The firewall is able to limit the actions of malicious applications so that they cannot damage the system. But if the malware stays in the system, it could damage it later, when a new vulnerability is discovered. Therefore the firewall should control the applications that run automatically, for example after every system start or user logon.
Sniffing Protection
Spyware such as keyloggers or sniffer applications is dangerous because it is made to steal users' sensitive data, such as their passwords. But passwords are not the only target of such applications. Documents with personal data, and personal and business correspondence, are also sensitive information that must be protected. The firewall has to protect sensitive data not only when it is stored in files, but also while it is being typed or transferred. Keyloggers can capture everything the user types and assemble the information letter by letter. Sniffers wait for messages to be transferred through a certain network interface and make copies of the sent messages. There are many ways to implement spyware that gathers sensitive data, and the firewall has to protect against all of them.
Protection of system resources
Every system has limited resources. Windows workstations are able to handle a few thousand objects, and this number is sufficient for any ordinary user's work. However, if a malicious program creates thousands of threads, the system becomes unusable; such an action is a Denial of Service (DoS). The firewall should limit the ability of unprivileged applications to conduct DoS. It should set limits on the number of threads, open files, memory usage and other system resources for applications without privileges.
No Ring3 hooks
Ring3 (user-mode) hooking is a technique that can be used to implement a personal firewall or parts of it. However, Ring3 hooks must never be used for security-critical functions. Any defence implemented with Ring3 hooks can easily be circumvented by malicious applications. Ring3 hooks should not be used to restrict the behaviour of unknown applications. They can be used, very rarely, to control the behaviour of privileged programs that are guaranteed not to evade the Ring3 hooks.