Scripting a firewall in windows

jank

like the title says how hard/easy it is to script a firewall in windows and what language would i use (java)

i found some stuff on the web but mostly linux based so what the deal with doing it in windows and is it hard to add a data base to the script (mysql?) so that i can read updates on what ip address, protocols, port num etc to block,

is it easy or would ye advise to stay the hell away from it

snort will be the source of all the info in the database so the at least that area is coverde ..well to an extent!

Capt'n Midnight

Do you mean something that looks like a firewall or do you mean something that blocks up all the holes in windows ?

Not too sure on the basics but to be totally effective you would need to prevent windows getting at the NIC !

jank

something that blocks harmfull incomming traffic

Dizz

Bleah - java ain't gonna work here and so too scripting. If you wanted to you java to write a firewall of types you'd be relying heavily on JNI and even then your code would be a mix of Java, C and if you wanted C++. To write a firewall I presume you either have to write a dedicated system driver using windows DDK or a NDIS type driver all of which would be written in C/C++. There could be the possibility of interfaces exposed by the inbuilt winXP firewall where you could add new rules to its config but from a quick look in MSDN I haven't seen any.

mostly linux based so what the deal with doing it in windows

Two different beasts, thankfully!

Dizz (procrastinating per usual)

GUI

To write a firewall I presume you either have to write a dedicated system driver using windows DDK or a NDIS type driver all of which would be written in C/C++."

dead on ..

c++, with windows api using the ip filter driver,

or the win2k/xp ddk

network packet filter driver is another alternative

low level coding,
so its tricky stuff

Capt'n Midnight

It has to be low level - because since so much of windows is undocumented and not designed with security in mind - let's face it the MsBlaster hole may have been there since NT3.51 or earlier..

You can buy networks cards with built in firewalls - no idea how effective it is - but at least the packets are being filtered before windows.

The problem with windows NT is as someone pointed out to me nearly a decade ago - you flood random ports with random data, sooner or later it'll fall over - if you have a buffer of 256 bytes long you can use the AND instruction ( I doubt that this even takes an extra clock cycle on a CPU with more than one ALU ?) to keep all the data in the buffer.

[to finish later with links]

GUI

midnight

that post is completely irrelevant and has nothing to do with programming.
???

what was the point of it

and it does not have to be low level..

the ip filter is an easy layer 3 programming api implemented since window 2000

Capt'n Midnight

Originally posted by GUI
the ip filter is an easy layer 3 programming api implemented since window 2000

- reminder post is still not finished yet
- By all means use the API for NORMAL network traffic.

BUT there is no point in writing a Firewall that sits on top of an API that is full of holes eg: trivial DOS attacks (remember the ping of death ?) are revealed every 3-6 months. I'll say it again - some holes in Windows have taken 7-8 years to fix.

Some cynics would say there could still be exploitable flaws - but if you can show me that there has NEVER been a patch or vunerability for any part of the API involved in Networking then I shall stand corrected. (By "any part" I have to include the API in NT3.x, NT4, W2K and XP since they reuse the code)


Remember testing by proving something works is valid ONLY in the prototyping stage - after that testing means proving something STILL works (or fails gracefully and predictiably and recoverably at the worst) no matter what the input conditions. Security is similar - you don't trust any component that is likely to be compromised - weakest link etc.

Will try to dig up links to CIPE (open source) for virtual NIC's
Still have to include link to NIC firewall.

GUI

man ..
have u ever actually done any network programming in windows ???

you sound like u havent,
your talking from a technicans vantage point.

the only way to talk to windows is through the api or winsock
or a 3rd party library that encapsulates the calls to the api.

Capt'n Midnight

Links to CIPE - virtual network card - ie. you route all IP traffic via it, and insert your own filters.
http://sites.inka.de/~bigred/devel/cipe.html
http://cipe-win32.sourceforge.net/ (Windows version)

Re: Java Firewalls - http://www.netsys.com/firewalls/firewalls-2001-04/msg00031.html
Agree that a local proxy is not a firewall - it might stop stuff going out - it would not stop "incoming".

I still think that the 2000 year old advice about not building your house on sand applies when putting a firewall on top of windows. On a PC at home with ZoneAlarm I get 10 ping replies between when the NIC driver loads and ZoneAlarm kicks in.

http://www.jaguarcompsys.ie/support/networkprod.htm
at bottom
32 Bit PCI; Full-Duplex, 10/100Mpbs Auto-Negotation, WOL, Flow Control, DMI & WfM, Etherguard Personal Firewall & WinETool personal sniffer
€19.00 - the bundled Etherguard SW only works on this particular SMC card - I can't confirm if it actually inspects packets at the API level or on the NIC itself.

Capt'n Midnight

Just got chucked out of openoffice - "An API call exited abnormally."
I've also seen ZoneAlarm crash.

Point is a Firewall should be failsafe - if it crashes then no IP traffic should flow, instead the NIC drivers are about the last thing to go on windows, I've been able to ping and route through blue screened 98 and NT boxes... (real pain when you are trying to remote manage them.)

Capt'n Midnight

Originally posted by GUI
man ..
have u ever actually done any network programming in windows ???

you sound like u havent,
your talking from a technicans vantage point.

the only way to talk to windows is through the api or winsock
or a 3rd party library that encapsulates the calls to the api.

No I havn't done any network programming in widows
- and yes agreed that you need to talk to the OS.

But I still don't think you can trust the windows OS to keep you safe from incoming DOS / Buffer Overuns / Malformed packets etc.

Still think the best Firewall would be one based on an ethernet bridge - since no packets can be targeted against the device itself.
=====================================================
Since there are many free personal use firewalls for windows, and XP has a firewall (Lite) built in and you can get external hardware firewalls, or make one your self for minimal cost. (at home I am using a 486 with two NIC's and floppy disk, web managed - no monitor HDD / CDD. It's worth € -7.50 (disposal cost.) )

So overall if you want security DIY windows firewall is not the way to go.

If you want to do it as programming exercise then the experiance is usefull for all firewalls. Also even NT4 SP6A has a built in "Firewall" (TCP/IP Properties - Advanced - you can block some ports)

If you are doing it for Win95/Win98/ME one option is to use DOS Network drivers - so you have IP functionality before windows starts and modify one of those files (not easy but you don't have to worry about undocument API calls bypassing your filters.)

GUI

But I still don't think you can trust the windows OS to keep you safe from incoming DOS / Buffer Overuns / Malformed packets etc.

man ur outta ur league here..

we as programmers have a thing called encapsulation..
we dont care about stuff that has nothing to do with that.
Those Api's the OS uses are not documented and beyound our control.

We can also build a little thing called middle ware in our applications.

we can do crc checks, block certain ports etc..

DOS / Buffer Overuns / Malformed packets etc.

ur argument is so stupid..

so ur saying ur browser right now shouldnt exist as the developers should be afraid of low-level issues that have NO AFFECT on the application.. (which uses only certain types of ports bare this in mind)

when the problems

their operating system issues.

dont come back with something completely irrelevant useless facts like u do in ur 9.99 posts a day..

as most of us are sick of them at this stage.

we are ONLY responsible for api's that the application will use and
we can build in error checking validation and handling classes..

example out of bound tcp ip packets, proper error checking will make sure..
they never hit programs at the application level

Capt'n Midnight

An article about developing Firewalls for Windows 2000/XP. http://www.codeproject.com/internet/drvfltip.asp?print=true
with source code

If you want a production firewall in addition to learning about them, then because it is a security application you also have to take into account the environment it runs under.

This is one way of doing a windows firewalls - http://www.microsoft.com/isaserver/

Originally posted by GUI Those Api's the OS uses are not documented and beyound our control...

My point exactly - a firewall that sits on windows could possibly be compromised by flaws in the OS.

we are ONLY responsible for api's that the application will use and
we can build in error checking validation and handling classes..

example out of bound tcp ip packets, proper error checking will make sure..
they never hit programs at the application level

Agree Developers should be doing good bounds checks before accepting input data. And of course they can't be expected to fix flaws in the OS itself.

so ur saying ur browser right now shouldnt exist as the developers should be afraid of low-level issues that have NO AFFECT on the application.. (which uses only certain types of ports bare this in mind..

I'm talking just about firewalls, not the applications secure or otherwise that sit behind them..

RE: DOS / Buffer Overuns / Malformed packets etc. - the point was that these could cause a windows based firewall to be knocked out by exploiting vunerabilities in the OS.

If you get a firewall up and running you could post on the security forum for info on packet flooders / probes etc. to test it.

*Dang - still can't find that link to an open source Java Firewall I found a few months back.

jank

cheers for all yer replies

dont know what im trying to say here
Snort is a packet sniffer with rules, configureation and that stuff built into it so in an effect im trying to make something that blocks on what snort says or finds

at the start the firewall will enable all traffic through ie. ip any any

then whatever snort finds to be "interesting traffic" it can be logged into a database

periodically my firewall will be checking for updates in the same database therefore the only work the firewall does is block on information already recieved.

presume ill have to develop/find a driver so that my script/program will work with a network card

cheers for the link too

am i on the right track here in theory or am i way off?

Capt'n Midnight

Links:
Java Web filtering http://muffin.doit.org/
web proxy Malware filter http://sourceforge.net/projects/ijbswa/

Are you sure you aren't building a Honeypot ? - this bit about adding traffic to the list afterwards. You could develop some bayesian (SP) filter on it. You'd have to feed it lots of Good packets - maybe infect a local machine (unpatched windows connected to BB for a while) to get it to learn Bad traffic. Then you could use bandwith shaping (throtling) when it picks up suspect packets, until you can manually classify them as good or bad. [note: for security the golden rule is "that which is not expressly permitted is denied]

look up windump - raw packets - there should be source code for it as well