Windows Filtering Platform

Windows Filtering Platform. Why is it so exciting? Read below:

WFP enables inspection and modification of stream and packet data coming in. A stream can be paused and later resumed; parts of the stream can be permitted, blocked or replaced with different data. There can be multiple stream modifiers performing stream modification. The stream can be pended if more data is needed to make a filtering decision on the stream. A typical use of this would be an application that needed to screen the stream for unwanted words.

Packet modification is also supported by different re-injection APIs. In this case, the packet is cloned, modified and re-injected either in the send, receive or forward path. Packet modification can involve header modification (e.g. port, source, destination addresses for NAT scenarios) or payload modification (both content and size can change). Packets can also be pended and then injected at a later time or discarded at a later time depending on the filtering policies. [Anupama Vasanth, WFP Automation Developer/Tester]
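The "pend until more data arrives" behaviour described above is the part of stream inspection that is easiest to get wrong: an unwanted word can straddle two chunks, so a screener has to hold back the tail of what it has seen before it can safely permit the rest. The following is an added, portable C++ model of that decision logic (it is not the WFP callout API and not code from the samples linked on this page); the `StreamAction` enum, the `StreamScreener` class and the chunk inputs are constructed for the illustration.

```cpp
#include <cstddef>
#include <iostream>
#include <string>
#include <utility>
#include <vector>

// Decision for the data seen so far. Constructed to mirror the permit / block /
// "need more data" choices described above; it is not the WFP FWPS_STREAM_* API.
enum class StreamAction { Permit, Block, NeedMoreData };

// Minimal stream screener: fed one chunk at a time, it looks for an unwanted
// word that may be split across chunk boundaries.
class StreamScreener {
public:
    explicit StreamScreener(std::string unwanted) : unwanted_(std::move(unwanted)) {}

    // Inspect the next chunk. 'released' receives the bytes that are now safe to
    // pass on; the screener keeps only a tail that could still be the start of
    // the unwanted word. Returns Block on a match, NeedMoreData when nothing can
    // be released yet (the stream is pended), otherwise Permit.
    StreamAction Inspect(const std::string& chunk, std::string& released) {
        pending_ += chunk;
        if (pending_.find(unwanted_) != std::string::npos) {
            released.clear();
            pending_.clear();
            return StreamAction::Block;
        }
        // Any match that completes later must start within the last (len-1)
        // bytes, because a full match inside pending_ was just ruled out.
        const size_t keep = unwanted_.empty() ? 0 : unwanted_.size() - 1;
        if (pending_.size() <= keep) {
            released.clear();
            return StreamAction::NeedMoreData;
        }
        released = pending_.substr(0, pending_.size() - keep);
        pending_.erase(0, pending_.size() - keep);
        return StreamAction::Permit;
    }

    // At end of stream nothing more can arrive, so the held tail is released.
    std::string Flush() {
        std::string tail = std::move(pending_);
        pending_.clear();
        return tail;
    }

private:
    std::string unwanted_;
    std::string pending_;
};

struct ScreenResult {
    StreamAction final_action;
    std::string output;   // bytes that were permitted through
};

// Runs a whole stream, given as chunks, through the screener.
ScreenResult ScreenStream(const std::vector<std::string>& chunks, const std::string& unwanted) {
    StreamScreener screener(unwanted);
    ScreenResult r{StreamAction::Permit, ""};
    for (const auto& chunk : chunks) {
        std::string released;
        if (screener.Inspect(chunk, released) == StreamAction::Block) {
            r.final_action = StreamAction::Block;
            r.output.clear();
            return r;
        }
        r.output += released;   // NeedMoreData releases nothing this round
    }
    r.output += screener.Flush();
    return r;
}

int main() {
    // Constructed sample chunks: the unwanted word is split across the two.
    ScreenResult blocked = ScreenStream({"hello bad", "word here"}, "badword");
    ScreenResult clean   = ScreenStream({"hello ", "world"}, "badword");
    std::cout << (blocked.final_action == StreamAction::Block ? "blocked" : "permitted") << "\n";
    std::cout << "clean stream output: \"" << clean.output << "\"\n";
    return 0;
}
```

The point to take away is the `keep` calculation: releasing anything in the last `len-1` bytes would let a split match through, while holding back more than that pends data needlessly.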


Yes, it provides a rich filtering interface, but at the same time it also exposes a new set of socket-level security APIs that enable Windows Sockets applications to leverage IPsec for securing their traffic.

Traditionally, IPsec has been used to protect network traffic via central administrative configuration using local or Active Directory group policy. The Secure Sockets API is an extension to the Windows Sockets API that allows socket applications to directly control security of their traffic over a network. The API extension allows applications to provide security policy and requirements for their traffic, and query the security settings applied on their traffic. For instance, applications can use this API to query a remote peer’s security token and use it to perform application-level access checks, or client applications can simply specify the Server Principal Name (SPN) of the server to prevent any man-in-the-middle attacks. Today, applications can already secure their traffic by using SSL, etc. But in comparison, the Winsock extension has been designed to make it very easy for a network application to secure its traffic, with minimal additional code, while letting Windows Sockets abstract away the complexity. [Kartik Murthy, IPsec Developer]


Windows Filtering Platform (WFP) is available on Windows Vista and Windows Server 2008. With WFP we can examine or modify outgoing and incoming packets before additional processing occurs. By accessing the TCP/IP processing path at different layers in the protocol stack, we can more easily create firewalls, antivirus software, diagnostic software, and other types of applications and services. The figure below shows the extensibility of WFP, which is useful for third-party ISVs:

[Figure: WFP architecture (WFP_Arch)]

Below is a collection of code samples that will guide you on how to use WFP with C++.

- Windows Filtering Platform Sample
- Firewall using Vista's Windows Filtering Platform APIs
- Windows Filtering Platform Stream Edit Sample
- Windows Filtering Platform MSN Messenger Monitor Sample
- Windows Filtering Platform Packet Modification Sample
- Windows Filtering Platform Traffic Inspection Sample

WFP will be safer than an LSP (Layered Service Provider). Enjoy the C++ samples :)


Hope this helps – RAM

Published 03-27-2009 7:17 PM by risman