ISA Server 2006 Firewall Core
Published: June 2006
For the latest information, please see http://www.microsoft.com/isaserver/
Table of Contents
ISA Server 2006 Firewall Core
Introduction to the ISA Server 2006 Firewall Core
NDIS and the Windows Networking Stack
Firewall Engine (Firewall Packet Engine)
Firewall Service
Application Filter API
Web Filter API
Policy Engine
Details of the ISA Server 2006 Firewall Core Components
Firewall Engine (Firewall Packet Engine)
Connection Rules, Connection Elements, and Creation Elements
Eliminating Common Intrusion Attempts
Kernel-Mode Policy
Rules Engine (Policy Engine)
Firewall Service
Lockdown Monitor
Connectivity Monitoring
Server Publishing
Firewall Client Listener
DNS Cache
Statistics Provider
Firewall Chaining
Introduction to the ISA Server 2006 Firewall Core
Microsoft® Internet Security and Acceleration (ISA) Server 2006 is an integrated firewall, remote access virtual private network (VPN), site-to-site VPN, Web proxy, and caching server solution. ISA Server 2006 can be configured to act in all of these roles or any subset of them. This enables ISA Server to provide a flexible network security solution for businesses of all sizes.
The ISA Server 2006 security model is built around the firewall core. The features of the firewall core anchor every ISA Server role as a network security device. The discussions in this white paper are limited to the ISA Server 2006 firewall core. Other ISA Server components, such as the Web Proxy Filter, specific application filters, or the ISA Server 2006 VPN extensions, are not discussed except as they relate to the ISA Server 2006 firewall core services.
The ISA Server firewall core depends on the following components and their interactions:
Network Driver Interface Specification (NDIS) and the Microsoft Windows® Networking Stack
ISA Server Firewall Engine (also known as the Firewall Packet Engine)
Microsoft Firewall service
Figure 1 provides a conceptual view of the ISA Server 2006 kernel and user-mode components and displays the relationships between the components. The Firewall Engine and Windows networking components are in kernel mode, and components of the Policy Engine are accessible in kernel mode by the Firewall Engine. The remainder of the ISA Server 2006 architecture runs in user mode.
Figure 1 ISA Server 2006 components
At the lowest layers of Figure 1, you see the NDIS and the TCP/IP protocol stack. Both these components of the Windows operating system run in kernel mode. Enhancements to the Windows networking stack enable developers to hook into the networking stack at a very low level to access packets for filtering and other services before they are fully processed by the operating system. ISA Server 2006 takes full advantage of those programming interfaces to improve packet and application-layer filtering and firewall performance.
ISA Server 2006 uses two specific hooks: the packet filter hook and the firewall hook, located at the bottom and the top of the Windows networking stack, respectively. While NDIS and the TCP/IP protocol stack are parts of the operating system, the remaining blocks in the diagram represent ISA Server 2006 components.
Firewall Engine (Firewall Packet Engine)
The Firewall Engine (also known as Firewall Packet Engine or fweng) and the Firewall service are the two components of the ISA Server 2006 firewall core. These components utilize the Windows networking stack programming hooks described earlier. At the bottom of the protocol stack, the kernel-mode Firewall Engine receives packets via the firewall TCP/IP hook. The packets are associated with a connection rule (which will be discussed later), and then packets are inspected. If the packets are authorized at this low layer, firewall policy is applied.
Handling these operations in kernel mode improves both performance and security. If the Firewall service has already authorized the packets, the Firewall Engine can create a kernel-mode data pump. This white paper examines an example of this type of processing as it relates to File Transfer Protocol (FTP) operations. After the Firewall Engine completes its operations, packets continue moving through the Windows networking stack, where normal processing such as packet reassembly and routing occurs.
Firewall Service
The Firewall service runs in user mode, at the top of the TCP/IP protocol stack, and it employs a hybrid architecture combining elements of both proxy and stateful inspection firewall behavior. The Firewall service performs additional packet inspection after clearance by the Firewall Engine. The Firewall service has the ability to manage traffic across multiple connections and perform associated processing, such as application filtering.
The Firewall service creates and manages connections. For each connection, there are two endpoints: one for the source and one for the destination. The Firewall service pumps data between the endpoints. The Firewall service also handles communications and connections made by the Firewall Client, which will be discussed later in this white paper.
Application Filter API
The Application Filter API is located above the Firewall service. This API provides extensibility for developers by enabling the inclusion of additional application filters written to operate on specific application-layer protocols. This enables ISA Server 2006 to adapt to new applications and application protocols that appear in the marketplace or that result from Windows operating system updates and enhancements.
Note the Web Proxy Filter in Figure 1. In ISA Server 2006, the Web Proxy Filter is an application filter and not an independent service as it was in ISA Server 2000. This change unifies the firewall architecture, which enables the Web proxy components to benefit from the security services of the Firewall service. The integration of the Web proxy services into the architecture of the Firewall service and Firewall Engine streamlines processing, leading to performance benefits.
Web Filter API
Located above the Web Proxy Filter is the Web Filter API. This API is at a higher level than the Application Filter API. While the Application Filter API is focused primarily on Transmission Control Protocol (TCP) and User Datagram Protocol (UDP) sessions, connections, and sockets, the Web Filter API specifically manages Hypertext Transfer Protocol (HTTP) and Secure HTTP (HTTPS) communications and provides processing notifications as well as other Web protocol targeted tasks.
Not depicted in Figure 1, but related to Web Proxy Filter, is the Web cache. The Web cache is written and read directly by the Web Filter API.
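The following model, added here as an illustration and not code from ISA Server or this white paper, shows how the two filter layers described above differ in what they see. An application filter receives the raw bytes of a TCP session; the Web Proxy Filter is itself an application filter that parses those bytes as HTTP and then notifies each registered web filter with the parsed request. The class and function names, the filter shapes, the HTTP parser and the sample requests are all constructed for this example.

```python
"""Constructed model of ISA Server's two filter layers: application filters over
TCP session bytes, web filters over parsed HTTP requests (added example, not product code)."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional


@dataclass
class Request:
    method: str
    url: str
    headers: Dict[str, str]


class HttpParseError(ValueError):
    pass


def parse_request_head(data: bytes) -> Request:
    """Parse a complete HTTP request head (request line plus headers); reject anything malformed."""
    head, sep, _ = data.partition(b"\r\n\r\n")
    if not sep:
        raise HttpParseError("incomplete request head")
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ")
    if len(parts) != 3 or not parts[2].startswith(b"HTTP/"):
        raise HttpParseError("bad request line")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, colon, value = line.partition(b":")
        if not colon:
            raise HttpParseError("bad header line")
        headers[name.strip().decode("ascii").lower()] = value.strip().decode("latin-1")
    return Request(parts[0].decode("ascii"), parts[1].decode("ascii"), headers)


# Application filter: sees raw session bytes, returns a block reason or None (constructed shape).
AppFilter = Callable[[bytes], Optional[str]]
# Web filter: notified with a parsed Request, returns a block reason or None (constructed shape).
WebFilter = Callable[[Request], Optional[str]]


class WebProxyFilter:
    """An application filter that hosts web filters: parse HTTP first, then notify each web filter."""
    def __init__(self, web_filters: List[WebFilter]):
        self.web_filters = web_filters

    def __call__(self, data: bytes) -> Optional[str]:
        try:
            req = parse_request_head(data)
        except (HttpParseError, UnicodeDecodeError) as e:
            return f"web proxy: {e}"          # malformed HTTP never reaches the web filters
        for wf in self.web_filters:
            reason = wf(req)
            if reason:
                return f"web filter: {reason}"
        return None


class FilterChain:
    """Runs the application filters in order; the first block reason wins."""
    def __init__(self, app_filters: List[AppFilter]):
        self.app_filters = app_filters

    def inspect(self, session_data: bytes) -> str:
        for f in self.app_filters:
            reason = f(session_data)
            if reason:
                return "deny: " + reason
        return "allow"


def max_stream_size(limit: int) -> AppFilter:
    """Constructed TCP-level filter: it knows only the byte count, nothing about HTTP."""
    def f(data: bytes) -> Optional[str]:
        return f"session exceeds {limit} bytes" if len(data) > limit else None
    return f


def allowed_methods(methods) -> WebFilter:
    """Constructed HTTP-level filter: it reasons about the parsed method."""
    def f(req: Request) -> Optional[str]:
        return None if req.method in methods else f"method {req.method} not allowed"
    return f


def require_host_header(req: Request) -> Optional[str]:
    return None if "host" in req.headers else "missing Host header"


def build_chain() -> FilterChain:
    web = WebProxyFilter([allowed_methods({"GET", "HEAD", "POST"}), require_host_header])
    return FilterChain([max_stream_size(4096), web])


def demo() -> List[str]:
    """Constructed session data: one clean request and four that a layer should refuse."""
    chain = build_chain()
    samples = [
        b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n",
        b"TRACE / HTTP/1.1\r\nHost: example.test\r\n\r\n",
        b"GET / HTTP/1.1\r\n\r\n",
        b"GARBAGE\r\n\r\n",
        b"GET / HTTP/1.1\r\nHost: example.test\r\n",
    ]
    return [chain.inspect(s) for s in samples]


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

The order matters: the byte-level filter runs before any HTTP parsing, and parsing failures are refused by the proxy layer itself, so web filters only ever see well-formed requests.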
Policy Engine
The Policy Engine communicates with all the components of the ISA Server firewall core, both with the kernel-mode Firewall Engine and the user-mode Firewall service. In addition, the Policy Engine communicates with both layers of application and Web filters. One benefit of this arrangement is improved performance and stability, because policy is processed in kernel mode.
An overarching goal of the ISA Server 2006 core firewall architecture is to allow the firewall components to gain access to packets very early and to inspect and apply policy to the packets in the faster and more secure kernel mode. ISA Server 2006 uses a layered architecture to enable the enhanced security and performance provided by kernel-mode processing. Policy-based decisions can be made by kernel-mode components early in packet processing, and this is done without the overhead of distributing packets to another layer for policy to be read and applied.
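The two-tier packet path described in the Firewall Engine and Firewall Service sections and summarized in the paragraph above can be modelled in a few classes. The following is an added example, not code from ISA Server or this white paper: a kernel-mode engine consults a connection table first and pumps payload for connections that are already authorized, and only a packet with no matching connection is handed to the user-mode service, which evaluates policy and installs a connection rule. The class names, the rule shape (protocol and destination port only), the addresses and the sample traffic are constructed for this example.

```python
"""Constructed model of the ISA Server 2006 two-tier packet path (added example, not product
code): kernel-mode Firewall Engine with connection table and data pump, user-mode Firewall
service with a Policy Engine consulted only on a connection-table miss."""
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class Verdict(Enum):
    ALLOW = "allow"
    DENY = "deny"


@dataclass(frozen=True)
class Packet:
    proto: str          # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes = b""


@dataclass(frozen=True)
class ConnectionKey:
    """5-tuple identifying a connection in the engine's table."""
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


def key_of(pkt: Packet) -> ConnectionKey:
    return ConnectionKey(pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)


def reverse_key(k: ConnectionKey) -> ConnectionKey:
    """Key of the reply direction of the same connection."""
    return ConnectionKey(k.proto, k.dst, k.dport, k.src, k.sport)


@dataclass(frozen=True)
class PolicyRule:
    """Constructed rule shape: match on protocol and destination port; None means any."""
    name: str
    action: Verdict
    proto: Optional[str] = None
    dport: Optional[int] = None

    def matches(self, pkt: Packet) -> bool:
        return ((self.proto is None or self.proto == pkt.proto)
                and (self.dport is None or self.dport == pkt.dport))


class PolicyEngine:
    """First matching rule wins; unmatched traffic is denied."""
    def __init__(self, rules):
        self.rules = list(rules)

    def evaluate(self, pkt: Packet) -> PolicyRule:
        for rule in self.rules:
            if rule.matches(pkt):
                return rule
        return PolicyRule("default deny", Verdict.DENY)


class FirewallService:
    """User-mode tier: evaluates policy for connections the engine has not seen."""
    def __init__(self, policy: PolicyEngine):
        self.policy = policy
        self.decisions = []   # (ConnectionKey, rule name, verdict), kept for inspection

    def authorize(self, pkt: Packet) -> Verdict:
        rule = self.policy.evaluate(pkt)
        self.decisions.append((key_of(pkt), rule.name, rule.action))
        return rule.action


class FirewallEngine:
    """Kernel-mode tier: connection table first, user-mode service only on a miss."""
    def __init__(self, service: FirewallService):
        self.service = service
        self.connections = {}   # ConnectionKey -> payload bytes pumped (authorized only)
        self.fast_path_hits = 0
        self.dropped = 0

    def receive(self, pkt: Packet) -> Verdict:
        k = key_of(pkt)
        if k not in self.connections and reverse_key(k) in self.connections:
            k = reverse_key(k)              # reply traffic of an established connection
        if k in self.connections:
            self.fast_path_hits += 1        # no transition to user mode
        else:
            if self.service.authorize(pkt) is Verdict.DENY:
                self.dropped += 1
                return Verdict.DENY
            self.connections[k] = 0         # connection rule installed for the kernel pump
        self.connections[k] += len(pkt.payload)   # kernel-mode data pump
        return Verdict.ALLOW


def demo():
    """Constructed traffic: one allowed HTTP exchange and one blocked telnet attempt."""
    policy = PolicyEngine([PolicyRule("allow web", Verdict.ALLOW, proto="tcp", dport=80)])
    engine = FirewallEngine(FirewallService(policy))
    flow = [
        Packet("tcp", "10.0.0.5", 40000, "192.0.2.10", 80, b"GET / HTTP/1.1\r\n\r\n"),
        Packet("tcp", "192.0.2.10", 80, "10.0.0.5", 40000, b"HTTP/1.1 200 OK\r\n\r\n"),
        Packet("tcp", "10.0.0.5", 40000, "192.0.2.10", 80, b"GET /a HTTP/1.1\r\n\r\n"),
        Packet("tcp", "10.0.0.5", 40001, "192.0.2.10", 23, b"\xff\xfd\x18"),
    ]
    return engine, [engine.receive(p) for p in flow]


if __name__ == "__main__":
    eng, verdicts = demo()
    print([v.value for v in verdicts], "fast-path hits:", eng.fast_path_hits)
```

Only the first packet of the HTTP connection and the telnet attempt reach the user-mode service; the reply and the second request are served from the connection table, which is the performance argument the paper makes for keeping policy decisions close to the packet path.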