
Brad Baker

CS591 Spring 2007

Term project

Modification of Pktfilter tool

Pktfilter modification - Brad Baker



The Pktfilter tool

  • Open source project listed on sourceforge (http://sourceforge.net/projects/pktfilter/)

  • Developed by Jean-Baptiste Marchand, project inactive since February 2003

  • Uses the Win32 filtering API (Windows 2000 packet filtering)

  • Runs as a service, configures filtering API on start

  • Provides command line utility


Pktfilter basics

  • Filtering is controlled through a rules file

  • Rules define a default action, then exceptions

    • For example, block everything then pass each allowed connection

    • Rule mixing isn't allowed: you can't block a connection after you have created a pass exception

  • Example of rule setup:

    • block in on eth0 all

    • block out on eth0 all

    • pass out on eth0 proto tcp from any to 128.198.1.212 port = 80

    • pass in on eth0 proto tcp from 128.198.1.212 port = 80 to 192.168.1.100

  • Rules require numeric IP addresses

  • Rules can specify ports and ranges, protocols, and use the “any” keyword.

Pktfilter Usage

  • Installation is a manual process

  • Copy the Pktfilter folder to program files or the desired directory

  • From command prompt, run “pktfltsrv.exe -i” followed by the path to three files

    • Rules file, log file, DNS log file

    • This command installs Pktfilter as a service

  • Configure service to run automatically

  • Configure the rules file as desired

    • Restrict access to the rules file


My project goals

  • In order of priority:

    • Research why the tool doesn't work on Windows Vista and Windows XP x64 version

    • Research and include rule mixing

      • For example, after creating an exception for HTTP we would like to block a specific website

    • Research and fix the logging problem

    • Research and implement performing DNS IP resolution from the rules file

    • Research and implement localhost IP resolution


Goal #1 – Windows Vista & x64

  • Windows Vista doesn't include this API

  • The “Windows Filtering Platform” replaces the packet filtering API

  • WFP is a much more robust filtering solution

  • WFP allows application based filtering, boot time filtering, and packet inspection

  • Moving Pktfilter to x64 just requires building with the correct platform

  • Conclusion: save WFP for the future; the x64 build was a success


Goals #2/#3 – Mixing & Logging

  • Mixing is not possible based on the design of the underlying API

  • The filtering engine is specifically designed to provide only the default and exception actions

  • Logging works with a fresh Windows XP installation

  • Changes to iphlpapi.dll in Service Pack 1 broke the logging function

  • Conclusion: Mixing and logging aren't possible due to larger system issues


Goals #4/#5 – IP resolution

  • Modified the program to use brackets for DNS lookup, e.g. “[www.uccs.edu]”

  • Modified the program to use the “me” keyword for localhost lookup

  • Looked at several DNS query methods

    • First used: DnsQuery_A() in <Windns.h>

    • Then used: gethostbyname() in <winsock2.h>

    • Finally: getaddrinfo() in <winsock2.h>

  • The tool produces a log file to document the translation


Example of IP resolution

Log file output:

-----------------------------------------------------

Begin rule file parsing, GMT: 2007-05-06 04:43:25

> local 'me' symbol resolved : ( 192.168.1.100 : artos )

> Remote DNS lookup resolved : ( 66.35.250.150 : slashdot.org )

> Remote DNS lookup resolved : ( 66.35.250.150 : slashdot.org )

> Remote DNS lookup resolved : ( 209.131.36.158 : www.yahoo.com )

> Remote DNS lookup resolved : ( 209.131.36.158 : www.yahoo.com )

> Remote DNS lookup FAILED : ( - : test.my.blah )

> Remote DNS lookup FAILED : ( - : test.my.blah )

> Remote DNS lookup FAILED : ( - : http://www.crh.noaa.gov/fo)

> Remote DNS lookup FAILED : ( - : http://www.crh.noaa.gov/fo)

> Remote DNS lookup resolved : ( 128.198.1.212 : www.uccs.edu )

> Remote DNS lookup resolved : ( 128.198.1.212 : www.uccs.edu )

> Remote DNS lookup resolved : ( 72.14.253.147 : www.google.com )

> Remote DNS lookup resolved : ( 72.14.253.147 : www.google.com )

END, GMT: 2007-05-06 04:43:30

Corresponding input configuration:

# input rules

rule 1: pass in on eth0 proto udp from any port = 53 to any

rule 2: pass in on eth0 proto tcp from 66.35.250.150 port = 80 to 192.168.1.100

rule 3: pass in on eth0 proto tcp from 209.131.36.158 port = 80 to 192.168.1.100

rule 4: pass in on eth0 proto tcp from 127.0.0.1 port = 80 to 192.168.1.100

rule 5: pass in on eth0 proto tcp from 127.0.0.1 port = 80 to 192.168.1.100

rule 6: pass in on eth0 proto tcp from 128.198.1.212 port = 80 to 192.168.1.100

rule 7: pass in on eth0 proto tcp from 72.14.253.104 port = 80 to 192.168.1.100

rule 8: pass in on eth0 proto udp from any port = 67 to any port = 68


Summary

  • The tool will remain effective until Windows Vista is a common platform

  • Several goals were not met; however, the IP resolution will provide a benefit

  • Protected the application from long URLs and blank URLs

    • The rules file won't compromise the filtering configuration

  • Future enhancements can involve port information, fixing the DNS timeout, etc.

  • Security concerns with relying on DNS query

    • For example, the current Windows DNS server bug
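The following is an added example, not code from the Pktfilter project or from this presentation. It shows a rules-file preprocessor of the kind the IP-resolution goals and the Summary describe: bracketed names such as “[www.uccs.edu]” are resolved through getaddrinfo, the “me” keyword becomes the local address, every lookup is written to a translation log in the format shown on the example slide, and blank, over-long or URL-shaped names are rejected before any DNS query is issued. It also enforces the default-then-exceptions model from the basics slide by refusing a block rule that follows a pass rule. Assumptions not on the slides: the 253-character name bound (taken from RFC 1035), the function names `preprocess_rules`, `resolve_address`, `system_resolver` and `demo`, and the fail-closed choice that a rule whose lookup fails is dropped instead of installed with a substitute address (on the slide, rules 4 and 5 carry 127.0.0.1 where the two failed lookups were). The sample rules file and the `fake_resolver` table are constructed so the example runs offline; the addresses in it are copied from the slides.

```python
import re
import socket
from datetime import datetime, timezone

MAX_NAME_LEN = 253   # assumption: RFC 1035 bound on a full domain name
NAME_RE = re.compile(r"^[A-Za-z0-9]([A-Za-z0-9.-]*[A-Za-z0-9])?$")
RULE_RE = re.compile(
    r"^(?P<action>pass|block)\s+(?P<dir>in|out)\s+on\s+(?P<iface>\S+)\s+"
    r"(?:(?P<all>all)|proto\s+(?P<proto>tcp|udp|icmp)\s+from\s+(?P<src>\S+)"
    r"(?:\s+port\s*=\s*(?P<sport>\d+))?\s+to\s+(?P<dst>\S+)"
    r"(?:\s+port\s*=\s*(?P<dport>\d+))?)\s*$"
)


def system_resolver(name):
    """One IPv4 address via getaddrinfo; raises socket.gaierror (an OSError) on failure."""
    return socket.getaddrinfo(name, None, socket.AF_INET)[0][4][0]


def resolve_address(token, resolver, local_ip, local_name, log):
    """Translate one address token, logging slide-style; None if a [name] is bad."""
    if token == "me":
        log.append(f"> local 'me' symbol resolved : ( {local_ip} : {local_name} )")
        return local_ip
    if token.startswith("[") and token.endswith("]"):
        name = token[1:-1]
        # Blank, over-long or URL-looking names never reach DNS at all.
        if not name or len(name) > MAX_NAME_LEN or not NAME_RE.match(name):
            log.append(f"> Remote DNS lookup FAILED : ( - : {name} )")
            return None
        try:
            ip = resolver(name)
        except OSError:
            log.append(f"> Remote DNS lookup FAILED : ( - : {name} )")
            return None
        log.append(f"> Remote DNS lookup resolved : ( {ip} : {name} )")
        return ip
    return token  # numeric address or the 'any' keyword passes through unchanged


def preprocess_rules(text, resolver=system_resolver, local_ip="127.0.0.1",
                     local_name="localhost", now=None):
    """Rewrite a rules file into purely numeric rules; returns (rules, log).
    A rule whose lookup fails is dropped (fail closed), and a block rule after
    a pass rule is rejected as rule mixing."""
    stamp = (now or datetime.now(timezone.utc)).strftime("%Y-%m-%d %H:%M:%S")
    log = [f"Begin rule file parsing, GMT: {stamp}"]
    rules, seen_pass = [], False
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: unparseable rule {line!r}")
        if m["action"] == "pass":
            seen_pass = True
        elif seen_pass:
            raise ValueError(f"line {lineno}: block after pass (rule mixing)")
        if m["all"]:
            rules.append(line)
            continue
        src = resolve_address(m["src"], resolver, local_ip, local_name, log)
        dst = resolve_address(m["dst"], resolver, local_ip, local_name, log)
        if src is None or dst is None:
            continue   # never install a pass rule built from a failed lookup
        sport = f" port = {m['sport']}" if m["sport"] else ""
        dport = f" port = {m['dport']}" if m["dport"] else ""
        rules.append(f"{m['action']} {m['dir']} on {m['iface']} proto {m['proto']} "
                     f"from {src}{sport} to {dst}{dport}")
    log.append(f"END, GMT: {stamp}")
    return rules, log


# Constructed rules file and an offline stand-in for DNS (addresses copied from
# the slides) so the example runs without network access.
SAMPLE_RULES = """\
# constructed input rules
block in on eth0 all
block out on eth0 all
pass in on eth0 proto tcp from [www.uccs.edu] port = 80 to me
pass in on eth0 proto tcp from [test.my.blah] port = 80 to me
pass in on eth0 proto tcp from [http://www.crh.noaa.gov/fo] port = 80 to me
pass in on eth0 proto udp from any port = 67 to any port = 68
"""
FAKE_DNS = {"www.uccs.edu": "128.198.1.212"}


def fake_resolver(name):
    if name not in FAKE_DNS:
        raise socket.gaierror(f"constructed lookup failure for {name}")
    return FAKE_DNS[name]


def demo():
    return preprocess_rules(SAMPLE_RULES, resolver=fake_resolver,
                            local_ip="192.168.1.100", local_name="artos",
                            now=datetime(2007, 5, 6, 4, 43, 25, tzinfo=timezone.utc))


if __name__ == "__main__":
    rules, log = demo()
    print("\n".join(log + rules))
```

Running the block prints the translation log followed by the numeric rules; with the real `system_resolver` the same function reads a live rules file. The resolver is passed in as a parameter so the behaviour on lookup failure can be exercised without touching the network, and the two rejection paths (malformed name, failed lookup) both log a FAILED line so an operator can see from the log alone which rules were not installed.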


References

  • Original Pktfilter project source

    • http://sourceforge.net/projects/pktfilter/

  • Information about filtering API

    • http://www.ndis.com/papers/winpktfilter.htm

    • http://www.library.uow.edu.au/adt-NWU/uploads/approved/adt-NWU20041108.142435/public/02Whole.pdf

  • WFP summaries

    • http://www.microsoft.com/whdc/device/network/WFP.mspx

    • http://msdn2.microsoft.com/en-us/library/aa363967.aspx

  • DNS lookup information

    • http://msdn2.microsoft.com/en-us/library/ms738524.aspx

    • http://msdn2.microsoft.com/en-us/library/ms738520.aspx

  • PfCreateInterface, references other filtering API functions

    • http://msdn2.microsoft.com/en-gb/library/aa376646.aspx
