Windows Filtering Platform Explained
Windows Filtering Platform (WFP) is a set of system services in Windows Vista and later that allows Windows software to process and filter network traffic. Microsoft intended WFP for use by firewalls, antimalware software, and parental controls apps. Additionally, WFP is used to implement NAT and to store IPSec policy configuration.
WFP relies on Windows Vista's Next Generation TCP/IP stack. It provides features such as integrated communication and per-application processing logic. Since Windows 8 and Windows Server 2012, WFP allows filtering at the second layer of TCP/IP suite.
Components
The filtering platform includes the following components:
- Shims, which expose the internal structure of a packet as properties. Different shims exist for protocols at different layers. WFP comes with a set of shims; users can register shims for other protocols using the API. The in-built set of shims includes:
- Filtering engine, which spans both kernel-mode and user-mode, providing basic filtering capabilities. It matches the data within a packetas exposed by the shimsagainst filtering rules, and either blocks or permits the packet. A callout (see below) may implement any other action as required. The filters operate on a per-application basis. To mitigate conflicts between filters, they are given weights (priorities) and grouped into sublayers, which also have weights. Filters and callouts may be associated to providers which may be given a name and description and are essentially associated to a particular application or service.
- Base filtering engine, the module that manages the filtering engine. It accepts filtering rules and enforces the security model of the application. It also maintains statistics for the WFP and logs its state.
- Callout, a callback function exposed by a filtering driver. The filtering drivers provide filtering capabilities other than the default block/allow. Administrators specify a callout function during registration of a filter rule. When the filter matches, the system invokes the callout, which handles a specified action.
Diagnostics
Starting with Windows 7, the netsh command can diagnose of the internal state of WFP.
Hotfix
Microsoft released three out-of-band hotfixes for WFP in Windows Vista and Windows 7 to address issues that could cause a memory leak, loss of connectivity during a Remote Desktop Connection session, or a blue screen of death. Later, these hotfixes were rolled up into one package.[1]
External links
Notes and References
- Web site: 12 April 2010. A Windows Filtering Platform (WFP) driver hotfix rollup package is available for Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2. Windows support. Microsoft.