Hi,

I want to write a personal firewall-like thing to prevent certain files
going out of and coming into the system, say all Word files. I want to
allow the file to move out/in after some modifications on the file.

What is the best way of doing it?

From what I learnt from you guys and the net, I found that TDI and NDIS
filters are the way.

Can anybody suggest to me which one is the best?

Can both the filters be written in user mode?

Which mode should I write in? For your info, I want my application to
interact with the firewall.

Can somebody suggest me any material providing a starting point?
Thanks

Re: NDIS vs TDI by Maxim

Maxim
Tue Jan 13 18:20:26 CST 2004

You cannot. If the information is _that_ confidential - encryption is the
only chance.
You have NTFS access rights on files also.

--
Maxim Shatskih, Windows DDK MVP
StorageCraft Corporation
maxim@storagecraft.com
http://www.storagecraft.com





Re: NDIS vs TDI by Bogdan

Bogdan
Sat Jan 17 18:40:57 CST 2004

NDIS
Pro: More secure
Con: No documented way to "hook" it, more low level, you will need to
implement a TCP/IP stack

TDI
Pro: More documented filtering modes, works on connection and streams so you
won't have to deal with individual packets
Con: Can be bypassed by sending packets directly to NDIS miniports







Re: NDIS vs TDI by Maxim

Maxim
Sat Jan 17 22:19:32 CST 2004

> NDIS
> Pro: More secure
> Con: No documented way to "hook" it, more low level, you will need to
> implement a TCP/IP stack
>
> TDI
> Pro: More documented filtering modes, works on connection and streams so you
> won't have to deal with individual packets
> Con: Can be bypassed by sending packets directly to NDIS miniports

Wrong. The reality is:

NDIS:
- more documented; there are MS's samples for NDIS IM filters. The native OS
support for filtering is here.
- easily portable to Windows CE.
- no need to implement the TCP/IP stack - just parse the headers of incoming
packets and match them to the set of rules.

TDI:
- NO documented filtering at all, and due to some interesting undocumented
nitpicks, a TDI filter which filters the receive path can be a PITA.

Personally I would never write a TDI filter. I would write a combo of NDIS IM
and the filter on top of AFD.SYS - parsing the undocumented AFD IOCTLs is by
far simpler than hooking into the TDI receive and accept pipelines - just look
at the disassembly in MSAFD.DLL, very easy. I would never trust a TDI filter.

--
Maxim Shatskih, Windows DDK MVP
StorageCraft Corporation
maxim@storagecraft.com
http://www.storagecraft.com
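The "parse the headers of incoming packets and match them to the set of rules" step Maxim describes, as an added example that is not code from this thread or from any poster: a user-mode C sketch of the per-packet decision an NDIS IM filter makes over an Ethernet/IPv4 frame. The rule table (`policy`) and the frame builder (`verdict_for`) are hypothetical and constructed for illustration; note that this level sees protocols and ports, not file contents.

```c
/* Added example, not code from the thread: the per-packet "parse headers, match
 * rules" core of an NDIS IM filter in plain C. Policy and frames are constructed. */
#include <stdint.h>
#include <stddef.h>

enum verdict { PASS = 0, DROP = 1 };
struct rule { uint8_t proto; uint16_t dst_port; enum verdict action; }; /* port 0 = any */

/* Network byte order (big-endian) read, independent of host endianness. */
static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Verdict for one frame. IPv4 that is too short or malformed to parse is dropped:
 * a filter that passes what it cannot parse is easily evaded, so fail closed.
 * Non-IPv4 frames (ARP etc.) are outside this rule set and pass. */
enum verdict filter_frame(const uint8_t *f, size_t len,
                          const struct rule *rules, size_t nrules)
{
    if (len < 14) return DROP;
    if (be16(f + 12) != 0x0800) return PASS;            /* EtherType != IPv4 */
    const uint8_t *ip = f + 14;
    if (len < 14 + 20 || (ip[0] >> 4) != 4) return DROP;
    size_t ihl = (size_t)(ip[0] & 0x0f) * 4;            /* header length incl. options */
    if (ihl < 20 || 14 + ihl > len) return DROP;
    uint8_t proto = ip[9]; uint16_t dst_port = 0;
    if (proto == 6 || proto == 17) {                    /* TCP/UDP: ports are the first 4 bytes */
        if (14 + ihl + 4 > len) return DROP;
        dst_port = be16(ip + ihl + 2);
    }
    for (size_t i = 0; i < nrules; i++)                 /* first matching rule wins */
        if (rules[i].proto == proto &&
            (rules[i].dst_port == 0 || rules[i].dst_port == dst_port))
            return rules[i].action;
    return PASS;                                        /* default policy: allow */
}

/* Hypothetical policy: block TCP to 445 (SMB) and 3389 (RDP), allow the rest. */
static const struct rule policy[] = { {6, 445, DROP}, {6, 3389, DROP} };
#define NRULES (sizeof policy / sizeof policy[0])

/* Builds a constructed 54-byte Ethernet/IPv4/transport frame with the given
 * protocol and destination port, optionally truncated to truncate_to bytes. */
enum verdict verdict_for(uint8_t proto, uint16_t dst_port, size_t truncate_to)
{
    uint8_t f[54] = {0};
    f[12] = 0x08; f[13] = 0x00;                           /* EtherType IPv4 */
    f[14] = 0x45; f[17] = 40; f[22] = 64; f[23] = proto;  /* ver 4/ihl 5, len 40, TTL, proto */
    f[26] = 10; f[29] = 1; f[30] = 10; f[33] = 2;         /* 10.0.0.1 -> 10.0.0.2 */
    f[36] = (uint8_t)(dst_port >> 8); f[37] = (uint8_t)dst_port; /* dst port */
    return filter_frame(f, truncate_to ? truncate_to : sizeof f, policy, NRULES);
}
```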



Re: NDIS vs TDI by Bogdan

Bogdan
Sun Jan 18 19:41:55 CST 2004


"Maxim S. Shatskih" <maxim@storagecraft.com> wrote in message
news:%23LmzloX3DHA.3468@TK2MSFTNGP11.phx.gbl...
> > NDIS
> > Pro: More secure
> > Con: No documented way to "hook" it, more low level, you will need to
> > implement a TCP/IP stack
> >
> > TDI
> > Pro: More documented filtering modes, works on connection and streams so you
> > won't have to deal with individual packets
> > Con: Can be bypassed by sending packets directly to NDIS miniports
>
> Wrong. The reality is:
>
> NDIS:
> - more documented, there are MS's samples for NDIS IM filters. The native OS's
> support of filtering here.
> - easily portable to Windows CE.
> - no need in implementing the TCP/IP stack - just parse the headers of incoming
> packets and match them to the set of rules.

I meant "NDIS hooking", not "NDIS IM".
Don't NDIS IMs appear as virtual adaptors? I don't find this very attractive.

> TDI:
> - NO documented filtering at all, and due to some interesting undocumented
> nitpicks TDI filter which filter the receive path can be a PITA.
>
> Personally I would never write a TDI filter. I would write a combo of NDIS IM
> and the filter on top of AFD.SYS - parsing the undocumented AFD's IOCTLs is by
> far simpler then hooking into the TDI receive and accept pipelines - just look
> at disassembly in MSAFD.DLL, very easy. I would never trust a TDI filter.

Most of today's firewalls are TDI based, I think.




Re: NDIS vs TDI by Bogdan

Bogdan
Sun Jan 18 19:43:46 CST 2004

This is an overview of the different network filtering methods:
http://www.ndis.com/papers/winpktfilter.htm




Re: NDIS vs TDI by Thomas

Thomas
Mon Jan 19 11:23:01 CST 2004


"Bogdan Bejan" <na@na.na> wrote in message
news:ejKTv2i3DHA.3196@TK2MSFTNGP11.phx.gbl...
> This is an overview of the different network filtering methods:
> http://www.ndis.com/papers/winpktfilter.htm
>

Yes, that is a page that I maintain. (And I need to add Max's approach of
filtering over AFD.SYS...)

Max is correct, however, in that NDIS is documented much better than other
filtering methods. On Windows 2000 and higher, NDIS IM drivers are the best
choice for filtering. Consider other alternatives only if per-packet
filtering cannot fit your needs.

Thomas F. Divine
www.pcausa.com





Re: NDIS vs TDI by Maxim

Maxim
Mon Jan 19 11:59:01 CST 2004

> I meant "NDIS hooking", not "NDIS IM".
> Don't NDIS IMs appear as virtual adaptors? I don't find this very attractive.

Filter IMs do not. Mux IMs do.

Firewalls are filter IMs; they do not appear in the UI at all.

I can hardly imagine why you would ever need NDIS hooking in w2k or XP.

--
Maxim Shatskih, Windows DDK MVP
StorageCraft Corporation
maxim@storagecraft.com
http://www.storagecraft.com



Re: NDIS vs TDI by Maxim

Maxim
Mon Jan 19 12:00:53 CST 2004

> Yes, that is a page that I maintain. (And I need to add Max's approach of
> filtering over AFD.SYS...)

And it is much simpler than the TDI filter, and gives the same functionality.
The only drawback is that RDR, WEBDAV and SRV are out of the picture since they do
not use AFD.

--
Maxim Shatskih, Windows DDK MVP
StorageCraft Corporation
maxim@storagecraft.com
http://www.storagecraft.com



Re: NDIS vs TDI by Bogdan

Bogdan
Mon Jan 19 21:35:09 CST 2004


"Maxim S. Shatskih" <maxim@storagecraft.com> wrote in message
news:%23%23ekJXr3DHA.1428@TK2MSFTNGP12.phx.gbl...
> > I meant "NDIS hooking", not "NDIS IM".
> > Don't NDIS IMs appear as virtual adaptors? I don't find this very attractive.
>
> Filter IMs does not. Mux IMs do.
>
> Firewalls are filter IMs, they do not apply in the UI at all.
>
> I can hardly imagine why you will ever need NDIS hooking in w2k or XP.

Stealth, security. I'm sure bypassing an IM is easier than a HOOK driver.




Re: NDIS vs TDI by Bogdan

Bogdan
Mon Jan 19 21:37:33 CST 2004


"Thomas F. Divine [DDK MVP]" <tdivine@NOpcausaSPAM.com> wrote in message
news:OCQpuDr3DHA.1672@TK2MSFTNGP12.phx.gbl...
>
> "Bogdan Bejan" <na@na.na> wrote in message
> news:ejKTv2i3DHA.3196@TK2MSFTNGP11.phx.gbl...
> > This is an overview of the different network filtering methods:
> > http://www.ndis.com/papers/winpktfilter.htm
> >
>
> Yes, that is a page that I maintain. (And I need to add Max's approach of
> filtering over AFD.SYS...)
>
> Max is correct, however, in that NDIS is documented much better than other
> filtering methods. On Windows 2000 and higher NDIS IM drivers are the best
> choice for filtering. Consider other alternatives only if per-packet
> filtering cannot fit your needs.

Doing almost any content filtering at packet level will be a pain, I guess,
since you will probably need to reimplement a TCP/IP stack (ignoring that
there are more stream-oriented protocols than just TCP/IP), right?





Re: NDIS vs TDI by Maxim

Maxim
Tue Jan 20 00:06:00 CST 2004

> Doing almost any content filtering at packet level will be a pain, I guess,
> since you will probably need to reimplement a TCP/IP stack (ignoring that
> there are more stream-oriented protocols than just TCP/IP), right?

Yes, content filtering is hard anyway, with TDI too.

--
Maxim Shatskih, Windows DDK MVP
StorageCraft Corporation
maxim@storagecraft.com
http://www.storagecraft.com