IPsec Configuration - Win32 apps (2024)


Windows Filtering Platform (WFP) is the underlying platform for Windows Firewall with Advanced Security. WFP is used to configure network filtering rules, which include rules that govern securing network traffic with IPsec. Application developers may configure IPsec directly using the WFP API, in order to take advantage of a more granular network traffic filtering model than the model exposed through the Microsoft Management Console (MMC) snap-in for Windows Firewall with Advanced Security.

What is IPsec

Internet Protocol Security (IPsec) is a set of security protocols used to transfer IP packets confidentially across the Internet. IPsec was formerly mandatory for all IPv6 implementations (but see IPv6 Node Requirements) and optional for IPv4.

Secured IP traffic has two optional IPsec headers, which identify the types of cryptographic protection applied to the IP packet and include information for decoding the protected packet.

The Encapsulating Security Payload (ESP) header is used for privacy and protection against malicious modification by performing authentication and optional encryption. It can be used for traffic that traverses Network Address Translation (NAT) routers.

The Authentication Header (AH) is used only for protection against malicious modification by performing authentication. It cannot be used for traffic that traverses NAT routers.

For more information on IPsec, see also:

IPsec Technical Reference

What is IKE

Internet Key Exchange (IKE) is a key exchange protocol that is part of the IPsec protocol set. IKE is used while setting up a secure connection and accomplishes the safe exchange of secret keys and other protection-related parameters without the intervention of the user.

For more information on IKE, see also:

Internet Key Exchange

What is AuthIP

Authenticated Internet Protocol (AuthIP) is a new key exchange protocol that expands IKE as follows.

While IKE only supports computer authentication credentials, AuthIP also supports:
  • User credentials: NTLM, Kerberos, certificates.
  • Network Access Protection (NAP) health certificates.
  • Anonymous credential, used for optional authentication.
  • Combination of credentials; for example, a combination of machine and user Kerberos credentials.

AuthIP has an authentication-retry mechanism that verifies all configured authentication methods before failing the connection.
AuthIP can be used with secure sockets to implement application-based IPsec secured traffic. It provides:

  • Per-socket authentication and encryption. See WSASetSocketSecurity for more information.
  • Client impersonation. (IPsec impersonates the security context under which the socket is created.)
  • Inbound and outbound peer name validation. See WSASetSocketPeerTargetName for more information.

What is an IPsec Policy

An IPsec policy is a set of rules that determine which type of IP traffic needs to be secured using IPsec and how to secure that traffic. Only one IPsec policy is active on a computer at one time.

To learn more about implementing IPsec policies, open the Local Security Policy MMC snap-in (secpol.msc), press F1 to display the Help, and then select Creating and Using IPsec Policies from the table of contents.

For more information on IPsec policies, see also:

Overview of IPsec Policy Concepts
Description of an IPsec Policy

How to Use WFP to Configure IPsec Policies

The Microsoft implementation of IPsec uses Windows Filtering Platform to set up IPsec policies. IPsec policies are implemented by adding filters at various WFP layers as follows.

  • At the FWPM_LAYER_IKEEXT_V{4|6} layers add filters that specify the negotiation policies used by the keying modules (IKE/AuthIP) during Main Mode (MM) exchanges. Authentication methods and cryptographic algorithms are specified at these layers.

  • At the FWPM_LAYER_IPSEC_V{4|6} layers add filters that specify the negotiation policies used by the keying modules during Quick Mode (QM) and Extended Mode (EM) exchanges. IPsec headers (AH/ESP) and cryptographic algorithms are specified at these layers.

    A negotiation policy is specified as a policy provider context associated with the filter. The keying module enumerates the policy provider contexts based on the traffic characteristics and obtains the policy to use for the security negotiation.

    Note

    The WFP API can be used to specify the Security Associations (SAs) directly and therefore to ignore the keying module negotiation policy.

  • At the FWPM_LAYER_INBOUND_TRANSPORT_V{4|6} and FWPM_LAYER_OUTBOUND_TRANSPORT_V{4|6} layers add filters that invoke callouts and determine which traffic flow should be secured.

  • At the FWPM_LAYER_ALE_AUTH_RECV_ACCEPT_V{4|6} layers add filters that implement identity filtering and per-application policy.

The following diagram illustrates the interaction of the various WFP components, with respect to IPsec operation.

[Diagram: IPsec Configuration - interaction of WFP components]

Once IPsec is configured, it integrates with WFP and extends the WFP filtering capabilities by providing information to be used as filtering conditions at the Application Layer Enforcement (ALE) authorization layers. For example, IPsec provides the remote user and remote machine identity, which WFP exposes at the ALE connect and accept authorization layers. This information can be used for fine-grained remote identity authorization by a WFP-based firewall implementation.

Below is a sample isolation policy that may be implemented using IPsec:

  • FWPM_LAYER_IKEEXT_V{4|6} layers - Kerberos authentication.
  • FWPM_LAYER_IPSEC_V{4|6} layers - AH/SHA-1.
  • FWPM_LAYER_INBOUND_TRANSPORT_V{4|6} and FWPM_LAYER_OUTBOUND_TRANSPORT_V{4|6} layers - negotiation discovery for all network traffic.
  • FWPM_LAYER_ALE_AUTH_RECV_ACCEPT_V{4|6} layers - IPsec required for all network traffic.
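The same four-layer isolation policy can be expressed with the NetSecurity PowerShell cmdlets, which drive the same WFP layers through Windows Firewall with Advanced Security. This is an added example, not code from the page or from Microsoft; the display names are assumed, and it must be run from an elevated PowerShell session on a domain-joined machine.

```powershell
# Added example (not from the original page): the sample isolation policy
# above, built with the NetSecurity module instead of the raw WFP API.
# Display names are assumptions. Run from an elevated PowerShell session.

# FWPM_LAYER_IKEEXT layer: main-mode authentication = machine Kerberos.
$mmAuth  = New-NetIPsecAuthProposal -Machine -Kerberos
$authSet = New-NetIPsecPhase1AuthSet -DisplayName "Isolation MM auth (Kerberos)" `
                                     -Proposal $mmAuth

# FWPM_LAYER_IPSEC layer: quick-mode proposal = AH with SHA-1, as in the
# page's sample. AH cannot cross NAT (see above); SHA256 is the stronger
# -AHHash value if the peers support it.
$qmProposal = New-NetIPsecQuickModeCryptoProposal -Encapsulation AH -AHHash SHA1
$qmSet      = New-NetIPsecQuickModeCryptoSet -DisplayName "Isolation QM (AH/SHA-1)" `
                                             -Proposal $qmProposal

# TRANSPORT layers: -OutboundSecurity Request is negotiation discovery (clear
# traffic keeps flowing while the peer is probed for IPsec).
# ALE_AUTH_RECV_ACCEPT layers: -InboundSecurity Require rejects unprotected
# inbound connections once the rule is active.
$rule = New-NetIPsecRule -DisplayName "Isolation: require IPsec inbound" `
    -Mode Transport `
    -InboundSecurity Require -OutboundSecurity Request `
    -Phase1AuthSet $authSet.Name -QuickModeCryptoSet $qmSet.Name

# Check: confirm the rule and watch SAs appear once a peer connects.
Get-NetIPsecRule -DisplayName $rule.DisplayName |
    Format-List DisplayName, Enabled, InboundSecurity, OutboundSecurity
Get-NetIPsecMainModeSA  | Format-List
Get-NetIPsecQuickModeSA | Format-List
```

Test on a single host first: with Require inbound, any peer that cannot complete the Kerberos negotiation (non-domain machines, NAT-ed peers that cannot use AH) is cut off, so the rule should be scoped with -RemoteAddress or rolled out in Request mode before switching to Require.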

WFP Layers

Filtering Layer Identifiers

ALE Layers

IPsec Policy Scenarios Implemented using WFP API:

Transport Mode

Negotiation Discovery Transport Mode

Negotiation Discovery Transport Mode in Boundary Mode

Tunnel Mode

Guaranteed Encryption

Remote Identity Authorization

Manual IPsec SAs

IKE/AuthIP Exemptions

IPsec Solutions:

Server and Domain Isolation

As an expert in network security and Windows Filtering Platform (WFP), I have hands-on experience and an in-depth understanding of the concepts mentioned in the article regarding Windows Firewall with Advanced Security and its underlying technology, the Windows Filtering Platform (WFP). My expertise extends to IPsec (Internet Protocol Security), IKE (Internet Key Exchange), AuthIP (Authenticated Internet Protocol), and the configuration of IPsec policies using WFP.

IPsec is a vital set of security protocols used for secure data transfer across the Internet. It employs the Encapsulating Security Payload (ESP) header for encryption and the Authentication Header (AH) for authentication. Understanding the differences between these headers and their applicability in various network scenarios, including NAT traversal, is essential for implementing secure communication.

IKE, a part of the IPsec protocol suite, facilitates secure key exchange, ensuring secure connections without user intervention. It's crucial for setting up secure connections and exchanging keys and related parameters securely.

AuthIP, an extension of IKE, broadens authentication capabilities beyond computer credentials to include user credentials, NAP health certificates, anonymous credentials, and combinations of credentials. It offers enhanced authentication mechanisms and is compatible with secure sockets, allowing per-socket authentication, encryption, and inbound/outbound peer name validation.

IPsec policies, which determine the types of IP traffic to be secured and how to secure it, are created and managed using the Local Security Policy MMC snap-in or programmatically through the WFP API. These policies consist of rules dictating the security measures to be applied to various network traffic types.

The integration of IPsec with WFP enhances filtering capabilities by providing additional information at the Application Layer Enforcement (ALE) authorization layers. This integration enables fine-grained remote identity authorization and allows for the implementation of isolation policies to secure network traffic at different layers using WFP API filters.

The WFP API is utilized to configure IPsec policies by adding filters at different WFP layers, such as FWPM_LAYER_IKEEXT, FWPM_LAYER_IPSEC, FWPM_LAYER_INBOUND_TRANSPORT, FWPM_LAYER_OUTBOUND_TRANSPORT, and FWPM_LAYER_ALE_AUTH_RECV_ACCEPT. These filters define negotiation policies, traffic flow, identity filtering, and per-application policies, crucial for enforcing security measures at various network levels.

In summary, the integration of IPsec with WFP via the mentioned layers and APIs allows for comprehensive security measures, including encryption, authentication, isolation policies, and fine-grained authorization, thereby ensuring robust protection for network traffic in various scenarios, such as server and domain isolation.

Article information

Author: Greg O'Connell
