replace ms tcpip stack?

Any firewall worth its salt won't be running the native NT stack
unmodified. How, for example, would you plumb something like stateful
inspection onto an NT box without kernel changes? There are several methods
of modifying the stack to harden it against attack or change the way it
operates. The first would be to shim the stack, i.e., putting a driver between
the Ethernet card drivers and the stack itself. NT has built-in support for
this. Just read the DDK documentation. NT 4.0 has even better support than
3.51 since Msoft has added calls that let you dynamically hook into the
NDIS stuff. In fact, that's how RAS is implemented (NDISWAN).

Another option of course is to replace the TCP stack altogether. Centri
from Global Internet does that. Check out their web page. They completely
bypass the Microsoft stack by building their own proprietary stack which
intercepts all packets coming to the firewall. They optionally will pass
packets to the Msoft stack depending on how your rules are configured.

Packet filter firewalls don't even need a TCP stack, just hooks into the
NDIS routines that handle the reception and distribution of packets.
You could probably do this with another SHIM.
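To make concrete what a shim sitting below the stack actually decides, here is an added example (not from the original post, and not a real NDIS intermediate driver) that simulates in user space the receive hook of a stateful packet filter: it parses a simplified TCP 4-tuple, records connections the protected host opens, and only lets inbound packets that belong to one of those connections through to the stack. The packet struct, the fixed-size connection table and the PASS/DROP verdicts are all assumptions made for the illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* Fields a shim would pull out of the IP/TCP headers before deciding
 * whether to hand the frame up to the Microsoft stack (constructed layout). */
typedef struct { uint32_t src, dst; uint16_t sport, dport; uint8_t flags; } pkt_t;
enum { TCP_FIN = 0x01, TCP_SYN = 0x02, TCP_RST = 0x04, TCP_ACK = 0x10 };
enum { DIR_OUT = 0, DIR_IN = 1 };
enum { VERDICT_DROP = 0, VERDICT_PASS = 1 };

/* Connection table keyed on the protected host's side of the 4-tuple.
 * Hypothetical fixed-size table; a real driver would hash and age entries. */
#define MAX_STATE 64
typedef struct { uint32_t local, remote; uint16_t lport, rport; bool used; } conn_t;
static conn_t table[MAX_STATE];

static int find_entry(uint32_t l, uint32_t r, uint16_t lp, uint16_t rp) {
    for (int i = 0; i < MAX_STATE; i++)
        if (table[i].used && table[i].local == l && table[i].remote == r &&
            table[i].lport == lp && table[i].rport == rp)
            return i;
    return -1;
}

void shim_reset(void) { memset(table, 0, sizeof table); }

/* Receive hook: called once per TCP packet with its direction relative to
 * the protected host. Returns VERDICT_PASS to forward, VERDICT_DROP to discard. */
int shim_receive(const pkt_t *p, int dir) {
    if (dir == DIR_OUT) {
        /* An outbound SYN (not SYN/ACK) opens a new entry for the connection. */
        if ((p->flags & (TCP_SYN | TCP_ACK)) == TCP_SYN &&
            find_entry(p->src, p->dst, p->sport, p->dport) < 0)
            for (int i = 0; i < MAX_STATE; i++)
                if (!table[i].used) {
                    table[i] = (conn_t){p->src, p->dst, p->sport, p->dport, true};
                    break;
                }
        return VERDICT_PASS;
    }
    /* Inbound: only packets belonging to a connection the host opened pass,
     * so an unsolicited inbound SYN never reaches the stack at all. */
    int i = find_entry(p->dst, p->src, p->dport, p->sport);
    if (i < 0) return VERDICT_DROP;
    if (p->flags & TCP_RST) table[i].used = false; /* RST tears the entry down */
    return VERDICT_PASS;
}
```

FIN-based teardown and sequence-number checking are left out to keep the hook short; both belong in a production filter.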

All of this is documented by Microsoft. The source code for sample drivers
is available as part of the DDK. While there are no sample SHIM drivers, a
buddy and I created one for NT 3.51 in about a month. It was really a matter
of combining an existing Ethernet driver with an existing protocol driver
and making them talk to each other.

NT even has source-level debugging at the kernel layer. Name some UNIX
boxes that support that (not to suggest that one is better than the other,
just that NT kernel work is easier. Streams are pretty damn elegant).
