Sophos Client Firewall and 3G NDIS

Hi,

What is the meaning of the following statement (from the release notes):

- Sophos Client Firewall does not support the “mobile broadband” driver

Does it mean Sophos Client Firewall does not support the NDIS driver?

What exactly happens when a computer is using that kind of driver? Will the firewall allow all the traffic? Can the client fallback to the Windows Firewall? Exactly how can we overcome this limitation?

Thanks.

  • Hello ricdgr,

    > What is the meaning of [...] Sophos Client Firewall does not support the “mobile broadband” driver

    Your quote is not quite correct; the exact text is (emphasis mine): Sophos Client Firewall does not support the “mobile broadband” driver model in Windows version 7

    Well, IIRC this is somewhat arcane. There are some twists with regard to 3G modems, how the devices present themselves to the system and the consequences. I don't know the details of the defect. If I am correct (but it is just a deduction from a problem with a 3G modem and Device Control), then the issue is "just" that the device appears as a LAN connection, and thus it "only" applies if you use Local network (detected automatically) as the address specification in the LAN settings or in a (global or application) rule.

    Sophos correct me if I'm wrong ...

    Christian

  • Hi,

    The Windows 7 Driver Model is, as far as I see, now the most commonly available driver.

    I don't know about others, but in my company we never install those "utilities" that ship with 3G network cards (normally they are consumer-based apps, requiring RW permissions for All Users under Program Files, and other stupid things like that). We rely on Windows 7 and the new driver model (NDIS) functionality to support things like "disable when roaming", SCCM 2012 "don't download updates when using broadband", AnyConnect "disable 3G when WIFI is available", etc.

    I find it a huge shortcoming that a driver model released >3y ago is still not supported.

    But the most important thing is really the meaning of "does not support". Will it stop the firewall altogether ("allow all IN/OUT from broadband"), or are only some features not supported?

    Hope someone from SOPHOS can clear this up for me.

    Thanks.

  • I will answer my own question:

    - When a user has a 3G card with the Windows 7 Driver Model (which was published before 2009), the rules set for the firewall will not apply. So, all inbound and outbound traffic will be allowed.

    SOPHOS does not install any NDIS filter driver under the 3G network interface, so it is clear that the firewall is doing nothing, leaving the clients unprotected.

    I wonder if this will ever be fixed... This is unacceptable behaviour.

    And there is nothing "arcane" about NDIS and the Windows 7 3G Driver Model. This driver model was created exactly to standardize the way Windows would deal with 3G cards, and to end all those different ways manufacturers were using to present a 3G modem to a PC. This is why, when you use an NDIS driver, you do not need any special software, and you can see the 3G networks under the Network icon in the bottom right corner.

  • We are aware of this and are investigating; it would be useful if anyone reading this thread could specify the make and model of the 3G card/mobile broadband device they are using.

    Thanks.

  • The defect is quite accurate. Any card with NDIS drivers will not be supported.
    Like all cards that ship with Dell Latitude laptops (5530, 5540, 5550, 5560).
    But we also have some from Huawei and Option.
    Actually, all our cards have NDIS drivers, and all of them will have their IN/OUT traffic allowed by the SOPHOS firewall, even if the firewall is set to DENY it.
  • Is there any movement on this issue? I find it deeply concerning that this driver model is not supported.
  • We are working on addressing this issue; it is, however, more difficult than anticipated.
  • Hi Darren,

    I do not know the details of your implementation, but it looks like the problem is that the Firewall driver was not changed to support the "new" NDIS 6.20 driver model.

    Microsoft provides clear guidelines on what to change to make it work (of course I don't know the extent of the changes required in your code).

    According to Microsoft [1]:
    "Network applications that were written for NDIS 6.0 or earlier and perform packet capture, filtering, or injection at the media access control (MAC) layer—such as firewalls, antivirus filters, and virtual private network (VPN) clients—might require updates to work with mobile broadband devices."

    [1] Mobile Broadband Changes for Windows 7, http://msdn.microsoft.com/en-s/library/windows/hardware/gg454521.aspx

    The document seems to describe the changes that must be made to the SOPHOS Firewall Filter Driver:

    > Changes in the mobile broadband driver stack can affect applications that use the WFP, NDIS LWF, and NDIS 6.x IM MUX drivers in the following ways:
    >
    > - Binding to the mobile broadband device.
    >   NDIS LWF or NDIS 6.x IM MUX drivers require changes to their INF files so that they can bind to mobile broadband devices.
    >   The LowerRange and MediaType that are specified in the network miniport driver's INF file are important changes for an NDIS LWF driver. To bind to a Windows 7 mobile broadband driver, the filter driver must add "ppip" in the FilterMediaTypes section of the filter driver's INF file. The filter driver should also accept miniport drivers that specify NdisMediumWirelessWan in the FilterAttach function.
    >   For NDIS 6.x IM MUX drivers, the protocol edge of the driver must specify "flpp4" or "flpp6" in the LowerRange in the driver's INF file to bind to the mobile broadband driver.
    >   WFP-based solutions do not require these changes because they do not bind to a specific network medium.

    This seems to be the reason for the SOPHOS NDIS Filter Driver not binding to the Broadband Network Interface and not showing up on the network interface properties page.

    > - Parsing network packets.
    >   Applications that are based on NDIS 6.x IM MUX, NDIS LWF, or WFP might require changes to parsing functions.
    >   If the application parses network frames that are passed between NDIS and the miniport driver, the parsing function must expect raw IP frames instead of Ethernet frames for mobile broadband adapters.

    Because the frames are raw Layer 3 IP (vs L2 MAC + L3 IP), the SOPHOS Firewall NDIS Filter Driver will probably need to be changed to start processing the IP header information at a different offset.

    Regards

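The offset point in the post above, as an added example that is not from the thread or from Sophos: a small C routine (with constructed names, not the NDIS SDK's types) that locates the IP header according to the medium the miniport reported, treating 802.3 frames as MAC header + IP and mobile-broadband frames as raw IP, with constructed sample frames showing that an Ethernet-only parser fails on the raw IP packet.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
/* Medium kinds standing in for the NDIS values the quoted document names
 * (802.3 vs NdisMediumWirelessWan); names constructed for this example. */
typedef enum { MEDIUM_802_3, MEDIUM_WIRELESS_WAN } medium_t;
typedef struct {
    int    ip_version;  /* 4 or 6 */
    int    protocol;    /* IPv4 Protocol / IPv6 Next Header */
    size_t l3_offset;   /* where the IP header starts in the frame */
} parsed_t;

#define ETH_HDR_LEN    14
#define ETHERTYPE_IPV4 0x0800
#define ETHERTYPE_IPV6 0x86DD

/* Read the IP version and transport protocol from a raw IP header. */
static int parse_ip(const uint8_t *p, size_t len, parsed_t *out)
{
    if (len >= 20 && (p[0] >> 4) == 4) { out->ip_version = 4; out->protocol = p[9]; return 1; }
    if (len >= 40 && (p[0] >> 4) == 6) { out->ip_version = 6; out->protocol = p[6]; return 1; }
    return 0;
}

/* Locate the IP header according to the medium reported at attach time:
 * 802.3 frames carry a 14-byte MAC header, mobile broadband frames are raw IP
 * (offset 0). A filter that hard-codes the Ethernet offset misreads the latter.
 * Returns 1 on success, 0 if no IP header is found. */
int locate_ip_header(medium_t medium, const uint8_t *frame, size_t len, parsed_t *out)
{
    memset(out, 0, sizeof *out);
    if (medium == MEDIUM_802_3) {
        if (len < ETH_HDR_LEN) return 0;
        unsigned et = (unsigned)frame[12] << 8 | frame[13];
        if (et != ETHERTYPE_IPV4 && et != ETHERTYPE_IPV6) return 0;
        out->l3_offset = ETH_HDR_LEN;
    }
    return parse_ip(frame + out->l3_offset, len - out->l3_offset, out);
}

/* Constructed samples: a 20-byte IPv4/TCP header, raw and inside an 802.3 frame. */
const uint8_t SAMPLE_IPV4[20] = { 0x45,0,0,0x14, 0,0,0x40,0, 0x40,6,0,0, 10,0,0,1, 10,0,0,2 };
const uint8_t SAMPLE_ETH[34]  = { 0,1,2,3,4,5, 6,7,8,9,10,11, 0x08,0x00,
                                  0x45,0,0,0x14, 0,0,0x40,0, 0x40,6,0,0, 10,0,0,1, 10,0,0,2 };

/* Transport protocol number found in the frame, or -1 if the header is not located. */
int frame_protocol(medium_t medium, const uint8_t *frame, size_t len)
{
    parsed_t p;
    return locate_ip_header(medium, frame, len, &p) ? p.protocol : -1;
}
```

Feeding the raw IP packet through the 802.3 path reads bytes 12-13 of the IP header as an EtherType, so the filter finds no IP header at all, which is the failure mode the quoted document warns about.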
  • Thank you for the reply. The engineering team have looked at your post and can confirm that what you have said is correct; however, this is not a simple change and will take some time to implement and test fully. We are working on this and will release as soon as we are able to.