A major component of Host IPS is the host-firewall. Like all modern host-based firewalls, Host IPS 7.x and Host IPS 8.x uses an NDIS intermediate driver to perform network filtering operations at packet level.
Some customers have commented on the fact that when Host IPS is installed, the insertion of the firewall’s NDIS driver causes Microsoft Windows to tear down and rebuild the IP stacks on connected interfaces. This behavior causes some applications to generate error messages or lose connection during the temporary loss of connectivity.
Previous versions of Host IPS used firewall-hook drivers, which did not cause this temporary disruption. However, Microsoft actively discourages use of the older technique in its developer guidance, as described in the following excerpt from http://msdn.microsoft.com/en-us/library/aa504964.aspx:
“It is not recommended to implement a firewall-hook driver (or firewall driver) for Microsoft Windows XP and later versions of the operating system.
… To provide firewall functionality on Windows XP and later, you should create an NDIS intermediate miniport driver to manage packets sent and received across a firewall.”
With NDIS 5.0, supported on XP and prior Windows versions, whenever an NDIS intermediate driver is installed and/or uninstalled, the bindings in the driver stack are torn down and subsequently re-built, which leads to loss of network connectivity across all the network interface cards.
NDIS 6.0, supported on Windows Vista and 2008, provides several enhancements over 5.0 including the following:
“NDIS 6.0 filter drivers can be dynamically inserted into or removed from a driver stack during run time without tearing down bindings.”
NOTE: The quoted text was obtained from: http://msdn.microsoft.com/en-us/library/ms795218.aspx.
NDIS support for Host IPS 7. x and 8.x:
- Host IPS 7.x uses NDIS 5.0 on all supported Windows operating platforms.
- Host IPS 8.x uses NDIS 5.0 on Windows XP and Windows Server 2003 (and older) platforms.
- Host IPS 8.x uses NDIS 6.0 on Windows Vista and Windows Server 2008 platforms.
- Host IPS 8.x uses Windows Filter Platform (WFP) on Windows 7 and Windows Server 2008 R2 (and later) platforms.
