
Design of an Ideal Personal Firewall

Common concept

This section describes the architecture that is common to most personal firewalls for Windows. A firewall does not have to be built this way to be secure, but in practice almost all of them are. A typical personal firewall is implemented as three or four separate components, which are described in turn below.

Kernel driver

The first component is the kernel driver. It has two key functions, which is why it is often implemented as two components rather than one. The first function is packet filtering: the driver inspects every packet that arrives from the network or is sent to it, at the NDIS layer, the TDI layer, or both. This is what is usually meant by protection against inbound and outbound connections. Some personal firewalls do not implement inbound or outbound protection at all, yet they still have a kernel driver because of the second function. The second function is the sandbox. The most common techniques for implementing it are SSDT hooks and SSDT GDI hooks (hooks of the shadow service table that serves win32k's GDI and USER calls). The firewall driver replaces selected system service functions with its own code, which checks the rights of the calling application and either rejects the operation or passes execution on to the original function. These hooks let the firewall watch every potentially dangerous operation an application attempts, such as opening files, processes or registry keys, changing the firewall's own settings, or simulating the user's answer to the firewall's own dialogs.
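The packet-filtering function above, as an added example (not code from the article or from any product): a user-mode model of the filter callback a driver would register at the NDIS or TDI layer. The packets, the rule table and the connection-tracking table are all constructed in memory (the addresses are documentation and TEST-NET ranges, not captured traffic) so the filtering logic can be run and tested offline. It goes slightly beyond the paragraph by showing why a filter that enforces "no unsolicited inbound connections" needs a small amount of state: inbound packets that answer an allowed outbound connection must still be let through.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef enum { DIR_IN, DIR_OUT } dir_t;
typedef enum { DENY = 0, ALLOW = 1 } verdict_t;

/* What the driver sees per packet. The owning process is not on the wire; a real
 * driver gets it from the TDI/connection context. */
typedef struct {
    dir_t    dir;
    uint8_t  proto;        /* 6 = TCP, 17 = UDP */
    uint32_t remote_ip;    /* host byte order */
    uint16_t remote_port;
    uint16_t local_port;
    char     app[32];      /* owning process image name */
} packet_t;

/* A rule: 0 / "" fields are wildcards, first match wins. */
typedef struct {
    dir_t     dir;
    uint8_t   proto;
    uint32_t  remote_ip;
    uint16_t  remote_port;
    uint16_t  local_port;
    char      app[32];
    verdict_t verdict;
} rule_t;

/* Connections this host opened and the filter allowed; their replies are not
 * "inbound connections" and must not be blocked. */
typedef struct { uint8_t proto; uint32_t remote_ip; uint16_t remote_port; uint16_t local_port; } conn_t;

#define MAX_RULES 32
#define MAX_CONNS 64
#define IPV4(a, b, c, d) ((uint32_t)(a) << 24 | (uint32_t)(b) << 16 | (uint32_t)(c) << 8 | (uint32_t)(d))

static rule_t rules[MAX_RULES]; static int nrules;
static conn_t conns[MAX_CONNS]; static int nconns;

void reset_filter(void) { nrules = 0; nconns = 0; }
bool add_rule(const rule_t *r) { if (nrules >= MAX_RULES) return false; rules[nrules++] = *r; return true; }

static bool rule_matches(const rule_t *r, const packet_t *p) {
    return r->dir == p->dir
        && (r->proto == 0       || r->proto == p->proto)
        && (r->remote_ip == 0   || r->remote_ip == p->remote_ip)
        && (r->remote_port == 0 || r->remote_port == p->remote_port)
        && (r->local_port == 0  || r->local_port == p->local_port)
        && (r->app[0] == '\0'   || strcmp(r->app, p->app) == 0);
}

static bool is_tracked(const packet_t *p) {
    for (int i = 0; i < nconns; i++)
        if (conns[i].proto == p->proto && conns[i].remote_ip == p->remote_ip &&
            conns[i].remote_port == p->remote_port && conns[i].local_port == p->local_port)
            return true;
    return false;
}

static void track(const packet_t *p) {
    if (is_tracked(p) || nconns >= MAX_CONNS) return;
    conn_t c = { p->proto, p->remote_ip, p->remote_port, p->local_port };
    conns[nconns++] = c;
}

/* The filter callback: return traffic first, then the rule table, then default deny. */
verdict_t filter_packet(const packet_t *p) {
    if (p->dir == DIR_IN && is_tracked(p)) return ALLOW;
    for (int i = 0; i < nrules; i++) {
        if (!rule_matches(&rules[i], p)) continue;
        if (rules[i].verdict == ALLOW && p->dir == DIR_OUT) track(p);
        return rules[i].verdict;
    }
    return DENY;   /* no matching rule: deny in both directions */
}

/* Constructed sample rules and traffic for a stand-alone run. */
void load_sample_rules(void) {
    static const rule_t r[] = {
        { DIR_OUT, 6, 0, 443, 0, "browser.exe", ALLOW },   /* browser may open HTTPS connections */
        { DIR_IN,  6, 0, 0, 3389, "", DENY },               /* nobody may accept inbound RDP */
    };
    reset_filter();
    for (size_t i = 0; i < sizeof r / sizeof r[0]; i++) add_rule(&r[i]);
}
const packet_t sample_packets[] = {
    { DIR_OUT, 6, IPV4(93, 184, 216, 34), 443,   51000, "browser.exe" },  /* 0: browser -> HTTPS server */
    { DIR_IN,  6, IPV4(93, 184, 216, 34), 443,   51000, "browser.exe" },  /* 1: the server's reply to 0 */
    { DIR_IN,  6, IPV4(203, 0, 113, 9),   40000, 51000, "browser.exe" },  /* 2: unsolicited inbound packet */
    { DIR_IN,  6, IPV4(203, 0, 113, 9),   40000, 3389,  "svchost.exe" },  /* 3: inbound RDP attempt */
    { DIR_OUT, 6, IPV4(203, 0, 113, 9),   443,   52000, "dropper.exe" },  /* 4: unknown app calling out */
};

int main(void) {
    static const char *const name[] = { "DENY", "ALLOW" };
    load_sample_rules();
    for (size_t i = 0; i < sizeof sample_packets / sizeof sample_packets[0]; i++)
        printf("packet %zu: %s\n", i, name[filter_packet(&sample_packets[i])]);
    return 0;
}
```

Note the ordering: the reply (packet 1) is only allowed because packet 0 was seen and allowed first; on a fresh rule set the same reply is unsolicited and is dropped.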

System service

Windows has a special class of user-mode processes called system services. They have specific roles and behaviour: they run under a privileged system account rather than an ordinary user account, which lets them run independently of any user, and they keep running even when nobody is logged in. In a personal firewall the service's job is to carry messages between the other components. It receives messages from both the GUI and the kernel driver and forwards them to each other. For example, when the firewall is in learning mode, the driver's code in the hooked SSDT function may be unable to decide whether to allow or reject an action because the rule database contains no matching rule. In that case it needs the user to decide, which means sending a message to the GUI to display a dialog and receiving the answer back. This communication is normally routed through the service. The service is also often used to make sure the GUI is always available to the user.

Graphical user interface

The part of the firewall the user actually sees is the graphical user interface (GUI). It usually also provides a tray icon from which the firewall is administered. Another essential function of the GUI is to ask the user, when the firewall is in learning mode, which actions to allow and which to deny.

Self-protection

Self-protection is rule number one for every security product, not just personal firewalls. However good its other functions are, a firewall that cannot protect itself is useless: if a malicious process can terminate, deactivate or otherwise disable the personal firewall, the result is the same as having no firewall at all. Every part of the firewall, including its processes, files, registry entries, drivers, services and any other system resources and artifacts it depends on, must be protected.
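The sandbox hook described under the kernel driver, the learning-mode round trip through the service described under the system service, and the self-protection rule above, combined in one added example (not code from the article or from any firewall product). A real SSDT hook patches a kernel table and needs the Windows DDK; this user-mode model keeps the same shape so it runs anywhere: a mock service table whose entries are swapped for hook functions, a rule database the hooks consult, a callback standing in for the driver-to-service-to-GUI prompt, and a list of hypothetical firewall artifacts ("fwgui.exe", "fwservice.exe", the "ExampleFW" key and driver path) that no foreign process may touch, rule database or not. Note the one design choice the self-protection paragraph forces: access to the firewall's own artifacts is refused without asking, because a dialog is itself something malware could try to answer.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define STATUS_SUCCESS        0
#define STATUS_ACCESS_DENIED (-1)
#define ARRAY_LEN(a) (sizeof(a) / sizeof((a)[0]))

/* The system services we model; indices into the mock service table. */
enum { SVC_OPEN_KEY, SVC_OPEN_FILE, SVC_TERMINATE_PROCESS, SVC_COUNT };
static const char *const svc_name[SVC_COUNT] = { "OpenKey", "OpenFile", "TerminateProcess" };

/* A service receives the calling process's image name and the object it targets. */
typedef int (*svc_fn)(const char *caller, const char *target);

/* Stand-ins for the kernel's original services: they simply succeed. */
static int orig_open_key(const char *c, const char *t)  { (void)c; (void)t; return STATUS_SUCCESS; }
static int orig_open_file(const char *c, const char *t) { (void)c; (void)t; return STATUS_SUCCESS; }
static int orig_terminate(const char *c, const char *t) { (void)c; (void)t; return STATUS_SUCCESS; }

/* The mock SSDT that calls are dispatched through, and the originals the hooks forward to. */
static svc_fn ssdt[SVC_COUNT] = { orig_open_key, orig_open_file, orig_terminate };
static svc_fn saved_original[SVC_COUNT];
static bool hooks_installed;

/* Hypothetical firewall components and artifacts (assumed names) for self-protection. */
static const char *const fw_components[] = { "fwgui.exe", "fwservice.exe" };
static const char *const fw_objects[] = {
    "fwgui.exe", "fwservice.exe", "HKLM\\SOFTWARE\\ExampleFW", "C:\\Program Files\\ExampleFW\\fw.sys",
};

static bool in_list(const char *s, const char *const *list, size_t n) {
    for (size_t i = 0; i < n; i++) if (strcmp(s, list[i]) == 0) return true;
    return false;
}

/* Rule database: (caller, service, target) -> allow or deny. */
typedef struct { char caller[64]; int svc; char target[128]; bool allow; } rule_t;
static rule_t rules[64];
static int nrules;
static bool learning_mode = true;

/* The learning-mode round trip (driver -> service -> GUI dialog -> answer back),
 * modelled as a callback so it can be driven without a real GUI. */
typedef bool (*ask_user_fn)(const char *caller, const char *svc, const char *target);
static ask_user_fn ask_user;
static int prompts_shown;

static const rule_t *find_rule(const char *caller, int svc, const char *target) {
    for (int i = 0; i < nrules; i++)
        if (rules[i].svc == svc && strcmp(rules[i].caller, caller) == 0 && strcmp(rules[i].target, target) == 0)
            return &rules[i];
    return NULL;
}

static void remember_rule(const char *caller, int svc, const char *target, bool allow) {
    if (nrules >= (int)ARRAY_LEN(rules)) return;     /* database full: the answer is simply not cached */
    rule_t *r = &rules[nrules++];
    snprintf(r->caller, sizeof r->caller, "%s", caller);
    snprintf(r->target, sizeof r->target, "%s", target);
    r->svc = svc; r->allow = allow;
}

/* Shared hook body: own components pass, own artifacts are refused outright,
 * then the rule database, then (in learning mode) the user. */
static int hook_dispatch(int svc, const char *caller, const char *target) {
    if (in_list(caller, fw_components, ARRAY_LEN(fw_components)))
        return saved_original[svc](caller, target);
    if (in_list(target, fw_objects, ARRAY_LEN(fw_objects)))
        return STATUS_ACCESS_DENIED;                  /* self-protection: no rule lookup, no prompt */
    const rule_t *r = find_rule(caller, svc, target);
    bool allow;
    if (r) {
        allow = r->allow;
    } else {
        if (!learning_mode || !ask_user) return STATUS_ACCESS_DENIED;   /* no rule: default deny */
        prompts_shown++;
        allow = ask_user(caller, svc_name[svc], target);
        remember_rule(caller, svc, target, allow);   /* ask once per (caller, service, target) */
    }
    return allow ? saved_original[svc](caller, target) : STATUS_ACCESS_DENIED;
}

/* One hook per table entry, each forwarding to the shared body. */
static int hook_open_key(const char *c, const char *t)  { return hook_dispatch(SVC_OPEN_KEY, c, t); }
static int hook_open_file(const char *c, const char *t) { return hook_dispatch(SVC_OPEN_FILE, c, t); }
static int hook_terminate(const char *c, const char *t) { return hook_dispatch(SVC_TERMINATE_PROCESS, c, t); }

/* The driver's "patch the table" step: save the originals, point the entries at the hooks. */
void install_hooks(ask_user_fn ask) {
    static const svc_fn hooks[SVC_COUNT] = { hook_open_key, hook_open_file, hook_terminate };
    if (!hooks_installed) {
        memcpy(saved_original, ssdt, sizeof ssdt);
        memcpy(ssdt, hooks, sizeof ssdt);
        hooks_installed = true;
    }
    ask_user = ask; nrules = 0; prompts_shown = 0;
}

/* The system-call entry a user-mode request goes through. */
int call_service(int svc, const char *caller, const char *target) { return ssdt[svc](caller, target); }
int prompts_count(void) { return prompts_shown; }

/* A simulated user for offline runs: allows notepad.exe, denies everything else. */
bool simulated_user(const char *caller, const char *svc, const char *target) {
    (void)svc; (void)target;
    return strcmp(caller, "notepad.exe") == 0;
}

int main(void) {
    install_hooks(simulated_user);
    printf("notepad opens a file:    %d\n", call_service(SVC_OPEN_FILE, "notepad.exe", "C:\\Users\\me\\notes.txt"));
    printf("dropper kills fwservice: %d (prompts so far: %d)\n",
           call_service(SVC_TERMINATE_PROCESS, "dropper.exe", "fwservice.exe"), prompts_count());
    return 0;
}
```

The prompt counter is the point to watch: a second identical request from notepad.exe is answered from the learned rule without a dialog, while an attempt on a firewall artifact is refused with the counter unchanged.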