App Based Firewall/Routing on Windows - Now or in the future?

The future of security on Windows might look a bit different for the big and small enterprise.

It is starting already. New products involve more granular App Based Firewalls on Windows, giving way to staged and future features in the areas of Zero Trust, Conditional Access, and FIDO2/WebAuthn. To name a few of the companies offering services for more precise control, management and insights: Microsoft and Zscaler, possibly Cisco's Secure Network Analytics, just for a start, and certainly more are and/or will be out there. One major project providing tools to make this possible is open and published by Microsoft on GitHub as the ebpf-for-windows project.

The most recent steps in this movement surround a technology that has been on Linux for more than a few years: eBPF. eBPF for Windows was revealed by Microsoft in 2021, and in the bit of research I have done on Zscaler I have observed hints from 2022-24 that suggest eBPF-based products are now appearing at the enterprise level. However, you will not be developing products using eBPF on production machines at this time due to some development barriers. In theory and practice, deployment to production machines is possible if you're a company ready and wanting to make that move. The eBPF "policies/builds" can be pushed to your production Windows clients, but as I read it, cannot be customized dynamically on the client. You build and compile it on a Windows machine with an unsigned "Development Kernel", then deploy it to production systems.

Microsoft announced the ebpf-for-windows-project in 2021 as an open-sourced project on GitHub. It is amazing to know that an open source product is being built into these applications; a quick ChatGPT interaction suggests companies like Cilium, Windows Sysmon, Npcap/Wireshark, Tailscale for Windows, Fortinet, CrowdStrike and Okta have built ebpf-for-windows into their products, with current trends in Edge Computing and eBPF-based AI/ML. It is amazing the potential software base and implementation surface area this one open source project has, and that, though everything has a name and a service that goes with it, often there are core libraries and projects like this one that make it possible under the hood.

I am not saying this is here fully yet, though; from what I am reading, the tone sounds like some are still looking for it to land. I can only imagine that it is at least part way there and/or the major security service providers are ready to provide eBPF-based routing if not full app-based packet handling. It is important to note that eBPF alone is not the only tool playing a part, but it is one of the core tools. A lot of assumptions can be made about how Microsoft management and the latest deep-insight types of features work overall, pointing to eBPF at least being used to help in telemetry used for Conditional Access and Zero Trust, and that draws the question: if you are using Microsoft, are the other companies providing overlapping features? I guess it will all depend on how it is configured and managed. Having more places to create policies might draw people back to Microsoft for a full service suite, yet I think that is unlikely; all the companies I have worked for have had multi-tier security, often Symantec/Cisco and others will play a huge role, and the current legacy or on-premises technology makes a huge difference. I do think new insights into your network and app usage are definitely here and part of mainstream offerings, and the potential features are great, especially since we have more telemetry to build AI models with.

To give more weight to App Based Firewall/Routing being mainstream: when I reviewed Zscaler's how-to articles I found the dashboard has a mechanism inside their cloud service management for App Level Granularity, User-Mode Protected Services on Windows is fully available and working, and the ebpf-for-windows-project is open source. This all strongly suggests eBPF compiled bytecode applications are already bundled in the modern clients from companies like Zscaler. As for the open source world, I have not yet found an OpenSnitch or a RethinkDNS ported to Windows.

From what I have seen in recent reviews of LinkedIn profiles I have completed, one consultant confirmed migration to Zero Trust around 2022-2024 at US Bank, and I can only believe that app level firewall/routing is here or is poised to be here soon, as technology like Zero Trust points this direction. I support this thought because Zero Trust works great with web APIs, and without app based network routing using eBPF, IP-based split tunnel and IP-based secure proxy are used, and can be slow and expensive. By contrast, by adding the ability to route based on process id and IP at the client level you get better and more precise control, with the added benefit of knowing the app details via client reporting: all network use can be reviewed once the client synchronizes up regardless of the network they are on, with more detail than network monitoring alone.

- Microsoft Announcement
- ebpf-for-windows-project source
- theNewStack_io - eBPF Is Coming for Windows
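To make the IP-based versus app-based distinction above concrete, here is a small added illustration written for this post. It is not eBPF-for-Windows code and not code from Microsoft, Zscaler or the ebpf-for-windows project; it is a plain-Python model of the decision logic. The process names, the rule set, the 203.0.113.0/24 "SaaS" range (a documentation-only address block) and the connection events are all constructed. The point it shows: two different processes reaching the same destination IP and port are indistinguishable to an IP-based split tunnel, while a policy keyed on process image plus destination can send the sanctioned client direct and keep everything else under inspection, and the same per-process telemetry yields an app-level usage report.

```python
# Added illustration (not code from the post, Microsoft, or Zscaler): a plain-Python
# model of an IP-based split tunnel versus an app-aware (process + destination)
# egress policy. Names, rules and events below are constructed.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class ConnEvent:
    """One outbound connection as a client agent might report it."""
    pid: int
    image: str        # executable name, e.g. "collab_client.exe" (constructed)
    dst_ip: str
    dst_port: int


@dataclass(frozen=True)
class Rule:
    """image=None matches any process; dst_port=None matches any port."""
    image: Optional[str]
    dst_net: str
    dst_port: Optional[int]
    action: str       # "direct" (bypass tunnel), "tunnel" (inspect), or "block"


def matches(rule: Rule, ev: ConnEvent) -> bool:
    """A rule matches when image, port and destination network all agree."""
    if rule.image is not None and rule.image.lower() != ev.image.lower():
        return False
    if rule.dst_port is not None and rule.dst_port != ev.dst_port:
        return False
    return ip_address(ev.dst_ip) in ip_network(rule.dst_net)


def decide(rules: list[Rule], ev: ConnEvent, default: str = "tunnel") -> str:
    """First matching rule wins; anything unmatched goes through the tunnel."""
    for rule in rules:
        if matches(rule, ev):
            return rule.action
    return default


# Constructed SaaS address range (TEST-NET-3, documentation-only addresses).
SAAS_NET = "203.0.113.0/24"

# IP-based split tunnel: the whole SaaS range bypasses inspection for every process.
IP_RULES = [Rule(None, SAAS_NET, 443, "direct")]

# App-aware policy: only the sanctioned client goes direct; any other process
# talking to the same range is tunnelled so it can be inspected.
APP_RULES = [
    Rule("collab_client.exe", SAAS_NET, 443, "direct"),
    Rule(None, SAAS_NET, 443, "tunnel"),
    Rule("script_host.exe", "0.0.0.0/0", None, "tunnel"),
]

# Constructed connection events: two different processes reach the same IP:port.
EVENTS = [
    ConnEvent(4120, "collab_client.exe", "203.0.113.10", 443),
    ConnEvent(7788, "unknown_tool.exe", "203.0.113.10", 443),
    ConnEvent(9001, "script_host.exe", "198.51.100.7", 8443),
]


def evaluate(rules: list[Rule], events: list[ConnEvent] = EVENTS) -> dict[str, str]:
    """Map each reporting process image to the action the policy took."""
    return {ev.image: decide(rules, ev) for ev in events}


def usage_report(events: list[ConnEvent] = EVENTS) -> dict[str, list[str]]:
    """Per-app destination summary of the kind client-side reporting allows,
    independent of which network the machine was on at the time."""
    report: dict[str, list[str]] = {}
    for ev in events:
        report.setdefault(ev.image, []).append(f"{ev.dst_ip}:{ev.dst_port}")
    return report


if __name__ == "__main__":
    print("IP-based :", evaluate(IP_RULES))
    print("App-aware:", evaluate(APP_RULES))
    print("Report   :", usage_report())
```

Run as a script, the IP-based policy sends both collab_client.exe and unknown_tool.exe direct because they share a destination, while the app-aware policy sends only collab_client.exe direct and tunnels the unknown process. A real client agent would get the process identity from the kernel hook (on Windows that is the role the post attributes to eBPF) rather than from a hand-built event list.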

I am writing openly; please follow the Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International License (CC BY-NC-ND 4.0). Of course you're certainly free to write your own review of the materials.

This is my own observation and reflects only my own observations, opinions, and beliefs. It explicitly does not reflect the views or opinions of employers; I speak on behalf of myself.
