McAfee® Host Intrusion Prevention 6.1 Product Guide
Firewall Policies: Overview (page 70)
Stateful packet filtering
Stateful packet filtering is the stateful tracking of TCP, UDP and ICMP connection information
at the Transport Layer (OSI Layer 4) and below. Each packet is examined; if it matches an
existing firewall rule that allows it, the packet is passed and an entry is made in a state
table. The state table dynamically tracks the connections that have already been matched
against the static rule set and reflects the current state of each TCP, UDP or ICMP
connection. If an inspected packet matches an existing entry in the state table, it is allowed
without being checked against the rules again. When a connection is closed or times out, the
corresponding entry is removed from the state table.
Stateful packet inspection
Stateful packet inspection combines stateful packet filtering with tracking of protocol
commands at the Application Layer (OSI Layer 7). This combination gives a more complete
picture of the computer's connection state. Because the firewall can read application-level
commands, it can inspect and protect protocols whose traffic is negotiated at Layer 7, such
as FTP (where the PORT and PASV commands announce the address and port of the data
connection), DHCP and DNS, allowing only the secondary connections or replies those
commands legitimately request.
State table
A feature of a stateful firewall is a state table that dynamically stores information about
active connections created by allow rules. Each entry in the table defines a connection
based on:
Protocol: The predefined way one service talks with another; includes TCP, UDP and
ICMP protocols.
Local and remote computer IP addresses: Each computer is identified by its IP address. An
IPv4 address is a 32-bit number written as four octets in dotted decimal notation, such as
192.168.1.100.
Local and remote computer port numbers: A computer sends and receives services
using numbered ports. For example, HTTP service typically is available on port 80,
and FTP services on port 21. Port numbers range from 0 to 65535.
Process ID (PID): A unique identifier for the process associated with a connection’s
traffic.
Timestamp: The time of the last incoming or outgoing packet associated with the
connection.
Timeout: The idle time limit (in seconds), set with the Firewall Options policy, after
which the entry is removed from the table if no further packet matching the connection is
seen. For TCP the timeout is enforced only while the connection is not yet established
(for example, a half-open connection still waiting for the SYN/ACK); the entry for an
established TCP connection is removed when the connection closes.
Direction: The direction (incoming or outgoing) of the traffic that triggered the entry.
After a connection is established, bidirectional traffic is allowed even with
unidirectional rules, provided the entry matches the connection’s parameters in the
state table.
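The model below is an added illustration, not McAfee code, of the behaviour described under "Stateful packet filtering", "Stateful packet inspection" and the state table fields above. It keeps a state table keyed by protocol and the local and remote address/port pairs, allows reply traffic for an established entry even though only an outbound rule exists, enforces the idle timeout for TCP only while the handshake is incomplete, removes entries on close, and, for the application-layer part, parses an outbound FTP PORT command to pre-register the server's inbound data connection. The Packet and Rule fields, the default timeouts, treating the first FIN or RST as a close, and the FTP handling are all simplifying assumptions; the sample traffic in run_demo is constructed.

```python
"""Toy stateful packet filter with a state table and FTP PORT inspection.

Constructed illustration, not McAfee Host Intrusion Prevention code. Packet and
rule fields, timeouts and the close handling are simplified assumptions.
"""
import re
from dataclasses import dataclass
from typing import Optional

TCP, UDP, ICMP = "TCP", "UDP", "ICMP"
IN, OUT = "in", "out"


@dataclass(frozen=True)
class Packet:
    proto: str
    direction: str                   # IN or OUT, relative to this host
    local_ip: str
    local_port: int
    remote_ip: str
    remote_port: int
    pid: int = 0                     # owning process (assumed known to the host firewall)
    flags: frozenset = frozenset()   # TCP flags, e.g. {"SYN"}, {"ACK"}, {"FIN"}
    payload: bytes = b""


@dataclass(frozen=True)
class Rule:
    action: str                      # "allow" or "block"
    proto: str
    direction: str
    remote_port: Optional[int] = None   # None matches any remote port

    def matches(self, pkt: Packet) -> bool:
        return (self.proto == pkt.proto and self.direction == pkt.direction
                and self.remote_port in (None, pkt.remote_port))


@dataclass
class Entry:
    """One state-table row: the connection tuple plus PID, direction and timing."""
    proto: str
    local_ip: str
    local_port: int
    remote_ip: str
    remote_port: int
    pid: int
    direction: str                   # direction of the packet that created the entry
    timestamp: float                 # time of the last packet seen for this connection
    established: bool = False        # TCP only: set once the handshake's final ACK is seen


class StatefulFirewall:
    def __init__(self, rules, timeouts=None):
        self.rules = list(rules)
        # Per-protocol idle timeouts in seconds (assumed values, stand-in for the policy setting)
        self.timeouts = timeouts or {TCP: 30, UDP: 30, ICMP: 10}
        self.state: dict[tuple, Entry] = {}

    @staticmethod
    def key(pkt: Packet) -> tuple:
        return (pkt.proto, pkt.local_ip, pkt.local_port, pkt.remote_ip, pkt.remote_port)

    def _expire(self, now: float) -> None:
        for k, e in list(self.state.items()):
            if e.proto == TCP and e.established:
                continue             # established TCP entries only leave on FIN/RST
            if now - e.timestamp > self.timeouts[e.proto]:
                del self.state[k]

    def _add_entry(self, pkt: Packet, now: float) -> None:
        self.state[self.key(pkt)] = Entry(pkt.proto, pkt.local_ip, pkt.local_port,
                                          pkt.remote_ip, pkt.remote_port, pkt.pid,
                                          pkt.direction, now)

    def _inspect_ftp(self, pkt: Packet, now: float) -> None:
        # Layer 7: "PORT h1,h2,h3,h4,p1,p2" tells the server where to open the data
        # connection (from its port 20). Register that expected inbound connection so
        # it matches the state table without needing a static inbound rule.
        m = re.match(rb"PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)", pkt.payload)
        if not m:
            return
        h = [int(x) for x in m.groups()]
        announced_ip = ".".join(map(str, h[:4]))
        if announced_ip != pkt.local_ip:
            return                   # refuse to open a pinhole for a third-party address
        data_port = h[4] * 256 + h[5]
        self._add_entry(Packet(TCP, IN, pkt.local_ip, data_port, pkt.remote_ip, 20, pkt.pid), now)

    def process(self, pkt: Packet, now: float) -> str:
        self._expire(now)
        k = self.key(pkt)
        entry = self.state.get(k)
        if entry is not None:
            # Known connection: allowed in either direction without consulting the rules
            entry.timestamp = now
            if pkt.proto == TCP:
                if pkt.flags & {"FIN", "RST"}:
                    del self.state[k]            # connection closed (first FIN/RST wins here)
                elif "ACK" in pkt.flags and "SYN" not in pkt.flags:
                    entry.established = True     # final ACK of the three-way handshake
            decision = "allow"
        else:
            decision = "block"                   # default deny
            for rule in self.rules:
                if rule.matches(pkt):
                    decision = rule.action
                    if decision == "allow":
                        self._add_entry(pkt, now)
                    break
        if decision == "allow" and pkt.proto == TCP and pkt.direction == OUT and pkt.remote_port == 21:
            self._inspect_ftp(pkt, now)
        return decision


def run_demo() -> dict:
    """Constructed traffic exercising the state table; returns the decisions by label."""
    fw = StatefulFirewall([Rule("allow", TCP, OUT, 80), Rule("allow", TCP, OUT, 21)])
    me, web, ftp = "192.168.1.100", "203.0.113.10", "203.0.113.20"
    r = {}
    r["syn_out"] = fw.process(Packet(TCP, OUT, me, 49152, web, 80, 1234, frozenset({"SYN"})), 0)
    r["synack_in"] = fw.process(Packet(TCP, IN, me, 49152, web, 80, 1234, frozenset({"SYN", "ACK"})), 1)
    fw.process(Packet(TCP, OUT, me, 49152, web, 80, 1234, frozenset({"ACK"})), 2)
    r["unsolicited_in"] = fw.process(Packet(TCP, IN, me, 49153, web, 80, 0, frozenset({"SYN"})), 2)
    r["idle_established"] = fw.process(Packet(TCP, OUT, me, 49152, web, 80, 1234, frozenset({"ACK"})), 1000)
    fw.process(Packet(TCP, OUT, me, 49152, web, 80, 1234, frozenset({"FIN", "ACK"})), 1001)
    r["after_fin"] = fw.process(Packet(TCP, IN, me, 49152, web, 80, 1234, frozenset({"ACK"})), 1002)
    fw.process(Packet(TCP, OUT, me, 49160, web, 80, 1234, frozenset({"SYN"})), 1003)
    r["late_synack"] = fw.process(Packet(TCP, IN, me, 49160, web, 80, 1234, frozenset({"SYN", "ACK"})), 1100)
    fw.process(Packet(TCP, OUT, me, 49170, ftp, 21, 1234, frozenset({"SYN"})), 1200)
    fw.process(Packet(TCP, IN, me, 49170, ftp, 21, 1234, frozenset({"SYN", "ACK"})), 1201)
    fw.process(Packet(TCP, OUT, me, 49170, ftp, 21, 1234, frozenset({"ACK"})), 1202)
    fw.process(Packet(TCP, OUT, me, 49170, ftp, 21, 1234, frozenset({"ACK"}),
                      b"PORT 192,168,1,100,195,80\r\n"), 1203)   # announces data port 50000
    r["ftp_data_in"] = fw.process(Packet(TCP, IN, me, 50000, ftp, 20, 1234, frozenset({"SYN"})), 1204)
    r["ftp_data_spoof"] = fw.process(Packet(TCP, IN, me, 50000, web, 20, 0, frozenset({"SYN"})), 1204)
    return r
```

In run_demo the inbound SYN/ACK is allowed although the only rules are outbound, the established HTTP session survives a long idle period while the half-open connection on port 49160 times out, the FIN removes the entry so a later inbound ACK is blocked, and the FTP data connection from the server's port 20 is admitted only from the host that received the PORT command.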
Note: Host Intrusion Prevention 6.0 clients use only the static firewall, even when working
in a mixed environment with a Host Intrusion Prevention 6.1 server and clients. To use the
stateful firewall you must upgrade the client from version 6.0 to version 6.1. To help with
the upgrade, you can convert existing static rules to stateful rules with the firewall rules
migrator. See Migrating custom 6.0 firewall rules to 6.1 rules on page 78.