Host Intrusion Prevention 6.1 Product Guide Firewall Policies
Overview
How stateful packet inspection works
Stateful packet inspection combines stateful filtering with access to application-level commands, securing protocols such as FTP, DHCP, and DNS.

FTP involves two connections: control for commands and data for the information. When a client connects to an FTP server, the control channel is established, arriving on FTP destination port 21, and an entry is made in the state table. When the firewall encounters a connection opened on port 21, it knows to perform stateful packet inspection on the packets coming through the FTP control channel, if the option for FTP inspection has been set with the Firewall Options policy.

With the control channel open, the client communicates with the FTP server. The firewall parses the PORT command in the packet sent over the connection and creates a second entry in the state table to allow the data connection.

When the FTP server is in active mode, the server opens the data connection; in passive mode, the client initiates the connection. When the server receives the first data transfer command (LIST), it opens the data connection toward the client and transfers the data. The data channel is closed after the transmission is completed.

The combination of the control connection and one or more data connections is called a session, and FTP dynamic rules are sometimes referred to as session rules. The session remains established until its control channel entry is deleted from the state table. During the periodic cleanup of the table, if a session's control channel has been deleted, all data connections are subsequently deleted.
Stateful protocol tracking
The following is a summary of the types of connections monitored by the stateful firewall and how they are handled.

Protocol   Description of handling
UDP        A UDP connection is added to the state table when a matching static rule is found and the action from the rule is Allow. Generic UDP connections, which carry application-level protocols unknown to the firewall, remain in the state table as long as the connection is not idle longer than the specified timeout period.
ICMP       Only ICMP Echo Request and Echo Reply message types are tracked. Other ICMP connections are managed like generic UDP connections.

Note: In contrast to the reliable, connection-oriented TCP protocol, UDP and ICMP are less reliable, connectionless protocols. To secure these protocols, the firewall considers generic UDP and ICMP connections to be virtual connections, held only as long as the connection is not idle longer than the timeout period specified for the connection. The timeout for virtual connections is set with the Firewall Options policy.
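A constructed Python model of the state-table behaviour described in the FTP section and in the protocol table above (an added example, not McAfee's code): it parses the FTP PORT command on an open control channel to create a session rule tied to that control entry, and its periodic cleanup drops idle UDP/ICMP virtual connections and any data rule whose control entry is gone. The addresses, the 60-second timeout and the check that a PORT command names the client itself are assumptions of the example.

```python
import re
# Constructed model of a stateful firewall's state table (an illustration, not
# McAfee's implementation). Timeout and addresses are hypothetical sample values.
VIRTUAL_CONN_TIMEOUT = 60          # idle seconds before a UDP/ICMP entry expires
PORT_RE = re.compile(rb"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\r?$", re.M)

def parse_port_command(payload):
    """Return (ip, port) announced by an FTP PORT command, or None if absent."""
    m = PORT_RE.search(payload)
    if not m:
        return None
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    if not all(0 <= v <= 255 for v in (h1, h2, h3, h4, p1, p2)):
        return None                 # malformed command: open no data rule
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2

class StateTable:
    def __init__(self):
        self.entries = {}           # (proto, src, sport, dst, dport) -> info

    def add(self, key, now, kind="static", parent=None):
        self.entries[key] = {"last_seen": now, "kind": kind, "parent": parent}

    def inspect_ftp_control(self, control_key, payload, now):
        """Parse PORT on an open control channel and add a session (data) rule."""
        _proto, client, _sport, server, dport = control_key
        if control_key not in self.entries or dport != 21:
            return None
        self.entries[control_key]["last_seen"] = now
        parsed = parse_port_command(payload)
        if parsed is None:
            return None
        ip, port = parsed
        if ip != client:            # added check: PORT must name the client itself
            return None
        # Active mode: the server opens the data connection toward the client.
        data_key = ("tcp", server, 20, ip, port)
        self.add(data_key, now, kind="session", parent=control_key)
        return data_key

    def cleanup(self, now, timeout=VIRTUAL_CONN_TIMEOUT):
        """Periodic cleanup: drop idle virtual connections and orphaned data rules."""
        for key, info in list(self.entries.items()):
            idle = now - info["last_seen"]
            if key[0] in ("udp", "icmp") and idle > timeout:
                del self.entries[key]
            elif info["kind"] == "session" and info["parent"] not in self.entries:
                del self.entries[key]
        return len(self.entries)
```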