McAfee® Host Intrusion Prevention 6.1 Product Guide (page 74)
5 Firewall Policies
Overview
Firewall rule groups and connection-aware groups
You can group rules for easier management. Normal rule groups do not affect the way
Host Intrusion Prevention handles the rules within them; they are still processed from
top to bottom.
Host Intrusion Prevention also supports a type of rule group that does affect how rules
are handled. These groups are called connection-aware groups. Rules within
connection-aware groups are processed only when certain criteria are met.
Protocol: Description of handling

TCP
The TCP protocol works on the "3-way handshake." When a client computer initiates a new connection, it sends a packet to its target with the SYN bit set, indicating a new connection. The target responds by sending a packet to the client with the SYN and ACK bits set. The client then responds by sending a packet with the ACK bit set, and the stateful connection is established. All outgoing packets are allowed, but only incoming packets that are part of the established connection are allowed. An exception is when the firewall first queries the TCP protocol and adds all pre-existing connections that match the static rules. Pre-existing connections without a matching static rule are blocked.
The TCP connection timeout, which is set with the Firewall Options policy, is enforced only when the connection is not established.
A second, or forced, TCP timeout applies to established TCP connections only. This timeout is controlled by a registry setting and has a default value of one hour. Every four minutes the firewall queries the TCP stack and discards connections that are not reported by TCP.

DNS
There is query/response matching to ensure that DNS responses are allowed only to the local port that originated the query and only from a remote IP address that has been queried within the UDP Virtual Connection Timeout interval. Incoming DNS responses are allowed if:
-- The connection in the state table has not expired.
-- The response comes from the same remote IP address and port to which the request was sent.

DHCP
There is query/response matching to ensure that return packets are allowed only for legitimate queries. Thus incoming DHCP responses are allowed if:
-- The connection in the state table has not expired.
-- The response transaction ID matches the one from the request.
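The TCP, DNS and DHCP handling described above can be modelled as one state table that outbound traffic populates and inbound traffic must match. The following Python model is an added example and is not code from the product guide or from Host Intrusion Prevention itself: the Packet and Entry classes, the 30-second and 60-second timeouts standing in for the Firewall Options settings, the decision to key DHCP state on the local port and match on the transaction ID, and the sample traffic are all constructed for illustration. Only the one-hour forced timeout and the four-minute stack sweep come from the text.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional, Tuple

# Seconds. The one-hour forced timeout is the default the guide gives; the other
# two are constructed stand-ins for the Firewall Options settings.
TCP_UNESTABLISHED_TIMEOUT, TCP_FORCED_TIMEOUT, UDP_VIRTUAL_CONNECTION_TIMEOUT = 30, 3600, 60


@dataclass(frozen=True)
class Packet:
    app: str            # "TCP", "DNS" or "DHCP"
    direction: str      # "out" = sent by the protected host, "in" = received by it
    local_port: int
    remote_ip: str
    remote_port: int
    ts: float           # arrival time in seconds
    flags: FrozenSet[str] = frozenset()   # TCP flag names, e.g. {"SYN", "ACK"}
    xid: Optional[int] = None             # DHCP transaction ID


@dataclass
class Entry:
    last_seen: float
    state: str = "new"  # TCP only: "syn_sent" -> "syn_received" -> "established"
    xid: Optional[int] = None


class StateTable:
    """Connection-aware filtering: outbound traffic opens state, inbound must match it."""

    def __init__(self) -> None:
        self.entries: Dict[Tuple, Entry] = {}

    @staticmethod
    def _key(pkt: Packet) -> Tuple:
        # DHCP requests are broadcast, so replies cannot be matched on remote address
        # (modelling choice): key DHCP state on the local port and match on the xid.
        if pkt.app == "DHCP":
            return ("DHCP", pkt.local_port)
        return (pkt.app, pkt.local_port, pkt.remote_ip, pkt.remote_port)

    def _expire(self, now: float) -> None:
        for key, e in list(self.entries.items()):
            if key[0] != "TCP":
                limit = UDP_VIRTUAL_CONNECTION_TIMEOUT
            else:  # Firewall Options timeout until established, forced timeout afterwards
                limit = TCP_FORCED_TIMEOUT if e.state == "established" else TCP_UNESTABLISHED_TIMEOUT
            if now - e.last_seen > limit:
                del self.entries[key]

    def reconcile(self, live_tcp: set) -> None:
        """Periodic sweep: drop TCP entries the stack no longer reports as
        (local_port, remote_ip, remote_port)."""
        for key in list(self.entries):
            if key[0] == "TCP" and key[1:] not in live_tcp:
                del self.entries[key]

    def filter(self, pkt: Packet) -> bool:
        """Return True if the packet is allowed through."""
        self._expire(pkt.ts)
        key = self._key(pkt)
        e = self.entries.get(key)
        if pkt.direction == "out":  # outgoing is always allowed and creates or refreshes state
            if e is None:
                e = self.entries[key] = Entry(last_seen=pkt.ts)
                if pkt.app == "TCP" and "SYN" in pkt.flags:
                    e.state = "syn_sent"
            elif pkt.app == "TCP" and e.state == "syn_received" and "ACK" in pkt.flags:
                e.state = "established"       # third step of the handshake
            if pkt.xid is not None:
                e.xid = pkt.xid               # remember the DHCP request's xid
            e.last_seen = pkt.ts
            return True
        if e is None:                         # incoming with no matching state: blocked
            return False
        if pkt.app == "TCP" and e.state == "syn_sent":
            if pkt.flags != frozenset({"SYN", "ACK"}):
                return False                  # only the SYN-ACK fits at this point
            e.state = "syn_received"
        if pkt.app == "DHCP" and pkt.xid != e.xid:
            return False                      # transaction ID must match the request
        e.last_seen = pkt.ts
        return True


def demo() -> Dict[str, bool]:
    """Constructed traffic exercising each rule; returns the verdict per packet."""
    t, v, web = StateTable(), {}, ("203.0.113.10", 443)
    # TCP: full handshake to a web server, then an unsolicited inbound SYN.
    v["syn_out"] = t.filter(Packet("TCP", "out", 50000, *web, 0.0, frozenset({"SYN"})))
    v["synack_in"] = t.filter(Packet("TCP", "in", 50000, *web, 0.1, frozenset({"SYN", "ACK"})))
    v["ack_out"] = t.filter(Packet("TCP", "out", 50000, *web, 0.2, frozenset({"ACK"})))
    v["data_in"] = t.filter(Packet("TCP", "in", 50000, *web, 0.3, frozenset({"ACK"})))
    v["unsolicited_syn"] = t.filter(Packet("TCP", "in", 22, "198.51.100.7", 40000, 0.4, frozenset({"SYN"})))
    # DNS: the reply must come from the queried server to the querying port.
    v["dns_query"] = t.filter(Packet("DNS", "out", 51000, "192.0.2.53", 53, 1.0))
    v["dns_reply"] = t.filter(Packet("DNS", "in", 51000, "192.0.2.53", 53, 1.05))
    v["dns_spoof"] = t.filter(Packet("DNS", "in", 51000, "192.0.2.99", 53, 1.1))
    # DHCP: the reply's transaction ID must match the request's.
    v["dhcp_discover"] = t.filter(Packet("DHCP", "out", 68, "255.255.255.255", 67, 2.0, xid=0x3903F326))
    v["dhcp_offer"] = t.filter(Packet("DHCP", "in", 68, "192.0.2.1", 67, 2.1, xid=0x3903F326))
    v["dhcp_bad_xid"] = t.filter(Packet("DHCP", "in", 68, "192.0.2.1", 67, 2.2, xid=0x11111111))
    # A DNS reply after the UDP virtual connection has expired is blocked.
    v["dns_late"] = t.filter(Packet("DNS", "in", 51000, "192.0.2.53", 53, 1.05 + UDP_VIRTUAL_CONNECTION_TIMEOUT + 1))
    # The established TCP entry outlives that window, but not a stack sweep that omits it.
    t.reconcile(live_tcp=set())
    v["after_sweep"] = t.filter(Packet("TCP", "in", 50000, *web, 80.0, frozenset({"ACK"})))
    return v
```

Running `demo()` shows the three asymmetries the guide describes: every outbound packet passes and opens state, an inbound packet passes only against unexpired state that it matches on address, port and (for DHCP) transaction ID, and an established TCP entry is governed by the long forced timeout and the periodic stack sweep rather than by the short handshake timeout.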
FTP
The firewall performs stateful packet inspection on TCP connections opened on port 21. Inspection occurs only on the control channel, the first connection opened on this port.
FTP inspection is performed only on the packets that carry new information. Retransmitted packets are ignored.
Dynamic rules are created depending on direction (client/server) and mode (active/passive):
-- Client FTP Active Mode: the firewall creates a dynamic incoming rule after parsing the incoming PORT command, provided the PORT command is RFC 959 compliant. The rule is deleted when the server initiates the data connection or the rule expires.
-- Server FTP Active Mode: the firewall creates a dynamic outgoing rule after parsing the incoming PORT command.
-- Client FTP Passive Mode: the firewall creates a dynamic outgoing rule when it reads the PASV command response sent by the FTP server, provided it has previously seen the PASV command from the FTP client and the PASV command is RFC 959 compliant. The rule is deleted when the client initiates the data connection or the rule expires.
-- Server FTP Passive Mode: the firewall creates a dynamic incoming rule.
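The FTP handling above comes down to parsing the control channel for PORT commands and 227 replies to PASV, checking the RFC 959 host-port format, and opening a dynamic rule in the direction the data connection will take. The following Python model is an added example, not code from the product guide or from Host Intrusion Prevention: the FtpInspector and DynamicRule classes, the sequence-number check standing in for "retransmitted packets are ignored", and the sample exchange are constructed for illustration, and rule expiry is not modelled. The six-field host-port format and the 227 reply are taken from RFC 959.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# RFC 959 host-port: h1,h2,h3,h4,p1,p2 with port = p1*256 + p2
HOSTPORT_RE = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


def parse_hostport(text: str) -> Optional[Tuple[str, int]]:
    """Return (ip, port) from an RFC 959 host-port string, or None if it is not compliant."""
    m = HOSTPORT_RE.search(text)
    if m is None:
        return None
    nums = [int(x) for x in m.groups()]
    port = nums[4] * 256 + nums[5]
    if any(n > 255 for n in nums) or port == 0:
        return None
    return ".".join(str(n) for n in nums[:4]), port


@dataclass(frozen=True)
class DynamicRule:
    direction: str              # "in": peer may connect to local_port; "out": host may connect to remote_ip:remote_port
    remote_ip: str
    local_port: Optional[int]
    remote_port: Optional[int]
    mode: str                   # "active" (PORT) or "passive" (PASV/227)


class FtpInspector:
    """Inspects one FTP control channel (TCP port 21) and maintains its dynamic rules."""

    def __init__(self, role: str, peer_ip: str) -> None:
        self.role = role        # "client" if the protected host opened the control connection, else "server"
        self.peer_ip = peer_ip
        self.pasv_pending = False
        self.last_seq = {"out": -1, "in": -1}
        self.rules: List[DynamicRule] = []

    def inspect(self, direction: str, seq: int, line: str) -> Optional[DynamicRule]:
        """Feed one control-channel line; returns the dynamic rule it created, if any."""
        if seq <= self.last_seq[direction]:
            return None                      # retransmission: no new information, ignored
        self.last_seq[direction] = seq
        line = line.strip()
        # Commands travel client->server: "out" from a protected client, "in" to a protected server.
        from_client = (direction == "out") == (self.role == "client")
        if from_client and line.upper().startswith("PORT "):
            hp, mode = parse_hostport(line[5:]), "active"
            advertiser_is_local = self.role == "client"   # the PORT sender offers its own endpoint
        elif from_client and line.upper() == "PASV":
            self.pasv_pending = True                     # a 227 reply is now expected
            return None
        elif not from_client and line.startswith("227") and self.pasv_pending:
            self.pasv_pending = False
            hp, mode = parse_hostport(line), "passive"
            advertiser_is_local = self.role == "server"  # the server offers its own endpoint
        else:
            return None
        if hp is None:
            return None                      # not RFC 959 compliant: no rule is created
        if advertiser_is_local:              # peer will connect in to the advertised port
            rule = DynamicRule("in", self.peer_ip, hp[1], None, mode)
        else:                                # protected host will connect out to the peer's port
            rule = DynamicRule("out", hp[0], None, hp[1], mode)
        self.rules.append(rule)
        return rule

    def data_connection(self, direction: str, remote_ip: str,
                        local_port: Optional[int] = None, remote_port: Optional[int] = None) -> bool:
        """Called when a data connection starts: allow it if a rule matches, then delete the rule."""
        for rule in self.rules:
            if (rule.direction, rule.remote_ip, rule.local_port, rule.remote_port) == \
                    (direction, remote_ip, local_port, remote_port):
                self.rules.remove(rule)
                return True
        return False


def demo() -> Dict[str, object]:
    """Constructed control-channel exchange seen from a protected FTP client."""
    insp, r = FtpInspector(role="client", peer_ip="203.0.113.5"), {}
    r["port_rule"] = insp.inspect("out", 100, "PORT 192,0,2,10,195,80\r\n")   # 195*256+80 = 50000
    r["retransmit"] = insp.inspect("out", 100, "PORT 192,0,2,10,195,80\r\n")  # same seq: ignored
    r["bad_port"] = insp.inspect("out", 124, "PORT 192,0,2,10,999,80\r\n")    # octet > 255
    r["unsolicited_227"] = insp.inspect("in", 300, "227 Entering Passive Mode (203,0,113,5,200,1)\r\n")
    insp.inspect("out", 150, "PASV\r\n")
    r["pasv_rule"] = insp.inspect("in", 350, "227 Entering Passive Mode (203,0,113,5,200,1)\r\n")  # 51201
    r["data_in_ok"] = insp.data_connection("in", "203.0.113.5", local_port=50000)
    r["data_in_again"] = insp.data_connection("in", "203.0.113.5", local_port=50000)
    return r
```

The same inspector handles the server-side cases by constructing it with role="server": a PORT arriving from the client then yields an outgoing rule and a 227 sent by the protected server yields an incoming rule, matching the four bullets above. The 227 reply without a preceding PASV is deliberately ignored, which is the check the Client FTP Passive Mode bullet requires.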