McAfee 6.1 Marine Radio User Manual


 
McAfee® Host Intrusion Prevention 6.1 Product Guide - Firewall Policies - Overview
If Check Primary WINS Server List is selected, the adapter primary WINS server IP
address must match at least one of the list entries.
If Check Secondary WINS Server List is selected, the adapter secondary WINS server
IP address must match at least one of the list entries.
Firewall Learn and Adaptive modes
When you enable the firewall feature, Host Intrusion Prevention continually monitors
the network traffic that a computer sends and receives. It allows or blocks traffic based
on the Firewall Rules policy. If the traffic cannot be matched against an existing rule, it
is automatically blocked unless the firewall’s Learn mode or Adaptive mode is enabled.
You can enable Learn mode for incoming communication only, for outgoing
communication only, or both.
In Learn mode, Host Intrusion Prevention displays a Learn mode alert when it
intercepts unknown network traffic. This alert dialog box prompts the user to Allow or
Block any traffic that does not match an existing rule, and automatically creates
corresponding dynamic rules for the non-matching traffic.
In Adaptive mode, Host Intrusion Prevention automatically creates a Permit rule to
allow all traffic that does not match any existing Block rule, and automatically creates
dynamic Allow rules for non-matching traffic.
For security reasons, however, in both the Learn mode and Adaptive mode, incoming
pings are blocked unless an explicit Permit rule is created for incoming ICMP traffic. In
addition, incoming traffic to a port that is not open on the host will be blocked unless
an explicit Permit rule is created for the traffic. For example, if the host has not started
telnet service, incoming TCP traffic to port 23 (telnet) will be blocked even when there
is no explicit rule to block this traffic. You can create an explicit Permit rule for any
desired traffic.
Host Intrusion Prevention displays all the rules created on clients through Learn Mode
or Adaptive Mode and allows these rules to be saved and migrated to administrative
rules.
Stateful filtering
If Adaptive or Learn mode is applied with the stateful firewall, the filtering process
changes slightly to allow the adaptive creation of a new rule to handle the incoming
packet. This filtering process proceeds as follows:
1 The firewall compares an incoming packet against entries in the state table and finds
no match, then examines the static rule list and finds no match.
2 No entry is made in the state table, but if this is a TCP packet it is put in a pending
list. If not, the packet is discarded.
3 If new rules are permitted, a unidirectional static allow rule is created. If this is a
TCP packet, an entry is made in the state table.
4 If a new rule is not permitted, the packet is dropped.
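The four steps above, together with the ping and closed-port caveats from the Learn and Adaptive modes section, can be traced with a small model. This is an added example, not McAfee code; the class and field names, the rule key (protocol, source, destination port) and the handling of a non-TCP packet after step 2 are assumptions made for illustration.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Packet:                  # constructed, simplified model of an incoming packet
    proto: str                 # "tcp", "udp" or "icmp"
    src: str
    dport: int = 0

@dataclass
class Firewall:
    learning: bool             # assumption: Adaptive mode, or Learn mode answered "Allow"
    open_ports: set = field(default_factory=set)    # ports with a listening service
    static_rules: set = field(default_factory=set)  # (proto, src, dport) allow rules
    state_table: set = field(default_factory=set)
    pending: list = field(default_factory=list)

    def new_rule_permitted(self, p):
        # Caveats from the guide: incoming pings and traffic to ports that are
        # not open stay blocked unless an explicit Permit rule already exists.
        if not self.learning or p.proto == "icmp":
            return False
        return p.dport in self.open_ports

    def handle_incoming(self, p):
        key = (p.proto, p.src, p.dport)
        # Step 1: state table first, then the static rule list.
        if key in self.state_table:
            return "allow (state table)"
        if key in self.static_rules:
            return "allow (static rule)"
        # Step 2: no state entry is made; only a TCP packet is held pending.
        if p.proto == "tcp":
            self.pending.append(p)
        # Step 4: no new rule permitted, so the packet is dropped.
        if not self.new_rule_permitted(p):
            if p in self.pending:
                self.pending.remove(p)
            return "drop"
        # Step 3: unidirectional static allow rule; state entry for TCP only.
        self.static_rules.add(key)
        if p.proto == "tcp":
            self.pending.remove(p)
            self.state_table.add(key)
            return "allow (new rule + state entry)"
        # Assumption: the non-TCP packet itself was discarded in step 2.
        return "discard (rule created for later packets)"
```

After a session in Adaptive mode, the contents of static_rules in this model correspond to the client-created rules that the guide says should be reviewed before they are migrated to administrative rules.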