McAfee® Host Intrusion Prevention 6.1 Product Guide

Firewall Policies


Overview


Stateful packet filtering

Stateful packet filtering is the stateful tracking of TCP/UDP/ICMP protocol information at Transport Layer 4 and lower of the OSI network stack. Each packet is examined and if the inspected packet matches an existing firewall rule, the packet is allowed and an entry is made in a state table. The state table dynamically tracks connections previously matched against a static rule set, and reflects the current connection state of the TCP/UDP/ICMP protocols. If an inspected packet matches an existing entry in the state table, the packet is allowed without further scrutiny. When a connection is closed or times out, the corresponding entry is removed from the state table.

Stateful packet inspection

Stateful packet inspection is the process of stateful packet filtering and tracking commands at Application Layer 7 of the network stack. This combination offers a strong definition of the computer’s connection state. Access to the application level commands provides error-free inspection and securing of FTP, DHCP, and DNS protocols.

Host Intrusion Prevention 6.0 clients use only the static firewall, even if working in a mixed environment with Host Intrusion Prevention 6.1 server and clients. To use the stateful firewall you must upgrade the client from version 6.0 to version 6.1. To help in the upgrade, you can convert existing static rules to stateful rules with the firewall rules migrator. See Migrating custom 6.0 firewall rules to 6.1 rules on page 78.

State table

A feature of a stateful firewall is a state table that dynamically stores information about active connections created by allow rules. Each entry in the table defines a connection based on:

• Protocol: The predefined way one service talks with another; includes TCP, UDP and ICMP protocols.
• Local and remote computer IP addresses: Each computer is assigned a unique IP address, which is a 32-bit number expressed as four octets in dotted decimal notation, such as 192.168.1.100.
• Local and remote computer port numbers: A computer sends and receives services using numbered ports. For example, HTTP service typically is available on port 80, and FTP services on port 21. Port numbers range from 0 to 65535.
• Process ID (PID): A unique identifier for the process associated with a connection's traffic.
• Timestamp: The time of the last incoming or outgoing packet associated with the connection.
• Timeout: The time limit (in seconds), set with the Firewall Options policy, after which the entry is removed from the table if no packet matching the connection is received. The timeout for TCP connections is enforced only when the connection is not established.
• Direction: The direction (incoming or outgoing) of the traffic that triggered the entry. After a connection is established, bidirectional traffic is allowed even with unidirectional rules, provided the entry matches the connection's parameters in the state table.
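The behaviour described under "Stateful packet filtering" and "State table" above, as an added Python simulation (example code written for this page, not McAfee's implementation): a packet that matches a static allow rule creates a state-table entry keyed on protocol, addresses and ports; later packets matching that entry are allowed in either direction without consulting the rules; entries are dropped on timeout, except that an established TCP connection is not timed out; and a closed connection's entry is removed. The rule format, the packet fields, the use of TCP flags to mark a connection established or closed, and every address, port, PID and timing below are constructed assumptions for the demonstration.

```python
from dataclasses import dataclass
from typing import Optional

# All packet and rule fields below are constructed for this example.
@dataclass(frozen=True)
class Packet:
    proto: str                      # "TCP", "UDP" or "ICMP"
    direction: str                  # "in" or "out"
    local_ip: str
    local_port: int
    remote_ip: str
    remote_port: int
    pid: int                        # process owning the local socket (constructed)
    time: float                     # seconds; drives the timestamp/timeout logic
    flags: frozenset = frozenset()  # TCP flags such as {"SYN"}, {"ACK"}, {"FIN"}

@dataclass(frozen=True)
class Rule:
    proto: str
    direction: str
    remote_port: Optional[int]      # None matches any remote port
    action: str                     # "allow" or "block"

@dataclass
class Entry:
    direction: str          # direction of the packet that created the entry
    pid: int
    last_seen: float        # timestamp of the last packet in either direction
    established: bool = False   # TCP only; once True the timeout is not enforced

class StatefulFilter:
    def __init__(self, rules, timeout_s):
        self.rules = list(rules)
        self.timeout_s = timeout_s
        self.table = {}     # (proto, local_ip, local_port, remote_ip, remote_port) -> Entry

    @staticmethod
    def _key(pkt):
        return (pkt.proto, pkt.local_ip, pkt.local_port, pkt.remote_ip, pkt.remote_port)

    def _expire(self, now):
        # Remove idle entries; established TCP connections are exempt from the timeout.
        for key, e in list(self.table.items()):
            if key[0] == "TCP" and e.established:
                continue
            if now - e.last_seen > self.timeout_s:
                del self.table[key]

    def _rule_action(self, pkt):
        # First matching static rule wins; anything unmatched is blocked.
        for r in self.rules:
            if (r.proto == pkt.proto and r.direction == pkt.direction
                    and r.remote_port in (None, pkt.remote_port)):
                return r.action
        return "block"

    def filter(self, pkt):
        self._expire(pkt.time)
        key = self._key(pkt)
        entry = self.table.get(key)
        if entry is not None:
            # State-table hit: allowed without consulting the rules, in either direction.
            entry.last_seen = pkt.time
            if pkt.proto == "TCP":
                if "FIN" in pkt.flags or "RST" in pkt.flags:
                    del self.table[key]          # connection closed: drop the entry
                elif "ACK" in pkt.flags and "SYN" not in pkt.flags:
                    entry.established = True     # handshake completed (assumed marker)
            return "allow"
        action = self._rule_action(pkt)
        if action == "allow":
            self.table[key] = Entry(pkt.direction, pkt.pid, pkt.time)
        return action

def demo():
    """Run a constructed packet trace through the filter and return the decisions."""
    rules = [Rule("TCP", "out", 80, "allow"), Rule("UDP", "out", 53, "allow")]
    fw = StatefulFilter(rules, timeout_s=30)
    L, WEB, DNS = "192.168.1.100", "203.0.113.10", "203.0.113.53"
    trace = [
        Packet("TCP", "out", L, 51000, WEB, 80, 1234, 0.0, frozenset({"SYN"})),        # rule match, entry created
        Packet("TCP", "in",  L, 51000, WEB, 80, 1234, 0.1, frozenset({"SYN", "ACK"})),  # table hit, no inbound rule needed
        Packet("TCP", "out", L, 51000, WEB, 80, 1234, 0.2, frozenset({"ACK"})),         # table hit, now established
        Packet("TCP", "in",  L, 51001, WEB, 80, 0,    0.3, frozenset({"SYN"})),         # unsolicited: no entry, no rule
        Packet("UDP", "out", L, 40000, DNS, 53, 2222, 1.0),                             # rule match, entry created
        Packet("UDP", "in",  L, 40000, DNS, 53, 2222, 1.5),                             # table hit
        Packet("TCP", "in",  L, 51000, WEB, 80, 1234, 500.0, frozenset({"ACK"})),       # established TCP: no timeout
        Packet("UDP", "in",  L, 40000, DNS, 53, 2222, 500.0),                           # UDP entry expired after 30 s
        Packet("TCP", "out", L, 51000, WEB, 80, 1234, 501.0, frozenset({"FIN", "ACK"})),# allowed, entry removed
        Packet("TCP", "in",  L, 51000, WEB, 80, 1234, 502.0, frozenset({"ACK"})),       # closed: no entry, no rule
    ]
    return [fw.filter(p) for p in trace]

if __name__ == "__main__":
    for decision in demo():
        print(decision)
```

The trace shows the two properties the guide emphasises: the SYN-ACK and later inbound data on the web connection are allowed by the state table alone, although only an outbound rule exists, and the UDP entry is gone after the 30-second timeout while the established TCP entry survives until the FIN removes it.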
