McAfee® Host Intrusion Prevention 6.1 Product Guide

Firewall Policies


Overview

State table functionality

• If firewall rule sets change, all active connections are checked against the new rule set. If no matching rule is found, the connection entry is discarded from the state table.

• If an adapter obtains a new IP address, the firewall recognizes the new IP configuration and drops all entries in the state table with an invalid local IP address.

• All entries in the state table associated with a process are deleted when the process ends.


How firewall rules work

Firewall rules determine how to handle network traffic. Each rule provides a set of conditions that traffic has to meet and has an action associated with it: either permit or block traffic. When Host Intrusion Prevention finds traffic that matches a rule’s conditions, it performs the associated action.

Host Intrusion Prevention uses precedence to apply rules: the rule at the top of the firewall rules list is applied first.

Host Intrusion Prevention handles precedence differently for domain-based rules and wireless rules. If a rule specifies a remote address as a domain name or a wireless 802.11 connection, it is applied first regardless of its position in the list of rules.

If the traffic meets this rule’s conditions, Host Intrusion Prevention allows or blocks the traffic. It does not try to apply any other rules in its rule list.

If, however, the traffic does not meet the first rule’s conditions, Host Intrusion Prevention looks at the next rule in its list. It works its way down through the firewall rule list until it finds a rule that the traffic matches. If no rule matches, the firewall automatically blocks the traffic. If Learn mode is activated, it prompts for an action to be taken; if Adaptive mode is activated, it creates a permit rule for the traffic.

Sometimes the intercepted traffic matches more than one rule in the list. In this case, precedence means that Host Intrusion Prevention applies only the first matching rule in the list.

Ordering the firewall rule list

When you create or customize a firewall rules policy, place the most specific rules at the top of the list and the more general rules at the bottom. This ensures that Host Intrusion Prevention filters traffic appropriately and does not overlook rules that are exceptions to other, more general rules.

For example, to block all HTTP requests except those from IP address 10.10.10.1, you need to create two rules:

• Permit Rule: Allow HTTP traffic from IP address 10.10.10.1. This rule is the most specific.

• Block Rule: Block all traffic using the HTTP service. This rule is more general.

You must place the more specific Permit Rule higher in the firewall rule list than the more general Block Rule. This ensures that when the firewall intercepts an HTTP request from address 10.10.10.1, the first matching rule it finds is the one that allows this traffic through the firewall.
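As an added illustration (not code from the McAfee guide), a small Python model of the precedence described above: domain-name and wireless rules are evaluated first regardless of position, the remaining rules are evaluated top-down with the first match winning, and traffic that matches no rule is blocked. The Rule and Traffic fields are assumptions made for this illustration; the two rules from the HTTP example in the text are included as constructed data.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class Rule:
    name: str
    action: str                     # "permit" or "block"
    service: Optional[str] = None   # e.g. "HTTP"; None matches any service
    remote: Optional[str] = None    # remote IP address or domain name; None matches any
    wireless: bool = False          # rule is specific to an 802.11 (wireless) connection

@dataclass
class Traffic:
    service: str
    remote_ip: str
    remote_domain: Optional[str] = None  # name of the remote host, if known
    wireless: bool = False

def is_domain(remote: str) -> bool:
    try:
        ipaddress.ip_address(remote)
        return False
    except ValueError:
        return True

def matches(rule: Rule, t: Traffic) -> bool:
    if rule.service is not None and rule.service != t.service:
        return False
    if rule.wireless and not t.wireless:
        return False
    if rule.remote is not None and rule.remote not in (t.remote_ip, t.remote_domain):
        return False
    return True

def takes_priority(rule: Rule) -> bool:
    # Domain-name and wireless rules are applied first, whatever their list position.
    return rule.wireless or (rule.remote is not None and is_domain(rule.remote))

def evaluate(rules: List[Rule], t: Traffic) -> str:
    # Priority rules in list order, then the rest top-down; the first match wins.
    ordered = [r for r in rules if takes_priority(r)] + [r for r in rules if not takes_priority(r)]
    for r in ordered:
        if matches(r, t):
            return f"{r.action}:{r.name}"
    return "block:default"  # no rule matched: the firewall blocks the traffic

# Constructed rules for the HTTP example in the text.
PERMIT = Rule("Permit Rule", "permit", service="HTTP", remote="10.10.10.1")
BLOCK = Rule("Block Rule", "block", service="HTTP")
```

Swapping the order of PERMIT and BLOCK in the list shows the shadowing problem the text warns about: the general Block Rule then matches first and the exception never applies.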
