McAfee 6.1 manual How stateful packet inspection works, Stateful protocol tracking

How stateful packet inspection works

Stateful packet inspection combines stateful filtering with access to application-level commands, securing protocols such as FTP, DHCP, and DNS.

FTP involves two connections: control for commands and data for the information. When a client connects to an FTP server, the control channel is established, arriving on FTP destination port 21, and an entry is made in the state table. When the firewall encounters a connection opened on port 21, it knows to perform stateful packet inspection on the packets coming through the FTP control channel, if the option for FTP inspection has been set with the Firewall Options policy.

With the control channel open, the client communicates with the FTP server. The firewall parses the PORT command in the packet sent over the connection and creates a second entry in the state table to allow the data connection.

When the FTP server is in active mode, the server opens the data connection; in passive mode, the client initiates the connection. When the server receives the first data transfer command (LIST), it opens the data connection toward the client and transfers the data. The data channel is closed after the transmission is completed.

The combination of the control connection and one or more data connections is called a session, and FTP dynamic rules are sometimes referred to as session rules. The session remains established until its control channel entry is deleted from the state table. During the periodic cleanup of the table, if a session’s control channel has been deleted, all data connections are subsequently deleted.

Stateful protocol tracking

The following is a summary of the types of connections monitored by the stateful firewall and how they are handled.

73