McAfee® Host Intrusion Prevention 6.1 Product Guide

Firewall Policies

 

Overview

5

Protocol

Description of handling

 

 

TCP

TCP protocol works on the “3-way handshake.” When a client computer

 

initiates a new connection, it sends a packet to its target with a SYN bit that is

 

set, indicating a new connection. The target responds by sending a packet to

 

the client with a SYN-ACK bit set. The client responds then by sending a packet

 

with an ACK bit set and the stateful connection is established. All outgoing

 

packets are allowed, but only incoming packets that are part of the established

 

connection are allowed. An exception is when the firewall first queries the TCP

 

protocol and adds all pre-existing connections that match the static rules.

 

Pre-existing connections without a matching static rule are blocked.

 

The TCP connection timeout, which is set with the Firewall Options policy, is

 

enforced only when the connection is not established.

 

A second or forced TCP timeout applies to established TCP connections only.

 

This timeout is controlled by a registry setting and has a default value of one

 

hour. Every four minutes the firewall queries the TCP stack and discards

 

connections that are not reported by TCP.

 

 

DNS

There is query/response matching to ensure DNS responses are only allowed to

 

the local port that originated the query and only from a remote IP address that

 

has been queried within the UDP Virtual Connection Timeout interval. Incoming

 

DNS responses are allowed if:

 

„ The connection in the state table has not expired.

 

„ The response comes from the same remote IP address and port where the

 

request was sent.

 

 

DHCP

There is query/response matching to ensure that return packets are allowed

 

only for legitimate queries, Thus incoming DHCP responses are allowed if:

 

„ The connection in the state table has not expired.

 

„ The response transaction ID matches the one from the request.

 

 

FTP

„ The firewall performs stateful packet inspection on TCP connections opened

 

on port 21. Inspection occurs only on the control channel, the first

 

connection opened on this port.

 

„ FTP inspection is performed only on the packets that carry new information.

 

Retransmitted packets are ignored.

 

„ Dynamic rules are created depending on direction (client/server) and mode

 

(active/passive):

 

-- Client FTP Active Mode: the firewall creates a dynamic incoming rule after

 

parsing the incoming port command, provided the port command RFC 959

 

compliant. The rule is deleted when the server initiates the data connection

 

or the rule expires.

 

-- Server FTP Active Mode: the firewall creates a dynamic outgoing rule after

 

parsing the incoming port command.

 

-- Client FTP Passive Mode: the firewall creates a dynamic outgoing rule

 

when it reads the PASV command response sent by the FTP server,

 

provided it has previously seen the PASV command from the FTP client and

 

the PASV command is RFC 959 compliant. The rule is deleted when the

 

client initiates the data connection or the rule expires.

 

-- Server FTP Passive Mode: the firewall creates a dynamic incoming rule.

 

 

Firewall rule groups and connection-aware groups

You can group rules for easier management. Normal rule groups do not affect the way Host Intrusion Prevention handles the rules within them; they are still processed from top to bottom.

Host Intrusion Prevention also supports a type of rule group that does affect how rules are handled. These groups are called connection-awaregroups. Rules within connection-aware groups are processed only when certain criteria are met.

74

Page 73 Page 75
Page 74
Image 74
McAfee 6.1 manual Firewall rule groups and connection-aware groups, Tcp
Page 73 Page 75
Top Page Image Contents