McAfee® Host Intrusion Prevention 6.1 Product Guide

Firewall Policies

Overview

• If Check Primary WINS Server List is selected, the adapter primary WINS server IP address must match at least one of the list entries.

• If Check Secondary WINS Server List is selected, the adapter secondary WINS server IP address must match at least one of the list entries.

Firewall Learn and Adaptive modes

When you enable the firewall feature, Host Intrusion Prevention continually monitors the network traffic that a computer sends and receives. It allows or blocks traffic based on the Firewall Rules policy. If the traffic cannot be matched against an existing rule, it is automatically blocked unless the firewall’s Learn mode or Adaptive mode is enabled.

You can enable Learn mode for incoming communication only, for outgoing communication only, or both.

In Learn mode, Host Intrusion Prevention displays a Learn mode alert when it intercepts unknown network traffic. This alert dialog box prompts the user to Allow or Block any traffic that does not match an existing rule, and automatically creates corresponding dynamic rules for the non-matching traffic.

In Adaptive mode, Host Intrusion Prevention automatically creates a Permit rule to allow all traffic that does not match any existing Block rule, and automatically creates dynamic Allow rules for non-matching traffic.

For security reasons, however, in both Learn mode and Adaptive mode, incoming pings are blocked unless an explicit Permit rule is created for incoming ICMP traffic. In addition, incoming traffic to a port that is not open on the host is blocked unless an explicit Permit rule is created for that traffic. For example, if the host has not started the telnet service, incoming TCP traffic to port 23 (telnet) is blocked even when there is no explicit rule to block it. You can create an explicit Permit rule for any desired traffic.

Host Intrusion Prevention displays all the rules created on clients through Learn mode or Adaptive mode and allows these rules to be saved and migrated to administrative rules.

Stateful filtering

If Adaptive or Learn mode is applied with the stateful firewall, the filtering process changes slightly to allow the adaptive creation of a new rule to handle the incoming packet. This filtering process proceeds as follows:

1 The firewall compares an incoming packet against entries in the state table and finds no match, then examines the static rule list and finds no match.

2 No entry is made in the state table, but if this is a TCP packet it is put in a pending list. If not, the packet is discarded.

3 If new rules are permitted, a unidirectional static allow rule is created. If this is a TCP packet, an entry is made in the state table.

4 If a new rule is not permitted, the packet is dropped.
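The four steps above, together with the ping and closed-port behavior described under Firewall Learn and Adaptive modes, as a small Python model added here; it is not McAfee code, and the rule-tuple layout, the (proto, src, dport) state-table key and the open_ports set are assumptions of this illustration.

```python
from dataclasses import dataclass, field

@dataclass
class AdaptiveStatefulFirewall:
    # Toy model (constructed here) of the adaptive stateful filtering steps.
    adaptive: bool                 # new rules may be created (Adaptive mode)
    open_ports: set                # TCP ports with a listening service on the host
    rules: list = field(default_factory=list)      # static rules: (proto, port|None, action)
    state_table: set = field(default_factory=set)  # (proto, src, dport) of permitted flows
    pending: list = field(default_factory=list)    # TCP packets awaiting a rule decision

    def static_match(self, pkt):
        for proto, port, action in self.rules:
            if proto == pkt["proto"] and port in (None, pkt.get("dport")):
                return action
        return None

    def filter_incoming(self, pkt):
        key = (pkt["proto"], pkt["src"], pkt.get("dport"))
        # Step 1: state table first, then the static rule list.
        if key in self.state_table:
            return "allow"
        action = self.static_match(pkt)
        if action is not None:
            return action
        # Step 2: no state entry; only TCP is held in the pending list. An
        # unmatched incoming ping is discarded unless step 1 found an explicit
        # Permit rule for ICMP.
        if pkt["proto"] != "tcp":
            return "block"
        self.pending.append(pkt)
        try:
            # TCP to a port with no listening service is blocked even with no
            # Block rule present (the telnet/port 23 case in the text).
            if pkt["dport"] not in self.open_ports:
                return "block"
            # Step 3: new rules permitted -> unidirectional static allow rule
            # and, for TCP, a state table entry for the flow.
            if self.adaptive:
                self.rules.append(("tcp", pkt["dport"], "allow"))
                self.state_table.add(key)
                return "allow"
            return "block"  # Step 4: new rules not permitted, packet dropped
        finally:
            self.pending.remove(pkt)
```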
