McAfee HISCDE-AB-IA Product Guide - Page 60

Firewall state table, How stateful filtering works, Protocol, Local and remote computer IP addresses



Stateful packet inspection is the process of stateful packet filtering and tracking commands at Application Layer 7 of the network stack. This combination offers a strong definition of the computer's connection state. Access to the application-level commands provides error-free inspection and securing of the FTP protocol.

Firewall state table

A stateful firewall includes a state table that dynamically stores information about active connections created by allow rules. Each entry in the table defines a connection based on:

• Protocol — The predefined way one service talks with another; includes TCP, UDP and ICMP protocols.
• Local and remote computer IP addresses — Each computer is assigned a unique IP address. IPv4, the current standard for IP addresses, permits addresses 32 bits long, whereas IPv6, a newer standard, permits addresses 128 bits long. IPv6 is already supported by some operating systems, such as Windows Vista and several Linux distributions. Host Intrusion Prevention supports both standards.
• Local and remote computer port numbers — A computer sends and receives services using numbered ports. For example, HTTP service typically is available on port 80, and FTP services on port 21. Port numbers range from 0 to 65535.
• Process ID (PID) — A unique identifier for the process associated with a connection's traffic.
• Timestamp — The time of the last incoming or outgoing packet associated with the connection.
• Timeout — The time limit (in seconds), set with the Firewall Options policy, after which the entry is removed from the table if no packet matching the connection is received. The timeout for TCP connections is enforced only when the connection is not established.
• Direction — The direction (incoming or outgoing) of the traffic that triggered the entry.

After a connection is established, bidirectional traffic is allowed even with unidirectional rules, provided the entry matches the connection's parameters in the state table.

Note the following about the state table:

• If firewall rule sets change, all active connections are checked against the new rule set. If no matching rule is found, the connection entry is discarded from the state table.
• If an adapter obtains a new IP address, the firewall recognizes the new IP configuration and drops all entries in the state table with an invalid local IP address.
• When a process ends, all entries in the state table associated with that process are deleted.

How stateful filtering works

Stateful filtering involves processing a packet against two rule sets: a configurable firewall rule set and a dynamic firewall rule set, the state table. The configurable rules have two possible actions:

• Allow — The packet is permitted and an entry is made in the state table.
• Block — The packet is blocked and no entry is made in the state table.

The state table entries result from network activity and reflect the state of the network stack. Each rule in the state table has only one action, Allow, so that any packet matched to a rule in the state table is automatically permitted.
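The following Python model is an added example, not code from the McAfee product guide or the Host Intrusion Prevention product. It walks a packet through the two rule sets described above: first the state table (whose entries can only Allow, and which permit the reply direction of a connection created by a unidirectional rule), then the configurable rules (Allow creates an entry, Block does not). It also models the three housekeeping cases from the notes (rule-set change, adapter readdressing, process exit) and the TCP caveat that the timeout applies only while the connection is not established. Packet fields, the `Rule` wildcard matching, the default-deny when no configurable rule matches, and all sample traffic are assumptions constructed for the example.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    """One packet as seen by the host firewall (sample values are constructed in demo())."""
    proto: str          # "TCP", "UDP" or "ICMP"
    local_ip: str
    remote_ip: str
    local_port: int
    remote_port: int
    pid: int            # process that owns the local socket
    direction: str      # "in" or "out"
    time: float         # seconds; drives the timestamp/timeout handling

    def key(self):
        # the connection parameters a state table entry is matched on
        return (self.proto, self.local_ip, self.remote_ip, self.local_port, self.remote_port)


@dataclass
class Rule:
    """A configurable firewall rule; unset fields are wildcards (assumed matching model)."""
    action: str                        # "Allow" or "Block"
    proto: Optional[str] = None
    remote_ip: Optional[str] = None
    remote_port: Optional[int] = None
    direction: Optional[str] = None

    def matches(self, p: Packet) -> bool:
        for name in ("proto", "remote_ip", "remote_port", "direction"):
            want = getattr(self, name)
            if want is not None and want != getattr(p, name):
                return False
        return True


@dataclass
class Entry:
    """A state table entry; the only action it can yield is Allow."""
    first: Packet            # packet that created the entry, re-checked when rules change
    timestamp: float         # time of the last packet matching the connection
    established: bool = False


class StatefulFirewall:
    def __init__(self, rules, timeout):
        self.rules = list(rules)
        self.timeout = timeout                   # seconds, as set in the Firewall Options policy
        self.table: dict[tuple, Entry] = {}

    def _expire(self, now):
        for k, e in list(self.table.items()):
            if e.first.proto == "TCP" and e.established:
                continue                         # TCP timeout only enforced while not established
            if now - e.timestamp > self.timeout:
                del self.table[k]

    def _first_match(self, p):
        return next((r for r in self.rules if r.matches(p)), None)

    def process(self, p: Packet) -> str:
        self._expire(p.time)
        e = self.table.get(p.key())
        if e is not None:
            # dynamic rule set hit: always Allow, even for the direction the
            # unidirectional configurable rule would not have permitted
            e.timestamp = p.time
            if p.direction != e.first.direction:
                e.established = True             # traffic seen both ways
            return "Allow"
        r = self._first_match(p)
        if r is None:
            return "Block"                       # ASSUMPTION: deny when no configurable rule matches
        if r.action == "Allow":
            self.table[p.key()] = Entry(first=p, timestamp=p.time)
        return r.action

    def change_rules(self, new_rules):
        # active connections are re-checked; entries with no Allow match are discarded
        self.rules = list(new_rules)
        for k, e in list(self.table.items()):
            r = self._first_match(e.first)
            if r is None or r.action != "Allow":
                del self.table[k]

    def adapter_readdressed(self, valid_local_ips):
        # drop entries whose local address is no longer configured on an adapter
        self.table = {k: e for k, e in self.table.items() if e.first.local_ip in valid_local_ips}

    def process_ended(self, pid):
        self.table = {k: e for k, e in self.table.items() if e.first.pid != pid}


def demo():
    """Constructed traffic: outbound HTTP rule, unsolicited inbound probe, idle DNS entry."""
    rules = [Rule("Allow", proto="TCP", remote_port=80, direction="out"),
             Rule("Allow", proto="UDP", remote_port=53, direction="out")]
    fw = StatefulFirewall(rules, timeout=30)
    out = {}
    syn = Packet("TCP", "10.0.0.5", "93.184.216.34", 51000, 80, 1234, "out", 0.0)
    out["syn"] = fw.process(syn)                         # Allow via rule, entry created
    synack = Packet("TCP", "10.0.0.5", "93.184.216.34", 51000, 80, 1234, "in", 1.0)
    out["reply"] = fw.process(synack)                    # Allow via state table, no inbound rule
    probe = Packet("TCP", "10.0.0.5", "198.51.100.9", 445, 40000, 0, "in", 2.0)
    out["unsolicited"] = fw.process(probe)               # Block: no entry, no rule
    dns = Packet("UDP", "10.0.0.5", "10.0.0.1", 50001, 53, 1234, "out", 3.0)
    out["dns"] = fw.process(dns)
    out["entries_before_timeout"] = len(fw.table)
    late = Packet("TCP", "10.0.0.5", "93.184.216.34", 51000, 80, 1234, "in", 100.0)
    out["late_tcp"] = fw.process(late)                   # established TCP survives the 30 s timeout
    out["entries_after_timeout"] = len(fw.table)         # idle UDP entry was expired
    fw.change_rules([Rule("Block", proto="TCP")])        # policy change revalidates entries
    out["entries_after_rule_change"] = len(fw.table)
    return out
```

Running `demo()` shows the points the text makes: the inbound reply is allowed by the state table even though only an outbound rule exists, the unsolicited inbound packet is blocked and creates no entry, the idle UDP entry is removed after the timeout while the established TCP entry is kept, and a rule-set change that no longer allows the connection discards its entry.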
Configuring Firewall Policies
Overview of Firewall policies
McAfee Host Intrusion Prevention 8.0 Product Guide for ePolicy Orchestrator 4.5
60