McAfee HISCDE-AB-IA Product Guide - Page 63
How learn and adaptive modes affect the firewall, FAQ - Adaptive mode, Managing Your Protection
Configuring Firewall Policies
Overview of Firewall policies

Protocol: FTP
Description of handling:
• The firewall performs stateful packet inspection on TCP connections opened on port 21. Inspection occurs only on the control channel, the first connection opened on this port.
• FTP inspection is performed only on the packets that carry new information. Retransmitted packets are ignored.
• Dynamic rules are created depending on direction (client/server) and mode (active/passive):
  • Client FTP Active Mode: the firewall creates a dynamic incoming rule after parsing the incoming port command, provided the port command is RFC 959 compliant. The rule is deleted when the server initiates the data connection or the rule expires.
  • Server FTP Active Mode: the firewall creates a dynamic outgoing rule after parsing the incoming port command.
  • Client FTP Passive Mode: the firewall creates a dynamic outgoing rule when it reads the PASV command response sent by the FTP server, provided it has previously seen the PASV command from the FTP client and the PASV command is RFC 959 compliant. The rule is deleted when the client initiates the data connection or the rule expires.
  • Server FTP Passive Mode: the firewall creates a dynamic incoming rule.

How learn and adaptive modes affect the firewall

When you enable the firewall, Host Intrusion Prevention continually monitors the network traffic that a computer sends and receives. It allows or blocks traffic based on the Firewall Rules policy. If the traffic cannot be matched against an existing rule, it is automatically blocked unless the firewall is operating in learn mode or adaptive mode.

In learn mode, Host Intrusion Prevention displays a learn mode alert when it intercepts unknown network traffic. This alert prompts the user to allow or block any traffic that does not match an existing rule, and automatically creates corresponding dynamic rules for the non-matching traffic. You can enable learn mode for incoming communication only, for outgoing communication only, or both.

In adaptive mode, Host Intrusion Prevention automatically creates an allow rule for all traffic that does not match any existing block rule, and automatically creates dynamic allow rules for non-matching traffic. For more information on using the adaptive mode with the firewall, see FAQ - Adaptive mode under Managing Your Protection.

For security reasons, when the learn mode or adaptive mode is applied, incoming pings are blocked unless an explicit allow rule is created for incoming ICMP traffic. In addition, incoming traffic to a port that is not open on the host is blocked unless an explicit allow rule is created for the traffic. For example, if the host has not started the telnet service, incoming TCP traffic to port 23 (telnet) is blocked even when there is no explicit rule to block this traffic. You can create an explicit allow rule for any desired traffic.

Host Intrusion Prevention displays all the rules created on clients through learn mode or adaptive mode, and allows these rules to be saved and migrated to administrative rules.

Stateful filtering

When adaptive or learn mode is applied with the stateful firewall, the filtering process creates a new rule to handle the incoming packet. This is the filtering process:

1 The firewall compares an incoming packet against entries in the state table and finds no match, then examines the static rule list and finds no match.
2 No entry is made in the state table, but if this is a TCP packet, it is put in a pending list. If not, the packet is dropped.

McAfee Host Intrusion Prevention 8.0 Product Guide for ePolicy Orchestrator 4.5 63
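The dynamic-rule logic described under Protocol FTP above, as an added example that is not McAfee's code: it parses the RFC 959 host-port string from a PORT command or a 227 reply, checks compliance (six decimal fields each 0-255, non-zero data port), honours a 227 reply only after a PASV request has been seen on the same control channel, and derives the rule direction from the protected host's role. The class and function names and the sample addresses are assumptions of this example, not identifiers from the product.

```python
import re
from dataclasses import dataclass

# RFC 959 host-port string: h1,h2,h3,h4,p1,p2 (six decimal fields, each 0-255);
# the data port is p1 * 256 + p2.
_HOSTPORT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")

@dataclass(frozen=True)
class DynamicRule:
    direction: str  # "incoming" or "outgoing", relative to the protected host
    address: str    # peer address of the expected data connection
    port: int

def parse_hostport(text):
    """Return (ip, port) for an RFC 959 host-port string, or None if it is not compliant."""
    m = _HOSTPORT.search(text)
    if not m:
        return None
    f = [int(x) for x in m.groups()]
    port = f[4] * 256 + f[5]
    if any(v > 255 for v in f) or port == 0:
        return None
    return ".".join(map(str, f[:4])), port

class FtpControlChannel:
    """Tracks one FTP control connection (TCP port 21). role is the protected
    host's side of that connection: "client" or "server" (hypothetical helper)."""
    def __init__(self, role):
        self.role = role
        self.pasv_seen = False  # a 227 reply only counts after a PASV request

    def inspect(self, line, from_client):
        """Return the dynamic rule implied by one FTP command or reply, or None."""
        line = line.strip()
        if from_client and line.upper().startswith("PORT "):
            # Active mode: the server will connect to the port the client advertised.
            hp = parse_hostport(line[5:])
            direction = "incoming" if self.role == "client" else "outgoing"
            return DynamicRule(direction, *hp) if hp else None
        if from_client and line.upper() == "PASV":
            self.pasv_seen = True
            return None
        if not from_client and line.startswith("227") and self.pasv_seen:
            # Passive mode: the client will connect to the port the server advertised.
            self.pasv_seen = False
            hp = parse_hostport(line)
            direction = "outgoing" if self.role == "client" else "incoming"
            return DynamicRule(direction, *hp) if hp else None
        return None
```

A 227 reply that arrives without a preceding PASV request, or a PORT command whose fields are out of range, yields no rule, which is the non-compliant case the guide says the firewall ignores.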