Host Intrusion Prevention 7.0.0 for ePO 4.0 Product Guide - McAfee
Configuring Firewall Policies
Overview of Firewall policies
4 If the packet does not match any configurable rule, it is blocked.
Figure 17: Stateful filtering process
How stateful packet inspection works
Stateful packet inspection combines stateful filtering with inspection of application-level commands, which is needed to secure protocols such as FTP that negotiate additional connections in-band.

FTP uses two connections: a control connection for commands and a data connection for the transferred information. When a client connects to an FTP server, the control channel is established, arriving on FTP destination port 21, and an entry is made in the state table. If FTP inspection has been enabled in the Firewall Options policy, the firewall performs stateful packet inspection on the packets of any connection opened to port 21, that is, on the FTP control channel.

With the control channel open, the client communicates with the FTP server. The firewall parses the PORT command in the packet and creates a second entry in the state table that allows the data connection the command announces.

In active mode the FTP server opens the data connection; in passive mode the client initiates it. In active mode, when the FTP server receives the first data-transfer command (for example LIST), it opens the data connection toward the client and transfers the data. The data channel is closed when the transfer completes.

The combination of the control connection and one or more data connections is called a session, and FTP dynamic rules are therefore sometimes referred to as session rules. A session remains established until its control-channel entry is deleted from the state table; during the periodic cleanup of the table, once a session's control-channel entry has been deleted, all of its data-connection entries are deleted as well.
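The state-table behaviour described above, as an added example written for this page (it is not McAfee's code and does not reflect how Host Intrusion Prevention actually stores its state table): a toy state table that records the control entry, parses the PORT command to add a data-connection entry owned by that session, and drops orphaned data entries during cleanup once the control entry is gone. It goes beyond the text in two places, both labelled in the code: it also handles the server's passive-mode 227 reply, and it rejects a PORT that names a different host or a privileged port, a hardening check the guide does not mention. The names StateTable, Entry, inspect_control and the addresses used are constructed for the example.

```python
import re
from dataclasses import dataclass

# Constructed regexes for the two FTP messages that announce a data connection:
#   client -> server:  PORT h1,h2,h3,h4,p1,p2                          (active mode)
#   server -> client:  227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)   (passive mode)
_PORT_RE = re.compile(r"^PORT\s+(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$", re.I)
_PASV_RE = re.compile(r"^227\b.*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def _decode_hostport(groups):
    """Turn the six comma-separated numbers of PORT / 227 into (ip, port)."""
    h1, h2, h3, h4, p1, p2 = (int(g) for g in groups)
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


@dataclass(frozen=True)
class Entry:
    kind: str      # "control" or "data"
    session: str   # key of the control entry that owns this entry
    src: tuple     # (ip, port) of the side that opens the connection; port None = any
    dst: tuple     # (ip, port) of the side that accepts it


class StateTable:
    """Toy state table: control entries plus the dynamic data entries they own."""

    def __init__(self):
        self.entries = {}

    def open_control(self, client_ip, client_port, server_ip, server_port=21):
        key = f"{client_ip}:{client_port}->{server_ip}:{server_port}"
        self.entries[key] = Entry("control", key, (client_ip, client_port), (server_ip, server_port))
        return key

    def inspect_control(self, session, line, from_client):
        """Parse one control-channel line; add a data entry if it announces a connection."""
        ctl = self.entries[session]
        client_ip, server_ip = ctl.src[0], ctl.dst[0]
        if from_client:
            m = _PORT_RE.match(line)
            if not m:
                return None
            ip, port = _decode_hostport(m.groups())
            # Added check (not from the guide): PORT must name the client's own address and a
            # non-privileged port, otherwise a bounce could open a data rule toward a third host.
            if ip != client_ip or port < 1024:
                return None
            # Active mode: the server opens the data connection from port 20 to the client.
            data = Entry("data", session, (server_ip, 20), (ip, port))
        else:
            # Passive mode (beyond the PORT-only case in the text): the server's 227 reply
            # names the port the client will connect to, from a source port not yet known.
            m = _PASV_RE.match(line)
            if not m:
                return None
            ip, port = _decode_hostport(m.groups())
            if ip != server_ip or port < 1024:
                return None
            data = Entry("data", session, (client_ip, None), (ip, port))
        key = f"data:{data.src}->{data.dst}"
        self.entries[key] = data
        return key

    def allows(self, src_ip, src_port, dst_ip, dst_port):
        """Would a packet opening src -> dst be permitted by a state-table entry?"""
        for e in self.entries.values():
            if e.src[0] == src_ip and e.dst == (dst_ip, dst_port) and e.src[1] in (None, src_port):
                return True
        return False

    def close_control(self, session):
        self.entries.pop(session, None)

    def cleanup(self):
        """Periodic sweep: delete data entries whose control entry is gone; returns the count."""
        live = {k for k, e in self.entries.items() if e.kind == "control"}
        orphans = [k for k, e in self.entries.items() if e.kind == "data" and e.session not in live]
        for k in orphans:
            del self.entries[k]
        return len(orphans)


def demo():
    """Active-mode exchange from the text with constructed addresses; returns the decisions."""
    table = StateTable()
    s = table.open_control("10.0.0.5", 41000, "192.0.2.10")
    table.inspect_control(s, "PORT 10,0,0,5,160,21", from_client=True)    # 160*256+21 = 40981
    before = table.allows("192.0.2.10", 20, "10.0.0.5", 40981)            # server -> client data
    bounce = table.inspect_control(s, "PORT 192,0,2,99,0,25", from_client=True)  # rejected
    table.close_control(s)
    removed = table.cleanup()
    after = table.allows("192.0.2.10", 20, "10.0.0.5", 40981)
    return before, bounce, removed, after


if __name__ == "__main__":
    print(demo())
```

The data entry carries the key of its control entry rather than a copy of its addresses, so the cleanup sweep only has to ask whether that key still exists; this is the dependency the text describes when it says the data connections are deleted once the control-channel entry is gone.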
Stateful protocol tracking
The following is a summary of the types of connections monitored by the stateful firewall and how they are handled.
McAfee Host Intrusion Prevention 7.0 Product Guide for use with ePolicy Orchestrator 4.0
49