How Learn And Adaptive Modes Affect The Firewall - McAfee HISCDE-AB-IA - Host Intrusion Prevention Product Manual

Product guide for use with ePolicy Orchestrator 4.5

How learn and adaptive modes affect the firewall

When you enable the firewall, Host Intrusion Prevention continually monitors the network traffic
that a computer sends and receives. It allows or blocks traffic based on the Firewall Rules policy.
If the traffic cannot be matched against an existing rule, it is automatically blocked unless the
firewall is operating in learn mode or adaptive mode.
In learn mode, Host Intrusion Prevention displays a learn mode alert when it intercepts unknown
network traffic. This alert prompts the user to allow or block any traffic that does not match an
existing rule, and automatically creates corresponding dynamic rules for the non-matching
traffic. You can enable learn mode for incoming communication only, for outgoing communication
only, or both.
In adaptive mode, Host Intrusion Prevention automatically creates an allow rule to allow all
traffic that does not match any existing block rule, and automatically creates dynamic allow
rules for non-matching traffic. For more information on using adaptive mode with the firewall,
see FAQ — Adaptive mode under Managing Your Protection.
For security reasons, when the learn mode or adaptive mode is applied, incoming pings are
blocked unless an explicit allow rule is created for incoming ICMP traffic. In addition, incoming
traffic to a port that is not open on the host is blocked unless an explicit allow rule is created
for the traffic. For example, if the host has not started telnet service, incoming TCP traffic to
port 23 (telnet) is blocked even when there is no explicit rule to block this traffic. You can create
an explicit allow rule for any desired traffic.
Host Intrusion Prevention displays all the rules created on clients through learn mode or adaptive
mode, and allows these rules to be saved and migrated to administrative rules.
Stateful filtering
When adaptive or learn mode is applied with the stateful firewall, the filtering process creates
a new rule to handle the incoming packet. This is the filtering process:
1. The firewall compares an incoming packet against entries in the state table and finds no
match, then examines the static rule list and finds no match.
2. No entry is made in the state table, but if this is a TCP packet, it is put in a pending list. If
not, the packet is dropped.
McAfee Host Intrusion Prevention 8.0 Product Guide for ePolicy Orchestrator 4.5
Protocol: FTP
Description of handling:
The firewall performs stateful packet inspection on TCP connections opened on port 21.
Inspection occurs only on the control channel, the first connection opened on this port.
FTP inspection is performed only on the packets that carry new information. Retransmitted
packets are ignored.
Dynamic rules are created depending on direction (client/server) and mode (active/passive):
Client FTP Active Mode: the firewall creates a dynamic incoming rule after parsing the
incoming PORT command, provided the PORT command is RFC 959 compliant. The rule is deleted
when the server initiates the data connection or the rule expires.
Server FTP Active Mode: the firewall creates a dynamic outgoing rule after parsing the
incoming PORT command.
Client FTP Passive Mode: the firewall creates a dynamic outgoing rule when it reads the
PASV command response sent by the FTP server, provided it has previously seen the PASV
command from the FTP client and the PASV response is RFC 959 compliant. The rule is
deleted when the client initiates the data connection or the rule expires.
Server FTP Passive Mode: the firewall creates a dynamic incoming rule.
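The client-side FTP inspection described above, as an added example that is not McAfee's code: a control-channel tracker that applies the page's two client rules (a PORT command yields a dynamic incoming rule only if its host-port tuple is RFC 959 compliant; a 227 reply yields a dynamic outgoing rule only after a PASV command was seen). The class and rule names are assumptions, the sample commands are constructed, and the server-side cases and retransmission handling are left out.

```python
import re
from dataclasses import dataclass

# RFC 959 host-port argument: six decimal numbers 0-255 separated by commas.
_HOSTPORT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


@dataclass(frozen=True)
class DynamicRule:
    """Hypothetical model of a dynamic firewall rule (assumed name).
    host/port is the data endpoint named on the control channel: the client's
    listener for PORT (incoming rule), the server's for PASV (outgoing rule)."""
    direction: str  # "incoming" or "outgoing"
    host: str
    port: int


def parse_hostport(text):
    """Return (ip, port) from an h1,h2,h3,h4,p1,p2 tuple, or None if not RFC 959 compliant."""
    m = _HOSTPORT.search(text)
    if not m:
        return None
    nums = [int(x) for x in m.groups()]
    if any(n > 255 for n in nums):
        return None  # a field outside 0-255 is malformed: no rule is created
    return ".".join(map(str, nums[:4])), nums[4] * 256 + nums[5]


class FtpControlInspector:
    """Tracks one FTP control channel (TCP port 21) on the client host (assumed name)."""

    def __init__(self):
        self.pasv_pending = False  # set once the client's PASV command has been seen

    def observe(self, direction, line):
        """direction is 'out' for client->server commands, 'in' for server replies.
        Returns the DynamicRule the firewall would create for this line, or None."""
        line = line.strip()
        if direction == "out":
            cmd = line.split(" ", 1)[0].upper()
            if cmd == "PASV":
                self.pasv_pending = True  # remember it so the 227 reply is trusted
                return None
            if cmd == "PORT":  # active mode: server will connect back to this endpoint
                hp = parse_hostport(line)
                return DynamicRule("incoming", hp[0], hp[1]) if hp else None
            return None
        # Server reply: a 227 "Entering Passive Mode" is honoured only after a PASV.
        if line.startswith("227") and self.pasv_pending:
            self.pasv_pending = False
            hp = parse_hostport(line)
            return DynamicRule("outgoing", hp[0], hp[1]) if hp else None
        return None
```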