Network Threat Protection
The Network Threat Protection component allows you to scan inbound network traffic for activity that is typical for network attacks.
Kaspersky Embedded Systems Security receives TCP port numbers from the current application databases and scans incoming traffic for these ports.
To scan network traffic, the Network Threat Protection task receives port numbers from the application databases and accepts connections on all of these ports. During a network scan, such a port may therefore appear open on the device even if no application on the system is listening on it. It is recommended to close unused ports by means of a firewall.
Current connections for intercepted TCP ports are reset when Network Threat Protection is enabled.
If Network Threat Protection is enabled, upon detecting an attempted network attack on a protected device, the application blocks network activity from the attacking device and creates the Network attack detected event. The event contains information about the attacking device.
By default, network traffic from the attacking device is blocked for one hour. Once the blocking time has expired, the application unblocks the device.
Network Threat Protection is enabled by default if the Network Threat Protection settings on the device are defined through a policy. If locally configured settings are applied on the device, Network Threat Protection is disabled by default.
You can enable or disable Network Threat Protection, and also configure the protection settings:
- Select the action that the application will perform upon detection of network activity that is typical of network attacks.
- Enable or disable the blocking of network activity when a network attack attempt is detected.
- Set the duration for blocking an attacking device.
- Configure a list of IP addresses whose network activity will not be blocked by the application.
You can use the commands for administering blocked devices in the command line to view the list of blocked devices and manually unblock these devices. Kaspersky Security Center does not provide tools for monitoring and managing blocked devices, except for the Network attack detected events.
Kaspersky Embedded Systems Security adds a special chain of allowing rules (kess_bypass) to the mangle table of the iptables and ip6tables utilities. This chain of allowing rules makes it possible to exclude traffic from scans by the application. If traffic exclusion rules are configured in the chain, they affect the operation of the Network Threat Protection task. For example, to exclude outgoing HTTP traffic, add a rule to the chain with the following command: iptables -t mangle -I kess_bypass -m tcp -p tcp --dport http -j ACCEPT.
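Because every allowing rule in kess_bypass takes traffic out of Network Threat Protection scanning, the chain should be reviewed the same way as any other allow list. The following Python script is an added example, not part of this documentation or of the product: it parses an iptables-save dump, collects the rules appended to kess_bypass in the mangle table, and flags rules that exempt all traffic, a whole protocol, or everything except a negated match. The dump embedded in the script is constructed sample data; note that iptables-save writes ports numerically, so the rule added above with --dport http appears as --dport 80.

```python
"""Audit the kess_bypass chain of the mangle table in an iptables-save dump.

Every ACCEPT rule in that chain excludes the matching traffic from Network
Threat Protection scanning, so the chain deserves the same review as any
allow list. This is an added example; the dump below is CONSTRUCTED sample
data, not output captured from a real device.
"""

CHAIN = "kess_bypass"
TABLE = "mangle"

# Constructed iptables-save excerpt. iptables-save writes ports numerically,
# so a rule added with "--dport http" shows up here as "--dport 80".
SAMPLE_DUMP = """\
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:kess_bypass - [0:0]
-A kess_bypass -p tcp -m tcp --dport 80 -j ACCEPT
-A kess_bypass -s 10.0.0.5/32 -p tcp -m tcp --dport 8443 -j ACCEPT
-A kess_bypass -p udp -j ACCEPT
-A kess_bypass -j ACCEPT
COMMIT
*filter
:INPUT ACCEPT [0:0]
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT
"""

# iptables options this parser records, mapped to field names.
OPTIONS = {
    "-p": "proto", "--protocol": "proto",
    "-s": "src", "--source": "src",
    "-d": "dst", "--destination": "dst",
    "-i": "in_if", "--in-interface": "in_if",
    "-o": "out_if", "--out-interface": "out_if",
    "--dport": "dport", "--sport": "sport",
    "-j": "target", "--jump": "target",
}
MATCH_FIELDS = ("proto", "src", "dst", "in_if", "out_if", "dport", "sport")


def parse_bypass_rules(dump):
    """Return the rules appended to kess_bypass in the mangle table, in order.

    Each rule is a dict with the recorded match fields (None when absent),
    the jump target and the raw line. Rules in other tables or chains are
    ignored. A "!" before an option is kept as a prefix on the value.
    """
    rules = []
    table = None
    for line in dump.splitlines():
        line = line.strip()
        if line.startswith("*"):
            table = line[1:]
            continue
        if line == "COMMIT":
            table = None
            continue
        if table != TABLE or not line.startswith(f"-A {CHAIN} "):
            continue
        tokens = line.split()[2:]  # drop "-A kess_bypass"
        rule = {field: None for field in MATCH_FIELDS}
        rule.update(target=None, raw=line)
        negate = False
        i = 0
        while i < len(tokens):
            tok = tokens[i]
            if tok == "!":
                negate = True
                i += 1
            elif tok in OPTIONS and i + 1 < len(tokens):
                rule[OPTIONS[tok]] = ("!" if negate else "") + tokens[i + 1]
                negate = False
                i += 2
            elif tok == "-m":
                i += 2  # match-extension name (e.g. "-m tcp"): nothing to record
            else:
                i += 1  # any other option: skip
        rules.append(rule)
    return rules


def audit_bypass_rules(rules):
    """Flag bypass rules a reviewer should look at; returns a list of strings.

    A rule with no match criteria exempts every packet from Network Threat
    Protection; a rule matching only on protocol exempts that whole protocol;
    a rule whose only criteria are negated exempts nearly everything.
    """
    findings = []
    for rule in rules:
        if rule["target"] != "ACCEPT":
            continue  # only allowing rules exclude traffic from scanning
        matched = [f for f in MATCH_FIELDS if rule[f] is not None]
        if not matched:
            findings.append(f"CATCH-ALL bypass, all traffic unscanned: {rule['raw']}")
        elif matched == ["proto"]:
            findings.append(f"protocol-wide bypass ({rule['proto']}): {rule['raw']}")
        elif all(rule[f].startswith("!") for f in matched):
            findings.append(f"negation-only bypass, nearly all traffic unscanned: {rule['raw']}")
    return findings


if __name__ == "__main__":
    for finding in audit_bypass_rules(parse_bypass_rules(SAMPLE_DUMP)):
        print(finding)
```

On a real device, feed the script the output of iptables-save (and ip6tables-save for the IPv6 chain) instead of SAMPLE_DUMP. Only the single-port, address, interface and protocol options are parsed; multiport or other match extensions are skipped, so a rule that relies solely on them would be reported as broader than it is and needs a manual look.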
Configuring Network Threat Protection in the Web Console
In the Web Console, you can configure Network Threat Protection settings in the policy properties (Application settings → Essential Threat Protection → Network Threat Protection).
Network Threat Protection component settings
Setting | Description |
---|---|
Network Threat Protection enabled / disabled | This toggle button enables or disables Network Threat Protection. The toggle button is switched on by default. |
Action on threat detection | Actions performed upon detection of network activity that is typical of network attacks. |
Blocking attacking devices enabled / disabled | This toggle button enables or disables blocking network activity when a network attack attempt is detected. The toggle button is switched on by default. |
Block the attacking device for (min) | In this field you can specify the duration an attacking device is blocked in minutes. After the specified time, Kaspersky Embedded Systems Security allows network activity from this device. Available values: integer from 1 to 32768. Default value: 60. |
Exclusions | The table contains a list of IP addresses. Network attacks from these addresses will not be blocked. By default, the list is empty. |
IP address window
In this window, you can add and edit IP addresses. Network attacks from these IP addresses will not be blocked by Kaspersky Embedded Systems Security.
IP addresses
Setting | Description |
---|---|
Enter an IP address | Entry field for an IP address. You can specify IP addresses in IPv4 and IPv6 formats. |
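The block duration and the exclusion list are the two settings most likely to be mis-set in a policy: a block time outside 1 to 32768, an exclusion written as a range instead of a single address, or the same host listed twice in IPv4 and IPv4-mapped IPv6 form. The following Python script is an added example, not part of this documentation or of the product: it lints a policy dict against the value limits stated in the table above. The dict layout and key names are an assumption made for the example, not the product's own policy format, and the sample policy is constructed input.

```python
"""Lint a proposed Network Threat Protection policy before it is rolled out.

The limits come from the settings tables on this page: the block time is an
integer from 1 to 32768 minutes (default 60) and exclusions are single
IPv4 or IPv6 addresses. This is an added example; the dict layout and the
key names below are an ASSUMPTION for illustration, not the product's own
policy format.
"""
import ipaddress

MIN_BLOCK_MINUTES = 1
MAX_BLOCK_MINUTES = 32768
DEFAULT_BLOCK_MINUTES = 60

# Constructed policy with several deliberate problems.
SAMPLE_POLICY = {
    "enabled": True,
    "block_attackers": False,
    "block_minutes": 0,
    "exclusions": ["10.0.0.5", "::ffff:10.0.0.5", "2001:db8::10", "10.0.0.0/24"],
}


def normalize_exclusion(text):
    """Parse one exclusion entry into a canonical address object.

    IPv4-mapped IPv6 entries (::ffff:a.b.c.d) are folded to plain IPv4 so the
    same host written both ways is recognised as a duplicate. Raises
    ValueError for anything that is not a single address (a CIDR range, a
    hostname, an empty string).
    """
    addr = ipaddress.ip_address(text.strip())
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        return addr.ipv4_mapped
    return addr


def lint_policy(policy):
    """Return (severity, message) findings in the order they were found."""
    findings = []
    if not policy.get("enabled", True):
        findings.append(("error", "Network Threat Protection is disabled"))
    if not policy.get("block_attackers", True):
        findings.append(("warning",
                         "attacker blocking is off: attacks are detected but not blocked"))
    minutes = policy.get("block_minutes", DEFAULT_BLOCK_MINUTES)
    # bool is a subclass of int, so reject True/False explicitly
    if (isinstance(minutes, bool) or not isinstance(minutes, int)
            or not MIN_BLOCK_MINUTES <= minutes <= MAX_BLOCK_MINUTES):
        findings.append(("error",
                         f"block_minutes {minutes!r} is not an integer in "
                         f"{MIN_BLOCK_MINUTES}..{MAX_BLOCK_MINUTES}"))
    seen = {}  # canonical address -> entry text as first written
    for entry in policy.get("exclusions", []):
        try:
            addr = normalize_exclusion(entry)
        except ValueError:
            findings.append(("error",
                             f"exclusion {entry!r} is not a single IPv4/IPv6 address"))
            continue
        if addr in seen:
            findings.append(("warning",
                             f"exclusion {entry!r} duplicates {seen[addr]!r}"))
        else:
            seen[addr] = entry
    return findings


if __name__ == "__main__":
    for severity, message in lint_policy(SAMPLE_POLICY):
        print(f"{severity}: {message}")
```

Run against the constructed policy, the script reports the disabled blocking as a warning, the zero block time and the CIDR entry as errors, and the IPv4-mapped duplicate as a warning. Adapt the key names to however your deployment tooling represents the policy before using it as a pre-rollout check.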
Configuring Network Threat Protection in the Administration Console
In the Administration Console, you can configure Network Threat Protection settings in the policy properties (Essential Threat Protection → Network Threat Protection).
Network Threat Protection component settings
Setting | Description |
---|---|
Enable Network Threat Protection | This check box enables or disables Network Threat Protection. The check box is selected by default. |
Action on threat detection | Actions performed upon detection of network activity that is typical of network attacks. |
Block attacking devices | This check box enables or disables the blocking of network activity when a network attack attempt is detected. The check box is selected by default. |
Block the attacking device for (min) | In this field you can specify the duration an attacking device is blocked in minutes. After the specified time, Kaspersky Embedded Systems Security allows network activity from this device. Available values: integer from 1 to 32768. Default value: 60. |
Exclusions | This group of settings contains the Configure button, which opens the Exclusions window, where you can specify a list of IP addresses. Network attacks from these IP addresses will not be blocked. |
Exclusions window
In this window, you can add IP addresses from which network attacks will not be blocked.
By default, the list is empty.
IP address window
In this window, you can add and edit IP addresses. Network attacks from these IP addresses will not be blocked by Kaspersky Embedded Systems Security.
IP addresses
Setting | Description |
---|---|
Enter an IP address | Entry field for an IP address. You can specify IP addresses in IPv4 and IPv6 formats. |
Configuring Network Threat Protection in the command line
In the command line, you can manage Network Threat Protection using the Network Threat Protection predefined task (Network_Threat_Protection).
By default, the Network Threat Protection task does not run. You can start and stop the task manually.
You can configure Network Threat Protection settings by editing the settings of the Network Threat Protection predefined task.
Network Threat Protection task settings
Setting | Description | Values |
---|---|---|
| Actions performed upon detection of network activity that is typical of network attacks. Changing the value of this setting from | |
| Blocking network activity from attacking devices. | |
| Specifies how long attacking devices will be blocked (in minutes). | 1 – 32768. Default value: 60. |
| The usage of a list of IP addresses whose network activity will not be blocked when a network attack is detected. The application will only log information about dangerous activity from these devices. You can add IP addresses to the exclusion list by using the | |
| Specifies an IP address whose network activity will not be blocked by the application. By default, the list is empty. | The default value is not defined. |