Kaspersky Industrial CyberSecurity for Networks

Application architecture

March 22, 2024

ID 102350

Kaspersky Industrial CyberSecurity for Networks includes the following components:

  • The Server is the main component that receives data, processes it, and provides it to users of the application. The received information (such as events and device information) is saved on the Server in the database. Only one Server can be used in each Kaspersky Industrial CyberSecurity for Networks deployment scenario.
  • A sensor is a component that is managed by the Server. It receives and analyzes data from computer networks that are connected to the network interfaces of the sensor's computer, and forwards the data analysis results to the Server. On specific requests from the Server, the sensor can also forward data in the same format in which the data was received for analysis (for example, traffic related to registered events). Sensors are installed on separate computers. A sensor cannot be installed on a computer that performs Server functions. The application can have up to 50 sensors.

The connections between the Server and sensors are secured by using certificates. Use of certificates also ensures the security of other connections with application components (for example, a connection to a component through a web interface or connections of recipient systems through specialized application modules called connectors).

The Kaspersky Industrial CyberSecurity for Networks Server performs the following functions:

  • Manages sensors and receives the results of their analysis of data received from computer networks.
  • Processes and saves received information about devices and their interactions.
  • Receives data from Kaspersky applications that perform functions to protect workstations and servers (EPP applications).
  • Interacts with the Kaspersky Endpoint Agent application installed on devices.
  • Establishes remote connections to devices to scan those devices as part of security audit jobs.
  • Registers and saves events.
  • Conducts an additional analysis of accumulated information to detect threats and incidents (for example, according to event correlation rules).
  • Monitors application performance.
  • Monitors the activities of application users.
  • Processes incoming requests submitted through the web interface and connectors, and provides the requested data.

A Kaspersky Industrial CyberSecurity for Networks sensor performs the following functions:

  • Analyzes incoming industrial network traffic:
    • Extracts information about device communications and process parameters from traffic.
    • Identifies signs of attacks in traffic.
  • Receives data from Kaspersky applications that perform functions to protect workstations and servers (EPP applications).
  • Interacts with the Kaspersky Endpoint Agent application installed on devices.
  • Establishes remote connections to devices to scan those devices as part of security audit jobs.
  • Registers events based on the results of data analysis.
  • Relays events, information about traffic, device information, and process parameters to the Kaspersky Industrial CyberSecurity for Networks Server.

Application components receive a copy of industrial network traffic from monitoring points. Monitoring points can be used on sensors as well as on the Server. You can add monitoring points to network interfaces detected on nodes that have application components installed. Monitoring points must be added to network interfaces that relay traffic from the industrial network.

You can add no more than 8 monitoring points on a sensor and no more than 4 monitoring points on the Server. You can use no more than 50 monitoring points total in the application.

All network interfaces with added monitoring points must be connected to the industrial network in a way that excludes any possibility of impacting the industrial network. For example, you can connect them to ports on industrial network switches that are configured to transmit mirrored traffic (Switched Port Analyzer, SPAN).

It is recommended to use a dedicated Kaspersky Industrial CyberSecurity network for connecting the Server to sensors and to other components of Kaspersky Industrial CyberSecurity (Kaspersky Industrial CyberSecurity for Nodes / Kaspersky Industrial CyberSecurity for Linux Nodes, Kaspersky Security Center). Network equipment used for interaction between components in the dedicated network must be installed separately from the industrial network. Normally, the following computers and devices should be connected to the dedicated network:

  • Kaspersky Industrial CyberSecurity for Networks Server node.
  • Kaspersky Industrial CyberSecurity for Networks sensor nodes.
  • Computers for connecting to the Server and sensors through the web interface.
  • Computers with Kaspersky Industrial CyberSecurity for Nodes / Kaspersky Industrial CyberSecurity for Linux Nodes and Kaspersky Endpoint Agent.
  • Computers that are used for establishing remote connections to devices to scan those devices as part of security audit jobs.
  • Computers hosting connector application modules.
  • Computer hosting Kaspersky Security Center.
  • Network switch.
