Configuring industrial protocol traffic filtering

You can use the Kaspersky IoT Secure Gateway Network Protector application to configure rules for blocking and filtering industrial protocol traffic in the Kaspersky IoT Secure Gateway 1000 configuration settings. Industrial traffic filtering uses packet analysis rules and includes the following checks:

Kaspersky IoT Secure Gateway Network Protector must be configured before it is started. If it is started without a completed configuration, Kaspersky IoT Secure Gateway 1000 enters emergency mode, because it cannot obtain traffic filtering rules and therefore cannot guarantee a secure state.

To configure traffic filtering rules for industrial protocols:

  1. Use Kaspersky Update Utility to download files with lists of supported network packet analysis rules:
    • The industrial_commands.rules file contains a list of supported command filtering rules for industrial protocols.
    • The industrial_anomalies.rules file contains a list of supported traffic anomaly detection rules for industrial protocols.

    The entire identifier (sid) range 9XXXXXXX is reserved for service purposes. Do not assign identifiers from this range to custom rules: if a custom rule uses a service identifier, Kaspersky IoT Secure Gateway 1000 may switch to emergency support mode.

    For detailed information on using the utility, refer to the Kaspersky Update Utility documentation.

  2. Select from these files the rules that you want to apply to industrial protocol traffic filtering.

    Some rules in the industrial_commands.rules and industrial_anomalies.rules files may block legitimate business traffic. Before using rules from these files, analyze them and select only the ones you need. The rule described in step 7 of this procedure can serve as an example.

  3. Encode the two lists as two separate Base64 strings: one for the command filtering rules and one for the anomaly detection rules.
  4. Stop Kaspersky IoT Secure Gateway Network Protector if running.

    While Kaspersky IoT Secure Gateway Network Protector is stopped, transit traffic on the device will be blocked to ensure the security of connected devices.

  5. In the menu in the left part of the web interface screen, select Settings → Configuration.
  6. In the configuration field under kaspersky.kisg.netprotector, add "APP_CONFIGURATION": {}.
  7. Inside APP_CONFIGURATION, specify the following settings to enable and configure industrial protocol traffic filtering:
    • Add an "industrial_commands_rules": "" parameter and set its value to the Base64-encoded list of rules for filtering commands at the industrial protocol level.
    • Add an "industrial_anomaly_rules": "" parameter and set its value to the Base64-encoded list of rules for detecting traffic anomalies at the industrial protocol level.

    As a result, the settings under kaspersky.kisg.netprotector will look like this:

    "APP_CONFIGURATION": {
        "industrial_commands_rules": "<Base64-encoded rules>",
        "industrial_anomaly_rules": "<Base64-encoded rules>"
    }

    For Kaspersky IoT Secure Gateway Network Protector to work, at least one of the two parameters must contain rules; otherwise Kaspersky IoT Secure Gateway 1000 enters emergency mode after you start it, because it cannot obtain traffic filtering rules to guarantee a secure state. You can disable one of the two parameters (but not both) by setting its value to an empty string "".


    After adding APP_CONFIGURATION and its settings, you cannot delete it, as it is required for the application to work.

  8. Click Save to apply the configuration settings.
  9. Start Kaspersky IoT Secure Gateway Network Protector.
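The following script is an added example, not code from Kaspersky or from the Kaspersky IoT Secure Gateway 1000 documentation. It walks through steps 2, 3, 6 and 7 offline: it picks the rules you have reviewed out of a rule file by sid, refuses sids in the reserved 9XXXXXXX service range, Base64-encodes each list separately, and assembles the APP_CONFIGURATION object, refusing a configuration in which both lists are empty (the gateway would start in emergency mode). The rule files are constructed samples; the Suricata-style "sid:NNN;" syntax, the regular expression that extracts it, and the reading of 9XXXXXXX as 90000000 to 99999999 are assumptions made for the example.

```python
import base64
import re

# Constructed sample rule files. The real industrial_commands.rules and
# industrial_anomalies.rules are downloaded with Kaspersky Update Utility;
# the Suricata-style "sid:NNN;" syntax used here is an assumption.
SAMPLE_COMMANDS_RULES = """\
# constructed example, not the real industrial_commands.rules
alert modbus any any -> any 502 (msg:"Modbus write single register"; modbus: function 6; sid:1000001; rev:1;)
alert modbus any any -> any 502 (msg:"Modbus write multiple coils"; modbus: function 15; sid:1000002; rev:1;)
alert modbus any any -> any 502 (msg:"service rule, reserved range"; modbus: function 8; sid:90000001; rev:1;)
"""

SAMPLE_ANOMALY_RULES = """\
# constructed example, not the real industrial_anomalies.rules
alert modbus any any -> any 502 (msg:"Modbus exception response flood"; threshold: type both, track by_src, count 20, seconds 10; sid:2000001; rev:1;)
"""

SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")
# Assumed reading of the reserved "9XXXXXXX" service range.
SERVICE_SID_MIN, SERVICE_SID_MAX = 90_000_000, 99_999_999


def is_service_sid(sid: int) -> bool:
    """True if sid lies in the reserved 9XXXXXXX service range."""
    return SERVICE_SID_MIN <= sid <= SERVICE_SID_MAX


def parse_rules(text: str) -> dict:
    """Map sid -> rule line, skipping blank lines and # comments."""
    rules = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = SID_RE.search(line)
        if not m:
            raise ValueError(f"rule without sid: {line}")
        rules[int(m.group(1))] = line
    return rules


def select_rules(text: str, wanted_sids: set) -> str:
    """Step 2: keep only the reviewed rules; refuse reserved service sids."""
    rules = parse_rules(text)
    bad = sorted(s for s in wanted_sids if is_service_sid(s))
    if bad:
        raise ValueError(f"sids in reserved service range 9XXXXXXX: {bad}")
    missing = sorted(set(wanted_sids) - set(rules))
    if missing:
        raise ValueError(f"sids not found in rule file: {missing}")
    return "\n".join(rules[s] for s in sorted(wanted_sids)) + "\n"


def encode_rules(rule_text: str) -> str:
    """Step 3: one Base64 string per rule list ("" when the list is empty)."""
    if not rule_text.strip():
        return ""
    return base64.b64encode(rule_text.encode("utf-8")).decode("ascii")


def decode_rules(b64: str) -> str:
    """Round-trip check before pasting the value into the web interface."""
    return base64.b64decode(b64).decode("utf-8")


def build_app_configuration(commands_text: str, anomaly_text: str) -> dict:
    """Steps 6-7: the APP_CONFIGURATION object for kaspersky.kisg.netprotector."""
    cfg = {
        "industrial_commands_rules": encode_rules(commands_text),
        "industrial_anomaly_rules": encode_rules(anomaly_text),
    }
    # Both values empty means no rules at all: the gateway would start in
    # emergency mode, so refuse to produce that configuration.
    if not cfg["industrial_commands_rules"] and not cfg["industrial_anomaly_rules"]:
        raise ValueError("at least one of the two rule lists must be non-empty")
    return {"APP_CONFIGURATION": cfg}


if __name__ == "__main__":
    import json

    commands = select_rules(SAMPLE_COMMANDS_RULES, {1000001})
    anomalies = select_rules(SAMPLE_ANOMALY_RULES, {2000001})
    # Paste the printed object into the configuration field under
    # kaspersky.kisg.netprotector (step 6), then Save and start the application.
    print(json.dumps(build_app_configuration(commands, anomalies), indent=2))
```

Run it once with the sids you selected in step 2; the printed object is what goes under kaspersky.kisg.netprotector. Decode each value with decode_rules() and diff it against your selection before saving, so that a stray service sid or a mis-copied string is caught on your workstation rather than by the gateway entering emergency mode.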

Industrial protocol traffic is now filtered using the specified rules. When a rule is triggered, the matching traffic is blocked and the source IP address of that traffic is added to the IP address denylist. The firewall of Kaspersky IoT Secure Gateway 1000 is notified that the IP address has been blocked, and the blocking event is recorded in the audit log.

If you want to disable the use of specific rules specified in the "industrial_commands_rules" and "industrial_anomaly_rules" parameters, you can add the "disable_commands_rules": [] and "disable_anomaly_rules": [] parameters to the APP_CONFIGURATION object, respectively, and specify the following values for them:

In some cases, when the Kaspersky IoT Secure Gateway Network Protector application cannot process traffic received by the device, it may crash and the system will switch to emergency support mode. This can occur when processing certain kinds of network packets sent over the SIP, SMB, SMTP, DNS, HTTP, or HTTP2 protocols. SIP traffic can reach the device from external IP addresses when the modem is used as the main communication channel and the installed SIM card has an IP address that is directly reachable from the internet.
If this happens, apply the patch that disables processing of unsupported traffic to restore the functionality of the application and the system.
