Network Threat Protection

The Network Threat Protection component allows you to scan inbound network traffic for activity that is typical for network attacks.

By default, the Network Threat Protection task is disabled.

If Network Threat Protection is enabled, the application scans incoming traffic on the TCP ports whose numbers Kaspersky Industrial CyberSecurity for Linux Nodes obtains from up-to-date application databases.

To scan network traffic, the Network Threat Protection task receives port numbers from the application databases and accepts connections on all of these ports. While the task is running, such a port may therefore appear to be open on the device even if no application on the system is listening on it. It is recommended to close unused ports by means of a firewall.

Current connections for intercepted TCP ports are reset when Network Threat Protection is enabled.

If an attempted network attack on a protected device is detected, the application blocks network activity from the attacking device and creates a Network attack detected event. The event contains information about the attacking device.

By default, network traffic from the attacking device is blocked for one hour. Once the blocking time has expired, the application unblocks the device.

You can enable or disable Network Threat Protection, and also configure the protection settings:

You can use the commands for administering blocked devices in the command line to view the list of blocked devices and manually unblock these devices. Kaspersky Security Center does not provide tools for monitoring and managing blocked devices, except for the Network attack detected events.

Kaspersky Industrial CyberSecurity for Linux Nodes adds a special chain of allowing rules (kics_bypass) to the mangle table of the iptables and ip6tables utilities. Rules in this chain exclude matching traffic from scanning by the application; if traffic exclusion rules are configured in the chain, they affect the operation of the Network Threat Protection task. For example, to exclude incoming and outgoing HTTP traffic, add a rule by running the following command:

iptables -t mangle -I kics_bypass -m tcp -p tcp --dport http -j ACCEPT
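The following script is an added example, not part of the Kaspersky documentation or the product: it adds an exclusion rule to the kics_bypass chain in both the iptables and ip6tables mangle tables, skips the insert when an identical rule is already present, and lists what is currently excluded from scanning. It assumes the kics_bypass chain exists (the application creates it) and that the script runs with root privileges; the DRY_RUN variable is an assumption of this example and only prints the commands.

```shell
#!/bin/sh
# Added example (not from the Kaspersky documentation). Manages exclusion rules in the
# kics_bypass chain of the mangle table. Every rule in this chain removes traffic from
# Network Threat Protection scanning, so keep the list short and review it regularly.
# Assumes the chain already exists and the script runs as root.
# DRY_RUN=1 (assumed variable for this example) prints commands instead of running them.

# Run a command, or print it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# add_bypass_rule PROTO PORT
# Inserts an ACCEPT rule for the given destination port (name or number) at the top of
# kics_bypass for IPv4 and IPv6. The -C check avoids duplicate rules on repeated runs.
add_bypass_rule() {
    proto="$1"
    port="$2"
    for tool in iptables ip6tables; do
        if [ "${DRY_RUN:-0}" != "1" ] \
           && "$tool" -t mangle -C kics_bypass -m "$proto" -p "$proto" \
                      --dport "$port" -j ACCEPT 2>/dev/null; then
            continue   # identical rule already present, nothing to do
        fi
        run "$tool" -t mangle -I kics_bypass -m "$proto" -p "$proto" \
            --dport "$port" -j ACCEPT
    done
}

# show_bypass_rules
# Prints the current exclusion rules (iptables-save syntax) for IPv4 and IPv6,
# which is the list an administrator should audit after any change.
show_bypass_rules() {
    for tool in iptables ip6tables; do
        run "$tool" -t mangle -S kics_bypass
    done
}

# Example usage: exclude HTTP, as in the documentation, then review the chain.
add_bypass_rule tcp http
show_bypass_rules
```

Run with `DRY_RUN=1 sh script.sh` first to review the exact commands before applying them on a protected device.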

In this Help section

Configuring Network Threat Protection in the Web Console

Configuring Network Threat Protection in the Administration Console

Configuring Network Threat Protection in the command line
