Network isolation

When integrated with Detection and Response solutions, a device can be isolated from the network as part of a threat response action.

Special considerations involved with network isolation

After enabling network isolation, the application severs all active network connections on the device and blocks all new TCP/IP network connections, except for the connections listed below:

• Connections specified in exclusions from network isolation.
• Initiated by Kaspersky Industrial CyberSecurity for Linux Nodes services.
• Between Kaspersky Industrial CyberSecurity for Linux Nodes and the Kaspersky Security Center Administration Server.
• Between Kaspersky Industrial CyberSecurity for Linux Nodes and the Kaspersky Industrial CyberSecurity for Networks server.
• With KSN (when integrated with Kaspersky Managed Detection and Response)

Network isolation can be applied when the following conditions are met:

• The application is integrated with Kaspersky Industrial CyberSecurity Endpoint Detection and Response and/or with Kaspersky Industrial CyberSecurity for Networks.
• The ICS EDR component is activated.

When integrating with Kaspersky Industrial CyberSecurity for Networks, a security officer can use the data sent to Kaspersky Industrial CyberSecurity for Networks to send a command to isolate a device from the network to Kaspersky Industrial CyberSecurity for Linux Nodes using the Kaspersky Industrial CyberSecurity for Networks console. The security officer can also send a command to Kaspersky Industrial CyberSecurity for Linux Nodes to disable network isolation of the device.

When integrated with Kaspersky Industrial CyberSecurity Endpoint Detection and Response, network isolation can be applied in one of the following modes:

• Automatic network isolation mode. A device can be isolated from the network automatically as a result of detection of indicators of compromise. When creating and configuring IOC Scan task settings in the Actions on IOC detection section, if you select the Apply response actions when an IOC is detected and Isolate device from the network check boxes, then network isolation is enabled automatically when the application detects indicators of compromise.

  You can manage the following automatic network isolation settings:

  • Change the period of time after which network isolation is automatically disabled.
  • Configure network isolation exclusions for automatically isolated devices.

  If a device that is being isolated automatically is subject to a policy, the settings specified in the policy are applied. If a policy is not applied, the settings specified in the device properties are applied.

• Manual network isolation mode. You can isolate a device from the network while the detected threat is being investigated. You can manually enable network isolation for a device in the alert details window and in the device properties in the Web Console.

  You can manage the following manual network isolation settings:

  • Change the period of time after which network isolation is automatically disabled.
  • Configure network isolation exclusions for manually isolated devices.

You can check the device network isolation status and disable device network isolation on the command line.

An isolated device is automatically assigned the ISOLATED FROM NETWORK tag. This tag is automatically removed when network isolation is disabled. For general information on getting a list of isolated devices by tag, see the Kaspersky Industrial CyberSecurity Endpoint Detection and Response Help.

Manually disabling network isolation is possible regardless of whether integration with Detection and Response solutions is enabled, and regardless of whether a policy is applied to the device.

Network isolation limitations

When you use network isolation, we strongly recommended that you familiarize yourself with the relevant limitations.

For network isolation to work, the Kaspersky Industrial CyberSecurity for Linux Nodes application must be running. If Kaspersky Industrial CyberSecurity for Linux Nodes malfunctions (the application is not running), traffic blocking is not guaranteed when network isolation is enabled by Kaspersky Industrial CyberSecurity Endpoint Detection and Response.

DHCP and DNS are not automatically added to network isolation exclusions, so if the network address of a resource changes during network isolation, Kaspersky Industrial CyberSecurity for Linux Nodes cannot gain access to it.

Excluding a process from network isolation by name is supported on devices with kernel versions from 4.18 to 6.6 that support eBPF with BTF.

When using network isolation, it is recommended to:

• Use a KSN proxy server to interact with Kaspersky Security Network.
• Use Kaspersky Security Center as a proxy server for application activation.

  If it is impossible to use Kaspersky Security Center as a proxy server, you must configure the proxy server that you want to use and add it to exclusions.

• Specify Kaspersky Security Center as the database update source.

In this section Manually enabling or disabling the network isolation of the device in the Web Console Configuring the duration of automatic network isolation Manually configuring network isolation Configuring exclusions from network isolation in the Web Console Managing the network isolation of a device on the command line

Page top