Kaspersky Industrial CyberSecurity for Networks can receive and process data from Kaspersky applications that protect workstations and servers. These applications are included in the Endpoint Protection Platform (EPP) and are installed on endpoint devices within the enterprise IT infrastructure.
Data transfer from EPP applications is performed by the Endpoint Agent software components. Depending on the version of the supported EPP application, the following software can perform the Endpoint Agent functions:
To connect to Kaspersky Endpoint Agent on devices running obsolete operating systems, such as Windows 7, Kaspersky Industrial CyberSecurity for Networks may rely on outdated and potentially vulnerable encryption protocols and algorithms. If there are no devices running obsolete operating systems on your network, or there is no need to connect to such devices, we recommend disabling obsolete and potentially vulnerable protocols and encryption algorithms in Kaspersky Industrial CyberSecurity for Networks. For more information, you can contact Technical Support.
The maximum number of computers from which data from EPP applications can be received and processed is 1000.
Data from computers with the Endpoint Agent software components is forwarded to Kaspersky Industrial CyberSecurity for Networks through integration servers. Integration server functions can be performed by any node that has a Kaspersky Industrial CyberSecurity for Networks component installed (Server or sensor). For integration with Endpoint Agent, add integration servers to the nodes that receive data from computers with Endpoint Agent.
An integration server can operate in TCP and UDP modes. Depending on the mode being used by the integration server on the node, Kaspersky Industrial CyberSecurity for Networks implements one of the following services for integration with EPP applications:
On each integration server, you can use TCP and UDP modes either separately or simultaneously. The installation packages for the services are included in the distribution kit of Kaspersky Industrial CyberSecurity for Networks.
In TCP mode, you can both receive data from EPP applications and use that data to perform various actions on devices running Endpoint Agent. In UDP mode, data from EPP applications is sent over UDP without confirmation of receipt. Because data transmission over UDP is unidirectional, you can use UDP mode when computers running Endpoint Agent transmit data to the integration server through a data diode. However, UDP mode provides reduced functionality compared to TCP mode.
The table below lists the actions available depending on the mode that you are using.
Available actions when working together with EPP applications
| Action | TCP mode | UDP mode |
|---|---|---|
| Registering events based on EPP technology (workstation and server protection events) |  |  |
| Populating the table of devices with devices hosting installed EPP applications (and devices that have had bidirectional interactions with such devices) |  |  |
| Updating the table of devices with information about devices hosting installed EPP applications (for example, the operating system version, information on the model or developer) |  |  |
| Displaying special icons on the nodes of the network interaction map and the nodes of the topology map that indicate the presence and the connection state of EPP applications |  |  |
| Network session registration |  |  |
| Monitoring device equipment |  |  |
| Monitoring device users |  |  |
| Monitoring device applications and patches |  |  |
| Device configuration control |  |  |
| Executable file launch control on devices |  |  |
| Scanning devices as a part of vulnerability and compliance audit jobs and configuration control jobs |  |  |
| Triggering response actions when logging events using the EPP technology, if threat development chains are built for these events in Endpoint Agent |  |  |
HTTPS over TCP is used to securely connect computers running Endpoint Agent to integration servers in TCP mode. These connections are secured by using certificates issued by the Kaspersky Industrial CyberSecurity for Networks Server. The following certificates can be used in TCP mode connections:
Kaspersky Security Center is used to deliver certificates and public keys to computers with Endpoint Agent. This data is uploaded to Kaspersky Security Center using a communication data package, which needs to be created in Kaspersky Industrial CyberSecurity for Networks after an integration server is added.
When working in UDP mode, you can ensure the protection of transmitted data by encrypting it. Data encryption is performed by computers running Endpoint Agent. Encryption keys are created when configuring the integration server. After you configure the integration server, you must create a communication data package for the encryption key and use Kaspersky Security Center to upload it to the computer running Endpoint Agent.
Only users with the Administrator role can configure receipt of data from EPP applications.