While the Network Threat Protection task is running, the application scans inbound network traffic for activity that is typical for network attacks. Kaspersky Industrial CyberSecurity for Linux Nodes receives the numbers of the TCP ports from the current application databases and scans incoming traffic for these ports.
To scan network traffic, the Network Threat Protection task receives port numbers from the application databases and accepts connections via all these ports. During the network scan process, it may look like an open port on the device, even if no application on the system is listening to this port. It is recommended to close unused ports by means of a firewall.
Upon detection of a network attack attempt aimed at your computer, the application logs the corresponding event, and can also block network activity from the attacking computer.
Kaspersky Industrial CyberSecurity for Linux Nodes adds a special chain of allowing rules (kics_bypass) to the list of the mangle table of the iptables and ip6tables utilities. This chain of allowing rules allows excluding traffic from scan by the application. If traffic exclusion rules are configured in the chain, they affect the operation of the Network Threat Protection task.
The table describes all available values and the default values of all the settings that you can specify for the Network Threat Protection task.
Network Threat Protection task settings
Setting |
Description |
Values |
---|---|---|
|
Actions performed upon detection of network activity that is typical of network attacks. |
|
|
Enables or disables blocking of network activity from attacking computers. |
|
|
Specifies how long attacking computers will be blocked (in minutes). |
The default value is |
|
Enables or disables the usage of a list of IP addresses whose network activity will not be blocked when a network attack is detected. The application will only log information about dangerous activity from these computers. You can add IP addresses to the exclusion list by using the |
|
|
Specifies an IP address whose network activity will not be blocked by the application. |
d.d.d.d — IPv4 address, where d is a decimal number from 0 to 255. d.d.d.d/p — Subnet of IPv4 addresses, where p is a number from 0 to 32. x:x:x:x:x:x:x:x — IPv6 address, where x is a hexadecimal number from 0 to ffff. x:x:x:x::0/p — Subnet of IPv6 addresses, where p is a number from 0 to 64. The default value is not defined. |