Network Threat Protection task (Network_Threat_Protection, ID:17)

While the Network Threat Protection task is running, the application scans inbound network traffic for activity that is typical for network attacks. Kaspersky Industrial CyberSecurity for Linux Nodes receives the numbers of the TCP ports from the current application databases and scans incoming traffic for these ports.

To scan network traffic, the Network Threat Protection task receives the port numbers from the application databases and accepts connections on all of these ports. While the task is running, such a port therefore appears open on the device even if no application on the system is listening on it. It is recommended to close unused ports by means of a firewall.

Upon detection of a network attack attempt aimed at your computer, the application logs the corresponding event, and can also block network activity from the attacking computer.

Kaspersky Industrial CyberSecurity for Linux Nodes adds a special chain of allowing rules (kics_bypass) to the mangle table of the iptables and ip6tables utilities. Rules in this chain exclude the matching traffic from scanning by the application. If traffic exclusion rules are configured in the chain, they affect the operation of the Network Threat Protection task.

The table describes all available values and the default values of all the settings that you can specify for the Network Threat Protection task.

Network Threat Protection task settings

Setting: ActionOnDetect
Description: Actions performed upon detection of network activity that is typical of network attacks.
Values:
  Notify (default value) – allow network activity and log information about the detected network activity.
  Block – block network activity and log information about it.

Setting: BlockAttackingHosts
Description: Enables or disables blocking of network activity from attacking computers.
Values:
  Yes (default value) — block network activity from an attacking computer.
  No — allow network activity from an attacking computer.

Setting: BlockDurationMinutes
Description: Specifies how long attacking computers are blocked, in minutes.
Values: 1–32768. The default value is 60.

Setting: UseExcludeIPs
Description: Enables or disables the use of a list of IP addresses whose network activity is not blocked when a network attack is detected; the application only logs information about dangerous activity from these computers. You can add IP addresses to the exclusion list with the ExcludeIPs.item_# parameter. By default, the list is empty.
Values:
  Yes — use the list of excluded IP addresses.
  No (default value) — do not use the list of excluded IP addresses.

Setting: ExcludeIPs.item_#
Description: Specifies an IP address whose network activity is not blocked by the application.
Values:
  d.d.d.d — IPv4 address, where d is a decimal number from 0 to 255.
  d.d.d.d/p — subnet of IPv4 addresses, where p is a number from 0 to 32.
  x:x:x:x:x:x:x:x — IPv6 address, where x is a hexadecimal number from 0 to ffff.
  x:x:x:x::0/p — subnet of IPv6 addresses, where p is a number from 0 to 64.
  The default value is not defined.
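As an added example (not part of the Kaspersky documentation), the following Python pre-check validates candidate ExcludeIPs.item_# values against the address formats listed above and flags an exclusion list that is populated while UseExcludeIPs is not Yes, so that inert or rejected entries are caught before the settings are applied. The item_0000 key numbering, the flat settings dictionary, and treating the documented forms as the only accepted spellings are assumptions made for illustration.

```python
import ipaddress
import re

# Documented forms for ExcludeIPs.item_# (assumed here to be the only accepted ones):
#   d.d.d.d            IPv4 address
#   d.d.d.d/p          IPv4 subnet, p in 0..32
#   x:x:x:x:x:x:x:x    IPv6 address, written in full
#   x:x:x:x::0/p       IPv6 subnet, p in 0..64
IPV6_FULL = re.compile(r"[0-9a-fA-F]{1,4}(:[0-9a-fA-F]{1,4}){7}")
IPV6_SUBNET_BASE = re.compile(r"[0-9a-fA-F]{1,4}(:[0-9a-fA-F]{1,4}){3}::0")


def validate_exclude_ip(value: str):
    """Return (ok, reason) for one candidate ExcludeIPs.item_# value."""
    value = value.strip()
    if "/" in value:
        addr_part, _, prefix_part = value.partition("/")
        if not prefix_part.isdigit():
            return False, "prefix length must be a decimal number"
        prefix = int(prefix_part)
        try:
            addr = ipaddress.ip_address(addr_part)
        except ValueError:
            return False, "malformed address before '/'"
        if addr.version == 4:
            if not 0 <= prefix <= 32:
                return False, "IPv4 prefix length must be 0..32"
            return True, "IPv4 subnet"
        if not 0 <= prefix <= 64:
            return False, "IPv6 prefix length must be 0..64"
        if not IPV6_SUBNET_BASE.fullmatch(addr_part):
            return False, "IPv6 subnet must be written as x:x:x:x::0/p"
        return True, "IPv6 subnet"
    try:
        addr = ipaddress.ip_address(value)
    except ValueError:
        return False, "not an IPv4 or IPv6 address"
    if addr.version == 6 and not IPV6_FULL.fullmatch(value):
        return False, "IPv6 address must be written in full x:x:x:x:x:x:x:x form"
    return True, f"IPv{addr.version} address"


def check_exclusion_settings(settings: dict) -> list:
    """Report problems in a flat mapping of task settings (constructed key style,
    e.g. {"UseExcludeIPs": "Yes", "ExcludeIPs.item_0000": "10.0.0.5"})."""
    issues = []
    items = {k: v for k, v in settings.items() if k.startswith("ExcludeIPs.item_")}
    for key, value in items.items():
        ok, reason = validate_exclude_ip(value)
        if not ok:
            issues.append(f"{key}={value!r}: {reason}")
    # The list only takes effect when UseExcludeIPs is Yes (default is No).
    if items and settings.get("UseExcludeIPs", "No") != "Yes":
        issues.append("ExcludeIPs entries present but UseExcludeIPs is not Yes: exclusions are ignored")
    return issues
```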
