Network Threat Protection

The Network Threat Protection component scans inbound network traffic for activity that is typical of network attacks. Upon detecting an attempted network attack that targets your computer, Kaspersky Industrial CyberSecurity for Nodes blocks network activity from the attacking computer. Descriptions of currently known types of network attacks and ways to counteract them are provided in the application databases. The list of network attacks that the Network Threat Protection component detects is updated during database and application module updates.

By default, the Network Threat Protection task runs in the Inform mode. In this mode, Kaspersky Industrial CyberSecurity for Nodes scans inbound network traffic for activity that is typical of network attacks, and logs event corresponding to the detected activity, but does not block the connection to the computers that are involved in such activity, and does not add the IP addresses of such computers to the list of blocked network sessions.

In the Block mode, Kaspersky Industrial CyberSecurity for Nodes blocks connection to computers that display activity typical of network attacks, and in some cases adds IP addresses of such computers to the list of blocked network sessions.

You can view the list of blocked hosts in the Blocked Hosts storage.

Kaspersky Industrial CyberSecurity for Nodes clears the block list when the application is restarted and when the Network Threat Protection settings are changed.

You can restore access to blocked hosts, and specify the number of days, hours, and minutes after which hosts regain access to network file resources after being blocked by configuring the Blocked Hosts storage settings.

The IP addresses of hosts showing activity typical of network attacks are deleted from the list of blocked hosts in the following cases:

Kaspersky Industrial CyberSecurity for Nodes is uninstalled.
The IP address was deleted manually from the list of blocked hosts.
Host blocking term has expired.
The Block mode was turned off.

For Kaspersky Industrial CyberSecurity for Nodes to work correctly on virtual machines in a Microsoft Hyper-V infrastructure, you need to install Kaspersky Industrial CyberSecurity for Nodes before you configure Hyper-V virtual switches.

How to enable and configure Network Threat Protection in the Kaspersky Security Center Administration Console

In the Kaspersky Security Center Administration Console tree, expand the Managed devices node.
Select the administration group for which you want to configure the task.
Select the Policies tab.
Double-click the policy name you want to configure.
In the policy properties window, go to the Network activity control section.
In the Network Threat Protection block, click the Settings button.
The Network Threat Protection window opens on the General tab.
Select the Network Threat Protection check box to enable the Network Threat Protection component.
Select the task mode in the Operating mode section:
- Block. If this mode is selected, Kaspersky Industrial CyberSecurity for Nodes scans inbound network traffic for activity that is typical of network attacks, blocks connection to computers that display such activity, and in some cases adds IP addresses of computers to the list of blocked network sessions. The application also logs events about detected activity typical of network attacks in the component log.
- Inform. If this mode is selected, Kaspersky Industrial CyberSecurity for Nodes scans inbound network traffic for activity that is typical of network attacks, but does not block connection to computers that display such activity, and does not add IP addresses of computers to the list of blocked network sessions. The application logs events about detected activity typical of network attacks in the component log.
Use the Treat port scanning and network flooding as attacks check box to enable or disable the detection of the corresponding attacks.
A Port Scanning attack consists of scanning UDP ports, TCP ports, and network services on the computer. This attack allows the attacker to identify the degree of vulnerability of the computer before conducting more dangerous types of network attacks. Port Scanning also enables the attacker to identify the operating system on the computer and select the appropriate network attacks for this operating system.

Network Flooding is an attack on network resources of an organization (such as web servers). This attack consists of sending a large number of requests to overload the bandwidth of network resources. As a result, users are unable to access the network resources of the organization.

If this functionality is enabled, Kaspersky Industrial CyberSecurity for Nodes monitors network traffic for port scanning and network flooding. If such behavior is detected, the application notifies the user and sends the corresponding event to Kaspersky Security Center. The application provides information about the computer that is making the requests. This information is necessary for a timely response. However, Kaspersky Industrial CyberSecurity for Nodes does not block the computer that is making the requests because such traffic may be a normal occurrence on the corporate network.

This option is disabled by default.
If necessary, select the Block attacking devices for N min check box.
If the check box is selected, the Network Threat Protection component blocks the network connection with the attacking computer after the first network attack attempt for the specified amount of time. This block automatically protects the user's computer against possible future network attacks from the same address. The minimum time an attacking computer must spend in the block list is one minute. The maximum time is 999 minutes.

If the Inform mode is selected, Kaspersky Industrial CyberSecurity for Nodes does not block the network connection.

The check box is selected by default.
In the MAC spoofing protection block, select or clear the Enable protection against MAC spoofing attacks check box.
A MAC address spoofing attack consists of changing the MAC address of a network device (network card). As a result, an attacker could redirect data sent to a device to another device and gain access to this data.

If the check box is selected, Kaspersky Industrial CyberSecurity for Nodes scans incoming network traffic for actions that are typical of MAC address spoofing attacks and performs actions in accordance with the mode, selected for the Network Threat Protection component.

For Kaspersky Industrial CyberSecurity for Nodes to work correctly on virtual machines in a Microsoft Hyper-V infrastructure, you need to install Kaspersky Industrial CyberSecurity for Nodes before you configure Hyper-V virtual switches.

If the check box is cleared, Kaspersky Industrial CyberSecurity for Nodes does not scan incoming network traffic for actions typical of MAC address spoofing attacks.

By default, the check box is cleared.
If necessary, you can add exclusions from blocking.
Kaspersky Industrial CyberSecurity for Nodes can recognize a network attack and block an unsecured network connection that is transmitting a large number of packets (for example, from surveillance cameras). To work with trusted devices, you can add the IP addresses of these devices to the list of exclusions. You can also select the protocol and port that are used for communication and allow specific network activities.

The ability to select protocols and ports for exclusions was added in Kaspersky Industrial CyberSecurity for Nodes 4.5. Make sure the application and the management plug-in are updated to version 4.5 or later. If you are using an earlier version of the application or the management plug-in, Kaspersky Industrial CyberSecurity for Nodes can allow network activities only by IP address.
1. Select the Exclusions tab.
2. Select the Do not control excluded addresses check box to prevent Kaspersky Industrial CyberSecurity for Nodes from scanning inbound network traffic for excluded IP addresses.
3. Click Add.
4. In the Exclusions window, enter the IP address of the computer from which network attacks must not be blocked.
5. If required, select the protocol and ports through which data is transmitted.
6. Click OK.
7. Perform steps c-f for every added exclusion.
Save your changes.

How to enable and configure Network Threat Protection in the Application Console

In the Application Console tree, select the Real-Time Computer Protection → Network Threat Protection node.
Click the Properties link in the results pane.
The Properties: Network Threat Protection window opens.
Select the Network Threat Protection check box to enable the Network Threat Protection component.
Select the task mode in the Operation mode section:
- Block. If this mode is selected, Kaspersky Industrial CyberSecurity for Nodes scans inbound network traffic for activity that is typical of network attacks, blocks connection to computers that display such activity, and in some cases adds IP addresses of computers to the list of blocked network sessions. The application also logs events about detected activity typical of network attacks in the component log.
- Inform. If this mode is selected, Kaspersky Industrial CyberSecurity for Nodes scans inbound network traffic for activity that is typical of network attacks, but does not block connection to computers that display such activity, and does not add IP addresses of computers to the list of blocked network sessions. The application logs events about detected activity typical of network attacks in the component log.
Use the Treat port scanning and network flooding as attacks check box to enable or disable the detection of the corresponding attacks.
If necessary, select the Block attacking devices for N min check box.
In the MAC spoofing protection block, select or clear the Enable protection against MAC spoofing attacks check box.
If necessary, you can add exclusions from blocking.
Kaspersky Industrial CyberSecurity for Nodes can recognize a network attack and block an unsecured network connection that is transmitting a large number of packets (for example, from surveillance cameras). To work with trusted devices, you can add the IP addresses of these devices to the list of exclusions. You can also select the protocol and port that are used for communication and allow specific network activities.

The ability to select protocols and ports for exclusions was added in Kaspersky Industrial CyberSecurity for Nodes 4.5. Make sure the application and the management plug-in are updated to version 4.5 or later. If you are using an earlier version of the application or the management plug-in, Kaspersky Industrial CyberSecurity for Nodes can allow network activities only by IP address.
1. Select the Exclusions tab.
2. Select the Do not control excluded addresses check box to prevent Kaspersky Industrial CyberSecurity for Nodes from scanning inbound network traffic for excluded IP addresses.
3. Click Add.
4. In the Exclusions window, enter the IP address of the computer from which network attacks must not be blocked.
5. If required, select the protocol and ports through which data is transmitted.
6. Click OK.
7. Perform steps c-f for every added exclusion.
Save your changes.

How to enable and configure Network Threat Protection in the Kaspersky Security Center Web Console

In the main window of the Web Console, select Assets (Devices) → Policies & profiles.
Click the name of the Kaspersky Industrial CyberSecurity for Nodes policy.
The policy properties window opens.
Select the Application settings tab.
Select Network activity control → Network Threat Protection.
Select the Enable Network Threat Protection check box on the General tab to enable the Network Threat Protection component.
Select the task operating mode:
- Block. If this mode is selected, Kaspersky Industrial CyberSecurity for Nodes scans inbound network traffic for activity that is typical of network attacks, blocks connection to computers that display such activity, and in some cases adds IP addresses of computers to the list of blocked network sessions. The application also logs events about detected activity typical of network attacks in the component log.
- Inform. If this mode is selected, Kaspersky Industrial CyberSecurity for Nodes scans inbound network traffic for activity that is typical of network attacks, but does not block connection to computers that display such activity, and does not add IP addresses of computers to the list of blocked network sessions. The application logs events about detected activity typical of network attacks in the component log.
Use the Treat port scanning and network flooding as attacks check box to enable or disable the detection of the corresponding attacks.
If necessary, select the Block attacking devices for N min check box.
Select or clear the Enable protection against MAC spoofing attacks check box.
If necessary, you can add exclusions from blocking.
Kaspersky Industrial CyberSecurity for Nodes can recognize a network attack and block an unsecured network connection that is transmitting a large number of packets (for example, from surveillance cameras). To work with trusted devices, you can add the IP addresses of these devices to the list of exclusions. You can also select the protocol and port that are used for communication and allow specific network activities.

The ability to select protocols and ports for exclusions was added in Kaspersky Industrial CyberSecurity for Nodes 4.5. Make sure the application and the management plug-in are updated to version 4.5 or later. If you are using an earlier version of the application or the management plug-in, Kaspersky Industrial CyberSecurity for Nodes can allow network activities only by IP address.
1. Select the Exclusions tab.
2. Select the Do not control excluded addresses check box to prevent Kaspersky Industrial CyberSecurity for Nodes from scanning inbound network traffic for excluded IP addresses.
3. Click Add.
4. In the Exclusions window, enter the IP address of the computer from which network attacks must not be blocked.
5. If required, select the protocol and ports through which data is transmitted.
6. Click OK.
7. Perform steps c-f for every added exclusion.
Save your changes.

Page top