January 10, 2024
The Kaspersky Security functionality described in this section is available only if the application is installed on a virtual machine with a Windows desktop or server operating system.
During your work on local networks and the Internet your virtual machine is exposed to viruses, other malicious applications, and a variety of attacks that exploit vulnerabilities in operating systems and software.
Firewall protects personal data that is stored on the protected virtual machine by blocking network threats while the protected virtual machine is connected to the Internet or a local area network.
When a remote connection to a protected virtual machine is established after installation of the application, Firewall is enabled by default, blocking the RDP session. To prevent the session from being blocked, you need to change the Firewall action for the "Remote desktop network activity" network packet rule to Allow.
During operation of the Firewall component, the Windows Firewall is disabled to prevent conflicts. If a domain policy is being used for the Windows Firewall, you must disable the Windows Firewall in the domain policy during operation of the Firewall component.
Network connection statuses
The Firewall component controls all network connections on the protected virtual machine and automatically assigns a status to each detected network connection.
The network connection can have one of the following status types:
- Public network. This status is for networks that are not protected by any anti-virus applications, firewalls, or filters (for example, for Internet cafe networks). When the user operates a protected virtual machine that is connected to such a network, Firewall blocks access to files and printers of this virtual machine. External users are also unable to access data through shared folders and remote access to the desktop of this virtual machine. Firewall filters the network activity of each application according to the network rules that are set for it.
Firewall assigns Public network status to the Internet by default. You cannot change the status of the Internet.
- Local network. This status is assigned to networks whose users are trusted to access files and printers on the protected virtual machine (for example, a LAN or home network).
- Trusted network. This status is intended for a safe network in which the virtual machine is not exposed to attacks or unauthorized data access attempts. Firewall permits any network activity within networks with this status.
You can change the statuses that the Firewall component assigns to detected network connections.
In addition, when working via Kaspersky Security Center, you can redefine the settings of networks whose activity is monitored by the Firewall: add a network, change network settings, or delete a network from the table.
A network rule is an allow or block action that Firewall performs when it detects a network connection attempt. Configuring network rules lets you specify the desired level of virtual machine protection, from blocking Internet access for all applications to allowing unlimited access.
Firewall protects a virtual machine on two levels: network level and application level.
- Protection at the network level is provided by applying rules for network packets (network packet rules). Network packet rules are used to restrict network packets, regardless of the application. Such rules restrict inbound and outbound network traffic through specific ports of the selected data protocol. Firewall specifies certain network packet rules by default.
- Protection at the application level is provided by applying rules that govern how applications installed on the protected virtual machine can access network resources (application network rules). Application network rules are used to restrict the network activity of a specific application. They factor in not only the characteristics of the network packet, but also the specific application to which this network packet is addressed or which issued this network packet. Such rules make it possible to fine-tune network activity filtering: for example, a certain type of network connection can be blocked for some applications but allowed for others.
Applications' access to operating system resources, processes, and personal data is controlled by the Application Privilege Control component using application control rules.
The network rules for applications do not take into account the following filter settings specified at the network level:
  - Network adapter ID
  - List of MAC addresses of the local adapter
  - List of local MAC addresses
  - List of remote MAC addresses
  - Type of Ethernet frame (IP, IPv6, ARP)
  - Time to live (TTL) of the IP packet
As a result of the joint use of rules by the network level and application level, network traffic may be blocked at the application level even if it is allowed at the network level.
Network rules for an application and for a group of applications
By default, Kaspersky Security groups all applications installed in the operating system of the protected virtual machine by the vendor of the software whose file or network activity it monitors. Application groups are in turn categorized into trust groups. All applications and application groups inherit properties from their parent group: application control rules, application network rules, and their execution priority.
The Firewall component creates a set of network rules for each group of applications detected on the protected virtual machine, and applies network rules for a group of applications to filter the network activity of all applications that belong to the group. The application group network rules define the rights of applications within the group to access different network connections.
Default network rules for a group of applications, as well as inherited application network rules, cannot be modified, deleted, or disabled, and their priority cannot be changed.
You can change the Firewall action that is applied to the network rules created by default for an application group as well as to the inherited network rules of an application.
You can create network rules for a group of applications or for an individual application. A network rule for an application has a higher priority than the network rule of the group to which the application belongs.
Network rule priorities
Each rule has a priority. The higher a rule is in the list, the higher its priority. If a network activity matches several rules, Firewall handles it according to the rule with the highest priority.
Network packet rules have a higher priority than network rules for applications. If both network packet rules and network rules for applications are specified for the same type of network activity, the network activity is handled according to the network packet rules.
You can set the execution priority for network packet rules and manually created network rules for an application or group of applications.
Special considerations when working with Firewall
When working with the Firewall, please keep in mind the following special considerations:
- Network activity at the application level via the TCP and UDP protocols is not blocked if the IP address of the sender matches the IP address of the recipient, provided that the packet was sent via a RAW socket.
- The Firewall does not check the application rules and allows network activity if the remote device has one of the following IP addresses, provided that the packet was sent via a RAW socket:
  - for IPv4: 127.0.0.1
  - for IPv6: ::1
- The local address from which or to which data is sent may be undefined in the following cases:
  - The application that initiated the network activity via the TCP or UDP protocols did not specify a local IP address.
  - The application initiated the network activity via the ICMP protocol.
  - The application receives an incoming packet via the UDP protocol.
- The Firewall does not filter loopback traffic at the network level. Decisions on loopback packets are made at the application level.
- When filtering network activity at the application level via the ICMP protocol, the Firewall supports only an outgoing ICMP Echo-Request.
- There is no filtering of incoming ICMP packets at the application level.
- For outgoing network activity via RAW socket, there is no filtering based on packet rules at the application level.
- Packets that are filtered out by the Network Attack Blocker component are not scanned by the Firewall.
- If an SVM has tunneling network interfaces, filtering of tunneling traffic based on packet rules is repeated for the same packet as the packet propagates between interfaces.
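The following Python model, added here as an illustration and not code from Kaspersky Security, puts together the decision order described in the "Network rule priorities" section and the loopback special case above: packet rules are evaluated first and a packet-level Block is final, traffic allowed (or unmatched) at the network level is then checked against application rules, an application's own rule beats its group's rule, application rules ignore network-level fields such as TTL, and a RAW-socket packet to 127.0.0.1 or ::1 skips the application rules. The rule and activity fields, and the assumption that unmatched traffic is allowed, are constructed for the example.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed model of the two-level Firewall decision described on this page.
# Assumption: traffic matched by no rule at either level is allowed.

@dataclass
class Rule:
    action: str                 # "allow" or "block"
    direction: str              # "in" or "out"
    protocol: str               # "tcp", "udp", "icmp"
    port: Optional[int] = None  # None matches any port
    ttl: Optional[int] = None   # network-level field; ignored by app rules
    scope: str = "packet"       # "packet", "group:<vendor>" or "app:<name>"

@dataclass
class Activity:
    direction: str
    protocol: str
    port: int
    remote_ip: str
    ttl: int
    app: str
    vendor: str
    raw_socket: bool = False

def _matches(rule: Rule, act: Activity, app_level: bool) -> bool:
    if rule.direction != act.direction or rule.protocol != act.protocol:
        return False
    if rule.port is not None and rule.port != act.port:
        return False
    # TTL (like adapter ID and MAC lists) is not considered by app rules
    if not app_level and rule.ttl is not None and rule.ttl != act.ttl:
        return False
    return True

def decide(act: Activity, packet_rules: list, app_rules: list) -> str:
    """Return 'allow' or 'block'; rules are evaluated in list order (top = highest priority)."""
    for r in packet_rules:
        if _matches(r, act, app_level=False):
            if r.action == "block":
                return "block"           # packet-level block is final
            break                        # allowed at the network level, app level still applies
    if act.raw_socket and act.remote_ip in ("127.0.0.1", "::1"):
        return "allow"                   # application rules are not checked for loopback
    own = [r for r in app_rules if r.scope == f"app:{act.app}"]       # app rule beats group rule
    grp = [r for r in app_rules if r.scope == f"group:{act.vendor}"]
    for r in own + grp:
        if _matches(r, act, app_level=True):
            return r.action
    return "allow"
```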
This section describes how to configure Firewall settings using the Administration Console and the Light Agent for Windows local interface. You can also configure the Firewall settings using the Web Console when creating or modifying the Light Agent for Windows policy settings (Application Settings → Anti-Virus protection → Firewall). Configuring network rules for an application or application group using the Web Console is not supported.