Kaspersky Internet Security firewall: making sense of the default settings

Alexander Antipov

The first step to a safe journey across the vast expanses of all sorts of networks is, of course, installing a reliable means of protection. One such tool is the comprehensive product Kaspersky Internet Security (KIS). Although KIS is quite complex, it is ready to perform everything expected of it immediately after installation, and additional configuration is rarely needed, which is a big plus for its developers. But it must be understood that this convenience rests on the sharp edge of a compromise. What that compromise consists of, let's look at using the firewall as an example.

Firewall settings consist of two parts: application rules and packet rules. Application rules allow or block particular programs, or groups of programs, from sending or receiving packets or establishing network connections. Packet rules allow or deny incoming or outgoing connections and the sending or receiving of packets.

Let's see what the application rules look like.

All programs fall into four groups:

  1. Trusted - allowed everything without exception.
  2. Weak restrictions - the "action request" rule is set, which lets the user decide for himself whether network communication by a program of this group is appropriate.
  3. Strong restrictions - with respect to network access, the same as weak restrictions.
  4. Untrusted - by default these programs are forbidden any network communication (frankly, one feels sorry for them).

By default, the "trusted" group includes all programs from Microsoft, KIS itself, and other programs from well-known vendors. As a default this is a reasonable choice, but personally I would not trust every program, even from a well-known vendor, so completely.

How does a program end up in one group or another? It is not that simple. The decision to place a particular program in one of the four groups is made on several criteria:

  1. Whether information about the application is available in KSN (Kaspersky Security Network).
  2. Whether the program has a digital signature (we have seen where that leads).
  3. Heuristic analysis for unknown programs (something like fortune-telling).
  4. Automatically placing the program in a group preselected by the user.

All these options live in the "Application Control" settings. By default the first three are enabled, and using them yields a large number of "trusted" programs. The fourth option can be chosen on its own as an alternative to the first three.

Let's do an experiment. Put some program (for example, the Opera browser) into the group with weak restrictions and see how the "action request" rule works. For application rules to take effect, you must close and reopen the application whose rules were changed. If you now try to open any site, no action request appears, and the program quietly establishes a network connection. As it turns out, the "action request" rule only works if the "Select action automatically" option is unchecked in the main protection settings.

Another surprise awaits users of network utilities such as ping and tracert (if the "action request" rule has been extended to trusted programs), putty (an SSH client) and probably others like them: for these, KIS stubbornly refuses to show the action request screen. The only way out is to set permissions for the specific program manually.

Before moving on to packet rules, one piece of advice: create your own subgroups within each program group. For example: "Network utilities", "Office programs", "Internet programs", and so on. First, you will always be able to find the desired program quickly, and second, you can set rules for whole groups instead of for individual programs.

Packet rules.

Packet rules describe individual attributes of a packet: protocol, direction, local or remote port, network address. A packet rule's action can be "allow", "deny" or "according to application rules". The rules are scanned from top to bottom until an allowing or denying rule matching the combination of attributes is found. If no rule matches the packet, the default rule (the last one) applies. In most firewalls the last rule denies receiving and sending any packet, but in KIS this rule is permissive.

The action "according to application rules" is by its nature a "window" through which the application rules actually act. This is convenient because it lets you determine the order in which the rules are applied. For example, a program tries to send a packet to port 53 of a DNS server. Suppose there is a packet rule with the action "according to application rules", direction "outbound" and remote port 53 (or port not specified). If the program has an allow rule for sending packets to port 53, the packet is sent; if the program is forbidden to send packets to port 53, the packet is not sent.

The scope of a rule covers a specific area: "any address" (all addresses); "subnet address", where you select the subnet type "trusted", "local" or "public"; and "addresses from the list", where you specify IP addresses or domain names manually. Which subnet counts as "trusted", "local" or "public" is set in the general firewall settings.

KIS packet rules, unlike those of most firewalls, are overloaded with directions: "inbound", "inbound (stream)", "outbound", "outbound (stream)" and "inbound/outbound". Moreover, rules with some combinations of protocol and direction do not work. For example, an ICMP deny rule does not work in combination with the stream directions: forbidden packets get through. For some reason the stream directions are also applied to UDP packets, although UDP by its nature does not create a "stream" as such, unlike TCP.

Another not entirely pleasant point is that packet rules give no way to specify the reaction to a denied incoming packet: reject it and notify the sender, or simply drop it. The latter is the so-called "stealth" mode, which the firewall used to have.

Now let's turn to the actual rules.

Rules 1 and 2 allow, according to application rules, sending DNS queries over TCP and UDP. Both rules are useful, but in practice network programs such as mail clients and browsers resolve site addresses through the system DNS service, which runs under the system program "svchost.exe". The service, in turn, uses specific DNS server addresses, set manually or via DHCP. DNS server addresses rarely change, so it would be enough to allow the "svchost.exe" system service to send DNS queries to fixed name servers.

Rule 3 allows programs to send e-mail over TCP. Here, as with the first two rules, it would be enough to create a rule for the specific e-mail program, specifying the port and server it sends to.

Rule 4 allows any network activity on trusted networks. Be very careful with this rule and do not confuse the network type by accident: it effectively disables the firewall on trusted networks.

Rule 5 allows any network activity according to application rules on local networks. Although this rule does not disable the firewall completely, it significantly weakens its control. By the logic of rules 4 and 5, they should have been placed at the very top, so that packets are not processed by rules 1-3 when the computer is on a trusted or local network.

Rule 6 forbids remote control of the computer over RDP. Although the scope of the rule is "all addresses", in fact it only works on "public networks".

Rules 7 and 8 prohibit access from the network to the computer's network services over TCP and UDP. In fact, these rules also apply only to "public networks".

Rules 9 and 10 allow anyone, without exception, to connect to the computer from any network, except of course for the services blocked by rules 6-8. The rules apply only to programs whose network activity is allowed. But be very careful: network activity is allowed by default for almost all programs, everything except the untrusted ones.

Rules 11-13 allow receiving incoming ICMP packets for all programs. These rules make no more sense than 1-3, because in the vast majority of cases ICMP is used only by ping and tracert.

Rule 14 prohibits receiving all types of ICMP packets, except of course those allowed by rules 11-13.

Rule 16 denies incoming ICMPv6 echo requests. On a network that does not use IPv6, ICMPv6 is not needed at all and could be blocked entirely (on a network that does use IPv6, however, ICMPv6 carries neighbour discovery and cannot be blocked wholesale).

Rule 17 allows everything that is not explicitly allowed or denied by the preceding rules. Although this rule is not shown on screen, it is essential to remember that it exists.

The default KIS firewall settings are certainly good and suit most home computer users, at whom the product is in fact aimed. But the flexibility and the lack of any need for additional configuration mentioned at the beginning are, unfortunately, achieved at the expense of the users' own security, making that security heavily dependent on the human factor: the knowledge and correct actions of the user.

To add or edit a web resource access rule:

  1. Open the application settings window.
  2. In the left part of the window, in the Workplace Control section, select the Web Control subsection.

    The settings of the Web Control component are displayed in the right part of the window.

  3. Do one of the following:
    • To add a rule, click the Add button.
    • To change a rule, select it in the table and click the Edit button.

    The Web resource access rule window opens.

  4. Set or change the rule settings. To do this:
    1. In the Name field, enter or change the name of the rule.
    2. From the Filter content drop-down list, select the desired item:
      • Any content.
      • By content category.
      • By data type.
      • By content category and data type.
    3. If an item other than Any content is selected, blocks open for selecting content categories and/or data types. Select the check boxes next to the names of the desired content categories and/or data types.

      Selecting the check box next to a content category and/or data type means that Kaspersky Endpoint Security, in accordance with the rule, controls access to web resources belonging to the selected content categories and/or data types.

    4. From the Apply to addresses drop-down list, select the desired item:
      • To all addresses.
      • To individual addresses.
    5. If To individual addresses is selected, a block opens in which you create the list of web resource addresses. You can add, change or remove web resource addresses with the Add, Edit and Delete buttons.
    6. Select the Specify users and/or groups check box.
    7. Click the Select button.

      The Microsoft Windows Select Users or Groups window opens.

    8. Set or change the list of users and/or user groups whose access to the web resources described in the rule is allowed or restricted.
    9. From the Action drop-down list, select the required item:
      • Allow. With this value, Kaspersky Endpoint Security allows access to web resources that match the rule settings.
      • Block. With this value, Kaspersky Endpoint Security denies access to web resources that match the rule settings.
      • Warn. With this value, when a user attempts to access a web resource that matches the rule, Kaspersky Endpoint Security displays a warning that the web resource is not recommended for visiting. Using the links in the warning message, the user can still open the requested web resource.
    10. From the Rule schedule drop-down list, select the name of the required schedule, or create a new schedule based on the selected one. To do this:
      1. Click the Settings button next to the Rule schedule drop-down list.

        The Rule schedule window opens.

      2. To add to the schedule a time interval during which the rule is not applied, left-click the cells of the schedule table corresponding to the required time and day of the week.

        The cell colour changes to grey.

      3. To turn an interval during which the rule is not applied back into one during which it is applied, left-click the grey cells corresponding to the required time and day of the week.

        The cell colour changes to green.

      4. Click the Save as button.

        The Rule schedule name window opens.

      5. Enter a name for the rule schedule, or leave the default name.
      6. Click OK.
  5. In the Web resource access rule window, click OK.
  6. Click the Save button to save your changes.

It often happens that Kaspersky Anti-Virus, which is supposed to protect the local network, instead interferes in every possible way with access to network resources.

So here we look at what to do if Kaspersky blocks the local network, and which settings are needed when access to the computer is restricted.

Before diagnosing the problem, make sure that:

  • you have a fresh version of the antivirus installed;
  • the network card driver on the computer has been updated.

What to do if Kaspersky blocks the local network?

To check, temporarily disable protection: right-click the antivirus icon in the system tray and choose "Pause protection".

You also need to disable the Windows firewall: Kaspersky itself takes over the firewall role, assigns network statuses and controls the network connection. If the Windows firewall is left enabled, the antivirus will periodically drop the network.

You will also need the name of your network connection.

To find it, go to Start > Control Panel > Network and Internet > Network and Sharing Center > Change adapter settings > Local Area Connection (by default the local connection is named after the network card model: Realtek RTL8102E..., Atheros and others).

Configuring Kaspersky for the local network:

1) open the main antivirus window;
2) at the bottom left, click the settings icon (gear);
3) in the left column, click "Protection";
4) then, in the right pane, "Firewall";

5) at the bottom, the "Networks" button;
6) select your network (the one whose name you noted earlier).

Double-click to open the network properties and set the network type to "Trusted network". Bear in mind that on a trusted network the default packet rule 4 allows all traffic, so the firewall is effectively off for that network; do this only for a network you actually control.
Then, if necessary, you can disable the NDIS filter driver (the network exchange speed increases noticeably). It is disabled in the local network settings and has no further configuration.

Restart the computer with the local network up and the cable connected to the network card, because otherwise Kaspersky starts to conflict with the Computer Browser service.

You can also forbid or restrict individual programs' access to the local network. To do this, follow steps 1 to 4 above and select "Configure application rules".

There are four groups to choose from: trusted, weak restrictions, strong restrictions and untrusted. Use the right mouse button to set the appropriate priority for programs, and then add new groups and programs. The context menu offers:

1) details and rules;
2) network rules;
3) restrictions;
4) reset settings;
5) remove from the list;
6) open the program folder.

Program rules are by default "inherited" from the group the program was placed in, but they can be changed as needed. To do this, right-click the desired program (or subgroup) and choose the appropriate item from the menu.

Advanced administration features allow you to centralize and automate, remotely, vulnerability monitoring, patch and update distribution, inventory and software deployment, which not only saves administrators' time but also increases the organization's security.

Extended systems-administration capabilities imply full administrator control over managed devices through a single management console. With this, the administrator can at any time:

1. Learn about a new device or application, including a guest device. This function allows centrally managing user and device access to corporate data and applications in accordance with company policy.

2. Download, install, test and update applications independently. The administrator can set up automatic downloading of updates and patches from Kaspersky Lab servers. Before installing a program, the administrator can test how much load the application puts on the system.

3. Inventory the network's software and hardware. During the scan the administrator gets a complete picture of the corporate network with all its devices and can identify outdated software versions that need updating to improve security.

4. Identify vulnerabilities. Vulnerability scans can run not only automatically but also on a schedule set by the administrator.

At present, enterprise network infrastructure requires enhanced protection of every element of the network. One of the places most exposed to malware attacks is the file server. To protect it, a specialized solution is required that can give the server the proper level of security.

Kaspersky Security 10 for Windows Server has more features than Kaspersky Endpoint Security 10 for Windows (for file servers). One of the main advantages of this product is that it can protect file servers from ransomware attacks.

| Function | Kaspersky Endpoint Security 10 for Windows (for file servers) | Kaspersky Security 10 for Windows Server |
|---|---|---|
| Unified Kaspersky Security Center 10 console | | |
| Protection of terminal servers | Terminal Services (Remote Desktop Services) on Windows Server 2008 R2 | Terminal Services on Windows Server 2008 R2 / 2012 / 2012 R2; Citrix XenApp 6.0, 6.5, 7.0, 7.5, 7.6; Citrix XenDesktop 7.0, 7.1, 7.5, 7.6 |
| Server load distribution | | |
| Identifying servers running under high load | | |
| Cluster mode configuration support | | |
| Core mode configuration support | | |
| Support for the ReFS local file system used in Windows Server | | |
| Support for SNMP, the network protocol for managing devices in TCP/UDP networks | | |
| Individual protection settings for each protected area | | |
| Application Launch Control | | |
| Firewall | | |
| Ransomware protection | | |

The goal: security, and once again security

Let's imagine a very common situation: you have many servers on your network that provide some kind of service. Very likely some of them have an external interface facing the WAN, i.e. the global network. Usually these are a proxy server, a web server, a mail server and so on. It is no secret that this very fact makes a competent system administrator think about the security of the network infrastructure. There is no need to explain what an intruder's penetration into your network can lead to.

There are many ways to protect yourself from an attacker. Among them are building a so-called demilitarized zone (DMZ), or publishing the server through your proxy, which is of course (isn't it?) configured very strictly and seriously. The first option (a DMZ) has not been "raised" yet, for whatever reason; let's say the system administrator lacked time and equipment. The second (publishing through another server) is very debatable, so we will leave it for now. In the meantime, to start with, let's set up a firewall (also called a network screen). The main function of any firewall is to secure access to our computer from the outside. I wrote "computer" deliberately, because home computers and workstations can be secured with a firewall too. Naturally, a software firewall gives no 100% protection, but it is better than nothing. Besides, I have a feeling that after today's manipulations the server will no longer be at risk. Let's get started.

Test bench

There is a server running Windows Server 2008 R2 that provides a VPN service using the Microsoft RAS service. Windows Firewall is configured by default. I did not delve into it, although I should have. But since there is a corporate license for Kaspersky Enterprise Space Security, why not use it and install Kaspersky Endpoint Security 8, which includes a software firewall.

Configuring the Kaspersky firewall

The firewall in Kaspersky Endpoint Security 8 is identical to the firewall in many of this vendor's products, including the home product Kaspersky Internet Security 2013, so if someone has a different version of the antivirus, this article will most likely help him too. So let's begin.

Settings > Anti-Virus protection > Firewall. Click the "Network packet rules" button. We get the list of rules currently in force. Some of them deny something, others allow. At the moment it all looks like this:

If you noticed, the screenshot is not native: I took it from another product, KIS 2013, but take my word for it, everything was exactly the same in KES 8. And this is a server, where protection should be at the highest level! As we can see, there is a lot here and it is roughly clear: DNS queries (TCP/UDP) and sending mail are allowed, any activity from trusted networks is completely allowed and from local ones partially, the remote desktop port is blocked, various TCP/UDP ports are blocked but activity from outside is partially allowed, and at the end there are five ICMP rules. So half the rules are unclear and half are redundant. Let's clear the list and create our own rules from scratch.

The first thing I did was create my favourite rule, Deny All,

and placed it at the bottom. Then, by searching the Internet, I found out what the VPN needs. It is IP protocol 47, also known as GRE:

I placed the GRE rule above the Deny All rule. The other port to open for the VPN is TCP 1723. So I made a VPN_IN rule:

I placed the rule for port 1723 at the very top. (GRE and TCP 1723 are exactly what PPTP needs; an L2TP/IPsec VPN would instead need UDP 500 and 4500 plus ESP, and SSTP needs TCP 443.) The rest of the rules I changed a little, and some I left as they were. The resulting list (Firewall List):
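The following Python script models two things from this page: the packet-rule evaluation described in the first article (rules walked top to bottom, "according to application rules" acting as a window into a program's own rules, the hidden rule 17 that leaves KIS default-allow, and the svchost.exe-only DNS rule suggested for rules 1 and 2) and the VPN_IN / GRE / Deny All list just built for the VPN server. It is an added example written for this page, not Kaspersky code; the program names, the resolver address 192.0.2.53, the test addresses and the reduced rule subsets (rules 3, 5 and 7-16 of the default list are omitted) are all constructed.

```python
"""Model of a top-down packet-rule list: the first matching allow/deny wins, "by
application rules" defers to the program's own rules, and the last rule is the default.

Added illustration for this page, not Kaspersky code. Program names, addresses and the
rule subsets are constructed for the example.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple

ALLOW, DENY, BY_APP = "allow", "deny", "by application rules"
ANY = None  # an unspecified rule field matches anything, like an undefined field in KIS


@dataclass(frozen=True)
class Packet:
    program: str                  # local process sending or receiving, e.g. "svchost.exe"
    proto: str                    # "tcp", "udp", "icmp", "gre"
    direction: str                # "in" or "out"
    local_port: Optional[int] = None
    remote_port: Optional[int] = None
    remote_addr: str = "0.0.0.0"
    network: str = "public"       # type of the network the packet crosses


@dataclass(frozen=True)
class Rule:
    name: str
    action: str
    proto: Optional[str] = ANY
    direction: Optional[str] = ANY
    local_port: Optional[int] = ANY
    remote_port: Optional[int] = ANY
    network: Optional[str] = ANY                   # scope: "trusted", "local" or "public"
    remote_addrs: Optional[FrozenSet[str]] = ANY   # scope: explicit address list

    def matches(self, p: Packet) -> bool:
        wanted = ((self.proto, p.proto), (self.direction, p.direction),
                  (self.local_port, p.local_port), (self.remote_port, p.remote_port),
                  (self.network, p.network))
        if any(want is not ANY and want != have for want, have in wanted):
            return False
        return self.remote_addrs is ANY or p.remote_addr in self.remote_addrs


# Application rules: (the program's own rules, the group default used when none match).
# Trusted programs default to allow, untrusted programs to deny.
DNS_SERVERS = frozenset({"192.0.2.53"})  # constructed: the resolver handed out by DHCP
APP_RULES: Dict[str, Tuple[List[Rule], str]] = {
    "svchost.exe": ([Rule("svchost: DNS to our resolvers", ALLOW, "udp", "out",
                          remote_port=53, remote_addrs=DNS_SERVERS),
                     Rule("svchost: no other DNS", DENY, "udp", "out", remote_port=53)],
                    ALLOW),
    "browser.exe": ([Rule("browser: no direct DNS", DENY, "udp", "out", remote_port=53)],
                    ALLOW),
}
UNKNOWN_PROGRAM = ([], DENY)  # a program KIS placed in the untrusted group


def decide(packet_rules: List[Rule], p: Packet) -> Tuple[str, str]:
    """Return (verdict, name of the rule that decided) for the first matching rule."""
    for rule in packet_rules:
        if not rule.matches(p):
            continue
        if rule.action != BY_APP:
            return rule.action, rule.name
        # "By application rules" is the window through which the program's rules act.
        own_rules, group_default = APP_RULES.get(p.program, UNKNOWN_PROGRAM)
        for app_rule in own_rules:
            if app_rule.matches(p):
                return app_rule.action, f"{rule.name} -> {app_rule.name}"
        return group_default, f"{rule.name} -> group default"
    raise ValueError("rule list has no catch-all last rule")


# Subset of the KIS default list: rules 1, 2, 4, 6 and the hidden 17. Note it ends in allow.
KIS_DEFAULT = [
    Rule("1 DNS over TCP", BY_APP, "tcp", "out", remote_port=53),
    Rule("2 DNS over UDP", BY_APP, "udp", "out", remote_port=53),
    Rule("4 Any activity on trusted networks", ALLOW, network="trusted"),
    Rule("6 Deny inbound RDP", DENY, "tcp", "in", local_port=3389, network="public"),
    Rule("17 Default (hidden)", ALLOW),
]

# The list rebuilt for the PPTP VPN server: TCP 1723 and GRE above a Deny All.
VPN_SERVER = [
    Rule("VPN_IN", ALLOW, "tcp", "in", local_port=1723),
    Rule("GRE", ALLOW, "gre"),
    Rule("Deny All", DENY),
]


def demo() -> Dict[str, Tuple[str, str]]:
    """Run constructed packets through both lists and collect the verdicts."""
    dns_ok = Packet("svchost.exe", "udp", "out", remote_port=53, remote_addr="192.0.2.53")
    dns_rogue = Packet("svchost.exe", "udp", "out", remote_port=53, remote_addr="203.0.113.9")
    browser_dns = Packet("browser.exe", "udp", "out", remote_port=53, remote_addr="192.0.2.53")
    rdp_public = Packet("unknown.exe", "tcp", "in", local_port=3389, remote_addr="198.51.100.7")
    rdp_trusted = Packet("unknown.exe", "tcp", "in", local_port=3389, remote_addr="10.0.0.5",
                         network="trusted")
    web_public = Packet("unknown.exe", "tcp", "in", local_port=8080, remote_addr="198.51.100.7")
    pptp = Packet("svchost.exe", "tcp", "in", local_port=1723, remote_addr="198.51.100.7")
    gre = Packet("system", "gre", "in", remote_addr="198.51.100.7")
    return {
        "KIS: svchost to resolver": decide(KIS_DEFAULT, dns_ok),
        "KIS: svchost to rogue DNS": decide(KIS_DEFAULT, dns_rogue),
        "KIS: browser direct DNS": decide(KIS_DEFAULT, browser_dns),
        "KIS: inbound RDP, public": decide(KIS_DEFAULT, rdp_public),
        "KIS: inbound RDP, trusted": decide(KIS_DEFAULT, rdp_trusted),
        "KIS: inbound 8080, public": decide(KIS_DEFAULT, web_public),
        "VPN: inbound 1723": decide(VPN_SERVER, pptp),
        "VPN: inbound GRE": decide(VPN_SERVER, gre),
        "VPN: inbound 8080": decide(VPN_SERVER, web_public),
        "VPN: svchost DNS out": decide(VPN_SERVER, dns_ok),  # Deny All also eats outbound
    }


if __name__ == "__main__":
    for case, (verdict, by) in demo().items():
        print(f"{case:28} {verdict:5} ({by})")
```

Two results are the ones worth noticing. On the modelled default list, an inbound connection to an unlisted port (8080 here) reaches the hidden rule 17 and is allowed, which is the whole point of the first article. On the rebuilt VPN list, the same packet hits Deny All, but so does the server's own outbound DNS query: a catch-all deny at the bottom blocks everything the server itself needs (DNS, updates, domain traffic) unless an allow rule for it is placed above the deny, so the "rest of the rules" kept above Deny All matter as much as the VPN_IN and GRE entries.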

I will comment on each.

I must say right away that you should not rely on this article completely. Perhaps I have overlooked something. I'm not a guru when it comes to security, so I apologize in advance if I've made any mistakes. Criticism, wishes and praise are welcome; write comments below.
