Firewall: network rules - Kaspersky Lab
Kaspersky PURE 2.0
Firewall: network rules
Contents
Firewall rules
Packet rules
Creating a packet rule
Editing packet rules
Application rules
Creating application rules
Editing an application rule
Configuring network service
Allocating a range of IP addresses
Extending the range of IP addresses
Changing the rule for a group of applications
Changing the rule priority
Configuring notifications of changes in the network
Advanced Firewall settings
Firewall working features
1 | 30
Firewall rules
There are two Firewall rule types, used to control network connections:
► Packet rules are used to create general restrictions on network activity, regardless of the applications installed. Example: if you create a packet rule that blocks inbound connections on port 21, no application that uses that port (an FTP server, for example) will be accessible from the outside.
► Rules for applications are used to create restrictions on network activity for specific applications. Example: if connections on port 80 are blocked for every application, you can create a rule that allows connections on that port for Firefox only.
Packet rules have a higher priority than application rules. If both a packet rule and an application rule apply to the same type of network activity, that activity is processed using the packet rule.
Packet rules
Creating a packet rule
All network connections on your computer are monitored by Firewall. Firewall assigns a specific status to each connection and, depending on that status, applies various rules for filtering network activity; as a result it allows or blocks the network activity.
Packet rules are used to restrict the transfer of packets regardless of the application.
You can specify the action Firewall performs when it detects the network activity:
► Allow
► Block
► By application rules. The packet rule is not used; the rule for the application is used instead.
Allow and Block rules can be logged. To do this, check the Log events box in the Action section.
To create a packet rule, for example to allow remote access to your computer desktop, do the following:
1. In the right part of the Firewall settings window, in the Network rules section, click the Settings button.
2. In the Firewall window go to the Packet rules tab.
3. Click the Add button. In the Network rule window that opens, specify the settings for the rule.
4. In the Network rule window, in the Action section, select the Allow variant.
5. In the Name section click the arrow next to the input field and select the Remote Desktop item.
6. In the Address section select Any address.
7. Check the Log events box if you want to log actions performed according to the rule.
8. In the Network rule window click the OK button. The created rule appears in the list of packet rules on the Packet rules tab.
9. In the Firewall window click the OK button.
10. In the Settings window click the Apply button.
Now any user has remote access to your desktop.
Editing packet rules
All packet rules (default or created by the user) can be edited. For example, if you want to block remote access to your computer desktop from public networks, edit the Remote Desktop packet rule:
1. In the right part of the Settings window of the Firewall component, in the Network rules section, click the Settings button.
2. In the Firewall window go to the Packet rules tab.
3. In the list of packet rules select the Remote Desktop rule.
4. Click the Edit button. In the Network rule window that opens you can edit the settings of the selected rule.
5. In the Action section change the Allow variant to Block.
6. In the Address section select the Subnet address variant and choose the Public networks item from the displayed list.
7. In the Network rule window click the OK button.
8. The changes are displayed in the Firewall window on the Packet rules tab in the list of packet rules: for the Remote Desktop rule, the network type in the Address column changes to Public networks, and the allowing icon in the Permission column changes to a blocking icon.
9. In the Firewall window click the OK button.
10. In the Settings window click the Apply button.
Now only users of local and trusted networks have access to your computer desktop.
Application rules
Creating application rules
You can create application rules [1] for finer filtering of network activity, and edit rules for a group of applications or for an individual application in a group.
Custom rules for individual applications have a higher priority than the rules inherited from a group.
When creating an application rule, you can define the action Firewall performs when it detects this type of network activity for the application:
► Allow;
► Block;
► Prompt (user) for action.
An allowing or blocking action of a rule can be recorded in a report; to do this, check the Log events box in the Action section when creating the rule.
[1] Application rules monitor connections only over the TCP and UDP protocols.
To create a rule for an individual application, for example a rule blocking any network activity of the QIP internet pager outside your local and trusted networks, perform the following actions:
1. In the right part of the Settings window, in the Network rules section, click the Settings button.
2. In the Firewall window, on the Application rules tab, select QIP 2012.
3. Click the Edit button.
4. In the Application rules window that opens, go to the Network rules tab.
5. At the top of the window click the Add button.
6. In the Network rule window perform the following actions:
► In the Action section select the Block action;
► In the Name section select the Any network activity service;
► In the Address section select the Subnet address variant and in the displayed list select Public networks;
► Check the Log events box if you want to log actions performed according to the rule;
► Click the OK button.
7. The created rule appears in the Application rules window on the Network rules tab, in the list of rules for QIP 2012.
8. Click the OK button in the Application rules window.
9. In the Firewall window click the OK button.
10. In the Settings window click the Apply button.
Editing an application rule
For the default network rules created by Kaspersky PURE you can edit only the action (such rules cannot be deleted). To do this, perform the following actions:
1. In the right part of the Settings window, in the Network rules section, click the Settings button.
2. In the Firewall window, on the Application rules tab, select the required application.
3. Click the Edit button. In the Application rules window that opens, go to the Network rules tab.
4. From the list of rules for the application, select the rule whose action you want to change.
5. In the Permission column for the selected rule, right-click the action icon.
6. From the context menu select the required action:
► Allow
► Block
► Prompt for action
7. In the Application rules window click the OK button.
8. In the Firewall window click the OK button.
9. In the Settings window click the Apply button.
For a network rule created by the user you can edit all previously defined settings. To do this, perform the following actions:
1. In the right part of the Settings window, in the Network rules section, click the Settings button.
2. In the Firewall window, on the Application rules tab, select the application whose rule you want to edit.
3. Click the Edit button. In the Application rules window that opens, go to the Network rules tab.
4. From the list of rules select the rule you want to edit.
5. Click the Edit button.
6. In the Network rule window change the required settings.
7. In the Network rule window click the OK button.
8. In the Application rules window click the OK button.
9. In the Firewall window click the OK button.
10. In the Settings window click the Apply button.
Configuring network service
When creating any network rule you must specify the network service. The network service describes the settings that characterize the network activity for which the rule is created.
You can select the type of network activity from the list or create a new type.
A network service includes the following parameters:
► Name. Preferably use names that explicitly describe the rule, for example DNS over TCP.
► Protocol. Firewall restricts connections via the TCP, UDP, ICMP, ICMPv6, IGMP and GRE protocols [2]. If ICMP or ICMPv6 was selected as the protocol, you can specify the type and the code of the ICMP packet.
► Direction. Firewall controls connections with the following directions:
    ► Inbound. The rule is applied to data packets received by your computer.
    ► Inbound (stream). The rule is for network connections initiated by another computer.
    ► Inbound/Outbound. The rule is for inbound and outbound data packets and data streams regardless of direction.
    ► Outbound. The rule is applied to data packets sent from your computer.
    ► Outbound (stream). The rule is only for network connections initiated by your computer.
► Remote and Local ports. You can specify the ports used by your computer and by remote computers for the TCP and UDP protocols. These ports will be controlled by Firewall.
[2] TCP, UDP, ICMP, ICMPv6, IGMP and GRE are protocols (sets of rules) for data transfer in the network. An ICMP packet is a packet that carries a message about an error or another exceptional situation that occurred during data transfer. The type and code fields of the ICMP packet contain the type and code of the situation that occurred.
Allocating a range of IP addresses
While creating the rule's conditions you can specify the network service and the network address. You can use an IP address as the network address or specify the network status. In the latter case the addresses are taken from all networks that are connected and have the specified status at that moment.
You can select one of the following statuses:
► Any address – the rule will be applied to any IP address;
► Subnetwork addresses with status – the rule will be applied to the IP addresses of all networks that are connected and have the specified status at the moment:
    ► Trusted networks
    ► Local networks
    ► Public networks
► Addresses from group – the rule will be applied to the IP addresses included in the specified range. Select one of the existing groups of addresses. If no range of IP addresses in any group suits you, create a new one.
To do this, perform the following steps:
1. At the bottom of the section click the Add link.
2. In the IP address or DNS name window specify the addresses of the group.
3. Click the OK button.
4. In the Network rule window click the OK button.
A method of allocating IP addresses using Classless Inter-Domain Routing (CIDR) [3] is implemented in Kaspersky PURE.
CIDR uses a Variable Length Subnet Mask (VLSM), whereas in classful (class-based) addressing the mask length is fixed at 0, 1, 2 or 3 bytes.
For example, take the range of IP addresses written as 10.96.0.0/11. In this case the subnet mask is 11111111 11100000 00000000 00000000, or 255.224.0.0 in decimal notation. 11 bits of the IP address are allocated to the network number; the other 21 bits (32 - 11 = 21) of the full address are allocated to the host address within the network. To sum up, 10.96.0.0/11 is the range of addresses from 10.96.0.1 to 10.127.255.255.
Remember that when CIDR addressing is used in networks of IP protocol version 4 (IPv4), the rule will in any case be applied to the whole network.
To convert IP addresses into CIDR notation, Kaspersky Lab experts recommend using any web site that provides a free service for converting IP addresses to CIDR addressing (for example, the web site http://ip2cidr.com/).
[3] CIDR (Classless Inter-Domain Routing) is a method of IP addressing that allows managing ranges of IP addresses flexibly, without the rigid frames of classful addressing. CIDR allows using the finite resource of IP addresses economically, thus enhancing the efficiency of KSOS 2.
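The CIDR arithmetic above, carried through in code as an added example (not Kaspersky's code): it derives the mask, network and bounds of an entry such as 10.96.0.0/11, shows that an entry with host bits set is applied to the whole network, and converts an arbitrary address range into CIDR blocks, which the page otherwise delegates to an online converter.

```python
"""CIDR arithmetic behind Firewall address ranges (added example, not Kaspersky code)."""
import ipaddress

ALL_ONES = 0xFFFFFFFF

def parse_ipv4(text: str) -> int:
    """Dotted decimal '10.96.0.0' -> 32-bit integer; malformed input is rejected."""
    octets = text.split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
        raise ValueError(f"bad IPv4 address: {text!r}")
    value = 0
    for octet in octets:
        value = (value << 8) | int(octet)
    return value

def parse_cidr(cidr: str):
    """Split '10.96.0.0/11' into (address as int, prefix length)."""
    addr_text, _, prefix_text = cidr.partition("/")
    if not prefix_text.isdigit() or int(prefix_text) > 32:
        raise ValueError(f"bad prefix length in {cidr!r}")
    return parse_ipv4(addr_text), int(prefix_text)

def mask_from_prefix(prefix: int) -> int:
    """VLSM: `prefix` one-bits followed by (32 - prefix) zero-bits."""
    return (ALL_ONES << (32 - prefix)) & ALL_ONES

def to_dotted(value: int) -> str:
    return ".".join(str((value >> s) & 0xFF) for s in (24, 16, 8, 0))

def to_binary(value: int) -> str:
    return " ".join(f"{(value >> s) & 0xFF:08b}" for s in (24, 16, 8, 0))

def describe_range(cidr: str) -> dict:
    """Mask, network and bounds of a CIDR entry, as the page works out for 10.96.0.0/11.
    Host bits set in the entered address are cleared: the rule covers the whole
    network, which is the IPv4 behaviour the page warns about."""
    addr, prefix = parse_cidr(cidr)
    mask = mask_from_prefix(prefix)
    network = addr & mask
    last = network | (~mask & ALL_ONES)
    return {
        "prefix": prefix,
        "host_bits": 32 - prefix,
        "mask_binary": to_binary(mask),
        "mask": to_dotted(mask),
        "network": to_dotted(network),
        "first_host": to_dotted(network + 1),  # the page counts from .1 (sensible for /30 and shorter)
        "last": to_dotted(last),
        "normalized": f"{to_dotted(network)}/{prefix}",
    }

def contains(cidr: str, ip: str) -> bool:
    """True when `ip` is inside the network a rule with this CIDR entry applies to."""
    addr, prefix = parse_cidr(cidr)
    mask = mask_from_prefix(prefix)
    return (parse_ipv4(ip) & mask) == (addr & mask)

def range_to_cidrs(first: str, last: str) -> list:
    """Inclusive address range -> minimal list of CIDR blocks (what the page delegates to
    an online converter). Greedy: take the largest aligned block that does not overshoot."""
    start, end = parse_ipv4(first), parse_ipv4(last)
    if start > end:
        raise ValueError("range start is after range end")
    blocks = []
    while start <= end:
        host_bits = 0
        while host_bits < 32:
            bit = 1 << host_bits
            # Doubling the block needs `start` aligned to the bigger size and the block still fitting.
            if start & bit or start + (bit << 1) - 1 > end:
                break
            host_bits += 1
        blocks.append(f"{to_dotted(start)}/{32 - host_bits}")
        start += 1 << host_bits
    return blocks

def matches_stdlib(cidr: str) -> bool:
    """Cross-check describe_range() against ipaddress (strict=False also clears host bits)."""
    info = describe_range(cidr)
    net = ipaddress.ip_network(cidr, strict=False)
    return (str(net.netmask), str(net.network_address), str(net.broadcast_address)) == (
        info["mask"], info["network"], info["last"])
```

describe_range("10.100.5.7/11") normalizes to 10.96.0.0/11, which is the point of the page's IPv4 warning: an entry with host bits set still covers the whole network.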
Extending the range of IP addresses
Each network corresponds to one or more ranges of IP addresses. If you connect to a network whose subnetworks are reached via a router, you can manually add the subnetworks accessible through it.
Example: you connect to the network in an office of your company and wish to use the same filtering rules for the office to which you are connected directly and for the offices accessible over the network. Obtain the network address ranges of those offices from the network administrator and add them.
To extend the range of network addresses, please perform the following:
1. In the right part of the Firewall settings window, in the Networks section, select an active connection and click the Edit button.
2. In the Network connection window, on the Properties tab, in the Additional subnetworks section, click the Add link.
3. In the IP address window specify an IP address or address mask.
4. Click the OK button.
5. In the Network connection window click the OK button.
6. In the Settings window click the Apply button.
Changing the rule for a group of applications
Firewall analyzes the activity of each application running on your computer. Depending on the threat rating, every application is included in one of the following groups:
► Trusted [4]. Trusted applications are applications with digital signatures of trusted vendors, and applications whose signatures are included in the trusted applications database. Activities of such applications are monitored by Proactive Defense and File Anti-Virus.
► Low Restricted [5]. Low restricted applications are applications without digital signatures of trusted vendors that are not included in the trusted applications database. Nevertheless, a low risk rating is assigned to such applications.
► High Restricted [6]. High restricted applications are applications without digital signatures that are not included in the trusted applications database. A high risk rating is assigned to such applications.
► Untrusted [7]. Untrusted applications are applications without digital signatures that are not included in the trusted applications database. A very high risk rating is assigned to such applications.
[4] Applications of this group are allowed to perform any network activity irrespective of the network status.
[5] Applications of this group are allowed to perform any network activity in non-interactive mode. If you are using the interactive mode, a notification is displayed on the screen, with which you can allow or block the connection or create an application rule using the Wizard.
[6] Applications of this group are not allowed to perform network activity in non-interactive mode. If you are using the interactive mode, a notification is displayed on the screen, with which you can allow or block the connection or create an application rule using the Wizard.
[7] Any network activity is prohibited for the applications of this group.
You can modify rules for a whole group.
Custom rules for individual applications have a higher priority than the rules inherited from a group. If you create an allowing rule for a whole group of applications and a blocking rule for a certain application from this group, any network activity of that application will be restricted according to the rule for this application, because it has the higher priority.
To change rules for a group of applications, for example if you want low restricted programs to have unrestricted rights to network activity within local networks, perform the following actions:
1. In the right part of the settings window of the Firewall component, in the Network rules section, click the Settings button.
2. In the Firewall window go to the Application rules tab.
3. Select the Low restricted group of applications.
4. Click the Edit button.
5. In the Group rules window go to the Network rules tab and click the Add button.
6. In the Network rule window, in the Action section select Allow, in the Name section select Any network activity, and click the OK button.
7. In the Network rule window click the OK button.
8. In the Firewall window click the OK button.
9. In the Settings window click the OK button.
Now all applications of the Low Restricted group have unrestricted rights to network activity.
Changing the rule priority
The priority of a rule is determined by its position in the list of rules. The first rule in the list has the highest priority. Each manually created packet rule is added to the end of the list of packet rules.
Application groups are organized by program name, and rule priority applies within a particular group only.
Manually created rules for applications have a higher priority than the rules inherited from the group.
To change the rule priority, please perform the following actions:
1. In the right part of the settings window of the Firewall component, in the Network rules section, click the Settings button.
2. In the Firewall window, on the Application rules tab, select the required application.
3. Click the Edit button.
4. The Application rules window opens. Go to the Network rules tab.
5. Select a rule and move it to the required place in the list by clicking the Move up and Move down buttons.
6. In the Application rules window click the OK button.
7. In the Firewall window click the OK button.
8. In the Settings window click the Apply button.
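The precedence described under Firewall rules and Changing the rule priority (packet rules before application rules, custom application rules before inherited group rules, first match by list position) as a small Python model. This is an added example, not Kaspersky code; the group defaults follow the page's notes on the four groups, and port 3389 for Remote Desktop plus the "RDP service" application name are assumptions.

```python
"""Model of Firewall rule precedence as the page describes it (added example, not Kaspersky code)."""
from dataclasses import dataclass
from typing import Optional

ALLOW, BLOCK, PROMPT = "Allow", "Block", "Prompt for action"
BY_APP = "By application rules"  # packet-rule action that hands the decision to application rules

# What happens when no rule matches, per the page's notes on the four groups
# (assumed simplification: (non-interactive action, interactive action)).
GROUP_DEFAULT = {
    "Trusted": (ALLOW, ALLOW),
    "Low Restricted": (ALLOW, PROMPT),
    "High Restricted": (BLOCK, PROMPT),
    "Untrusted": (BLOCK, BLOCK),
}

@dataclass(frozen=True)
class Conn:
    app: str           # application owning the connection
    proto: str         # "TCP" or "UDP": application rules see only these (page note 1)
    direction: str     # "Inbound" or "Outbound"
    local_port: int
    remote_port: int
    net_status: str    # status of the remote network: "Trusted", "Local" or "Public"

@dataclass(frozen=True)
class Rule:
    name: str
    action: str
    proto: Optional[str] = None        # None means "any" for each condition below
    direction: Optional[str] = None
    local_port: Optional[int] = None
    remote_port: Optional[int] = None
    net_status: Optional[str] = None   # None = "Any address"

    def matches(self, c: Conn) -> bool:
        pairs = ((self.proto, c.proto), (self.direction, c.direction),
                 (self.local_port, c.local_port), (self.remote_port, c.remote_port),
                 (self.net_status, c.net_status))
        return all(want is None or want == have for want, have in pairs)

def first_match(rules, conn):
    """Priority is list position: the first matching rule wins."""
    return next((r for r in rules if r.matches(conn)), None)

def decide(conn, packet_rules, app_rules, group_rules, group_of, interactive=False):
    """Return (action, reason) for one connection.
    packet_rules: ordered list of Rule, consulted first (packet rules outrank application rules)
    app_rules:    {app: ordered list of Rule}, custom rules beat those inherited from the group
    group_rules:  {group: ordered list of Rule}
    group_of:     {app: group}"""
    if conn.proto not in ("TCP", "UDP"):
        raise ValueError("model covers TCP/UDP only; application rules do not see other protocols")
    hit = first_match(packet_rules, conn)
    if hit is not None and hit.action != BY_APP:
        return hit.action, f"packet rule '{hit.name}'"
    # No packet rule matched, or it said "By application rules": fall through.
    hit = first_match(app_rules.get(conn.app, []), conn)
    if hit is not None:
        return hit.action, f"application rule '{hit.name}' for {conn.app}"
    group = group_of[conn.app]
    hit = first_match(group_rules.get(group, []), conn)
    if hit is not None:
        return hit.action, f"group rule '{hit.name}' of {group}"
    return GROUP_DEFAULT[group][1 if interactive else 0], f"default for group {group}"

# Constructed scenario mirroring the page's own examples. Port 3389 for Remote Desktop and
# the application names other than QIP 2012 and Firefox are assumptions.
PACKET_RULES = [
    Rule("Remote Desktop", BLOCK, proto="TCP", direction="Inbound", local_port=3389, net_status="Public"),
]
APP_RULES = {
    "QIP 2012": [Rule("Any network activity", BLOCK, net_status="Public")],
    "Firefox": [Rule("HTTP", ALLOW, proto="TCP", direction="Outbound", remote_port=80),
                Rule("Any network activity", BLOCK)],
}
GROUP_RULES = {"Low Restricted": [Rule("Any network activity", ALLOW, net_status="Local")]}
GROUP_OF = {"QIP 2012": "Low Restricted", "Firefox": "Low Restricted", "RDP service": "Trusted"}

def evaluate(conn, packet_rules=PACKET_RULES, app_rules=APP_RULES,
             group_rules=GROUP_RULES, group_of=GROUP_OF, interactive=False):
    return decide(conn, packet_rules, app_rules, group_rules, group_of, interactive)

if __name__ == "__main__":
    # Blocked by the packet rule even though the app is Trusted: packet rules come first.
    print(evaluate(Conn("RDP service", "TCP", "Inbound", 3389, 50000, "Public")))
```

Reversing the Firefox rule list flips the HTTP decision from Allow to Block, which is the list-position priority the Move up and Move down buttons change.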
Configuring notifications of changes in the network
Network connection settings can change during operation. You can receive notifications of the following changes:
► When a network connection is established.
► When the correspondence between a MAC address and an IP address changes. The notification appears if the IP address of a computer in the network was changed.
► When a new MAC address appears. The notification appears if a new computer was added to the network.
Note that notifications about such changes can be configured only for networks with the status Local network or Trusted network.
To enable notifications about changes to network connection settings, please perform the following:
1. In the right part of the Firewall settings window, in the Networks section, select an active connection and click the Edit button.
2. In the Network connection window go to the Additional tab.
3. Check the boxes next to the events about which you want to receive notifications.
4. In the Network connection window click the OK button.
5. In the Settings window click the Apply button.
Advanced Firewall settings
You can specify additional settings of Firewall operation:
► Allow active FTP mode. In active mode, to establish the connection between the server and the client computer, a port to which the server will connect is opened on the client computer (unlike passive mode, in which the client connects to the server). This mode allows controlling exactly which port is opened. The mechanism works even if a blocking rule was created. By default, active FTP mode is allowed.
► Block connections if there is no possibility to prompt for action (application interface is not loaded). This setting helps avoid disruption of Firewall operation when the Kaspersky PURE interface is not loaded. This is the default action.
► Do not disable Firewall until the system completely stops. This setting helps avoid disruption of Firewall operation until the system is completely stopped. This is the default action.
By default all these settings are enabled.
To modify advanced Firewall settings, please perform the following:
1. In the right part of the Firewall settings window, in the Network rules section, click the Settings button.
2. In the Firewall window go to the Packet rules tab and click the Additional button.
3. In the Additional window check or uncheck the boxes next to the required settings and click the OK button.
4. In the Firewall window click the OK button.
5. In the Settings window click the Apply button.
Firewall working features
When working with the Firewall component, keep in mind the following peculiarities:
► Firewall rules do not influence Network Attack Blocker;
► For the Local network zone, ICMP packets are always allowed.