Firewall Kaspersky 10 settings. Adding and changing access rules to web resources. Setting up Kaspersky for local network

It often happens that Kaspersky antivirus, which is supposed to secure the local network, instead interferes with access to network resources in every possible way.

Therefore, here we will look at what to do if Kaspersky blocks the local network, and what settings are necessary if access to the computer is limited.

Before you begin diagnosing the problem, make sure that

  • you have the latest version of the antivirus installed;
  • the driver for the network card has been updated on the computer.

What to do if Kaspersky blocks the local network?

To check, you should temporarily disable the protection. To do this, right-click the antivirus icon in the system tray and select “pause protection”.

It is also necessary to disable Windows Firewall: Kaspersky itself will perform the firewall task, assign statuses and control the network connection. If you leave Windows Firewall enabled, the antivirus will periodically shut down the network.

You must immediately remember the name of the network and .

To do this, go to “Start” - “Control Panel” - “Network and Internet” - “Network and Sharing Center” - “Change adapter settings” - “Local Area Connection” (the default local network name is the network card model: Realtek RTL8102E..., Atheros and others).

Setting up Kaspersky for local network:

1) open the main antivirus window;
2) at the bottom left click the settings sign (gear);
3) in the left column, click “protection”;
4) then in the right window - “firewall”;

5) at the bottom - the “network” button;
6) select your network (the name of which you remembered earlier)

Double-click to open the network properties and select the “trusted network” network type.
Then, if necessary, you can disable the NDIS filter driver (network speed will increase significantly). It is disabled in the local network settings and cannot be configured.

You must turn on and restart your computer with the local network enabled and the cable connected to the computer's network card, because Kaspersky begins to conflict with the Computer Browser service.

You can also prohibit or restrict certain programs from accessing the local network. To do this, follow steps one through four and select “Configure application rules.”

There are four groups to choose from: trusted, weakly constrained, strongly constrained, and untrusted. Using the right mouse button, select the appropriate priority for the programs to run, then add new groups and programs. To do this, select:

1) details and rules
2) network rules
3) restrictions
4) reset parameters
5) remove from the list
6) open the program folder

Default program rules are "inherited" from the installed program, but they can be changed as needed. To do this, right-click the desired program (or subgroup) and select the appropriate item in the menu.

The goals pursued are security, and security again.

Let's imagine a very common situation: you have many servers on your network that provide some services. It is very likely that some of them have an external interface that faces the WAN, i.e. the global network. Usually this is a proxy server, web server, mail server, etc. It's no secret that this fact alone makes you, as a competent system administrator, think about the security of your network infrastructure. There is no point in telling you what could happen if a hacker penetrates your network. There are many options to protect yourself from malicious attacks. Among them is building a so-called demilitarized zone, or publishing a server through your proxy, which you have certainly (haven't you?) configured very strictly and seriously. The first option (DMZ) has not yet been “raised” for various reasons; let's say it is a lack of time and equipment on the system administrator's part. The second one (publishing through another server) is very controversial; we'll leave it out for now.

For now, first, let's set up a firewall. The main function of any firewall is to secure access to our computer from the outside. I specifically wrote the word “computer” because home computers and workstations can also be secured using a firewall. Naturally, there is no 100% protection with a software firewall, but it's better than nothing. In addition, I have a feeling that after my manipulations today, the server will no longer be at risk. Let's get started.

Test lab

There is a server running Windows Server 2008 R2, providing a VPN service using the Microsoft RAS service. Windows Firewall is configured by default. I didn’t delve into it, although I should have. But since I have a Kaspersky Enterprise Space Security corporate license, why not take advantage of it and install Kaspersky Endpoint Security 8, which includes a software firewall.

Configuring Kaspersky firewall

The Kaspersky Endpoint Security 8 firewall is identical to many firewalls from this manufacturer, including the home version, Kaspersky Internet Security 2013, so if someone has a different version of the antivirus, this article will most likely help them too. Now let's begin.

Settings – antivirus protection – firewall. Click the “Network packet rules” button. We get a list of the rules that are currently in effect. Some of them prohibit something, others allow it. At the moment everything looks something like this:

If you noticed, the screenshot is not original. I took it from another product - KIS2013, but take my word for it - in KES8 everything was exactly the same. And this is a server, where protection should be at the highest level! As we can see, there is a lot here and everything is approximately clear: DNS queries (TCP/UDP), sending messages, any activity from trusted networks is completely allowed, from local ones partially, the port responsible for the remote desktop is disabled, various TCP/UDP ports are disabled, activity from outside is partially allowed, and at the end there are 5 ICMP rules. Yes, half the rules are incomprehensible and half are unnecessary. Let's create the list from scratch and create our own rules.

The first thing I did was create my favorite rule - Deny All (ban all)

and placed it at the bottom. Then, by searching the Internet, I found out which ports the VPN technology uses. This is protocol 47, which also has the name GRE:

I placed the rule with GRE above the prohibiting rule. Another port that needs to be opened for VPN is 1723. So I created a rule VPN_IN:

I placed the rule with port 1723 at the very top. I modified the rest of the rules a little, and left some. The result is the following list (Firewall List):

I will comment on each one.

Let me make a reservation right away that you should not completely rely on this article. Perhaps I missed something. I'm not a security guru, so I apologize in advance if I made any mistakes. Criticism, suggestions and praise are welcome, write comments below.


To add or change a web resource access rule, follow these steps:

  1. Open the program settings window.
  2. On the left side of the window, in the Workplace control section, select the Web Control subsection.

    The parameters of the Web Control component will be displayed in the right part of the window.

  3. Perform one of the following actions:
    • If you want to add a rule, click on the Add button.
    • If you want to change a rule, select the rule in the table and click the Edit button.

    A window will open.

  4. Set or change the rule settings. To do this, follow these steps:
    1. In the Name field, enter or change the name of the rule.
    2. In the Filter content drop-down list, select the required element:
      • Any content.
      • By content category.
      • By data type.
      • By content category and data type.
    3. If an item other than Any content is selected, blocks for selecting content categories and/or data types will open. Check the boxes next to the names of the desired content categories and/or data types.

      Checking the box next to the name of the content category and/or data type means that Kaspersky Endpoint Security, in accordance with the rule, controls access to web resources belonging to the selected content categories and/or data types.

    4. In the Apply to addresses drop-down list, select the required element:
      • To all addresses.
      • To individual addresses.
    5. If To individual addresses is selected, a block will open in which you need to create a list of web resource addresses. You can add or change web resource addresses using the Add, Edit, Delete buttons.
    6. Check the box Specify users and/or groups.
    7. Click on the Select button.

      The Microsoft Windows Selecting Users or Groups window will open.

    8. Set or change the list of users and/or user groups for whom access to the web resources described in the rule is allowed or restricted.
    9. From the Action drop-down list, select the desired item:
      • Allow. If this value is selected, Kaspersky Endpoint Security allows access to web resources that meet the rule parameters.
      • Forbid. If this value is selected, Kaspersky Endpoint Security denies access to web resources that meet the rule parameters.
      • Warn. If this value is selected, then when you try to access web resources that satisfy the rule, Kaspersky Endpoint Security displays a warning that the web resource is not recommended for visiting. Using the links in the warning message, the user can access the requested web resource.
    10. From the Work schedule rules drop-down list, select the name of the required schedule, or create a new schedule based on the selected rule schedule. To do this, follow these steps:
      1. Click the Settings button next to the Work schedule rules drop-down list.

        The Work schedule rules window will open.

      2. To add a time interval during which the rule does not work to the rule’s work schedule, in the table showing the rule’s work schedule, use the left mouse button to select the table cells corresponding to the time and day of the week you need.

        The color of the cells will change to gray.

      3. To change the time interval during which the rule works in the rule schedule to the time interval during which the rule does not work, use the left mouse button to select the gray table cells corresponding to the time and day of the week you need.

        The color of the cells will change to green.

      4. Click on the Save As button.

        The Rule work schedule name window will open.

      5. Enter a name for the rule's work schedule or leave the default name.
      6. Click on the OK button.
  5. In the Rule for accessing web resources window, click on the OK button.
  6. Click the Save button to save your changes.

Advanced administration functions allow you to remotely centralize and automate vulnerability monitoring, distribution of patches and updates, record keeping and program deployment, which not only saves administrators time, but also increases the security of the organization.

Advanced system administration capabilities give the administrator full control over managed devices through a single management console. Thanks to this function, the administrator can at any time:

1. Find out about the emergence of a new device or application, including a guest device. This feature allows you to centrally manage user and device access to corporate data and applications in accordance with company policy.

2. Download, install, test and update applications independently. The administrator can configure automatic download of updates and patches from Kaspersky Lab servers. Before installing a program, the administrator can test the application's load on system performance.

3. Check the network to take inventory of software and hardware. When checking the network, the administrator can get a complete picture of the corporate network with all devices and identify outdated software versions that need to be updated to improve system security.

4. Identify vulnerabilities. The search for vulnerabilities can be performed not only automatically, but also according to a schedule set by the administrator.

At the moment, the enterprise network infrastructure requires enhanced protection of each network element. One of the most vulnerable places for malware attacks is the file server. To protect a server, a specialized solution is required that can provide it with the proper level of security.

It has more functions than . One of the main advantages of this program is that it is able to protect file servers from ransomware attacks.

Function | Kaspersky Endpoint Security 10 for Windows (for file servers) | Kaspersky Security 10 for Windows Server

  • Unified console of Kaspersky Security Center 10
  • Protecting terminal servers | Terminal Services (Remote Desktop Services) Windows Server 2008 R2 | Terminal Services Windows Server 2008 R2 / 2012 / 2012 R2; Citrix XenApp 6.0, 6.5, 7.0, 7.5, 7.6; Citrix XenDesktop 7.0, 7.1, 7.5, 7.6
  • Server load distribution
  • Identifying servers running under high load
  • Cluster mode configuration support
  • Core mode configuration support
  • Support for the ReFS file system used in Windows Server
  • Support for SNMP, the network protocol for managing devices in TCP/UDP networks
  • Individual configuration of protective parameters for each protected area
  • Application launch control
  • Firewall
  • Protection against ransomware

Kaspersky Internet Security firewall: understanding the default settings

Alexander Antipov


The first step to safe travel through the vast expanses of various networks is, of course, installing a reliable means of protection. One of the few such tools is the comprehensive product Kaspersky Internet Security. Despite the fact that the KIS product is quite complex, immediately after installation it is ready to perform all the duties assigned to it. The need for additional settings is extremely rare, and this is a big credit to the developers. But it is necessary to understand that this convenience rests on the sharp edge of compromise solutions. Let's look at what they are, using the firewall as an example.

Firewall settings consist of two parts: program rules and packet rules. Using program rules, you can allow or deny certain programs or groups of programs to send or receive packets or establish network connections. Packet rules allow or deny the establishment of incoming or outgoing connections, and the transmission or reception of packets.

Let's see what the rules for programs are.

All programs are divided into four categories:

  1. Trusted - they are allowed to do everything without exception.
  2. Weak restrictions - the “action request” rule has been established, allowing the user to independently make a decision about the advisability of network communication between programs of this group.
  3. Strong restrictions - in terms of permission to work with the network, the same as weak ones.
  4. Not trusted - by default, these programs are prohibited from any network communication (from a human standpoint, I feel very sorry for them).

By default, all programs from Microsoft, KIS itself and other programs from well-known manufacturers are placed in the “trusted” group. For default settings this is a good choice, but personally I would not trust all programs so completely, even those from famous manufacturers.

How do programs fall into one group or another? It's not that simple here. The decision to place a particular program into one of four groups is made based on several criteria:

  1. Availability of information about the program in KSN (Kaspersky Security Network).
  2. Presence of a digital signature on the program (already passed).
  3. Heuristic analysis for unknown programs (something like fortune telling).
  4. Automatic placement of the program in a group pre-selected by the user.

All these options are located in the “Application Control” settings. By default, the first three options are enabled, the use of which leads to a large number of “trusted” programs. The fourth option can be selected independently as an alternative to the first three.

Let's conduct an experiment. Let’s put some program (for example, the “Opera” browser) in the list of programs with weak restrictions and see how the “action request” rule works. For program rules to take effect, you must close and reopen the program for which the rules have been changed. If you now try to go to any website, no action request will occur, and the program will calmly establish a network connection. As it turns out, the “action request” rule only works if the “Select action automatically” option is unchecked in the main protection settings.

Another surprise awaits users of network utilities such as ping, tracert (if the “action request” rule is extended to trusted programs), putty (an SSH client) and perhaps others like them. For them, KIS stubbornly refuses to display the action request screen. There is only one way out: to set permissions for the specific program manually.

Before moving on to packet rules, let me give you one piece of advice: create your own subgroups for each group of programs. For example: “Network utilities”, “Office programs”, “Internet programs”, etc. Firstly, you will always be able to quickly find the program you need, and secondly, you will be able to set rules for specific groups instead of setting rules for individual programs.

Packet rules.

Packet rules define individual characteristics of packets: protocol, direction, local or remote port, network address. Packet rules can act as “allowing”, “denying” and “according to program rules”. The rules are scanned from top to bottom until an allowing or prohibiting rule is found that matches the set of characteristics. If no rule for a packet is found, then the default rule (the last one) is applied. Usually in firewalls the last rule prohibits the reception and transmission of any packets, but for KIS this rule is permissive.

The action “according to program rules” is by its nature a “window” for the actual actions of the program rules. This is convenient because you can determine the order in which rules are executed. For example, a program tries to send a packet to port 53 of a DNS server. If there is a packet rule with the action “according to program rules”, direction “outgoing”, remote port 53 (or not defined), and an allowing rule is set for the program to send a packet to port 53, then the packet will be sent; if the program is prohibited from sending packets to port 53, then the packet will not be sent.
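The top-to-bottom evaluation described above, and the reason the server rule list earlier on this page puts Deny All at the bottom with GRE and VPN_IN above it, shown as an added Python model (not Kaspersky's code and not either author's). It also flags rules that can never fire because an earlier rule already covers them. Assumptions: ports 3389 and 445, TCP for port 1723, the program names, and the choice that a program with no rule of its own is denied under “according to program rules”.

```python
from dataclasses import dataclass
from typing import Optional

ALLOW, DENY, BY_PROGRAM = "allow", "deny", "by program rules"
FIELDS = ("proto", "direction", "local_port", "remote_port")

@dataclass(frozen=True)
class Rule:
    name: str
    action: str
    proto: Optional[str] = None        # None means "any"
    direction: Optional[str] = None    # "in" / "out"
    local_port: Optional[int] = None
    remote_port: Optional[int] = None

    def matches(self, pkt: dict) -> bool:
        """A rule matches when every field it sets equals the packet's."""
        return all(getattr(self, f) in (None, pkt.get(f)) for f in FIELDS)

    def covers(self, other: "Rule") -> bool:
        """True if every packet matched by `other` is also matched by self."""
        return all(getattr(self, f) in (None, getattr(other, f)) for f in FIELDS)

def evaluate(rules, program_rules, pkt, default=ALLOW):
    """First match wins, top to bottom; returns (verdict, deciding rule)."""
    for rule in rules:
        if not rule.matches(pkt):
            continue
        if rule.action == BY_PROGRAM:
            # Model assumption: a program with no rule of its own is denied.
            return program_rules.get(pkt.get("program"), DENY), rule.name
        return rule.action, rule.name
    return default, "implicit last rule"   # permissive in KIS, per the text

def shadowed(rules):
    """Names of rules that can never fire because an earlier rule covers them."""
    return [r.name for i, r in enumerate(rules)
            if any(prev.covers(r) for prev in rules[:i])]

# Constructed rule sets. The page names only "port 1723", "Protocol 47 (GRE)",
# "VPN_IN" and "Deny All"; TCP, 3389 (RDP) and 445 (SMB) are assumptions.
KIS_LIKE = [
    Rule("DNS over UDP", BY_PROGRAM, proto="udp", direction="out", remote_port=53),
    Rule("Block RDP", DENY, proto="tcp", direction="in", local_port=3389),
]
VPN_SERVER = [
    Rule("VPN_IN", ALLOW, proto="tcp", direction="in", local_port=1723),
    Rule("GRE", ALLOW, proto="gre"),
    Rule("Deny All", DENY),
]
MISORDERED = [VPN_SERVER[2], VPN_SERVER[0], VPN_SERVER[1]]  # Deny All on top
PROGRAM_RULES = {"svchost.exe": ALLOW, "untrusted.exe": DENY}

SMB_IN = {"proto": "tcp", "direction": "in", "local_port": 445}
PPTP_IN = {"proto": "tcp", "direction": "in", "local_port": 1723}
DNS_OUT = {"proto": "udp", "direction": "out", "remote_port": 53}

if __name__ == "__main__":
    for label, rules in (("KIS-like", KIS_LIKE), ("VPN server", VPN_SERVER),
                         ("misordered", MISORDERED)):
        print(label, "SMB in  ->", evaluate(rules, PROGRAM_RULES, SMB_IN))
        print(label, "PPTP in ->", evaluate(rules, PROGRAM_RULES, PPTP_IN))
        print(label, "shadowed:", shadowed(rules))
    for prog in ("svchost.exe", "untrusted.exe"):
        print(prog, evaluate(KIS_LIKE, PROGRAM_RULES, {**DNS_OUT, "program": prog}))
```

With the permissive last rule, the unmatched inbound packet is allowed; with Deny All at the bottom it is dropped, and with Deny All moved to the top both VPN rules are reported as unreachable.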

The scope of the rules covers a certain area: “any address” (all addresses), “subnet address” - here you can select the type of subnet “trusted”, “local” or “public”, and “addresses from the list” - specify IP addresses or domain names manually. The relationship of a specific subnet to “trusted”, “local” or “public” is set in the general firewall settings.

KIS packet rules, unlike most firewalls, are overloaded with a large number of directions: “inbound”, “inbound (stream)”, “outbound”, “outbound (stream)”, and “inbound/outbound”. Moreover, rules with some combinations of protocol and direction do not work. For example, an ICMP deny rule in combination with stream directions will not work, i.e. prohibited packets will pass through. For some reason, stream directions are applied to UDP packets, although the UDP protocol by its nature does not create a “flow” as such, unlike TCP.

Another, not entirely pleasant, point is that the packet rules do not have the ability to specify a reaction to blocking an incoming packet: prohibit receiving the packet with a notification to the party that sent it, or simply discard the packet. This is the so-called “invisibility” mode, which was previously present in the firewall.

Now let's turn to the rules themselves.

Rules 1 and 2 allow DNS requests to be sent over the TCP and UDP protocols, according to program rules. Of course, both rules are useful, but network programs such as email clients and browsers mostly request website addresses through the system DNS service, which is run by the system program "svchost.exe". In turn, the service itself uses very specific DNS server addresses, specified manually or via DHCP. DNS server addresses rarely change, so it would be enough to allow DNS queries to be sent by the system service “svchost.exe” to fixed domain name servers.

Rule 3 allows programs to send email using the TCP protocol. Here, as with the first two rules, it would be enough to create a rule for the specific email program, indicating which port and server to send to.

Rule 4 allows any network activity for trusted networks. Be very careful when enabling this rule, and do not accidentally confuse the network type. This rule effectively disables firewall functionality on trusted networks.

Rule 5 allows any network activity according to the rules of programs for local networks. Although this rule does not completely disable the firewall, it significantly weakens its control functions. According to the logic of rules 4 and 5, these rules would need to be placed at the very top to prevent packets from being processed by rules 1 - 3 when the computer is on a trusted or local network.

Rule 6 prohibits remote control of the computer over the RDP protocol. Although the scope of the rule is “all addresses,” it actually only applies to “public networks.”

Rules 7 and 8 prohibit access from the network to the computer’s network services via the TCP and UDP protocols. In fact, the rule only applies to “public networks.”

Rules 9 and 10 allow everyone, without exception, to connect to the computer from any network, of course excluding services prohibited by rules 6 - 8. The rule applies only to programs with permitted network activity. But be very careful: by default, network activity is allowed for almost all programs except untrusted ones.

Rules 11 - 13 allow the reception of incoming ICMP packets for all programs. These rules make no more sense than 1 - 3, because ICMP in the vast majority of cases is used by the ping and tracert programs.

Rule 14 prohibits the reception of all types of ICMP packets, of course, with the exception of those allowed by rules 11 - 13.

Rule 16 prohibits incoming ICMP v6 echo request. ICMP v6 is not needed in the vast majority of cases. It would be possible to ban it completely.

Rule 17 allows everything that is not expressly permitted or prohibited by the previous rules. Although this rule is not displayed on the screen, it is absolutely necessary to remember its existence.

The default KIS firewall settings are certainly good and are suitable for most home computer users, which is who this product is aimed at. But the flexibility and lack of need for additional settings mentioned at the beginning of the article are, unfortunately, achieved at the expense of the security of the users themselves, making this security very dependent on the human factor: the knowledge and error-free actions of the user.