
Kaspersky PURE 2.0

Firewall: network rules

Contents

- Firewall rules
  - Packet rules
    - Creating a packet rule
    - Editing packet rules
  - Application rules
    - Creating application rules
    - Editing an application rule
    - Configuring network service
    - Allocating range of IP-addresses
    - Extending the range of IP addresses
    - Changing the rule for a group of applications
    - Changing the rule priority
- Configuring notifications of changes in the network
- Advanced Firewall settings
- Firewall working features


Firewall rules

There are two types of Firewall rule used to control network connections:

- Packet rules create general restrictions on network activity, regardless of the applications installed. Example: if you create a packet rule that blocks inbound connections on port 21, no application that uses that port (an FTP server, for example) will be accessible from the outside.
- Application rules create restrictions on the network activity of specific applications. Example: if connections on port 80 are blocked for every application, you can create a rule that allows connections on that port for Firefox only.

Packet rules have a higher priority than application rules. If both a packet rule and an application rule apply to the same kind of network activity, that activity is processed according to the packet rule.

Packet rules

Creating a packet rule

All network connections on your computer are monitored by Firewall. Firewall assigns a status to each connection and, depending on that status, applies rules that filter network activity; as a result it allows or blocks the activity. Packet rules restrict the transfer of packets regardless of the application. You can specify the action Firewall performs when it detects the network activity:

- Allow
- Block
- By application rules. The packet rule is not applied; the rule for the application is applied instead.

Allow and Block rules can be logged. To do this, check the Log events box in the Action section.

To create a packet rule, for example one that allows remote access to your computer desktop, do the following:

1. In the right part of the Firewall settings window, in the Network rules section, click the Settings button.


2. In the Firewall window go to the Packet rules tab.
3. Click the Add button. In the Network rule window that opens, specify the settings for the rule.


4. In the Network rule window in the Action section select the Allow variant.

5. In the Name section click the arrow next to the input field and select the Remote Desktop item.


6. In the Address section select Any address.
7. Check the Log events box if you want to log actions performed according to the rule.

8. In the Network rule window click the OK button. The created rule appears in the list of packet rules on the Packet rule tab.


9. In the Firewall window click the OK button.
10. In the Settings window click the Apply button.

Now any user has remote access to your desktop.


Editing packet rules

All packet rules, whether default or created by the user, can be edited. For example, to block remote access to your computer desktop, edit the Remote Desktop packet rule:

1. In the right part of the Settings window of the Firewall component, in the Network rules section, click the Settings button.

2. In the Firewall window go to the Packet rules tab.
3. In the list of packet rules select the Remote Desktop rule.


4. Click the Edit button. In the Network rule window that opens you can edit the settings of the selected rule.
5. In the Action section change the Allow variant to Block.
6. In the Address section select the Subnet address variant and choose the Public networks item from the displayed list.


7. In the Network rule window click the OK button.
8. The changes are shown in the Firewall window on the Packet rules tab in the list of packet rules: for the Remote Desktop rule, the network type in the Address column changes to Public networks, and the allowing icon in the Permission column changes to a blocking icon.

9. In the Firewall window click the OK button.
10. In the Settings window click the Apply button.

Now only users of local and trusted networks have access to your computer desktop.

Application rules

Creating application rules

You can create application rules for finer filtering of network activity, and edit the rules for a group of applications or for an individual application in a group. Custom rules for individual applications have a higher priority than the rules inherited from a group. Application rules monitor connections over the TCP and UDP protocols only.

When creating an application rule, you can define the action Firewall performs when it detects this type of network activity from the application:

- Allow
- Block
- Prompt (user) for action

The allowing or blocking action of a rule can be recorded in a report; to do this, check the Log events box in the Action section while creating the rule.


To create a rule for an individual application, for example a rule that blocks any network activity of the QIP instant messenger outside your local and trusted networks, perform the following actions:

1. In the right part of the Settings window, in the Network rules section, click the Settings button.
2. In the Firewall window on the Application rules tab select QIP 2012.

3. Click the Edit button.
4. In the Application rules window that opens, go to the Network rules tab.
5. At the top of the window click the Add button.


6. In the Network rule window perform the following actions:
   - In the Action section select the Block action.
   - In the Name section select the Any network activity service.
   - In the Address section select the Subnet address variant and in the displayed list select Public networks.
   - Check the Log events box if you want to log actions performed according to the rule.
   - Click the OK button.


7. The created rule will appear in the Application rules window on the Network rules tab in the list of rules for QIP 2012.


8. Click the OK button in the Application rules window.
9. In the Firewall window click the OK button.
10. In the Settings window click the Apply button.

Editing an application rule

For the default network rules created by Kaspersky PURE you can edit only the action (such rules cannot be deleted). To do this, perform the following actions:

1. In the right part of the Settings window, in the Network rules section, click the Settings button.
2. In the Firewall window on the Application rules tab select the required application.
3. Click the Edit button. In the Application rules window that opens, go to the Network rules tab.
4. From the list of rules for the application, select the rule whose action you want to change.
5. In the Permission column for the selected rule, right-click the action icon.
6. From the context menu select the required action:
   - Allow
   - Block
   - Prompt for action
7. In the Application rules window click the OK button.
8. In the Firewall window click the OK button.
9. In the Settings window click the Apply button.

For a network rule created by the user, you can edit all of its settings. To do this, perform the following actions:

1. In the right part of the Settings window, in the Network rules section, click the Settings button.
2. In the Firewall window on the Application rules tab select the application whose rule you want to edit.
3. Click the Edit button. In the Application rules window that opens, go to the Network rules tab.
4. From the list of rules select the rule you want to edit.
5. Click the Edit button.

6. In the Network rule window change the required settings.


7. In the Network rule window click the OK button.
8. In the Application rules window click the OK button.
9. In the Firewall window click the OK button.
10. In the Settings window click the Apply button.

Configuring network service

When creating any network rule you must specify the network service. The network service describes the settings that characterize the network activity for which the rule is created. You can select a type of network activity from the list or create a new type. A network service includes the following parameters:

- Name. Preferably use names that explicitly describe the rule, for example DNS over TCP.


- Protocol. Firewall restricts connections over the TCP, UDP, ICMP, ICMPv6, IGMP and GRE protocols. If ICMP or ICMPv6 is selected as the protocol, you can also specify the type and the code of the ICMP packet. (TCP, UDP, ICMP, ICMPv6, IGMP and GRE are protocols, that is, sets of rules, for transferring data in a network. An ICMP packet is a packet that carries an error message or reports another exceptional situation that occurred during data transfer; the type and code fields of the ICMP packet identify the situation that occurred.)
- Direction. Firewall controls connections in the following directions:
  - Inbound. The rule is applied to data packets received by your computer.
  - Inbound (stream). The rule applies to network connections initiated from another computer.
  - Inbound/Outbound. The rule applies to inbound and outbound data packets and data streams regardless of direction.
  - Outbound. The rule is applied to data packets sent from your computer.
  - Outbound (stream). The rule applies only to network connections initiated by your computer.
- Remote and Local ports. For the TCP and UDP protocols you can specify the ports used by your computer and by the remote computer. These ports will be controlled by Firewall.

Allocating range of IP-addresses

When defining the conditions of a rule you specify the network service and the network address. As the network address you can use an IP address or specify a network status. In the latter case the addresses are taken from all networks that are currently connected and have the specified status. You can select one of the following statuses:


- Any address. The rule is applied to any IP address.
- Subnetwork addresses with status. The rule is applied to the IP addresses of all networks that are currently connected and have the specified status:
  - Trusted networks
  - Local networks
  - Public networks
- Addresses from group. The rule is applied to the IP addresses included in the specified range. Select one of the existing groups of addresses. If no range of IP addresses in any group suits you, create a new one.


To do this, perform the following steps:

1. At the bottom of the section click the Add link.
2. In the IP address or DNS name window specify the addresses for the group.
3. Click the OK button.
4. In the Network rule window click the OK button.

Kaspersky PURE allocates IP addresses using Classless Inter-Domain Routing (CIDR). CIDR is a method of IP addressing that manages ranges of IP addresses flexibly, without the rigid boundaries of classful addressing, and so uses the finite pool of IP addresses economically, thus enhancing the efficiency of KSOS 2. CIDR uses Variable Length Subnet Masks (VLSM), whereas in classful addressing the mask length is fixed at 0, 1, 2 or 3 bytes.

For example, take the range of IP addresses written as 10.96.0.0/11. In this case the subnet mask is 11111111 11100000 00000000 00000000 in binary, or 255.224.0.0 in decimal notation. 11 bits of the IP address are allocated to the network number; the remaining 21 bits (32 - 11 = 21) of the full address are allocated to the local address within the network. To sum up, 10.96.0.0/11 is the range of addresses from 10.96.0.1 to 10.127.255.255.

Remember that when CIDR addressing is used in IPv4 networks, the rule is in any case applied to the whole network. To convert IP addresses into CIDR notation, Kaspersky Lab experts recommend using any web site that offers a free IP-to-CIDR conversion service (for example, http://ip2cidr.com/).

Extending the range of IP addresses

Each network corresponds to one or more ranges of IP addresses. If you connect to a network whose subnetworks are reached through a router, you can manually add the subnetworks accessible through it. Example: you connect to the network in one office of your company and want to use the same filtering rules for the office you are connected to directly and for the offices reachable over the network. Obtain the network address ranges of those offices from the network administrator and add them. To extend the range of network addresses, perform the following:

1. In the right part of the Firewall settings window, in the Networks section, select the active connection and click the Edit button.
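The mask and range arithmetic described above, worked through in plain Python as an added example (this is not code from the Kaspersky document; the function names are my own, and the range check models only the address condition of a rule):

```python
# Added example: CIDR arithmetic for ranges such as 10.96.0.0/11, using plain
# 32-bit integer operations so every step of the mask derivation is visible.

def ip_to_int(ip: str) -> int:
    """Convert a dotted-quad IPv4 string to a 32-bit integer."""
    parts = [int(p) for p in ip.split(".")]
    if len(parts) != 4 or any(not 0 <= p <= 255 for p in parts):
        raise ValueError(f"invalid IPv4 address: {ip}")
    return (parts[0] << 24) | (parts[1] << 16) | (parts[2] << 8) | parts[3]


def int_to_ip(n: int) -> str:
    """Convert a 32-bit integer back to dotted-quad notation."""
    return ".".join(str((n >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def prefix_to_mask(prefix_len: int) -> int:
    """/11 -> eleven one-bits followed by 21 zero-bits, i.e. 255.224.0.0."""
    if not 0 <= prefix_len <= 32:
        raise ValueError("prefix length must be 0..32")
    return (0xFFFFFFFF << (32 - prefix_len)) & 0xFFFFFFFF


def parse_cidr(cidr: str):
    """Return (network_int, mask_int, prefix_len) for 'a.b.c.d/n'.

    A bare address without '/n' is treated as a single host (/32).  Host bits
    set in the written address are cleared: the rule applies to the whole
    network, as the text notes for IPv4.
    """
    addr, _, plen = cidr.partition("/")
    prefix_len = int(plen) if plen else 32
    mask = prefix_to_mask(prefix_len)
    return ip_to_int(addr) & mask, mask, prefix_len


def cidr_range(cidr: str):
    """Lowest and highest address covered by the range, plus the host-bit count."""
    net, mask, plen = parse_cidr(cidr)
    highest = net | (~mask & 0xFFFFFFFF)   # all host bits set
    return int_to_ip(net), int_to_ip(highest), 32 - plen


def mask_binary(cidr: str) -> str:
    """The mask as four binary octets, as written in the text."""
    _, mask, _ = parse_cidr(cidr)
    return " ".join(f"{(mask >> s) & 0xFF:08b}" for s in (24, 16, 8, 0))


def address_in_range(ip: str, cidr: str) -> bool:
    """Would a rule whose address condition is `cidr` match this IP?"""
    net, mask, _ = parse_cidr(cidr)
    return (ip_to_int(ip) & mask) == net


if __name__ == "__main__":
    print(mask_binary("10.96.0.0/11"))                  # 11111111 11100000 00000000 00000000
    print(int_to_ip(parse_cidr("10.96.0.0/11")[1]))     # 255.224.0.0
    print(cidr_range("10.96.0.0/11"))                   # ('10.96.0.0', '10.127.255.255', 21)
    print(address_in_range("10.100.3.4", "10.96.0.0/11"))   # True
    print(address_in_range("10.128.0.1", "10.96.0.0/11"))   # False
```

The lowest value computed is the network address 10.96.0.0 itself; the text starts counting usable host addresses at 10.96.0.1.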


2. In the Network connection window on the Properties tab in the Additional subnetworks section click the Add link.

3. In the IP address window specify an IP address or address masks.

4. Click the OK button.
5. In the Network connection window click the OK button.
6. In the Settings window click the Apply button.

Changing the rule for a group of applications

Firewall analyzes the activity of each application running on your computer. Depending on its threat rating, every application is placed in one of the following groups:

- Trusted. Trusted applications are applications with digital signatures of trusted vendors, or whose signatures are included in the trusted applications database. The activity of such applications is monitored by Proactive Defense and File Anti-Virus. Applications in this group are allowed any network activity irrespective of the network status.
- Low Restricted. Low restricted applications are applications without digital signatures of trusted vendors and not included in the trusted applications database, but to which a low risk rating has nevertheless been assigned. Applications in this group are allowed any network activity in non-interactive mode. If you are using the interactive mode, a notification is displayed on the screen, from which you can allow or block the connection or create an application rule using the Wizard.
- High Restricted. High restricted applications are applications without digital signatures and not included in the trusted applications database, to which a high risk rating has been assigned. Applications in this group are not allowed network activity in non-interactive mode. If you are using the interactive mode, a notification is displayed on the screen, from which you can allow or block the connection or create an application rule using the Wizard.
- Untrusted. Untrusted applications are applications without digital signatures and not included in the trusted applications database, to which a very high risk rating has been assigned. Any network activity is prohibited for applications in this group.

You can modify the rules for a whole group. Custom rules for individual applications have a higher priority than the rules inherited from a group. If you create an allowing rule for a whole group of applications and a blocking rule for a particular application in that group, the network activity of that application is restricted according to its own rule, because that rule has the higher priority.

To change the rules for a group of applications, for example if you want low restricted programs to have unrestricted network access within local networks, perform the following actions:

1. In the right part of the settings window of the Firewall component, in the Network rules section, click the Settings button.


2. In the Firewall window go to the Application rules tab.
3. Select the Low restricted group of applications.
4. Click the Edit button.


5. In the Group rules window go to the Network rules tab and click the Add button.

6. In the Network rule window in the Action section select Allow, and in the Name section select Any network activity and click the OK button.


7. In the Network rule window click the OK button.
8. In the Firewall window click the OK button.
9. In the Settings window click the OK button.

Now all applications of the Low Restricted group have unrestricted rights to network activity.

Changing the rule priority

The priority of a rule is determined by its position in the list of rules: the first rule in the list has the highest priority. Each manually created packet rule is added to the end of the list of packet rules. Application rules are grouped by program name, and rule priority applies within that group only. Manually created rules for applications have a higher priority than the rules inherited from the group. To change the rule priority, perform the following actions:

1. In the right part of the settings window of the Firewall component, in the Network rules section, click the Settings button.
2. In the Firewall window go to the Application rules tab and select the required application.
3. Click the Edit button.
4. The Application rules window opens. Go to the Network rules tab.
5. Select a rule and move it to the required place in the list by clicking the Move up and Move down buttons.


6. In the Application rules window click the OK button.
7. In the Firewall window click the OK button.
8. In the Settings window click the Apply button.
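To make the precedence rules of this document concrete (packet rules over application rules, an application's own rules over those inherited from its group, and list position within one list), here is an added Python model of the decision logic. It is not Kaspersky code: the Rule and Firewall classes and the "RDP host" application are my own names, Remote Desktop is assumed to be inbound TCP 3389, and the fallback when no rule matches is an assumption the text does not state.

```python
from dataclasses import dataclass, field
from typing import Optional

# Network statuses Firewall assigns to connected networks (names from the document).
TRUSTED, LOCAL, PUBLIC = "Trusted networks", "Local networks", "Public networks"


@dataclass
class Rule:
    name: str
    action: str                      # "Allow", "Block", "Prompt", "By application rules"
    protocol: Optional[str] = None   # None = any protocol
    direction: Optional[str] = None  # None = any direction
    port: Optional[int] = None       # None = any port
    address: Optional[str] = None    # None = Any address, else a network status

    def matches(self, proto, direction, port, status):
        """Every field that is set must agree with the connection."""
        return all(want is None or want == got for want, got in
                   ((self.protocol, proto), (self.direction, direction),
                    (self.port, port), (self.address, status)))


def first_match(rules, conn):
    """Position in the list is the priority: the first matching rule wins."""
    return next((r for r in rules if r.matches(*conn)), None)


def move_rule(rules, name, up=True):
    """Model of the Move up / Move down buttons: swap with the neighbour."""
    i = next(i for i, r in enumerate(rules) if r.name == name)
    j = max(i - 1, 0) if up else min(i + 1, len(rules) - 1)
    rules[i], rules[j] = rules[j], rules[i]


@dataclass
class Firewall:
    packet_rules: list = field(default_factory=list)
    app_rules: dict = field(default_factory=dict)    # application -> [Rule]
    group_rules: dict = field(default_factory=dict)  # group -> [Rule]
    app_group: dict = field(default_factory=dict)    # application -> group

    def decide(self, app, proto, direction, port, status):
        conn = (proto, direction, port, status)
        # 1. Packet rules outrank application rules unless they defer to them.
        pr = first_match(self.packet_rules, conn)
        if pr is not None and pr.action != "By application rules":
            return pr.action
        # 2. The application's own rules beat the rules inherited from its group.
        for rules in (self.app_rules.get(app, []),
                      self.group_rules.get(self.app_group.get(app), [])):
            r = first_match(rules, conn)
            if r is not None:
                return r.action
        return "Prompt"  # assumed fallback when nothing matches; not stated in the text


def build_example():
    """Constructed scenario mirroring the document's walkthroughs."""
    fw = Firewall()
    # Packet rule from "Editing packet rules": block Remote Desktop from public networks.
    # Remote Desktop is modelled as inbound TCP 3389 (assumption; the text names no port).
    fw.packet_rules.append(Rule("Remote Desktop", "Block", "TCP", "Inbound", 3389, PUBLIC))
    fw.app_group["QIP 2012"] = "Low Restricted"
    fw.app_group["RDP host"] = "Trusted"          # hypothetical application name
    # Group rule from "Changing the rule for a group": Low Restricted may do anything locally.
    fw.group_rules["Low Restricted"] = [Rule("Any network activity", "Allow", address=LOCAL)]
    # Application rules for QIP 2012: an allowing rule listed above the blocking one.
    fw.app_rules["QIP 2012"] = [Rule("HTTPS out", "Allow", "TCP", "Outbound", 443, PUBLIC),
                                Rule("Any network activity", "Block", address=PUBLIC)]
    fw.app_rules["RDP host"] = [Rule("Any network activity", "Allow")]
    return fw
```

Moving "Any network activity" above "HTTPS out" with move_rule flips the decision for QIP's outbound port 443 traffic from Allow to Block, which is exactly what the Move up button does to priority.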

Configuring notifications of changes in the network

Network connection settings can change during operation. You can receive notifications of the following changes:

- A network connection is established.
- The correspondence between a MAC address and an IP address changes. The notification appears if the IP address of a computer on the network has changed.
- A new MAC address appears. The notification appears if a new computer has been added to the network.

Note that notifications about changes in the network can be configured only for networks with the status Local network or Trusted network.


To enable notifications about changes to network connection settings, perform the following:

1. In the right part of the Firewall settings window, in the Networks section, select the active connection and click the Edit button.

2. In the Network connection window go to the Additional tab.
3. Check the boxes next to the events whose notifications you want to receive.


4. In the Network connection window click the OK button.
5. In the Settings window click the Apply button.

Advanced Firewall settings

You can specify additional settings for Firewall operation:

- Allow active FTP mode. In active mode, to establish the connection between the server and the client, a port is opened on the client computer to which the server then connects (unlike passive mode, where the client connects to the server). This mode allows control over exactly which port is opened. The mechanism works even if a blocking rule has been created. By default, active FTP mode is allowed.
- Block connections if there is no possibility to prompt for action (application interface is not loaded). This setting avoids disruption of Firewall operation while the Kaspersky PURE interface is not loaded. This is the default action.
- Do not disable Firewall until the system totally stops. This setting avoids disruption of Firewall operation until the system has completely shut down. This is the default action.

By default all of these settings are enabled. To modify the advanced Firewall settings, perform the following:

1. In the right part of the Firewall settings window, in the Network rules section, click the Settings button.


2. In the Firewall window go to the Packet rules tab and click the Additional button.


3. In the Additional window check or uncheck the boxes next to the required settings and click the OK button.

4. In the Firewall window click the OK button.
5. In the Settings window click the Apply button.

Firewall working features

When working with the Firewall component, keep the following peculiarities in mind:

- Firewall rules do not affect Network Attack Blocker.
- For the Local network zone, ICMP packets are always allowed.
