Controlling network access
This protection mode makes it possible to control specific applications’ incoming or outgoing access to networks.
Access can be filtered by:
- Network events such as "bind", "accept" (server rule) and "connect" (client rule),
- TCP and UDP protocols,
- Specific ports,
- Specific IPv4 or IPv6 addresses.
Communications between the SES Evolution server and agents do not need to be explicitly opened as the agent's self-protection mechanism guarantees that no security rules can block communications.
Network rules make it possible to:
- Protect a server by controlling access to the host,
- Force users of a service in the company to use a specific application to access a given network resource.

The following must be created beforehand:
- Application IDs for the applications that are allowed, or not allowed, to access the network. For more information, refer to the section Creating application identifiers.
- Network IDs for the IP addresses that you want to protect. For more information, refer to the section Creating network identifiers.

There are two types of rules: client rules and server rules.
- As part of a rule set that applies to workstations, client rules allow or do not allow applications to connect to remote resources (Remote field) by controlling the "connect" network event. They also make it possible to restrict the rule to specific local subnets, for example (Local field).
- As part of a rule set that applies to servers, server rules allow or do not allow applications to open ports and accept incoming connections (Local field) by controlling the "bind" and "accept" network events. They also make it possible to specify the source of connections (Remote field).
To create a network access rule:
- Select the Policies menu and click on your policy.
- Select a rule set.
- Click on the Networks > firewall tab.
- If you are in read-only mode, click on Edit in the upper banner.
- Choose whether to add a client network rule or a server network rule by clicking on one of the Add a rule buttons. A new row appears.
- Choose the network IDs of the resources you want to protect in the left side of the rule:
  - Include (Local): local resource impacted by the rule. E.g., if the workstation has several network cards, you can specify which card is impacted.
  - Exclude (Local): local resource excluded from the rule.
  - Include (Remote): remote resource impacted by the rule. E.g., the internet.
  - Exclude (Remote): remote resource excluded from the rule.
- In the Ports field, indicate the ports affected by the network rule. These ports are the destination ports for client rules and the local ports for server rules.
  - To add several ports at one go, separate them with commas. Example: 8080,8081.
  - To add a port range, separate the first value and last value with a dash. Example: 80-90.
  - Leave the field empty to specify that all ports are concerned.
- Choose the TCP or UDP transport protocol, or both.
- In Default behavior, choose the behavior of each Connect, Accept or Bind network event:
  - Accept (for server rules): allows or does not allow specified applications to receive incoming connections on the network resource(s) indicated,
  - Bind (for server rules): allows or does not allow specified applications to open connections on the network resource(s) indicated,
  - Connect (for client rules): allows or does not allow specified applications to connect to the network resource(s) indicated.
  For each event, select:
  - Allow to allow the action by default,
  - Block to block the action by default,
  - Block and kill to block the action by default, and shut down the process that launched the action.
Exceptions to the default behavior can be defined per application:
- Click on + Add a specific behavior and choose the application identifiers of the resource(s) that you want to exclude from the default behavior.
EXAMPLE
This client rule blocks connections from the network card on the unprotected network to the internet and to the protected network over TCP ports 80, 443 and 8080. Only the web server specified in the protected network can still be reached.
- In the upper banner of the rule, you can:
  - Make the rule passive. Passive rules behave like standard rules but do not actually block any actions. The agent only generates logs that indicate which actions security rules would have blocked. Use this mode to test new restriction rules, find out their impact, and make the necessary adjustments before disabling Passive rule mode. For further information on testing rules and policies, refer to Testing security policies.
  - Indicate whether the rule must generate an incident when it is applied.
  - Select the log settings that this rule will send.
  - Specify whether an action must be performed when a log is sent for this rule. You can choose to display a notification on the agent and/or run a script.
  - Enter a description to explain what this rule aims to achieve.
- The row number of each rule appears on its left. Rearrange the sequence of your rules if you need to, by clicking on the arrows above and below the row number.
- Click on Save at the top right of the window to save changes.
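To see how the fields of a rule combine (event type, protocol, Ports syntax, Include/Exclude networks, default behavior, specific behaviors and passive mode), here is a small decision model written for this page. It is an added illustration, not Stormshield's implementation or any SES Evolution API; the dict layout, the CIDR strings and the application ID "web-server-app" are assumptions, and the rule data is constructed after the EXAMPLE above.

```python
# Added example (illustrative model, not Stormshield's code): how a client
# network rule like the one in the EXAMPLE decides a "connect" event.
import ipaddress

def parse_ports(field):
    """Ports field: '' = all ports, '8080,8081' = list, '80-90' = range."""
    if not field.strip():
        return None                      # None = every port is concerned
    ports = set()
    for part in field.split(","):
        lo, _, hi = part.strip().partition("-")
        ports.update(range(int(lo), int(hi or lo) + 1))
    return ports

def in_networks(addr, cidrs):
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(c) for c in cidrs)

def matches(rule, event):
    """Is the event within the rule's scope (event, protocol, ports, networks)?"""
    if event["event"] not in rule["events"] or event["proto"] not in rule["protocols"]:
        return False
    # Client rules filter destination ports, server rules local ports.
    port = event["dport"] if rule["type"] == "client" else event["lport"]
    ports = parse_ports(rule["ports"])
    if ports is not None and port not in ports:
        return False
    for side in ("local", "remote"):     # Include/Exclude (Local) and (Remote)
        inc, exc = rule["include"][side], rule["exclude"][side]
        if (inc and not in_networks(event[side], inc)) or in_networks(event[side], exc):
            return False
    return True

def decide(rule, event):
    """Verdict for the process: 'allow', 'block', 'block_and_kill' or 'no_match'."""
    if not matches(rule, event):
        return "no_match"
    # A specific behavior for the application ID overrides the default behavior.
    verdict = rule["specific"].get(event["app_id"], rule["default"])
    if rule["passive"] and verdict != "allow":
        return "allow"                   # passive mode: only logs what would be blocked
    return verdict

# Constructed rule modelled on the EXAMPLE: block TCP 80/443/8080 from the card on the
# unprotected network (assumed 192.0.2.0/24) to anywhere, except the protected web server.
EXAMPLE_RULE = {
    "type": "client", "events": {"connect"}, "protocols": {"tcp"},
    "ports": "80,443,8080", "default": "block", "passive": False,
    "include": {"local": ["192.0.2.0/24"], "remote": ["0.0.0.0/0"]},
    "exclude": {"local": [], "remote": ["198.51.100.10/32"]},   # web server (assumed)
    "specific": {"web-server-app": "allow"},                     # hypothetical app ID
}
```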