Intrusion Prevention
You can register IP addresses to allow or block on an agent system, that is,
a computer where the security product is installed. An allowed IP address
is not blocked by the configured firewall rules. For example, if 127.0.0.1
is added to the allowed IP address list, network connections through
127.0.0.1 are allowed regardless of the configured firewall rules.
Note
If network intrusion prevention is not enabled, the system can be exposed
to attacks such as worms or Trojan horses. Turn off the intrusion prevention
function when you install Host IPS for Windows.
Network Intrusion Prevention
You can specify the network intrusion prevention settings in the following
way.
- Log in to the admin console.
- Click Policy > Security Program Policy.
- Click Add to move
to Anti-Malware Policy > V3 Net.
- Click Network Security
> Network Security > Intrusion Prevention.
- Enable or disable the server policy settings.
To apply the server settings to agents, select Server
Policy Settings.
- Apply the network intrusion prevention settings configured
in the agents: Keeps the network intrusion prevention settings already
configured on an agent system, without applying the server settings.
- Apply the server policy: Applies the network
intrusion prevention settings in the server to an agent system.
- Enable or disable the settings for blocking
network intrusion. To enable network intrusion prevention, select
Intrusion Prevention.
- Enable signature-based
protection: If enabled, the user PC will be protected based on the
network intrusion prevention rules.
- Add the exception rules
for network intrusion prevention. Specifies, in the exception rules list,
the rules that are not used for network intrusion prevention. All other
rules are applied to an agent system as configured in the default settings.
- Add: Click Add to specify exception rules, which will
not be used for network intrusion prevention. Click Add to add exception
rules in <Excluded Rule>.
- Delete: Deletes a
rule registered in the exception rules list. Select the required item
in the exception rules list and then click Delete.
When the message Do you want to delete the selected exclusion? appears,
click Yes to delete the selected rule from the list.
- To specify
an IP address to allow or block, select the
Enable IP Filtering checkbox.
- Temporarily block attacker's IP address: Any
inbound traffic from an IP address detected by the network intrusion
prevention rules is blocked for 30 minutes.
- Blocked IPs: Keeps blocking any inbound traffic
from the blocked IP address.
- Add: Adds an IP address to block. Specifies
an IP address to block in <Add a Blocked IP Address>.
- Modify: Click an IP address registered in the
blocked IP addresses list and then click Modify to revise the required
information in <Modify a Blocked IP Address>.
- Allowed IPs: Allows all inbound and outbound
traffic for the allowed IP address, without applying the network
intrusion prevention rules and without querying the AhnLab cloud server
for malicious IP address detection.
- Add: Adds an IP address to allow. Specifies
an IP address to allow in <Add an Allowed IP Address>.
- Modify: Click an IP address registered in the
allowed IP addresses list and then click Modify to revise the required
information in <Modify an Allowed IP Address>.
- Delete: Select an IP address from the allowed/blocked
IP addresses list and then click Delete
to delete an IP address registered in the list.
- Allowed/Blocked IP Address: You can configure
Single IP Address/Subnet Mask for configuring
allowed or blocked IP addresses.
Note
An IP address must be entered as Single IP Address/Subnet Mask, that is,
in CIDR notation with a prefix length after the slash.
If the IP address is IPv4, the prefix length must be between 1 and 32, e.g.
192.168.0.12/1, 192.168.0.12/24, 192.168.0.12/32.
If the IP address is IPv6, the prefix length must be between 1 and 128, e.g.
2002:9b3d:1a32:4:208:74ff:fe39:0/112, 2002:9b3d:1a32:4:208:74ff:fe39:0/128.
A short prefix matches a very large range (192.168.0.12/1 covers 128.0.0.0
through 255.255.255.255), so keep allowed entries as specific as possible,
since an allowed address bypasses the intrusion prevention rules entirely.
- Single IP Address/Subnet Mask: Allows or blocks
a specific IP address or a subnet mask specified by a user.
- IP Range: Allows or blocks IP addresses between
a starting IP address and an ending IP address.
- Starting IP: Specifies
a starting IP address for an IP range.
- Ending IP: Specifies
an ending IP address for an IP range. The ending IP address must be
greater than the starting IP address.
- Select Enable Port Filtering
to add ports to allow or block.
- Block all ports: Blocks all ports on the selected
group or agent. If this option is enabled, all network connections,
regardless of their status, are disconnected.
Warning
Blocking all ports denies every port on the computer or the network, so
all network communication is cut off. Review the settings carefully before
applying them.
- Block only
the user-defined ports: Blocks only the user-defined port but allows
other ports. Select the option for Block only the port specified by
user and then click Blocked Port Settings to configure the
settings for the protocol, port type and access permission in <Blocked
Port Settings>.
- Allow only the user- defined ports: Allows
only the user-defined port but blocks other ports. Select the option
for Allow only the port specified by user and then click Allowed Port
Settings to configure the settings for the protocol, port type and
access permission in <Allowed Port Settings>.
- Select Port Exception
Settings. The port blocking rules registered in the list are not applied
to these ports; connections on them are always allowed.
- Port No.: The port number
- Enable: The enabled or disabled status for
the exception port. Enabled/Disabled
- Protocol: Indicates the protocol information
such as TCP or UDP.
- Access Permission: Indicates an access permission
type such as allow all, allow outbound, etc.
- Port Type: Indicates a port type such as remote,
local, remote/local, etc.
- Click Save.
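The Allowed/Blocked IP Address entries above have two forms, Single IP Address/Subnet Mask and IP Range, and the page states how they are validated and what precedence an allowed address has. The following is an added example, not AhnLab's code, that models those rules: the mandatory prefix length (1 to 32 for IPv4, 1 to 128 for IPv6), the ending IP being greater than the starting IP, allowed addresses bypassing the intrusion prevention rules, and the 30-minute temporary block of an attacker. The order in which the lists are consulted, the timer handling, and all sample addresses are assumptions made for the illustration.

```python
"""Allowed/Blocked IP entry validation and matching, modelled on the
Enable IP Filtering options. Added illustration, not AhnLab code.
Decision order (assumption): allowed list, blocked list, temporary
blocks, then the normal intrusion prevention rules ("inspect")."""
import ipaddress
from datetime import datetime, timedelta

TEMP_BLOCK_DURATION = timedelta(minutes=30)  # duration stated in the documentation


def parse_cidr_entry(text):
    """Parse a 'Single IP Address/Subnet Mask' entry such as 192.168.0.12/24.

    The prefix length is mandatory and must be 1..32 (IPv4) or 1..128 (IPv6).
    Host bits are permitted, so 192.168.0.12/24 becomes the network 192.168.0.0/24.
    """
    addr, sep, prefix = text.partition("/")
    if not sep:
        raise ValueError(f"{text!r}: Single IP Address/Subnet Mask must be entered")
    ip = ipaddress.ip_address(addr)          # raises ValueError on a malformed address
    length = int(prefix)                     # raises ValueError on a non-numeric prefix
    if not 1 <= length <= ip.max_prefixlen:
        raise ValueError(f"{text!r}: subnet mask must be between 1 and {ip.max_prefixlen}")
    return ipaddress.ip_network(f"{ip}/{length}", strict=False)


def parse_range_entry(starting_ip, ending_ip):
    """Parse an 'IP Range' entry; the ending IP must be greater than the starting IP."""
    start = ipaddress.ip_address(starting_ip)
    end = ipaddress.ip_address(ending_ip)
    if start.version != end.version:
        raise ValueError("starting and ending IP must be the same IP version")
    if end <= start:
        raise ValueError("ending IP must be greater than the starting IP")
    return (start, end)


def is_valid_cidr_entry(text):
    try:
        parse_cidr_entry(text)
    except ValueError:
        return False
    return True


def is_valid_range_entry(starting_ip, ending_ip):
    try:
        parse_range_entry(starting_ip, ending_ip)
    except ValueError:
        return False
    return True


def entry_matches(entry, ip):
    """True if the address falls inside a parsed CIDR entry or a (start, end) range."""
    if isinstance(entry, tuple):
        start, end = entry
        return ip.version == start.version and start <= ip <= end
    return ip in entry  # ip_network.__contains__ is False across IP versions


class IpFilter:
    def __init__(self, allowed=(), blocked=()):
        self.allowed = list(allowed)
        self.blocked = list(blocked)
        self.temporary = {}  # attacker address -> time the temporary block expires

    def temporarily_block(self, attacker_ip, now):
        """Called when an intrusion prevention rule detects an attacker."""
        self.temporary[ipaddress.ip_address(attacker_ip)] = now + TEMP_BLOCK_DURATION

    def decide(self, peer_ip, now):
        ip = ipaddress.ip_address(peer_ip)
        if any(entry_matches(e, ip) for e in self.allowed):
            return "allow"            # exempt from IPS rules and the cloud malicious-IP check
        if any(entry_matches(e, ip) for e in self.blocked):
            return "block"            # permanent Blocked IPs entry
        expiry = self.temporary.get(ip)
        if expiry is not None:
            if now < expiry:
                return "block-temporary"
            del self.temporary[ip]    # 30 minutes elapsed; lift the block
        return "inspect"              # fall through to the intrusion prevention rules


def build_sample_filter():
    """Constructed sample lists; the addresses are not from any real deployment."""
    return IpFilter(
        allowed=[parse_cidr_entry("127.0.0.1/32"),
                 parse_cidr_entry("2002:9b3d:1a32:4:208:74ff:fe39:0/112")],
        blocked=[parse_range_entry("10.0.0.5", "10.0.0.20"),
                 parse_cidr_entry("198.51.100.0/24")],
    )


def sample_decisions():
    """Run the constructed scenario and return (probe address, decision) pairs."""
    f = build_sample_filter()
    t0 = datetime(2024, 1, 1, 12, 0)
    f.temporarily_block("203.0.113.9", t0)  # an IPS rule fired on this address at t0
    probes = [("127.0.0.1", t0), ("10.0.0.7", t0), ("10.0.0.21", t0),
              ("198.51.100.77", t0), ("203.0.113.9", t0 + timedelta(minutes=10)),
              ("203.0.113.9", t0 + timedelta(minutes=31)),
              ("2002:9b3d:1a32:4:208:74ff:fe39:abcd", t0)]
    return [(ip, f.decide(ip, t)) for ip, t in probes]


if __name__ == "__main__":
    for ip, decision in sample_decisions():
        print(f"{ip:40} -> {decision}")
```

The two validation helpers reproduce the console's rejection of an entry without a prefix length or with a prefix outside the documented bounds; the `decide` method shows why an over-broad allowed entry is dangerous, since anything it matches returns "allow" before the intrusion prevention rules are ever consulted.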
Click Blocked Port Settings or Allowed
Port Settings to specify the allowed or blocked port settings.
Block Port denies only the user-specified
port. All other ports will be allowed. Allow Port
allows only the user-specified port. All other ports will be denied.
- Protocol
- TCP: Allows or blocks
the TCP communication in the registered port.
- UDP: Allows or blocks
the UDP communication in the registered port.
Note
Allows or blocks only the TCP and UDP communication. Does
not allow or block the communication of protocols other than TCP or UDP.
- Port Type
- Local Port: Indicates
a port in the agent computer.
- Remote Port: Indicates
a port in another computer that an agent computer tries to access.
- Type
- Single Port: Specifies
a single port number to allow or block for the local or remote port being defined.
- Port Range: Specifies
a range of port numbers to allow or block for the local or remote port being defined.
- Access Permission
- Block inbound connections:
Allows or blocks inbound packets received on the user-defined port.
- Block outbound connections:
Allows or blocks outbound packets sent from the user-defined port.
- Block All: Allows
or blocks both inbound and outbound packets on the user-defined port.
Note
To modify or delete a port added in the allowed/blocked
ports list, select the required port in the list and then click Modify or Delete.
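The port filtering options above combine a mode (Block all ports, Block only the user-defined ports, Allow only the user-defined ports), a list of port entries with protocol, port type, single port or range, and access permission, and a list of exception ports that are always allowed. The following is an added example, not AhnLab's code, that evaluates sample packets against such a configuration under the semantics the page states: only TCP and UDP are filtered, Local Port is the agent's own port and Remote Port the peer's, and exception ports override the blocking rules. Treating the access permission of an entry as the direction it applies to in both the blocked and the allowed dialogs, checking exceptions before the mode, and all sample rules and packets are assumptions made for the illustration.

```python
"""Port filtering decision model for the Enable Port Filtering settings.
Added illustration, not AhnLab code."""
from dataclasses import dataclass

BLOCK_ALL = "block_all"                 # Block all ports
BLOCK_USER_DEFINED = "block_listed"     # Block only the user-defined ports
ALLOW_USER_DEFINED = "allow_listed"     # Allow only the user-defined ports


@dataclass(frozen=True)
class PortRule:
    protocol: str         # "TCP" or "UDP" (nothing else is filtered)
    port_type: str        # "local" (port on the agent) or "remote" (port on the peer)
    first_port: int       # single port: first_port == last_port
    last_port: int
    access: str           # "inbound", "outbound" or "all" (assumed direction semantics)
    enabled: bool = True  # exception ports carry an Enabled/Disabled flag


@dataclass(frozen=True)
class Packet:
    protocol: str         # "TCP", "UDP", "ICMP", ...
    direction: str        # "inbound" (received by the agent) or "outbound" (sent by it)
    local_port: int
    remote_port: int


def rule_matches(rule, pkt):
    """Does this entry cover the packet's protocol, port and direction?"""
    if not rule.enabled or rule.protocol != pkt.protocol:
        return False
    port = pkt.local_port if rule.port_type == "local" else pkt.remote_port
    if not rule.first_port <= port <= rule.last_port:
        return False
    return rule.access == "all" or rule.access == pkt.direction


def decide(mode, rules, exceptions, pkt):
    """Return "allow" or "block" for one packet under the given mode."""
    if pkt.protocol not in ("TCP", "UDP"):
        return "allow"   # documented: protocols other than TCP/UDP are not filtered
    if any(rule_matches(e, pkt) for e in exceptions):
        return "allow"   # documented: exception ports are always allowed
    if mode == BLOCK_ALL:
        return "block"   # every other connection is dropped
    listed = any(rule_matches(r, pkt) for r in rules)
    if mode == BLOCK_USER_DEFINED:
        return "block" if listed else "allow"
    if mode == ALLOW_USER_DEFINED:
        return "allow" if listed else "block"
    raise ValueError(f"unknown mode {mode!r}")


# Constructed sample configuration, not taken from any real deployment.
SAMPLE_RULES = [
    PortRule("TCP", "local", 3389, 3389, "inbound"),   # RDP into the agent
    PortRule("TCP", "local", 135, 139, "all"),         # RPC/NetBIOS range, both directions
    PortRule("UDP", "remote", 53, 53, "outbound"),     # DNS queries to a remote resolver
]
SAMPLE_EXCEPTIONS = [
    PortRule("TCP", "local", 22, 22, "all"),                     # SSH always allowed
    PortRule("TCP", "local", 8080, 8080, "all", enabled=False),  # disabled: no effect
]
SAMPLE_PACKETS = {
    "rdp_in": Packet("TCP", "inbound", 3389, 51000),
    "rdp_out": Packet("TCP", "outbound", 3389, 51000),
    "smb_in": Packet("TCP", "inbound", 139, 51001),
    "dns_out": Packet("UDP", "outbound", 54000, 53),
    "ssh_in": Packet("TCP", "inbound", 22, 51002),
    "proxy_in": Packet("TCP", "inbound", 8080, 51003),
    "ping_in": Packet("ICMP", "inbound", 0, 0),
}


def decisions(mode):
    """Evaluate every sample packet under one mode; returns {name: decision}."""
    return {name: decide(mode, SAMPLE_RULES, SAMPLE_EXCEPTIONS, pkt)
            for name, pkt in SAMPLE_PACKETS.items()}


if __name__ == "__main__":
    for mode in (BLOCK_ALL, BLOCK_USER_DEFINED, ALLOW_USER_DEFINED):
        print(mode, decisions(mode))
```

Running the three modes over the same packets makes the practical differences visible: Block all ports still lets the SSH exception and the ICMP ping through, the disabled 8080 exception has no effect, and a rule whose access permission is "inbound" does nothing for outbound packets on that port, which is what the Block inbound connections option described above means.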