How to Create and Apply a Network Access Rule

ZeroLock® Network Access rules allow the system administrator to restrict what process has access to networking functionality.

A Network Access rule allows the limiting of incoming and/or outbound network traffic.

Rule Creation

1. To create a Network Access rule, from the ZeroLock® Management Console (ZMC), go to Dashboard | Control Policies | Rules. Under the Actions drop-down menu, select Add New Rule.
   
   
   
2. On the New Policy Rule pop-up, select Network Access from the drop-down menu.
    
3. Using the variety of features offered for this Rule Type, craft a rule that fits the exact network access control action you want ZeroLock to monitor.
   
   
   

   Each field of the Network Access Rule screen is described below:

   Name	1	The name of the rule as it will appear on your Rules page when added to a policy.
   Description	2	The description of the rule as it will be on your Rules page and when added to a policy.  This is useful for explaining the purpose of the rule.
   Rule Type	3	Selecting what type of rule to create (SSH-MFA, Hash, Canary, File Access, Network Access, or Program Execution). This can only be changed during initial rule creation. Once the rule is created, this is the only field that can no longer be edited.
   Source Type	4	Select Process, Executable, or Command. Process - will trigger based on the name of the process (either child, parent process, or both, as defined in "Scope" below) running in memory. Executable - will trigger based on the program's filename running in directories such as /bin, /sbin, and others. Command - will trigger based on the full command line arguments used to launch a process.
   Source Process/ Executable/ Command	5	Designate the Regex that matches on the Process, Executable, or Command to be either allowed or blocked from executing another specific Process, Executable, or Command. This allows for granularity by allowing specific processes to execute a program but not others. If you do not want ANY process executing your target program, put a .* in this field.
   Operation	6	Designate whether the source Process, Executable, or Command is inbound, outbound, or both.
   Block Operation	7	Designate whether the source Process, Executable, or Command will be Blocked or Allowed from making a connection. Checking the box Blocks, while leaving it unchecked Allows the connection.
   Target Type	8	Select Process, Executable, or Command. Process - will trigger based on the name of the process (either child, parent process, or both, as defined in "Scope" below)  running in memory. Executable - will trigger based on the program's filename running in directories such as /bin, /sbin, and others. Command - will trigger based on the name of the shell command used to launch the process or executable.
   IP	9	The IP rule allows or restricts access.  You may specify a range of IP addresses with CIDR notation. You may also denote multiple IPs or CIDR ranges with a comma-separated list.
   Scope	10	Specifies if the rule applies to the Process, Executable, or Command occurring as a parent process, a child of another process, or either.
   Alert Level	11	When this rule triggers, designate whether the alert on the Alerts page will be a Low, Medium, or High-level alert.
   Send Email Alerts	12	When this rule triggers, designate whether it will send an email alert to all Users assigned to the Endpoint Group of the endpoint that this rule triggered on. Email alerts can be configured on the System Configuration | System Settings page.  Note: The SMTP server must be configured under System Settings. Emails will be sent to all ZMC users.
   Response Type	13	When this rule is triggered, it will designate the response actions ZeroLock will take. Do Nothing - will simply trigger an alert on the Alerts page where an administrator can either release the alert or manually Kill & Remediate the triggering connection. Suspend - will lock the triggering connection but not end it immediately, waiting for an administrator to choose to release the alert and allow the connection to continue or Kill & Remediate it. Kill - will automatically end the connection, but any actions taken by the connection will remain in place. Remediate - will end the connection and remediate any actions taken on the system by restoring the system to an unaltered state using the backup cache.
   Auto Quarantine	14	When this rule triggers, designate whether the endpoint will be automatically set to Quarantine until an administrator manually Unquarantines the endpoint on the Endpoints page.

4. Once the Network Access Rule is configured, click the Create button at the bottom of the New Policy Rule pop-up menu.

Add New Policy

Before implementing a rule on an endpoint, it must first be applied to a policy.

1. Navigate to the Control Policies | Policies page.  Then select the Add New Policy button.
   
   
2. Give your new policy a name and description in the New Policy pop-up menu. To add the new network access rule, click the Add Rules button.
   
3. On the Policy Rules menu, select any rules you want to add to the new policy. When all are selected, click the Add Selected button at the bottom. 
   
   
4. The following screen appears when Add Selected is chosen.
5. When all preferred rules have been added to the policy, you can configure the order in which your lockdown rules will be evaluated. Lockdown rules (File Access, Network Access, and Program Execution rules) are evaluated top-to-bottom, with the rules on top resolving actions before moving on to the following rule.
   As with a firewall, if an action matches a lockdown rule at the top of the list, it will take the actions specified for that rule and stop evaluating any following rules. If an action does not match, it will continue to the next rule until it matches. If no rules match, then the action is allowed.

Create a New Configuration Profile

To apply a policy to an endpoint, the policy must first be applied to a Configuration Profile.

1. Navigate to the System Configuration | Config Profiles page.  Select Add New Profile.
   
    
2. On the New Configuration Profile pop-up menu, you can configure exactly what actions ZeroLock will take for each protection engine. Here, settings can be fine-tuned for Ransomware, Cryptojacking, and Tampering protection, as well as settings for all Hash Rules set to deny based on a SHA-256 hash.
   
   To apply the policy created, navigate to the Default Control Policy drop-down menu and select the preferred policy. Only one policy may be applied to a Configuration Profile at a time. Once complete, select the Create button at the bottom of the menu.
   
   
   

Apply to New Profile to an Endpoint

Once a Configuration Profile has been created, it must be applied to an endpoint so the settings can take effect.

1. Go to Endpoints and select an endpoint to apply the Network Access policy.  Then, from the Actions drop-down menu, select Set Endpoint Config.
   
   
    
2. On the Set Endpoint Configs drop-down menu, select the created configuration profile from the drop-down menu. Then click the Set Configs button, and the new profile will be assigned to Endpoint #2.
3. Your endpoint is now properly configured with the desired profile, rules and policies.