Introduction
Teramind's Networking rules allow you to detect and prevent network-related threats by monitoring and controlling user interactions with various network protocols and destinations.
Rule Walkthrough
The example below shows how to create a Networking rule that blocks traffic to dangerous ports but explicitly bypasses the block when the connection is destined for an IP address on your approved list.
Setting Up the Rule
General Settings
1. Assign a Rule Name. For example, “Block dangerous ports”.
2. Select a Parent Policy. For example, “Admin Policy”.
3. Select “Activity” for Rule Type.
4. Select “Networking” under Select the type of activities.
Employees
5. Turn on the Inherit targets from Parent Policy option to use the policy’s default targets.
6. Alternatively, turn it off and manually select the employees, departments and/or computers that the rule targets from the Assign to field.
7. Optionally, you can exclude targets in the Exclude from rule field.
Networking
8. Add two condition blocks by clicking the New Condition button two times. Then, configure the conditions as follows:
Condition 1
9. Add the Remote host criterion by clicking the +Add button.
10. In the Except field, specify the IP addresses you wish to allow network access to. In this example, we used a Shared List named “White listed IPs” containing those IP addresses.
Condition 2
11. Add the Remote port criterion by clicking the +Add button.
12. In the Remote port field, add these ports: “20, 21, 22, 23, 137, 138, 139, 445, 1433, 1434, 3389, 6881, 6882, 6883, 6884, 6885, 6886, 6887, 6888, 6889”.
Actions
13. Select the Block action.
14. Optionally, add a message. For example, “Network connection terminated for security reasons.”
15. Optionally, turn on the Use HTML Template option to show the message in a visually appealing template.
Rationale for the Rule
With the first condition, "Remote host", we created an exception for whitelisted IP addresses so that essential and trusted network communications can occur even if they use remote ports listed in the second condition.
With the second condition, "Remote port", we blocked some risky ports because they either involve unencrypted data transmission or facilitate unrestricted remote access to critical systems. Ports 20/21 (FTP) and 23 (Telnet) are dangerous because they send credentials in plaintext. Ports 137-139 and 445 (Windows sharing) and 1433/1434 (SQL) grant access to core networking and database services, making them primary targets for malware and data theft. Port 3389 (RDP) is constantly targeted by brute-force attacks that lead to full system compromise. Lastly, ports 6881-6889 (P2P) pose risks due to bandwidth abuse and malware distribution.
This works because, in Teramind, rule condition blocks are combined with "OR" logic. The rule therefore triggers if the remote host's IP address is not listed in the first condition's Except field, OR if the connection's port is one of those listed in the second condition's Remote port field.
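The following is an added example that models the two condition blocks above and the way they combine; it is not Teramind's own code and does not reproduce its rule engine. It assumes that a "Remote host" condition with only an Except list matches every remote host not on that list, that condition blocks combine with OR as the page states, and it uses constructed addresses in place of the real "White listed IPs" Shared List. An AND combiner is included only for comparison, so you can see which connections each combination would block before relying on the deployed rule.

```python
"""Model of the two-condition Networking rule described above.

Added example, not Teramind's own code. Assumptions: a condition with only an
Except field matches every remote host not on that list, and condition blocks
combine with OR (the page's statement). `all` is offered only for comparison.
"""
from dataclasses import dataclass
from typing import Callable, Iterable, List, Optional


@dataclass(frozen=True)
class Connection:
    remote_host: str  # remote IP address as a string
    remote_port: int


# Constructed stand-in for the "White listed IPs" Shared List (not real hosts).
WHITE_LISTED_IPS = frozenset({"10.0.0.5", "192.168.1.20"})

# Ports from condition 2, exactly as listed in step 12.
BLOCKED_PORTS = frozenset(
    {20, 21, 22, 23, 137, 138, 139, 445, 1433, 1434, 3389} | set(range(6881, 6890))
)

BLOCK_MESSAGE = "Network connection terminated for security reasons."


def remote_host_condition(conn: Connection) -> bool:
    """Condition 1 ("Remote host" with only an Except list): assumed to match
    any remote host that is NOT on the whitelist."""
    return conn.remote_host not in WHITE_LISTED_IPS


def remote_port_condition(conn: Connection) -> bool:
    """Condition 2 ("Remote port"): matches when the port is in the block list."""
    return conn.remote_port in BLOCKED_PORTS


CONDITIONS = {
    "Remote host": remote_host_condition,
    "Remote port": remote_port_condition,
}


def matching_conditions(conn: Connection) -> List[str]:
    """Names of the condition blocks that match this connection."""
    return [name for name, cond in CONDITIONS.items() if cond(conn)]


def evaluate_rule(
    conn: Connection, combine: Callable[[Iterable[bool]], bool] = any
) -> Optional[str]:
    """Return the block message when the combined conditions match, else None.

    `any` is OR, the combination the page describes; pass `all` to see how the
    same two blocks would behave under AND."""
    results = [cond(conn) for cond in CONDITIONS.values()]
    return BLOCK_MESSAGE if combine(results) else None


if __name__ == "__main__":
    samples = [  # constructed connection events
        Connection("203.0.113.9", 22),   # unknown host, dangerous port
        Connection("10.0.0.5", 3389),    # whitelisted host, dangerous port
        Connection("203.0.113.9", 443),  # unknown host, ordinary port
        Connection("10.0.0.5", 443),     # whitelisted host, ordinary port
    ]
    for conn in samples:
        print(conn, matching_conditions(conn),
              "OR:", evaluate_rule(conn), "AND:", evaluate_rule(conn, all))
```

Running the block prints, for each constructed connection, which blocks matched and the outcome under each combiner. The third sample is the one worth checking against a live deployment: under OR a non-whitelisted host on an ordinary port matches the first block on its own, so confirm the deployed rule's behaviour with test connections from a monitored machine before treating it as a port-only block.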

