Introduction
Teramind's Networking rules allow you to detect and prevent network-related threats by monitoring and controlling user interactions with various network protocols and destinations.
Rule Walkthrough
The example below shows how to create a Networking rule that blocks traffic to dangerous ports but explicitly bypasses the block when the connection is destined for an IP address on your approved list.
Setting Up the Rule
General Settings
1. Assign a Rule Name. For example, “Block dangerous ports”.
2. Select a Parent Policy. For example, “Admin Policy”.
3. Select “Activity” for Rule Type.
4. Select “Networking” under Select the type of activities.
Employees
5. Turn on the Inherit targets from Parent Policy option to use the policy’s default targets.
6. Alternatively, turn it off and manually select the employees, departments and/or computers that the rule targets in the Assign to field.
7. Optionally, you can exclude targets in the Exclude from rule field.
Networking
8. Add two condition blocks by clicking the New Condition button two times. Then, configure the conditions as follows:
Condition 1
9. Add the Remote host criterion.
10. In the Except field, add the IP addresses to which you want to allow network access. In this example, we used a Shared List named “White listed IPs” containing those IP addresses.
Condition 2
11. Add the Remote port criterion.
12. In the Remote port field, add these ports: “20, 21, 22, 23, 137, 138, 139, 445, 1433, 1434, 3389, 6881, 6882, 6883, 6884, 6885, 6886, 6887, 6888, 6889”
Actions
13. Select the Block action.
14. Optionally, add a message. For example, “Network connection terminated for security reasons.”
15. Optionally, turn on the Use HTML Template option to show the message in a visually appealing template.
Rationale for the Rule
The Remote port condition blocks risky ports because they either carry unencrypted data or provide unrestricted remote access to critical systems. 20/21 (FTP) and 23 (Telnet) are dangerous because they send credentials in plaintext. 137-139 and 445 (Windows sharing) and 1433/1434 (SQL) expose core networking and database services, making them primary targets for malware and data theft. 3389 (RDP) is constantly targeted by brute-force attacks that lead to full system compromise. Lastly, 6881-6889 (P2P) pose risks through bandwidth abuse and malware distribution.
The Remote host condition creates an exception for whitelisted IP addresses so that essential and trusted network communications can still occur. This works because, in Teramind, rule condition blocks operate with "OR" logic: the rule triggers if the remote host's IP address is not listed in the Except field, or if the connection's port is one of those listed in the Remote port field.
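To check how the two condition blocks combine before deploying the rule, here is a small model of the evaluation as described above: a Remote host block whose Except list negates the match, a Remote port block using the port list from step 12, and OR logic across blocks. This is an added example, not Teramind's own code; the whitelist entries and the sample connections are constructed.

```python
import ipaddress
from dataclasses import dataclass

# Port list copied from step 12 of the walkthrough.
DANGEROUS_PORTS_FIELD = (
    "20, 21, 22, 23, 137, 138, 139, 445, 1433, 1434, 3389, "
    "6881, 6882, 6883, 6884, 6885, 6886, 6887, 6888, 6889"
)

# Constructed stand-in for the "White listed IPs" Shared List (hypothetical addresses).
WHITE_LISTED_IPS = ["10.0.0.5", "192.168.10.0/24"]


def parse_port_field(field):
    """Turn the comma-separated Remote port field into a set of validated port numbers."""
    ports = frozenset(int(p) for p in field.split(",") if p.strip())
    if any(not 0 <= p <= 65535 for p in ports):
        raise ValueError("port out of range")
    return ports


def parse_host_list(entries):
    """Accept single addresses or CIDR blocks; a bare address becomes a /32 or /128 network."""
    return [ipaddress.ip_network(e, strict=False) for e in entries]


@dataclass(frozen=True)
class Connection:
    remote_host: str
    remote_port: int


def remote_host_condition(conn, except_hosts):
    """Condition 1: Remote host with an Except list. True for any host NOT in that list."""
    addr = ipaddress.ip_address(conn.remote_host)
    return not any(addr in net for net in except_hosts)


def remote_port_condition(conn, ports):
    """Condition 2: Remote port equals one of the listed ports."""
    return conn.remote_port in ports


def rule_blocks(conn, except_hosts, ports):
    """Condition blocks are OR-ed: the Block action fires if any block evaluates true."""
    return remote_host_condition(conn, except_hosts) or remote_port_condition(conn, ports)


def classify(connections, whitelist=WHITE_LISTED_IPS, port_field=DANGEROUS_PORTS_FIELD):
    """Map each constructed connection to 'blocked' or 'allowed' under the rule above."""
    except_hosts, ports = parse_host_list(whitelist), parse_port_field(port_field)
    return {c: "blocked" if rule_blocks(c, except_hosts, ports) else "allowed" for c in connections}
```

Under the stated OR logic a whitelisted host on port 3389 still matches the Remote port block, so compare the classification of a few representative connections against your intent before rolling the rule out.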