
Rule Example (Networking): How to detect and block risky connections


Teramind Network rules allow you to detect and prevent network-related threats by monitoring and controlling user interactions with various network protocols and destinations.

The example below shows you how to create a Network rule that blocks traffic to dangerous ports but explicitly bypasses the block when the connection is destined for an IP address on your approved list.

General Settings

1. Assign a Rule Name. For example, “Block dangerous ports”.

2. Select a Parent Policy. For example, “Admin Policy”.

3. Select “Activity” for Rule Type.

4. Select “Networking” under Select the type of activities.


Employees

5. Turn on the Inherit targets from Parent Policy to use the policy’s default targets.

6. Alternatively, turn it off and manually select the employees, departments and/or computers for the rule's target from the Assign to field.

7. Optionally, you can exclude targets in the Exclude from rule field.


Networking

You will need to add two conditions:

Condition 1

8. Add the Remote host criterion.

9. In the Except field, add the IP addresses to which you want to keep allowing network access. In this example, we used a Shared List named “White listed IPs” containing those IP addresses.

Condition 2

10. Add the Remote port criterion.

11. In the Remote port field, add these ports: “20, 21, 22, 23, 137, 138, 139, 445, 1433, 1434, 3389, 6881, 6882, 6883, 6884, 6885, 6886, 6887, 6888, 6889”


Actions

12. Select the Block action.

13. Optionally, add a message. For example, “Network connection terminated for security reasons.”

14. Optionally, turn on the Use HTML Template option to show the message in a nice template.


Rationale for the Rule

The Remote port condition blocks risky ports because they either carry data unencrypted or provide unrestricted remote access to critical systems. 20/21 (FTP) and 23 (Telnet) are dangerous because they send credentials in plaintext. 137-139, 445 (Windows sharing) and 1433/1434 (SQL) grant access to core networking and database services, making them primary targets for malware and data theft. 3389 (RDP) is constantly targeted by brute-force attacks that lead to full system compromise. Lastly, 6881-6889 (P2P) pose risks of bandwidth abuse and malware distribution.

The Except list on the Remote host condition ensures that essential and trusted network communications to the whitelisted IP addresses can still occur, even on those ports.
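To make the rule's decision logic concrete, here is an added Python example (not Teramind's code; the product evaluates the rule inside its own agent) that applies the same two conditions to a constructed connection log: a connection is blocked only when its remote port is in the list from step 11 and its remote host is not on the approved list. The allowlist contents, the log line format and the support for CIDR networks in the allowlist are assumptions made for the example; the service labels follow the rationale above, with port 22 labelled by its standard assignment (SSH).

```python
"""Mirror of the 'Block dangerous ports' rule: Remote port AND Remote host (Except allowlist)."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

# Ports from step 11, labelled with the services the rationale names.
# 22 is not discussed in the rationale; its label is the standard assignment.
RISKY_PORTS: dict[int, str] = {
    20: "FTP data", 21: "FTP control", 22: "SSH", 23: "Telnet",
    137: "NetBIOS name", 138: "NetBIOS datagram", 139: "NetBIOS session",
    445: "SMB / Windows sharing", 1433: "MS SQL", 1434: "MS SQL browser",
    3389: "RDP",
    **{p: "BitTorrent (P2P)" for p in range(6881, 6890)},
}

# Constructed stand-in for the "White listed IPs" shared list. Accepting CIDR
# networks as well as single addresses is an extension; the article shows
# plain IP addresses only.
ALLOWED_HOSTS = [
    ipaddress.ip_network("10.0.5.20/32"),
    ipaddress.ip_network("192.168.100.0/24"),
]


@dataclass(frozen=True)
class Decision:
    action: str  # "block" or "allow"
    reason: str


def host_is_allowlisted(remote_ip: str) -> bool:
    """Condition 1: Remote host matches unless it is in the Except list."""
    addr = ipaddress.ip_address(remote_ip)
    return any(addr in net for net in ALLOWED_HOSTS)


def evaluate(remote_ip: str, remote_port: int) -> Decision:
    """Both conditions must hold for the Block action to fire."""
    if remote_port not in RISKY_PORTS:
        return Decision("allow", f"port {remote_port} is not in the risky list")
    if host_is_allowlisted(remote_ip):
        return Decision("allow", f"{remote_ip} is on the approved list")
    return Decision(
        "block",
        f"port {remote_port} ({RISKY_PORTS[remote_port]}) to non-approved host {remote_ip}",
    )


# Constructed sample log: "<timestamp> <user> <remote_ip> <remote_port>".
SAMPLE_LOG = """\
2024-05-01T09:12:03Z alice 10.0.5.20 3389
2024-05-01T09:12:09Z alice 203.0.113.7 3389
2024-05-01T09:13:41Z bob 198.51.100.4 443
2024-05-01T09:14:02Z bob 192.168.100.77 445
2024-05-01T09:15:55Z carol 203.0.113.9 6884
2024-05-01T09:16:10Z carol 203.0.113.9 23
malformed line here
"""


def evaluate_log(log_text: str) -> list[tuple[str, str, Decision]]:
    """Apply the rule to each connection record; lines that do not parse are skipped."""
    results: list[tuple[str, str, Decision]] = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        _ts, user, ip, port_text = parts
        try:
            port = int(port_text)
            ipaddress.ip_address(ip)  # validates the address, raises ValueError otherwise
        except ValueError:
            continue
        results.append((user, ip, evaluate(ip, port)))
    return results


def blocked_count(log_text: str) -> int:
    """Number of connections the rule would terminate."""
    return sum(1 for _, _, d in evaluate_log(log_text) if d.action == "block")


if __name__ == "__main__":
    for user, ip, decision in evaluate_log(SAMPLE_LOG):
        print(f"{decision.action:5}  {user:6} -> {ip:15}  {decision.reason}")
    print(f"blocked: {blocked_count(SAMPLE_LOG)}")
```

Running the file prints one decision per log line. The ordering of the checks matters only for the reason text: because the two criteria are ANDed, the allowlist exception is consulted only for connections that already hit a risky port, which is exactly why the approved host on 3389 and the approved subnet on 445 pass while the same ports to other hosts are blocked.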
