Unauthorized Connection
The unauthorized connection is accessible under Policies → Connection Policies → Unauthorized Connection.
The unauthorized connection contains a list of connection policies that are not allowed to communicate in the system.
Any device pair that are listed in the unauthorized connection policies will make Neuralyzer trigger an alert when they have unwanted communication in the system.
Unauthorized connection policies are added manually by the user.
Note: The blocklist policy can be detected even user didn’t turn on Anomaly Detection.
Actions on Unauthorized Connection
1. View policy
Unauthorized Connection page is paginated, each page contains 20 records, the total number of policy records are displayed at the bottom of the list.
Policies are displayed in a list, each record contains the following information:
Source device/Host: field source device can have these following values:
- Device name in the system, detected by Neuralyzer.
- Device type/subtype, which indicates that the policy will apply to all devices of that type/subtype.
- Device purdue model.
- Device vendor, detected by Neuralyzer.
- Custom a specific IP address.
- “Any”, which indicates that the policy will apply to all devices.
Destination device/Host: as same as source device.
Note: Device type will be displayed with green background, “Any” will be displayed with red background.
- Protocol: Each record display a single protocol that allow for the connection between 2 devices.
2. Create a new policy
You can create a new policy by tapping on button “+” on the top right of the Policy screen, a policy creation pop-up will appear.
| Field | Type of input | Note |
|---|---|---|
| Source device/Host | Choose from drop-down list Input device name, type, purdue model, vendor. | Choose a specific device to apply to that device only Choose a device type to apply to all devices of that type Choose a vendor to apply to all devices have that vendor Choose a purdue model level to apply to all devices are on that level Choose option “Any” to apply to all devices |
| Destination device/Host | Choose from drop-down list Input device name, type, purdue model, vendor. | Choose a specific device to apply to that device only Choose a device type to apply to all devices of that type Choose a vendor to apply to all devices have that vendor Choose a purdue model level to apply to all devices are on that level Choose option “Any” to apply to all devices |
| Protocol | Choose from drop-down list Input protocol name (support searching by layer and protocol’s name) | Choose a specific protocol to allow only that protocol (support searching by protocol name) Left blank to allow all protocol |
| Enable/Disable policy option | Tap to turn on/off policy | Once disabled, the policy will not be applied. |
3. Edit policy
You can edit a policy by tapping on “Edit” button on the right of each policy record, a policy editing pop-up will appear.
In the pop-up editing, you can see the detail policy. You can edit by clicking on the field to be edited and perform input operations like when creating a policy.
When finished editing, click “Save” to save the changes or “Cancel” to discard all.
4. Filter policy
Filter for policy list is located at the top of the policy page,
You can search on one or more fields of the policy, just input value onto one or more fields on.
E.g. You want to search policy for a source device with ip 192.168.1.120 and protocol is modbus, proceed to input “192.168.1.120” into field source device and “modbus” into field protocol, the result list will displayed
Click the “Clear” button to clear the values in the filters.
Note: You can input device name or IP into source device or destination device field, we support searching device by both name and IP.
5. Remove policy
You can remove a policy from the list by clicking the "Delete" button on each the policy record.