manualshive.com logo in svg

Norman NetworkProtection, Administrator'S Manual

Share
Download
Norman NetworkProtection Administrator'S Manual Download Page 6

6

Copyright © 1990-2011 Norman ASA

Norman Network Protection

Administrator Guide  

Introduction | Implementation 

Norman Network Protection versus proxy

Traditional proxy solutions have several drawbacks. Most important is the latency effect because the 

proxy holds back the entire stream until it has received all the data and analyzed it in its entirety. 

Network Protection avoids this problem since it does not hold back more data than necessary. It takes 

packets from the stream and reassembles them locally as a file. When the amount of data collected is 

what the scanner engine has required, the packets are duplicated in Network Protection and the origi-

nals are passed on.

However, when the engine is busy scanning, the packets are held back until the engine returns with 

status OK. In this case a slight delay in the transmission of the last packet may be experienced, but 

generally there is practically no interruption to the packet flow. Packets belonging to an unsupported 

session type are not scanned. As the stream is passing through the system it is scanned, and as soon 

as something malicious is found, the stream is stopped.

Proxy servers require quite a bit of configuration on both servers and clients. Moreover, the proxy 

solution needs maintenance when running in the network. 

Network Protection is transparent to the network operation and requires no network adaptation and 

very little assistance to keep it in order once it is up and running. Since Network Protection works on 

packet level, the system has full control over the network flow. 

What is Norman Network Protection?

Norman Network Protection is a new technology from Norman providing protection for an entire local 

area network or critical segment of a network. Norman Network Protection can be installed onto an 

Intel based server with three network interfaces. One network interface is reserved for alerting and 

remote configuration and the remaining interfaces collect network packets for scanning from the net-

work segments they are connected to.

In a pair of connected interfaces, one interface provides an upstream or naked network connection, 

while the second interface provides the downstream or protected network connection. The network 

connections can be of any physical type that supports the TCP/IP protocol. 

Figure 1: The Network Protection installed

In Figure 1 Network Protection runs 

NIC1

 and 

NIC2

 in promiscuous mode. This means that all net-

work packets from the other network will be received by the network cards regardless of their destina-

tion address. 

Packets of the selected protocol type are then gathered into a group and passed on to the scanning 

engine to be scanned for malicious code. If the group of packets are clean, they are passed on to the 

protected zone via 

NIC2

. If the packets contain malicious code, they are effectively blocked from the 

protected zone and an alert is sent to the network via 

NIC0

. Norman Network Protection is also avail-

able as an appliance.

 

 

NIC1 

 

 

 

NIC2

 

NIC0

Summary of Contents for NetworkProtection

Page 1: ...Antivirus Norman SandBox Reports statistics Appliance Administrator Guide version 4 2...

Page 2: ...t be liable for loss of profits or other commercial damage including but not limited to incidental or consequential damages This warranty expires 30 days after purchase The information in this documen...

Page 3: ...77 Nonoperative functions 78 System requirements 4 Obtaining Norman Network Protection 4 About this guide 4 Help and support 4 Introduction 5 Network virus protection 5 The Norman approach 5 Norman Ne...

Page 4: ...t We strongly recommend that you read this guide thoroughly before installing Norman Network Protection and that you use it as reference during installation In this guide you will find instructions on...

Page 5: ...g a proxy server to scan incoming streams is that the entire stream must be gathered before it is scanned Only when the entire data stream has been scanned and established free of malicious code it is...

Page 6: ...ittle assistance to keep it in order once it is up and running Since Network Protection works on packet level the system has full control over the network flow What is Norman Network Protection Norman...

Page 7: ...rver By placing the Network Protection server between the gateway and the LAN as shown in Figure 2 it protects the entire LAN from malicious code entering from the Internet Figure 2 Protecting a small...

Page 8: ...traffic Traffic on unsupported protocols pass through unhindered Currently supported protocols are HTTP Normal web content traffic including web mail SMTP Outgoing email traffic POP3 Incoming email tr...

Page 9: ...Decompression Network Protection can decompress packets representing files compressed in a number of dif ferent formats before scanning the content The following compressed file formats are supported...

Page 10: ...ioned IP address For easier deployment you can plan your IP address hostname etc before you start the installation Network Planning Worksheet Host name Network Protection Primary IP address Default Ga...

Page 11: ...inistrator Guide Installation Configuration Figure 4 Starting the installation by selecting an option 4 Checking installation archives The installer will check the integrity of the installation archiv...

Page 12: ...rman Network Protection Administrator Guide Installation Configuration 5 Select your keyboard layout and click Next Figure 6 Select keyboard layout 6 Select your time zone by choosing continent and th...

Page 13: ...r desired password The password is the same for both the web based admin interface and the Linux console so store it in a safe place Figure 8 Enter and confirm the root password 8 Admin interface setu...

Page 14: ...ator Guide Installation Configuration Figure 9 Admin interface setup The optimal configuration is to use the eth0 as Admin interface and the eth2 and eth3 as Bridge interfaces 9 Installing files from...

Page 15: ...ed in the next chapter Completing the web based Setup Wizard IMPORTANT Do not power up the appliance before connecting it to the network 1 Connect only the Admin interface to the appropriate switch in...

Page 16: ...16 Copyright 1990 2011 Norman ASA Norman Network Protection Administrator Guide Installation Configuration Figure 12 Connect to Network Protection Username and password...

Page 17: ...2 168 0 0 See also page 53 Figure 6 Setup Wizard Remote Access Note IP address 0 0 0 0 0 0 0 0 is default and will provide access to all IP addresses Please remove this entry only after other IP addre...

Page 18: ...or malware Bypass No traffic will be scanned This option allows all traffic to be transferred through Network Protection without being scanned Using this option will result in no traffic or incident s...

Page 19: ...e scan settings later See Scanner settings on page 38 Figure 10 Setup Wizard Protocols The MSN and BitTorrent protocols will support the Block and Bypass options in this version Additional scan modes...

Page 20: ...elected and a computer creates a connection to a Citrix server this will not be visible in the log because the ICA protocol is not supported for scan Purge logs older than Provides an option to delete...

Page 21: ...ge on a reachable web server Provides for example the option of redirecting users to a HTML page on an internal web serv er This enables you to create a very specific HTML page where the design layout...

Page 22: ...lected to delete an existing address SMTP server settings SMTP server address Enter the server name or the IP address for the email server to receive the SMTP mes sage Note If you type in the SMTP ser...

Page 23: ...date See also page 55 and onwards Figure 14 Setup Wizard Update Update manually NIU will never run All updates must be done manually with the Update now option Automatic update at set intervals Updat...

Page 24: ...ion Administrator Guide Setup wizard 10 Reviewing the configuration Once the setup wizard is completed Norman Network Protection is ready for use The Setup Wizard s final dialog presents a summary of...

Page 25: ...ll settings for the Network Protection application Figure 16 Home page The home page provides an immediate status of the five most recent malware incidents and displays detailed information about your...

Page 26: ...erface is divided into two main sectors On the left hand side menus with expandable submenus are available On the right hand side the options within selected menu or submenu are presented Some screens...

Page 27: ...ective IP addresses NICs are displayed by their known Linux device name for example eth0 the NIC manufacturer s name and model in which mode NNP has set them the MAC address and the duplex settings Fi...

Page 28: ...ws you to restart the application but not the Linux operating system itself Figure 20 Restart Network Protection System monitor Provides real time information for system and network Figure 21 System m...

Page 29: ...Please observe that the upper right corner values in the graph are changing based on the peak values of transmitted traffic Incident logs The Incident logs screen provides information about malware t...

Page 30: ...and configuration Incident logs By default incidents from the current date are displayed Click the calendar icon next to the Please select a date field to view logs from other days Detailed view Click...

Page 31: ...he browser settings this will present a dialog asking you where to save the file or ask you to open the file from the current location Figure 24 Download log file By saving the file to your computer y...

Page 32: ...are is trying to write the file C WINDOWS SYSTEM32 ratcvexgzi exe to disk In addition the malware is trying to establish a connection to the web site http www6 seruijingandeshijinpos com on port 80 an...

Page 33: ...a share called TIMEFILES an entry in the Blocked URLs would look like this 2007 03 27 15 32 04 cifs HERODES TIMEFILES magicstart exe W32 Tibs gen455 On a server on the Internet a typical entry would l...

Page 34: ...er http www example com all URLs under that domain are blocked i e the referring pages Entering an Internet or ftp address without the http or ftp prefix has no blocking effect whatsoever These are th...

Page 35: ...a month or specify a date range you want to see statistics for You can also select a specific date by only enter ing a date in the first field of the two data range fields and then click submit When s...

Page 36: ...Displays the amount of data transferred through the Network Protection application both in numbers and percent of total traffic per supported protocol Top 20 receivers Displays the amount of data rece...

Page 37: ...en click submit When selecting a month you can also choose a specific day by clicking the graph for the desired day Daily Hourly incident histogram The top graphs display the amount of traffic that ha...

Page 38: ...malware through the Network Protection application Top 20 Origins Displays information about the top origins where malware has been found Configure These modules allow you to configure the various op...

Page 39: ...only scans for malware Detected malware will NOT be stopped but logged only Please be cautious using this mode as your computers will be infected by the detected malware Bypass This option allows all...

Page 40: ...ces per supported protocol Figure 34 Scanner protocol settings The supported protocols are HTTP Hyper Text Transfer Protocol SMTP Simple Mail Transfer Protocol IMAP4 Internet Message Access Protocol P...

Page 41: ...ure 35 Advanced scanner settings Note This value can also be changed individually per blocked URL in the Blocked URL menu Sites blocked will be blocked for The period an URL is blocked can be changed...

Page 42: ...face is reserved for cluster com munication between two NNPs In the figure below you can see that all interfaces are in use Figure 36 Admin network interfaces As an option you can order your Network P...

Page 43: ...o save the changes Cluster failover settings At the lower part of the page is a separate section where you can select to enable cluster failover which is selected by default Click Advanced settings fo...

Page 44: ...ode yet and choose Cluster This must be done at both the primary NNP and the secondary NNP 2 To enable cluster settings select Enable cluster failover first at the primary NNP Click Apply 3 In the Nam...

Page 45: ...gured by the primary cluster failover node Figure 41 Cluster warning This NNP is configured in a cluster as a secondary NNP You should only change settings on the primary NNP If you are absolutely sur...

Page 46: ...blocking or excluding an IP address would normally be sufficient but in a DHCP based IP network the lease time may be very short and the excluded computers may acquire a different IP address next tim...

Page 47: ...an IP address from the block or exclude list Select one IP address or more and click Remove selected The IP address can now transfer traffic through Network Protection MAC block and exclude Figure 45...

Page 48: ...Network Protection Message handling The Message handling menu provides several methods to configure and send alerts from Network Protection The two main methods to receive alerts from Network Protect...

Page 49: ...essage routing Provides the option of sending messages to a central Norman Endpoint Manager This option is reserved for future use and has not yet been activated Figure 48 Message routing Messages to...

Page 50: ...pients Enter the machine name or the IP address for the recipient s Click on Add to enter the name or address for an SNMP recipient Select an entry from the list and click Remove selected to delete an...

Page 51: ...as entries in the log file Email settings Provides configuration options for where to send emails Figure 52 Email settings Mail recipients Enter the email addresses for the recipients Click Add to en...

Page 52: ...ns transferred through Network Protection will be logged to file Deselect this option to disable all traffic statistics Log only supported protocols Select this option to reduce the number of log entr...

Page 53: ...resses or IP subnets that can access the Network Protection web based management interface IPv6 addresses are also valid input Figure 55 Remote access Allowed IP addresses Enter the IP address net inc...

Page 54: ...er pool closest to your loca tion or enter your custom NTP server name if you have a specific preference or have already set up your own local NTP server Figure 56 System time Change administrator pas...

Page 55: ...updated automatically without any downtime to the sys tem Some application updates will require downtime These are downloaded automatically but will not be updated without user intervention Please see...

Page 56: ...e carried out manually with the Update now option Automatically at set intervals Automatic update at set intervals 6 hours 12 hours 1 day Wait for dialup connection A legacy setting for those who stil...

Page 57: ...a critical update is available Figure 64 Critical updates options Install now This option will start the installation immediately A dialog box will warn you that this installation requires a restart...

Page 58: ...rt personnel will guide you to the correct value Enter the necessary values and click Generate and send Figure 67 Generate and send diagnostics data The diagnostics data will be packed and sent to Nor...

Page 59: ...tection will start when the server and operating system starts and will shut down together with the operating system and server If you need to start or stop Network Protection for other reasons use th...

Page 60: ...will typically see this screen screen output from ifconfig command nnp ifconfig eth0 Link encap Ethernet HWaddr 00 30 05 AB 55 23 inet addr 172 17 5 125 Bcast 172 17 5 255 Mask 255 255 255 0 inet6 ad...

Page 61: ...n on the same speed I m still experiencing slow performance even though I ve done a restart and adjusted the Network Interface Card speed Check the CPU and memory consumption for your system You can s...

Page 62: ...should contact your local vendor or nearest Norman office to remedy the situation You may be asked to provide logs from the Norman Network Protection application to minimize the Support department s...

Page 63: ...xternal machine do the following SSH to the IP address of Network Protection server using any SSH enabled application For Linux use standard SSH application On the Windows platform use the putty comma...

Page 64: ...format Example time type src module src session dest module dest session mes sage src module Refers to the Network Protection module that generated the message The following table lists the Network P...

Page 65: ...1 18 10 04 58 YYYY MM DD HH MM SS type This column contains a code relating to the type of message displayed The following table lists the Network Protection type code used src session Many of Network...

Page 66: ...address pairs that have been discovered by the TCP protocol handler For practical rea sons only a partial list is displayed below show connections 2011 01 18 13 43 44 0 CMD 0 CON 2 connections 2011 0...

Page 67: ...2011 01 18 13 40 29 0 HASH 0 CON 2 Hash entries 4 1 unmapped M1 9bee0bc3 M2 7a0f10fa show opmode Displays the operation mode of Network Protection show opmode 2011 01 18 14 12 56 0 CMD 0 CON 1 opmode...

Page 68: ...1 18 13 39 11 0 CMD 0 CON 2 smtp decomp on 2011 01 18 13 39 11 0 CMD 0 CON 2 pop3 enable on 2011 01 18 13 39 11 0 CMD 0 CON 2 pop3 scanner on 2011 01 18 13 39 11 0 CMD 0 CON 2 pop3 sandbox on 2011 01...

Page 69: ...2011 01 18 13 23 04 0 CMD 0 CON 1 Binary def version 18 1 2011 9172357 viruses 2011 01 18 13 23 04 0 CMD 0 CON 1 Macro def version 14 12 2010 20465 viruses show vlan Displays known VLAN for the Netwo...

Page 70: ...ion for col lecting network packets from the interface Network interfaces are indexed from 0 For example lo 0 eth0 1 and so on Show adapters will display the adapters and their assigned index numbers...

Page 71: ...canned The default and maximum file size limit is 64 MB This is a global protocol setting vlanblock id Blocks the specific VLAN ID vlanunblock id Removes the VLAN ID from the block list vlanexclude id...

Page 72: ...and start listening and replicating cluster configuration and state Operation is set to block to avoid multiple network outages due to mul tiple nodes being master cluster enable will fail with an er...

Page 73: ...uto 1 for secondary 2 for primary ping_timeout Integer How long a node will wait before it times out secret Integer Password This must be the same on all nodes in a cluster sync_timeout Integer Number...

Page 74: ...e bypass sets NNP in bypass no traffic will be scanned block sets NNP to block no traffic will pass NNP scan sets NNP to scan all supported protocols will be scanned based on settings below log only s...

Page 75: ...enable disable Sandbox scanning for this protocol decomp on off enable disable decomp of archive files on off enable disable all scan option for this protocol except block irc enable on off enable dis...

Page 76: ...enable disable this protocol Must be set to configure the protocol block on off block allow all traffic for this protocol scancache enable enables the scancache disable disables the scancache flush f...

Page 77: ...ntation is able to stop malware also In port mirror mode out of band malware will only be detected but not stopped since it s only a mirror of the traffic that Network Protection sees Configuring Note...

Page 78: ...nterfere with the data traffic The functions listed below will not be opera tive in this mode Scanner settings Block mode will not work for any protocol scanner Stop malicious code injection on execut...

Page 79: ...its main markets Copyright 1990 2011 Norman ASA Italy Norman Data Defense Systems Centro Cassina Plaza Via Roma 108 20060 Cassina de Pecchi MI Tel 39 02 951 58 952 Fax 39 02 951 38 270 Email info nor...

Reviews:

No comments

Brands by name

Popular brands

Load more brands