Copyright © 1990-2011 Norman ASA
Norman Network Protection
Administrator Guide
Figure 3: Network Protection - protecting a business enterprise.
Functionality
Norman Network Protection works at the Data Link Layer within the OSI data transmission model.
This allows it to operate on a number of protocols and offers more features than proxy solutions.
Network Protection has configurable protocol scanning that can be enabled and disabled in real-time.
Furthermore, it can be configured to block protocols, computers and network segments depending on
the infections and the threats in the network. In addition, Network Protection uses Norman Sandbox
technology which can stop new and undiscovered viruses and worms before detection signature files
have been released.
Currently, Network Protection scans protocols with a high probability of carrying malicious traffic.
Traffic on unsupported protocols passes through unhindered. Currently supported protocols are:
● HTTP
Normal web content traffic including web mail
● SMTP
Outgoing email traffic
● POP3
Incoming email traffic
● RPC
Remote procedure call traffic
● FTP
File transfer protocol
● TFTP
Trivial file transfer protocol
● Windows File Sharing
Covers the protocols CIFS, SMB, and SMB2
● IRC
Internet Relay Chat, a chat system protocol
● MSN
Microsoft Windows Live Messenger - a real-time chat application and protocol
● BitTorrent
Peer-to-peer file sharing protocol used for distributing large amounts of data
Protocol scanning does not rely on port identification. All packet headers are inspected to identify the
protocol independently of the port. If, for example, HTTP is identified on port 4599, it
will still be scanned.
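The port-independent identification described above, as an added example that is not Norman's code or part of the original guide: it classifies a flow from the content of its first payloads for several of the listed protocols. The signatures, `identify_flow`, `classify_samples` and the sample flows are constructed for illustration; a production engine would also handle TFTP over UDP, payloads split across segments, and captures that start mid-flow.

```python
import re

# First-payload signatures for client-to-server data (constructed for this example).
CLIENT_SIGS = [
    ("HTTP", re.compile(rb"^(GET|POST|HEAD|PUT|DELETE|OPTIONS) \S+ HTTP/1\.[01]\r\n")),
    ("SMTP", re.compile(rb"^(EHLO|HELO) \S+\r\n", re.I)),
    # IRC registration: NICK, or USER with four parameters (FTP/POP3 USER has one)
    ("IRC", re.compile(rb"^(NICK \S+\r\n|USER \S+ \S+ \S+ :)", re.I)),
    ("BitTorrent", re.compile(rb"^\x13BitTorrent protocol")),
    # 4-byte NetBIOS session header (type 0x00), then the SMB1 or SMB2 magic
    ("Windows File Sharing", re.compile(rb"^\x00.{3}[\xff\xfe]SMB", re.S)),
]
FTP_CMD = re.compile(rb"^(USER \S+|FEAT)\r\n", re.I)

def identify_flow(messages):
    """Classify ordered (direction, payload) pairs; the port is never consulted."""
    saw_220 = False
    for direction, data in messages:
        if direction == "s2c":
            if data.startswith(b"+OK"):
                return "POP3"
            # SMTP and FTP servers both greet with 220: wait for the client command
            saw_220 = saw_220 or re.match(rb"^220[ -]", data) is not None
            continue
        for name, sig in CLIENT_SIGS:
            if sig.match(data):
                return name
        if saw_220 and FTP_CMD.match(data):
            return "FTP"
    return "unknown"  # no signature matched: treated as an unsupported protocol

# Constructed sample flows, keyed by a (deliberately misleading) server port.
SAMPLE_FLOWS = {
    4599: [("c2s", b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n")],
    80: [("c2s", b"\x13BitTorrent protocol" + bytes(8) + b"A" * 40)],
    2525: [("s2c", b"220 mx.example.test ESMTP\r\n"), ("c2s", b"EHLO host.example.test\r\n")],
    2121: [("s2c", b"220 Service ready\r\n"), ("c2s", b"USER anonymous\r\n")],
    8110: [("s2c", b"+OK POP3 server ready\r\n")],
    8445: [("c2s", b"\x00\x00\x00\x44\xfeSMB\x40\x00" + bytes(60))],
    8443: [("c2s", b"\x16\x03\x01\x00\x05hello")],
}

def classify_samples():
    return {port: identify_flow(msgs) for port, msgs in SAMPLE_FLOWS.items()}

if __name__ == "__main__":
    for port, proto in classify_samples().items():
        print(f"port {port}: {proto}")
```

The 220 greeting is the case worth noting: SMTP and FTP cannot be told apart from the server banner alone, so the classifier defers until the first client command arrives.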
Network Protection scanning performance is dependent on the number of protocols being monitored,
the number of network segments covered and the number of network clients.
As each packet is received, it is passed on to the appropriate protocol-scanning module. Each scan-