Summary of Contents for Norman NetworkProtection

  • Page 1 Appliance Administrator Guide version 4.2 Antivirus Norman SandBox Reports & statistics...
  • Page 2: Limited Warranty

    DVD-R, and/or documentation at no charge. Proof of purchase must be enclosed with any claim. This warranty is limited to replacement of the product. Norman is not liable for any other form of loss or damage arising from use of the software or documentation or from errors or deficiencies therein, including but not limited to loss of earnings.
  • Page 3: Table Of Contents

    Administrator Guide Table of Contents: System requirements, 4; Obtaining Norman Network Protection, 4; About this guide, 4; Help and support, 4; Incident statistics, 37; Functions, 37; Configure, 38; Scanner settings, 38; Network configuration, 42 ...
  • Page 4: System Requirements

    For training or further support issues please do not hesitate to contact your local dealer or a Norman Office. Please see the last page of this document for information on Norman Offices.
  • Page 5: Introduction

    Norman Network Protection aims to deliver such a concept, protecting both servers and clients in the network. By placing Network Protection between the Internet and the local network, each computer on the network side is protected, and viruses being downloaded are stopped before they reach their destination.
  • Page 6: Norman Network Protection Versus Proxy

    If the group of packets is clean, the packets are passed on to the protected zone via NIC2. If the packets contain malicious code, they are effectively blocked from the protected zone and an alert is sent to the network via NIC0. Norman Network Protection is also available as an appliance.
  • Page 7: Implementation

    The firewall divides the network into an untrusted zone, a trusted zone, and a demilitarized zone (DMZ). Network Protection thus protects the LAN from both the Internet and machines in the DMZ. The DMZ is also protected from the Internet, providing belt-and-braces security to the entire network. Copyright © 1990-2011 Norman ASA...
  • Page 8: Functionality

    Figure 3: Network Protection - protecting a business enterprise. Functionality Norman Network Protection works at the Data Link Layer within the OSI data transmission model. This allows it to operate on a number of protocols and offers more features than proxy solutions.
  • Page 9 ● NIU signature update ○ Norman Internet Update (NIU) can be set to automatically update the virus scanning engine and signature files at hourly intervals. ● Decompression ○...
  • Page 10: Installation

    Norman Network Protection Administrator Guide Installation | Prerequisites Installation The Norman Network Protection appliance is pre-installed with Norman Network Protection software. The action required from you is to provide your network IP address details and to change the default passwords. Prerequisites To take full advantage of the Network Protection functions, a good understanding of running programs on the Linux platform and network management is recommended.
  • Page 11 Administrator Guide Installation | Configuration Figure 4: Starting the installation by selecting an option. 4. Checking installation archives. The installer will check the integrity of the installation archive: Figure 5: Progress bar displays checking installation archives.
  • Page 12 Norman Network Protection Administrator Guide Installation | Configuration 5. Select your keyboard layout and click Next: Figure 6: Select keyboard layout. 6. Select your time zone by choosing continent and then country: Figure 7: Select time zone.
  • Page 13 Figure 8: Enter and confirm the root password. 8. Admin interface setup. You need an IP address to manage your NNP. Use your Network Planning Worksheet now and enter the details in the appropriate fields.
  • Page 14 Figure 9: Admin interface setup. The optimal configuration is to use the eth0 as Admin interface, and the eth2 and eth3 as “Bridge” interfaces. 9. Installing files from archive. The installation will resume. Click Details for verbose output.
  • Page 15: Completing The Web-Based Setup Wizard

    Administrator Guide Installation | Configuration Figure 10: Installing files from archive. 10. Configuration and installation is now complete. Click Reboot to finish and start Norman Network Protection. Figure 11: Installation complete. 11. After completing the configuration wizard connect the device to the network as described in the next chapter.
  • Page 16 Norman Network Protection Administrator Guide Installation | Configuration Figure 12: Connect to Network Protection - Username and password
  • Page 17: Setup Wizard

    Figure 7: Setup Wizard License Key 3. Join Endpoint Manager Realm This option allows you to manage NNP centrally from a Norman Endpoint Manager console. To manage this NNP centrally, you must enter the IP address, username and password for the Norman Endpoint Manager.
  • Page 18 ● Sites blocked will be blocked for ○ The period a URL is blocked can be changed with this option. The default value is 1 week. Select the desired value for the period a blocked URL/path should remain blocked.
  • Page 19 Traffic will be scanned using traditional signature scanning. Archive files are scanned. The Sandbox is used. 6. Selecting logging options Provides options for enabling and handling Network Protection logs. The main logs are the Traffic log
  • Page 20 7. Blocking - informing users that have been blocked Provides options for how Network Protection should notify users whose traffic was blocked because malware was detected, a file exceeded the maximum size, or a URL was blocked. This option only applies to HTTP traffic.
  • Page 21 ● There are identical tabbed dialogs for entering text when files are blocked due to size, or when a URL is blocked. Click on the respective links at the lower part of this page to enter the desired information. See also “Blocking” on page 52.
  • Page 22 ○ Reply-to address • Enter a reply-to address for the recipient, for example the system administrator. ● Mail message body ○ Subject • The email title, for example “Message from Network Protection”. ○ Common appended text
  • Page 23: Proxy Settings

    ● Proxy settings • Proxy settings must be entered in networks where Network Protection cannot communicate directly with the Internet. Click the Proxy Settings link at the bottom of the page to access the configuration options.
  • Page 24 Administrator Guide | Setup wizard 10. Reviewing the configuration Once the setup wizard is completed, Norman Network Protection is ready for use. The Setup Wizard’s final dialog presents a summary of the selections you made: Figure 15: Setup Wizard Finished...
  • Page 25: Administration And Configuration

    Update, and Cluster Failover. Cluster Failover will only be available when a cluster has been set up and will not appear in a brand new installation. Click on the section header to go directly to the configuration options for that section.
  • Page 26: Navigating The User Interface

    On the right-hand side the options within the selected menu or submenu are presented. Some screens may consist of several pages. Use the page scroll in the bottom right corner to navigate through the pages. Figure 17: Page scroll Status Figure 18: Quick status page
  • Page 27: Version And Uptime

    Medium scan: Traffic will be scanned using traditional signature scanning. Archive files are scanned. Sandbox is not used. Sandbox scan: Traffic will be scanned using traditional signature scanning. Archive files are not scanned. Sandbox is used.
  • Page 28: Restart Network Protection

    Displays real-time memory load for the Network Protection application. NNP version Installed version of Network Protection. Engine version Installed version of Norman Scanner engine. Binary definitions Version of binary definition file. Macro definitions Version of macro definition file.
  • Page 29: Network Information

    The protocol used, for example HTTP for web traffic, FTP for file transfer, etc. Malware: Name of the malware that was stopped. If the incident logs screen consists of more than one page, this icon appears in the bottom right corner:
  • Page 30: Detailed View

    By default incidents from the current date are displayed. Click the calendar icon next to the Please select a date field, to view logs from other days. Detailed view Click on an entry for a more detailed view. See the next figure. Figure 23: Incident logs detailed view
  • Page 31: Download Log File

    By saving the file to your computer you can later use the log file(s) to compile reports. The log file is formatted in the standard CSV format. Note You can only download single log files. The download option is not available when a date range has been selected.
  • Page 32: Show Sandbox Log

    Network Protection are not allowed to establish these connections. One way of preventing this is to add the URL as a rule to your firewall or other type of gateway with firewall functionality.
  • Page 33: Blocked URLs

    Detailed view: This view provides details of the incident that led to an entry in the URL block database. Date (and time): The actual time of the incident. Expires: When this record entry expires.
  • Page 34: Custom URL Block

    Wildcard: Valid characters are ‘?’ for one character and ‘*’ for more than one unknown character. For example: http://www.examp*.com. As always, wildcards should be used with caution. The Comment field is optional. You can use it for a brief description of the blocked pattern.
  • Page 35: Traffic Statistics

    Network Protection application. The displayed graphs can be either by day (if a month or date range is selected), or by hour (if a specific day is selected). Move the mouse over the desired bar. See figure below.
  • Page 36 Displays the amount of data sent through the Network Protection application, both in numbers and percent of total traffic per IP address. Top 20 connects Displays the amount of connections made through the Network Protection application by any given IP address.
  • Page 37: Incident Statistics

    Top 20 – Detected with Sandbox Displays the amount of malware stopped by the Network Protection application using the Norman Sandbox, both in numbers and percent of total malware per Norman Sandbox category.
  • Page 38: Configure

    These modules allow you to configure the various options for Network Protection. Click the desired module to configure the settings. Figure 32: Configure page Scanner settings Configure the operation mode and scanner settings and decide how the Network Protection should work.
  • Page 39 Please use this option with care as absolutely all traffic in the segment/network where Network Protection is installed will be blocked. Scan This is the most used option. Select this option to scan all traffic for malware on supported protocols.
  • Page 40 File Transfer Protocol; TFTP: Trivial File Transfer Protocol; Windows File Sharing: Includes SMB (Server Message Blocks) and CIFS (Common Internet File System); Internet Relay Chat; Microsoft Windows Live Messenger; BitTorrent: Peer-to-peer file sharing protocol
  • Page 41 Protection can maintain a secure cache to minimize scanning of duplicate objects. This can also increase Network Protection’s performance. Maximum file size for scanning Files that exceed the set limit will not be scanned. This option allows you to change the maximum
  • Page 42: Network Configuration

    Before you change any values, please verify that these are correct. Click Apply to save the changes. Note: If you change the IP address of the administrator interface you will lose your existing management connection and must reconnect to the new IP address you selected.
  • Page 43 Cluster failover is implemented primarily for the purpose of improving the availability of services. The Norman Network Protection (NNP) cluster failover option is a 2-node solution where two NNPs (primary and secondary) are placed in parallel. The primary NNP is always responsible for bridging the traffic.
  • Page 44 In this section you can customize some advanced settings for your cluster setup. Unless you are absolutely sure about changes you want to make, leave the default settings as they are suitable for almost all network environments. Figure 40: Advanced settings for cluster failover.
  • Page 45: Join Endpoint Manager Realm

    7. Your failover cluster is now removed. Join Endpoint Manager Realm This option allows you to manage NNP centrally from a Norman Endpoint Manager console. To manage this NNP centrally, you must enter the IP address, username and password for the Norman Endpoint Manager.
  • Page 46: Block And Exclude Settings

    Administration and configuration | Configure Figure 42: Join Endpoint Manager If the NNP is already a member of a Norman Endpoint Manager realm, then a notification is available. See the figure below: Figure 43: Join Endpoint Manager (already a member) Note Please refer to the document ‘Managing NNP from Norman Endpoint Manager’...
  • Page 47 Network Protection. Removing a MAC address from the block or exclude list Select one MAC address or more and click Remove selected. The MAC address can now transfer traffic through Network Protection.
  • Page 48: Message Handling

    You must select this option to get access to the remaining options in this dialog. If you remove the check mark, you have turned the message logger off. Messages to send ● Locally generated messages.
  • Page 49 Message routing Provides the option of sending messages to a central Norman Endpoint Manager. This option is reserved for future use and has not yet been activated. Figure 48: Message routing Messages to send ●...
  • Page 50 ○ This field is for a common, user-defined text, for example “Something went wrong with...”, or as an identifier for this specific application, for example “NNP at Production Level 2”. Email messaging Provides the option of sending emails about selected events.
  • Page 51 ○ The server name or the IP address for the email server recipient of SMTP messages. Note If you enter the SMTP server name, make sure that the DNS settings are verified for the installed
  • Page 52: Logging Options

    Network Protection in your network. Blocking This page provides options for notifying users when Network Protection blocks malware, files larger than the specified maximum size, or a URL. These options only apply to HTTP traffic.
  • Page 53: Remote Access

    This option allows you to change or set the system time. You can either let the server use the internal clock alone or use the Network Time Protocol (NTP). By using NTP the server will always synchronize
  • Page 54: Change Administrator Password

    This option allows you to change the license key. The key format is 5 times 5 characters. Example: xxxxx-yyyyy-xxxxx-yyyyy-xxxxx Figure 58: Change license key Setup Wizard The Setup Wizard can be run again at any time. Please refer to “Setup wizard” on page 17.
  • Page 55: Install And Update

    Administration and configuration | Install and Update Install and Update Provides options to update the scanning engine and definition files on demand, or to configure the automatic update intervals for Norman Internet Update (NIU). Figure 59: Install and Update Note Only scanning engine and definition files are updated automatically without any downtime to the system.
  • Page 56: Critical Updates

    Allows you to configure the Norman Internet Update intervals. Figure 61: Select Update Method ○ Update manually • Norman Internet Update will never run. All updates must be carried out manually with the Update now option. ○ Automatically at set intervals •...
  • Page 57 Schedule this update By using this feature the installation can be done automatically at the date and time you prefer. For example, scheduling an automatic installation during the off-hours will prevent any downtime for the users.
  • Page 58: Support Center

    Click this option to open a new browser window to the Support pages on Norman’s web. Contact information Select this option to open a new browser window to view information on how to contact Norman. Reset to factory defaults If you have lost track of your setup or simply want to start from scratch, this option allows you to reset all your settings to factory defaults.
  • Page 59: Starting And Stopping

    If you need to start or stop Network Protection for other reasons, use the scripts described below. Type in the following commands on the Debian console for the Network Protection application: Stop: /etc/init.d/nnpd.sh stop; Start: /etc/init.d/nnpd.sh start
  • Page 60: Troubleshooting

    Network Protection is connected to on the bridged interfaces. You can easily check the speed for your Network Interface Cards on the Network Protection application. ● Log into the console of Norman Network Protection (either remotely via SSH or on local console) ● Type ifconfig to see the Network Interface Card information ●...
  • Page 61 Protection web interface. ● Direct your browser to the Network Protection web interface and log in. ● Select Norman Network Protection > System Monitor. ● The System Monitor screen displays the CPU and memory use in addition to the Network Interface Card load.
  • Page 62 If Norman Network Protection continues with such behavior, you should contact your local vendor or nearest Norman office to remedy the situation. You may be asked to provide logs from the Norman Network Protection application to minimize the Support department’s time spent on troubleshooting. The support personnel will ask for specific logs, which reside in the .../opt/norman/logs directory on your Network Protection server.
  • Page 63: Accessing The Command Line Interface Console

    Appendix A: Accessing the Command Line Interface console Norman Network Protection can be accessed via a Command Line Interface (CLI) console. The CLI console provides many of the most commonly used commands that are provided in the web-based management interface.
  • Page 64: Appendix B: Using The Network Protection Console

    Appendix B: Using the Network Protection console Even though Norman Network Protection is a Linux-based application, all configuration and administration can be done from the web-based administration interface. If you’re more familiar with the Linux command shell, you can also use this to configure most of the application.
  • Page 65 Network Protection console. Traffic messages are broadcast to the entire network. Type code Description Information message Warning message Error message Virus alert message This column displays the message content.
  • Page 66: Console Commands

    2011-01-18 13:43:44 0 TCPH:0 CON:2 Total connections: 3 show counters Displays the values of the counters. :>show counters 2011-01-18 14:04:13 0 CMD:0 CON:1 counter id value name 1 TCP_SESSIONS 16246 SENDQUEUE_PUSH 16246 SENDQUEUE_POP 4829 PACKET_WORKER_0_PUSH 4829 PACKET_WORKER_0_POP
  • Page 67 Displays machine IP address, current user, name, workgroup and blocked state of each machine discovered from network traffic. :>show machines 2011-01-18 13:53:35 0 CMD:0 CON:1 ip user workgroup netbios name status 2011-01-18 13:53:35 0 CMD:0 CON:1 127.0.0.1 (noname) (noname)
  • Page 68 2011-01-18 13:39:11 0 CMD:0 CON:2 hwbypass disabled 2011-01-18 13:39:11 0 CMD:0 CON:2 sizelimit 32 MB 2011-01-18 13:39:11 0 CMD:0 CON:2 log on show sizelimit Displays the set file size limit for file scanning. :>show sizelimit
  • Page 69: Command Line Configuration

    Closes the Network Protection console session and shuts down operation of Network Protection by terminating all threads, then exits. Take great care when using this command to close a remote console session, as it will terminate Network Protection as well. exit Closes the Network Protection console session.
  • Page 70: MAC Block

    Starts the Norman Internet Update client to update the scanner engine and definition files. This is run automatically every day and does not need to be run manually, except when the administrator has purposely disabled automatic updates.
  • Page 71: Cluster Commands And Parameters

    Mandatory arguments are one of the following: bind Binds cluster adapter. disable Disables cluster support. enable Enables cluster support. failover Fails over the current node. info Displays cluster configuration and state. Sets cluster parameter. unbind Unbinds cluster adapter.
  • Page 72 CLUSTER:0 CON:-1 1 20100716132104 unset cluster master, waiting for new master CLUSTER:0 CON:-1 1 20100716132106 changed cluster master node from 0 to 2 cluster info Display cluster state and configuration. :> cluster info cluster set Configures cluster parameters.
  • Page 73: Using Port Mirror Mode

    Will remove the mirror port mode from the selected network interface. The operation mode will remain in log only mode, but it will be possible to change it to any other operation mode by using the appropriate command line parameters or from the GUI
  • Page 74: URL Blocking

    Adds URL pattern to display URL block list. Supported types are: • EXACT: exact match rule. This is equivalent to what Norman Network Protection does whenever malware is detected in a data stream. • PREFIX: prefix match rule. This will make all URLs starting with this prefix match.
  • Page 75 Sandbox on|off enable/disable Sandbox scanning for this protocol decomp on|off enable/disable decomp of archive files on|off enable/disable all scan option for this protocol (except block) IMAP4
  • Page 76 Average is 15 minutes. set max_scanner_age number of seconds scanning of a file is permitted until it’s defined as too old set max_old_scanners number of old scanners allowed
  • Page 77: Using Network Protection In Port Mirror Mode

    When you have selected Mirror mode you can no longer choose other operation modes in the Scanning settings. To return to another mode, please choose Bridge in the Mode column. Then you can choose the desired operation mode on the Scanner setting page.
  • Page 78: Nonoperative Functions

    ● Cluster failover will not be available Custom URL block ● No URLs/URIs can be blocked in port mirror mode Block and exclude settings ● It is not possible to block IP addresses, VLANs or MAC addresses in port mirror mode
  • Page 79 Web: www.norman.com/ch Norman ASA is a world-leading company within the field of data security, internet protection and analysis tools. Through its SandBox technology Norman offers a unique and proactive protection unlike any other competitor. While focusing on its proactive antivirus technology, the company has formed alliances which enable Norman to offer a complete range of data security services.