How Norman Network Protection works
Norman Network Protection (NNP) is installed on a computer with three network interfaces and works as a black box performing real-time scans for malware in data traffic.
One network interface is reserved for alerts and remote configuration, while the other two collect network packets for scanning from the network segments they are connected to.
In a pair of connected interfaces, one interface provides the upstream or “open” network connection and the other the downstream or “protected” network connection. Traffic in either direction is protected by the pair. The network connections can be of any physical type that carries TCP/IP.
In the figure above NNP runs eth1 in “omnivorous mode”. This means that all network packets from the open zone are received regardless of their destination address. Packets of the selected protocol type are then reassembled and passed on to the scanning engine, which checks them for malicious code. If the packet group does not contain malicious code, it is passed on to the protected zone via eth2. If the packets do contain malicious code, however, they are blocked from the protected zone and an alert is sent to the network via eth0.
Bridging brings speed and transparency
NNP machines can be placed anywhere within the network, and used in a number of ways to protect all or parts of the network. Norman Network Protection works at the data link layer of the OSI data transmission model. This allows NNP to operate on several protocols and offer more features than proxy solutions.
NNP receives raw Ethernet frames ‘off the cable’ at the Data Link layer. If an Ethernet frame contains an IP packet, it is sent upwards in the NNP processing hierarchy. MAC addresses are stored for future use.
Protocol scanning for malware
NNP’s protocol scanning is configurable and can be enabled and disabled in real time.
NNP can also be configured to block protocols, computers and network segments depending on the infections and threats in the network. In addition, NNP uses the Norman SandBox technology, which is able to stop new and undiscovered malicious code even before detection files with signatures for new malware have been distributed. NNP scans protocols with a high probability of hosting malicious traffic.
Multi-protocol support
- HTTP – normal web content traffic including web mail
- SMTP – incoming email traffic
- POP3 – outgoing email traffic
- RPC – remote procedure call traffic
- FTP – file transfer protocol
- TFTP – trivial file transfer protocol
- CIFS/SMB – common internet file system for MS Windows-based computers
- IRC – Internet Relay Chat, a chat system protocol
As each packet is received, it is sent to the appropriate protocol-scanning module. Each scanning module calls the scanning engine, which in turn requests portions of data from the packet or from subsequent packets in the sequence. Alternatively, if Norman SandBox is enabled, the received packets are assembled in a virtual environment where the code’s behavior is analyzed. If malicious code is detected, it is blocked from traveling any further in the network. NNP then broadcasts an alert based on the configuration.
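As an added illustration (not Norman's code), the following Python model follows the flow this section describes: a packet is dispatched to a scanning module by protocol, held and reassembled per flow, scanned as a group, and then either released toward the protected zone or dropped with an alert. The port-to-protocol mapping, the signature and the sample packets are constructed for the example; it also shows why reassembly matters, since a marker split across two packets is only visible in the reassembled group.

```python
from collections import namedtuple
from dataclasses import dataclass, field
# Scanning modules are selected by destination port (constructed mapping for this model)
PROTOCOL_PORTS = {80: "HTTP", 25: "SMTP", 110: "POP3", 21: "FTP", 69: "TFTP", 445: "CIFS/SMB", 6667: "IRC"}
# Constructed sample signature; real detection patterns are not on the page
SIGNATURES = {"Test.Marker": b"MALWARE-MARKER"}
# seq is the byte offset of the payload in the stream; last marks the group's final segment
Packet = namedtuple("Packet", "src dst dport seq payload last", defaults=(False,))

@dataclass
class Flow:
    protocol: str
    segments: dict = field(default_factory=dict)  # seq -> payload
    packets: list = field(default_factory=list)   # held until there is a verdict
    def reassemble(self):
        # Join segments in order; None while a gap or the final segment is still missing
        data = b""
        for seq in sorted(self.segments):
            if seq != len(data):
                return None
            data += self.segments[seq]
        return data if any(p.last for p in self.packets) else None

def scan_engine(data: bytes):
    # Scan the reassembled group; return the detection name or None
    return next((name for name, pat in SIGNATURES.items() if pat in data), None)

class InlineScanner:
    def __init__(self):
        self.flows = {}
        self.forwarded = []  # released toward the protected zone (eth2 in the text)
        self.alerts = []     # sent out the alert interface (eth0 in the text)

    def receive(self, pkt):
        proto = PROTOCOL_PORTS.get(pkt.dport)
        if proto is None:             # not a selected protocol: passes through unscanned
            self.forwarded.append(pkt)
            return "forward"
        key = (pkt.src, pkt.dst, pkt.dport)
        flow = self.flows.setdefault(key, Flow(proto))
        flow.segments[pkt.seq] = pkt.payload
        flow.packets.append(pkt)
        data = flow.reassemble()
        if data is None:
            return "hold"             # group incomplete: keep buffering
        verdict = scan_engine(data)
        del self.flows[key]
        if verdict:
            self.alerts.append(f"{proto} {pkt.src}->{pkt.dst}: {verdict} blocked")
            return "block"            # whole group dropped; nothing reaches eth2
        self.forwarded.extend(flow.packets)
        return "forward"
```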