Norman Network Protection Appliance in Security appliances
Verdict
There are overheads to the scanning process but this versatile security appliance can play many roles and is a cinch to deploy
Review Date: 13 May 2009
Price when reviewed: £3,495 (£4,019 inc VAT)

Despite the undeniable appeal of appliances over software security suites, Norman has preferred merely to dabble in appliance-based solutions. Its last attempt was with the NetProtector 3000 and now it has another stab with the Norman Network Protection (NNP) appliance.
The NNP differs radically from your common or garden security appliance as it focuses only on viruses and malware. It's totally transparent in operation and just needs to be dropped in between the two networks it's providing protection for. Deployment scenarios are extensive as the NNP could be used to protect two LAN segments from each other or used as a gateway security solution.
Either way, your clients won't even know it's there as it scans traffic at the data link layer. As packets pass through the NNP they are forwarded to the client while the appliance takes a copy, reassembles the data stream locally and scans it. The moment it finds anything malicious, the remaining packets are not passed on to the client, and it can leave this decision right up to the last packet.
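A minimal model of the forward-and-copy behaviour described above, added here as an illustration and not Norman's code: the `InlineScanner` class, the `transfer` helper, the packet size and the harmless marker standing in for a signature are all assumptions.

```python
# Added illustration: a toy model of inline scanning, not the appliance's code.
SIGNATURES = [b"FAKE-MALWARE-MARKER"]  # constructed, harmless stand-in signature


class InlineScanner:
    """Forwards packets while scanning a reassembled copy of the stream."""

    def __init__(self, signatures=SIGNATURES):
        self.signatures = signatures
        self.copy = bytearray()  # local reassembly of everything seen so far
        self.blocked = False

    def _malicious(self):
        # Scan the whole copy so a signature split across packets still matches.
        return any(sig in self.copy for sig in self.signatures)

    def handle(self, packet, is_last=False):
        """Return the bytes that reach the client for this packet."""
        if self.blocked:
            return b""  # verdict already reached: withhold the rest
        self.copy += packet
        if is_last:
            # The final packet is held until the complete stream is scanned.
            if self._malicious():
                self.blocked = True
                return b""
            return packet
        # Earlier packets are forwarded at once; a detection made here
        # only affects the packets that follow.
        if self._malicious():
            self.blocked = True
        return packet


def transfer(data, packet_size=8):
    """Send data through the scanner; return (bytes received, blocked?)."""
    scanner = InlineScanner()
    chunks = [data[i:i + packet_size] for i in range(0, len(data), packet_size)]
    received = bytearray()
    for n, chunk in enumerate(chunks):
        received += scanner.handle(chunk, is_last=(n == len(chunks) - 1))
    return bytes(received), scanner.blocked


if __name__ == "__main__":
    sample = b"header--" + SIGNATURES[0] + b"--trailing-payload-bytes"
    got, blocked = transfer(sample)
    print(f"blocked={blocked}, received {len(got)} of {len(sample)} bytes")
```

In this model the stream is cut off rather than cleaned, so the client is left with an incomplete file whenever a signature is found.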
Three scan methods are used with signature-based detection first on the list. Next up is Norman's sandbox, which is quite unique. As soon as suspect packets are detected it creates a sandbox on demand in local protected memory, which emulates a Windows system complete with BIOS, boot sectors, registry, file systems and video card.
It allows the code to run in the sandbox and if it makes any requests to look for other systems then more sandboxes are created so the code thinks it's running in a real environment. Last up is Norman's DNA Matching, which inspects code to see if it has inherited or reused code from known malicious programs. If it finds any matches then it concludes it's malware and blocks it.
The appliance has a separate dual-port Gigabit adapter that allows the NNP to sit midstream but note it has no hardware bypass circuit. We installed the appliance in between two network segments in the lab with minimal interruption - no proxies are used so you don't need to reconfigure your client systems.
The web interface offers a quick start routine where you decide which protocols to scan, and choices include HTTP, FTP, POP3, SMTP, SMB and CIFS. You can bypass each one, block all related traffic or apply one of four scan methods, which include sandboxes and archive scanning.
For performance testing we started with scanning disabled and copied a 2.52GB video file and a folder containing over 5,000 files between systems on each segment, which took 49 seconds and 74 seconds respectively.
We then set the NNP to maximum scan settings for all protocols, and with this in action these times increased to 57 seconds and 101 seconds, showing that the scan process introduces noticeable overheads. We also copied a selection of files containing genuine viruses and although the copies appeared to complete, we saw on the recipient system that the files were either blocked completely or were of zero byte length.
Its total transparency makes the NNP a versatile security appliance, as it can protect one network segment from another or be used at the gateway. Scanning does produce a performance hit, but it's easy to deploy and it's tough on viruses and malware.
Author: Dave Mitchell

Printed from www.pcpro.co.uk

