Norman Network Protection Appliance
Strengths: Installed with minimal disruption to services, invisible to users, strong mix of virus/malware scanning technologies
Weaknesses: No hardware bypass circuit, scanning process has some overheads
Verdict: A transparent solution for protecting network segments from viruses/malware, deployed in minutes
A major issue with many UTM security appliances is that they try to cover too many bases and end up being difficult to deploy and manage. The latest appliance from Norman is completely different, as it targets malware and viruses and is designed to be swift to deploy and simple to manage.
The Norman Network Protection (NNP) appliance doesn't just focus on gateway security duties but can be used to filter traffic between any two network segments.
This increases its appeal to organisations that may have multiple internal networks, which have traditionally been isolated from each other due to security concerns. The NNP can be dropped in between them, so allowing them to communicate securely with each other but without any significant changes to the network infrastructure.
The NNP functions by scanning network traffic at the data link layer. It takes a copy of every packet as it passes through, which lets it reassemble the stream and scan it while the data continues to flow uninterrupted to the client. If it finds malicious content at any stage of the scan, the NNP can stop passing further packets to the client system, and it can hold that decision back right up to the last packet.
The NNP is delivered as a low-profile Dell PowerEdge 1U rack appliance equipped with a decent 1.8GHz 4300 Core 2 processor and 2GB of 800MHz DDR2 memory. A 250GB SATA hard disk looks after the Linux OS and management is handled by one of the embedded Gigabit ports.
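As an added illustration of the pass-through scanning model described above (this is not Norman's code and was not part of the review), the following Python models a scanner that forwards non-final packets immediately, keeps a reassembled copy, and withholds the final packet until the whole stream has passed the scan; the signature list is a constructed stand-in for the appliance's real engines.

```python
"""Toy model of data-link-layer pass-through scanning (added example).
Non-final packets are forwarded at once so the transfer is not stalled,
a copy of each is appended to a reassembly buffer that is scanned as it
grows, and the final packet is released only if the full stream is clean.
Detection is a constructed substring match, not a real engine."""
from dataclasses import dataclass, field
from typing import Tuple

# Constructed stand-in for a signature database.
SIGNATURES = (b"MALWARE-MARKER", b"EICAR-TEST")


@dataclass
class StreamScanner:
    delivered: list = field(default_factory=list)          # payloads the client got
    buffer: bytearray = field(default_factory=bytearray)   # reassembled copy
    blocked: bool = False

    def scan(self) -> bool:
        """True if the reassembled stream so far matches a signature."""
        return any(sig in self.buffer for sig in SIGNATURES)

    def on_packet(self, payload: bytes, last: bool) -> bool:
        """Process one in-order packet; return True if it was forwarded."""
        if self.blocked:
            return False                  # stream already condemned: drop
        self.buffer.extend(payload)       # keep a copy for reassembly
        if not last:
            self.delivered.append(payload)  # flow to the client is not interrupted
            if self.scan():
                self.blocked = True       # stop passing further packets
            return True
        # Final packet: the client only receives it if the full stream is clean.
        if self.scan():
            self.blocked = True
            return False
        self.delivered.append(payload)
        return True


def relay(data: bytes, mtu: int = 16) -> Tuple[bytes, bool]:
    """Push `data` through the scanner in `mtu`-byte packets.
    Returns (bytes the client received, whether the stream was blocked)."""
    packets = [data[i:i + mtu] for i in range(0, len(data), mtu)]
    scanner = StreamScanner()
    for idx, pkt in enumerate(packets):
        scanner.on_packet(pkt, last=(idx == len(packets) - 1))
    return b"".join(scanner.delivered), scanner.blocked
```

Note that a client can receive every packet except the last of a malicious stream, which is why the review later sees blocked transfers show up as missing or truncated files on the recipient.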
All traffic scanning is dealt with by a separate dual-port Gigabit card that allows the appliance to be placed mid-stream between any two networks with minimum disruption. The low-level scanning method means the ports don't require IP addresses and so are virtually invisible to your clients. The only drawback is that the card doesn't have a hardware bypass circuit, so if the appliance fails, it will take the network links with it.
The NNP employs three scanning methods, and Norman's sandbox technology makes it unique. When malicious traffic is spotted, it emulates a Windows system in protected memory and presents it to the code complete with system BIOS, Windows registry, hard disk boot sectors, file systems and a video card. The code is allowed to run inside this, so the NNP can see what it is trying to do.
If the code exhibits worm-like behaviour, the NNP creates more sandboxes for it, and once it is satisfied the code is malicious, it blocks it. Norman's DNA-matching feature is another weapon in the NNP's arsenal and is designed to provide zero-day protection from fresh threats. It relies on the fact that much malware shares similarities in its code: the NNP inspects code for such matches and, if it finds any, deems it malicious and blocks it. Last up is standard signature-based detection, and the appliance can update its database automatically as often as every six hours.
Installation only took a few minutes and we placed the NNP in between two network segments, resulting in a brief interruption while we cabled it up. The web management interface is very basic, due to the limited number of features, and opens with a quick-start wizard that helps secure administrative access and choose the best scanning method for each supported protocol.
Scanning depth can be set per protocol for HTTP, FTP, POP3, SMTP, TFTP, SMB, CIFS, RPC and IRC. Six levels are on offer, ranging from accepting or blocking all traffic for a protocol, through simple signature-based scans, to the full works including the sandbox and archive scanning.
Access to websites found to have malicious content can be blocked permanently or for selected periods. Lists of IP addresses, MAC addresses and VLANs can be used to define systems that are either exempted from scanning or blocked completely and NNP can send out email and SNMP trap alerts when viruses are detected.
For performance testing, we copied a range of files between systems on each subnet to see what effect the scanning process had on throughput. We used a 2.52GB video clip and a large folder with more than 5,000 files and saw copies without the NNP in place taking 49 seconds and 74 seconds respectively. With the NNP in position, the same copies took 57 seconds and 101 seconds. We tried the copies with the minimal scan setting and saw no appreciable improvements.
We also copied a selection of files infected with genuine viruses between systems on each subnet. From the system initiating the copy, all appeared to complete satisfactorily, but looking at the recipient showed that the files had either been blocked in their entirety or were of zero-byte length and so no longer a threat.
The appliance kept a complete record of all these events, listing the systems involved and the type of threat detected.
The NNP fits a wide range of network scenarios and installation requires no changes to client systems or the network infrastructure. It offers a good range of strong scanning techniques and although these will introduce a small performance hit, its complete transparency makes for easy management.