Norman Network Protection Quick Setup Manual

1

Introduction to Norman Network Protection Appliance

The Norman Network Protection Appliance provides a front-end protection solution for your entire local area network or segment of your internal network.

Norman Network Protection is powered by Linux and provides additional security by using the Norman SandBox technology.

2

Checking the Package Contents

You will find the following items in your Network Protection Appliance package:

1. Norman Network Protection Appliance

2. A quick setup guide (this document)

3. An AC power cable

4. Two (2) category 6 ethernet standard cable (color “Green”)

5. One (1) category 6 ethernet standard cable (color ”Blue”)

6. A bootable USB memory stick containing recovery software

(Behind the frontbezel)

If an item is missing from the package, contact your reseller immediately.

3

Appliance Overview

The Norman Network Protection Appliance consists of three (3) Network Interface

Cards. The NICs (named “Eth1” and “Eth2”) are used for traffic inspection (inside and outside interfaces). These interfaces do not need any IP-address

The third interface (named “Eth0”) is used as an interface towards the Linux console, the NNP command line console and the web administration interface. This interface needs an IP-address.

Front R210

Front R610

1. Power-on indicator, power button

2. NMI button

3. USB connectors (2)

Back R610

4. Video connector

5. LCD menu buttons

6. LCD panel

7. System identification button

8. Hard drives (6)

9. Optical drive (optional)

10. System identification panel

1 Power-on indicator, power button

2 NMI button

3 Video connector

4 Hard drive activity indicator

5 Diagnostic indicator lights (4)

Back R210

6 System status indicator

7 System identification button

8 USB connectors (2)

9 System identification panel

10 Optical drive (optional)

1 iDRAC6 Enterprise port (optional)

2 VFlash media slot (optional)

3 Ethernet connectors (2)

4 serial connector

5 video connector

6 eSATA

7 USB connectors (2)

8 Ethernet connectors (2)

9 System status indicator light

10 System identification button

11 System identification connector

12 Power supply

13 Retention clip

4

1. iDRAC6 Enterprise port

(optional)

2. VFlash media slot

3. Serial connector

4. PCIe slot 1

5. Video connector

6. USB connectors (2)

7. PCIe slot 2

8. Ethernet connectors (4)

9. System status indicator connector

10. System status indicator

11. System identification button

12. Power supply 1 (PS1)

13. Power supply 2 (PS2)

Network Planning Worksheet

Host name:

Network Protection Primary IP address:

Network Protection subnet:

Default Gateway:

DNS Suffix:

DNS Server 1:

DNS Server 2:

Network speed:

Duplex (inside NIC):

Duplex (outside NIC):

. . .

. . .

. . .

. . .

. . .

. . .

. . .

. . .

. . .

. . .

5

Deployment Strategy

The Norman Network Protection Appliance can be deployed almost anywhere in your network. If you already know where to place the Norman Network

Protection Appliance please skip this part, and go on to chapter 6.

If you are uncertain where to deploy the Norman Network Protection Appliance please consider one of the below scenarios.

1. Scan traffic to/from the Internet

In this deployment scenario Norman Network Protection scans supported traffic to/from the Internet.

2. Scan traffic to/from an DMZ

In this deployment scenario Norman Network Protection scans supported traffic to/ from the DMZ from both the internal LAN and Internet.

3. Scan traffic between LANs or segments

In this deployment scenario Norman Network Protection scans supported traffic to/ from the Internet in addition to traffic to/from computers from different segments.

4. Scan traffic in one or more VLAN(s):

In this deployment scenario

Norman Network Protection scans supported traffic comming from VLAN computers marked with red, in addition to traffic going to/from segments on each side of the router.

Norman Network Protection

6

Power up your Network Protection Appliance

1. Connect the power cable from the power source (typically an UPS) to the power jack (while facing the back of the appliance). The power cable is included with the appliance packaging.

7

Basic Configuration for the Network Protection Appliance

IMPORTANT: Do not connect the in and out interfaces to your network before you have completed the configuration.

1. Connect a monitor and an USB-keyboard to the Network Protection Appliance.

2. Power up the Network Protection Appliance.

3. When the device has finished booting up follow the instructions as described below. When asked, use the details from your “Network Planning Worksheet” as described in chapter 4.

If you have been provided a newer NNP version as ISO image or on USB please follow the instructions provided.

Press 1 or Enter to start the installation.

Checking installation archives

The installer will check the integrity of the installation archive.

Admin interface setup

To be able to manage your NNP an IP-address is necessary. Now it’s time to use your Network

Planning Worksheet. Insert the details in the appropriate fields.

Keyboard layout

Select your keyboard layout, then click Next .

Installing files from archive

The installation will resume.

Click Details to see a more verbose output.

Root password

Enter your desired password. This password is the same for both the web based admin interface, and the Linux console, so please don’t lose it.

Timezone

Select your timezone by first selecting your continent, then your country.

Configuring the network cards

NNP appliance comes with four NICs, but only three will be used in this round. To assist you in identifying the NICs you can use the

When pressing this button the LEDs on the corresponding NIC will start blinking, correctly identifying the NIC to the ethx.

Identify function.

The default for NNP NIC configuration is one admin

NIC and two Bridge NICs.

Complete

Congratulations, your installation is done. Click Reboot and start your NNP.

to finish

5. After finishing the configuration wizard connect the device to the network as described in the next chapter

8

Completing the Web based Setup Wizard

IMPORTANT: Do not power up the appliance before connecting it to the network.

1. Connect only the Admin interface to the appropiate switch in your network. Make sure this is accessible from your network, and that it is not connected behind the “Eth1” interface.

2. From another computer connect to the IP-address of the appliance on port 2868.

Example: http://<Network Protection Appliance-IP>:2868

3. Your are now prompted for a username and password.

Username and password default settings

User: admin

Password: admin

Step 1: Start the setup wizard

Step 3: Providing the license key

The license key enables Network Protection to be updated with signature and scanner engine updates. The license key is provided to you by your local vendor. If a license key was not included when you purchased Network Protection, please contact your local vendor or your local Norman office.

Step 4: Configuring Network Protection operation mode

Scan

This is the most used option. By selecting this option all traffic on supported protocols will be scanned for malware.

Sites blocked will be blocked for

The period for which a URL is blocked can be changed with this option. The default value is 1 week. Select the desired value for the period a blocked URL/Path should remain blocked.

Note: This value can also be changed individually per blocked URL in the “Blocked

URL” menu.

Max. file size for scanning

This option allows you to change the default limit for the file sizes Network Protection Appliance should scan. The default value is 32MB. All files larger than the set value will not be scanned.

Block files larger than max size

Check this option to block files that are larger than the maximum allowed filesize.

Step 5: Configuring protocol scanning options

Step 2: Restricting access to the web interface

You can restrict access to the Norman Network Protection web-interface either to single IP-addresses or subnets. The syntax for entering IP-addresses is:

192.168.0.4/255.255.255.0

This entry will accept access from the single IP-address 192.168.0.4

192.168.0.0/255.255.255.0

This entry will accept access from the entire subnet 192.168.0.0

These setting will determine how NNP will operate. Please select the preferred mode.

Log only

This option will detect and log malware, but will not block it. Please use with caution.

Bypass

This option allows all traffic to be transferred through Norman Network Protection without being scanned. Using this option will result in no traffic or incident statistics.

Block

This option will effectively block all traffic from being transferred through Norman

Network Protection. This option is known as the “Panic button”.

Note:

Please use this option with care as absolutely all traffic in the segment/network where Network Protection Appliance is installed will be blocked.

Step 8: Handling messages Example:

If this option is selected and a computer creates a connection to a Citrix server, this will not be visible in the log because the ICA protocol is not supported for scan.

• Purge logs older than:

Provides an option to delete logs that are older than the value selected. This functionality can prevent your hard drive from being filled up with legacy logs.

Note:

Even though traffic logs are purged after 1 or 60 days, traffic statistics will still be available in the management interface. Norman Network Protection stores digests of all logs, enabling a digest traffic statistics, all the way back to the installation of Norman Network Protection in your network.

Step 7: How to inform users that they have been blocked

Provides options for how Norman Network Protection should notify users that are blocked from a network path. (This option applies only to HTTP traffic).

• Display the text below.

Insert the text you want to display to the users and use HTML-tags to format the text.

• Redirect to a customized HTML page on a reachable web server.

Provides, for example, the option of redirecting users to an HTML page on an internal web server. This enables you to create a very specific HTML page where the design, layout and text can be customized to your company colors and logo.

Provides the option of sending e-mail messages about selected events.

• Enable e-mail messages

Forward messages as e-mail.

Mail recipients

Enter the e-mail addresses for the notification recipients.

• Click Add to enter the e-mail address for a recipient.

• Select an address from the list and click Remove selected to delete an existing address

SMTP server settings

The SMTP server address, name or IP-address, for the e-mail server recipient of the

SMTP message.

Note:

If you insert the SMTP server name make sure that DNS settings are verified for the installed operating system. Otherwise please use the IP-address.

Port

The default SMTP port is 25, which is the correct value unless you explicitly have selected another port.

These settings decides how each protocol is handled. If you are not sure which scan setting to use for a certain protocol, set it to bypass for now. You can always change the scan settings later.

Note: Please set all protocols to “Bypass” before connecting the appliance to the network. When the appliance is connected to your network you can make the necessary changes for each protocol.

Protocol scanning options

Bypass Traffic on this protocol will pass through without being scanned.

Block Traffic on this protocol will not be allowed through NNP.

Minimal Scan Traffic will be scanned using traditional signature scanning.

Archive files are not scanned.

Sandbox is not used.

Medium scan Traffic will be scanned using traditional signature scanning.

Archive files are scanned.

Sandbox is not used.

Sandbox scan Traffic will be scanned using traditional signature scanning.

Archive files are not scanned.

Sandbox is used.

Full Scan Traffic will be scanned using traditional signature scanning.

Archive files are scanned.

Sandbox is used.

Step 6: Selecting logging options

Provides options for enabling and handling Norman Network Protection logs. The main logs are the Traffic log and the Incident logs. These log options only affect the

Traffic log.

• Enable logging/statistics

Select this option to log all traffic, meaning all connections transferred through Norman Network Protection are logged to a file. If not selected this option disables all traffic statistics.

• Log only supported protocols

Select this option to reduce the number of log entries. Only supported protocols are logged, and all other connections are disregarded. The supported protocols are:

HTTP, FTP, SMTP, POP3, TFTP, RPC, IRC, CIFS/SMB

Step 10: Reviewing the configuration Reply-to address

Enter the e-mail address that a recipient can reply to, for example the system administrator.

Mail message body

Subject

The title of the e-mail, for example “Message from NNP”.

Common appended text

Enter the text to include as the default e-mail footnote text.

Step 9: Setting Internet Update options

Step 9: Setting Internet Update options

Norman Internet Update will keep your definition files and sanner engine up to date.

The options for automatic updates are:

Update manually

Norman Internet Update will never run. All updates must be done manually with the

Update now option.

Automatic update at set intervals

Update intervals: 6 hours, 12 hours, 1 day.

Note:

It is recommended to set the Automatic update interval to 6 hours.

Once the setup wizard is done, Norman Network Protection is ready for use!

9

Connecting Norman Network Appliance to your network

Connect the interface named “Eth1” to the inside of your network, and the interface named “Eth2” to the outside of your network, based on the network scenario you selected in chapter 5.

Note:

Remember to schedule this installation to a time of day when interrupted network connections can be accepted.