Connected to protected network - on random days

NIS 2010
Windows XP Home
No home network, one computer with cable directly connecting to modem.

In the NIS Security History, under Firewall - Network and Connections, on seemingly random days, there are two log entries stating that we are connected to a protected network.  Most days these NIS Security History log entries do not occur; it only happens maybe 4 or 5 times a month. One entry deals with the Subnet Identifier, the other is Gateway Physical Address.  Also confusing is the fact that these entries, when they occur, show a different gateway address than what always shows when going through the Windows control panel and checking the status of the Local Area Connection in Network Connections; even when Norton is logging this different gateway address, the Local Area Connection shows the same gateway as on any other day.

I've read another similar topic on this issue found here:

http://community.norton.com/t5/Norton-Internet-Security-Norton/protected-or-shared-network/m-p/217919#M107198


But I was wondering if someone might explain or elaborate on what is causing this.  Why does it only happen on certain days and not others, when the computer hardware/connection setup is otherwise unchanged?  Why the different gateway address in Norton's Security History logs?

The other thing that is a little strange is under the NIS Network Settings, Advanced Settings, General Rules, there are a number of rules which are set to "allow" various types of communication for Shared Networks and then right under each of these rules is another rule (not for Shared Networks) which blocks that same type of communication.  The rule above apparently has priority and overrides the rule underneath.  What does NIS define as a Shared Network and why is it set to allow for these rules?  Other than the Local Area Connection through our ISP, I'm not aware of any other Shared Network that we are on.

 


dbrisendine wrote:

Before we continue, we need to have a little more information about your connection.

 

Is this a cable modem or a DSL modem?

Do you know if you have NAT functioning in the modem or not?

 

How often do you turn the computer off (or reboot) and how often do you turn the modem off (if ever)?


 

It is a cable modem, supplied by the cable company.  I don't know what NAT is or if it's functioning in the modem.  The computer is shut off daily, then rebooted the next day.  The modem is always on.

 

Any help/information would be appreciated.  Thanks.

Since my last post, I've done some reading about NAT - Network Address Translation.  From what I could understand, NAT seems to be used mostly for private networks, most often businesses with multiple computers, so that they can all connect to the public network (the internet) via a router while sharing a single IP address?  Is that right?

 

Would a local cable company use NAT for home users because there are not enough unique IP numbers to go around for everyone?  There is no business here or private network.  This is a private residence.

 

At this time, I'm not sure how to check if NAT is functioning.  If the local ISP is running some kind of transparent router, how would anyone even know this?

 


random2 wrote:

NIS 2010
Windows XP Home
No home network, one computer with cable directly connecting to modem.

In the NIS Security History, under Firewall - Network and Connections, on seemingly random days, there are two log entries stating that we are connected to a protected network.  Most days these NIS Security History log entries do not occur; it only happens maybe 4 or 5 times a month. One entry deals with the Subnet Identifier, the other is Gateway Physical Address.  Also confusing is the fact that these entries, when they occur, show a different gateway address than what always shows when going through the Windows control panel and checking the status of the Local Area Connection in Network Connections; even when Norton is logging this different gateway address, the Local Area Connection shows the same gateway as on any other day.

I've read another similar topic on this issue found here:

http://community.norton.com/t5/Norton-Internet-Security-Norton/protected-or-shared-network/m-p/217919#M107198


But I was wondering if someone might explain or elaborate on what is causing this.  Why does it only happen on certain days and not others, when the computer hardware/connection setup is otherwise unchanged?  Why the different gateway address in Norton's Security History logs?

Norton is actually looking at the total network connection, in this case, not just the physical one.  You actually have two "networks" you are connected to; the first one is the connection from your system to the modem (Windows / hardware reports this one in the Network Connections Center) and if you check the details on the Local Network Connection Status, this is what is reported [the actual connection details of the hardware attached to your system].  The second network your system is connected to is the one your ISP provides to you via the modem; Norton is reporting the changes to this connection which the ISP is doing periodically to keep you safe [a static IP that never changes would leave you more open to attacks than a changing IP does].  The modem acts as a "mini-filter" in this case; the outside world sees the address (and gateway) your ISP gives it so the world can communicate to it.  The modem then passes that information to your system via the "Local" physical network so you can see the information.  The Smart Firewall will detect all the networks you are connected to (no matter how) and monitor the status of these networks.

The other thing that is a little strange is under the NIS Network Settings, Advanced Settings, General Rules, there are a number of rules which are set to "allow" various types of communication for Shared Networks and then right under each of these rules is another rule (not for Shared Networks) which blocks that same type of communication.  The rule above apparently has priority and overrides the rule underneath.  What does NIS define as a Shared Network and why is it set to allow for these rules?  Other than the Local Area Connection through our ISP, I'm not aware of any other Shared Network that we are on.

A "Shared Network" is one that you trust AND allow "Printer & File Sharing" on.  The rules in the Firewall General Rules are applied from top down to the bottom until one of the rules matches.  If the network is a "Shared Network", then the rules with the Shared Network notations will be applied.  In a non-Shared Network, the rule for the "Shared Network" will not be applied (wrong network type).  The Smart Firewall Rules have been set up so that the majority of users will be protected with the least amount of modification needed.  The rules for the "Shared Networks" are designed to allow the Printer / File Sharing communications on the network.


I hope this helps.

 

Hi random2,

 

If you had two or more computers connected via a router they would form a local area network.  If you wanted to share files among them you would enable file and printer sharing in your operating system network settings.  Norton would see this and would set the Firewall's network trust level to "Shared."  This would allow the additional types of traffic, that are blocked under a "Protected" network, to let your computer communicate with others on the local network.  You are correct that a Firewall rule takes precedence over any rules below it, so the rules that apply to a "Protected" network are always applied unless a "Shared" network is in use, in which case the higher rule for "Shared" networks supersedes the more restrictive rule below it.

 

The connection having to do with the Subnet Identifier probably looks like this: 127.0.0.0/255.0.0.0  This is the loopback for communications that are internal to your computer.

 

 

Thanks dbrisendine and SendOfJive for all the information.  It's very much appreciated.

 


dbrisendine wrote:
Norton is actually looking at the total network connection, in this case, not just the physical one.  You actually have two "networks" you are connected to; the first one is the connection from your system to the modem (Windows / hardware reports this one in the Network Connections Center) and if you check the details on the Local Network Connection Status, this is what is reported [the actual connection details of the hardware attached to your system].  The second network your system is connected to is the one your ISP provides to you via the modem; Norton is reporting the changes to this connection which the ISP is doing periodically to keep you safe [a static IP that never changes would leave you more open to attacks than a changing IP does].  The modem acts as a "mini-filter" in this case; the outside world sees the address (and gateway) your ISP gives it so the world can communicate to it.  The modem then passes that information to your system via the "Local" physical network so you can see the information.  The Smart Firewall will detect all the networks you are connected to (no matter how) and monitor the status of these networks.

The two "networks" explanation makes sense.  Not sure why I didn't see this before but live and learn, I guess.

 

I've tried a website that tells you what your IP number (etc.) is, and I'm pretty sure it matched the static IP showing in Windows Network Connections.  I'll have to look into this some more, though.  If the ISP is changing the IP number for the outside world, then it seems a website will report back something different. (I don't think I tried this website on one of those "random days.")


dbrisendine wrote:
A "Shared Network" is one that you trust AND allow "Printer & File Sharing" on.  The rules in the Firewall General Rules are applied from top down to the bottom until one of the rules matches.  If the network is a "Shared Network", then the rules with the Shared Network notations will be applied.  In a non-Shared Network, the rule for the "Shared Network" will not be applied (wrong network type).  The Smart Firewall Rules have been set up so that the majority of users will be protected with the least amount of modification needed.  The rules for the "Shared Networks" are designed to allow the Printer / File Sharing communications on the network.

Also makes sense, thanks.  I had wondered if it might be a blanket set of rules covering bases for all users, and not just specific to our set up, as you suggest.

 


SendOfJive wrote:
The connection having to do with the Subnet Identifier probably looks like this: 127.0.0.0/255.0.0.0  This is the loopback for communications that are internal to your computer.

Yes, exactly right.  I was not aware of this either. Thanks.

 

To update:

 

A website that shows your IP number (etc.) shows the same static IP number for us even on those "random days" so it seems the ISP is not changing the IP number for safety/privacy reasons on these days and thus triggering the log in Security History of NIS 2010, showing a different gateway address.  Unless I'm missing something...

 

An unchanging static IP number brings up whole other issues, but they're not Norton issues.  The question remains what is different about the connection on those random days than the connection on most other days when the log entry is not entered in Security History.

 

It may not be a Norton issue at all though, unless some kind of glitch is causing NIS to only randomly log something that is always there.

 

If anyone has anything to add, please do.  Otherwise there doesn't seem to be much else to pursue on this topic as would relate to NIS 2010.

random2, it's not entirely clear to me what is going on, but a thought just occurred to me. Are you seeing multiple 'connected to a protected network' messages within a few minutes of each other and that's your concern? If that is the case, it is probably due to a slow network server. Since the gateway address seems to be changing at the time of these problems, that gateway is probably slower than your usual gateway and your ISP has temporarily switched to that gateway for maintenance on your regular gateway.

 

NIS's determination of your network depends upon a variety of factors of varying importance. If NIS only detects a low importance factor, it will report the network based upon that factor. If, a few moments/minutes later, it detects a higher importance factor it will now detect a 'new' network and report that detection. Usually, all of the factors are detected very quickly and only one detection is reported but when network servers are slow, you can see multiple detections of this nature.

 

This message rambled a bit. I hope that this is clear.

reese_anschultz wrote:

random2, it's not entirely clear to me what is going on, but a thought just occurred to me. Are you seeing multiple 'connected to a protected network' messages within a few minutes of each other and that's your concern? If that is the case, it is probably due to a slow network server. Since the gateway address seems to be changing at the time of these problems, that gateway is probably slower than your usual gateway and your ISP has temporarily switched to that gateway for maintenance on your regular gateway.


 

No, there aren't multiple 'connected to a protected network' messages within a few minutes of each other.

 

The computer is booted up each morning. Most days NIS reports nothing in regards to network connection.  Maybe 4 or 5 times a month, though, it posts a log entry in Security History that says we are "connected to a protected network."  The details read "Your computer is currently protected from the local network. Etc..."  If the computer is then immediately rebooted, the message usually does not come back again.

 

When I look at Windows Network Connections and check the status of the connection, it shows a Physical Address.  On those "random" occasions 4 or 5 times a month, everything in Windows Network Connections remains the same as on any other day, but the NIS log entry shows a Gateway Physical Address that is different from the Physical Address in Windows Network Connections.  Is it normal that it would be different?  That thought did occur to me.

 

The question remains then: Why does NIS only detect and report this on these random days, maybe 4 or 5 times a month and the rest of the time it reports nothing in regards to network connection when the computer is booted up?  Aren't we protected from the local network on the other days?  Obviously NIS is always functioning regardless, in other respects; it's always blocking inbound TCP connections, checking for viruses, analyzing downloads, etc.

I can confirm that the logs only show "Connected to a protected network" on some boots, not all. Some boots it will just say "User logged in", but no messages about being connected to a certain type of network. I have verified this on several computers with NIS 2010 installed. I think it's just a logging issue; you still connect to that protected network even when it doesn't appear in the logs, something that clicking on Network Security Map, then [Edit] below "Network details", will confirm, and full functionality remains.

 


Bombastus wrote:

I can confirm that the logs only show "Connected to a protected network" on some boots, not all. Some boots it will just say "User logged in", but no messages about being connected to a certain type of network. I have verified this on several computers with NIS 2010 installed. I think it's just a logging issue; you still connect to that protected network even when it doesn't appear in the logs, something that clicking on Network Security Map, then [Edit] below "Network details", will confirm, and full functionality remains.


Thanks for confirming that.  I had wondered if it might be a logging issue, as you suggest.  I've now checked the Network Security Map and it does confirm the functionality and Gateway Physical Address (yes, it is different from the Physical Address shown in Windows Network Connection) even though there is no NIS log entry in Security History for the most recent reboot.

 

 

I'll have to see if we can reproduce this in-house but I am aware of at least one other case where some events are not logged during start-up and this may be another. In that other case it really is just a logging issue; the event occurs before the logging portion of the product has started up and therefore doesn't get reported.

I have seen this happen on all computers with NIS on that I have checked; it should just take a few reboots to reproduce. At least 1 in 5 boots fail to produce the "Connected to a protected network" entry in the log. I have only checked computers with Windows 7 on, however, so I can't say anything about other OSes.