Some Norton/Symantec Firewall Observations (Long!)

My first firewall was AtGuard 3.22 and I bought it about 3 weeks before
WRQ sold the rights to Symantec. I liked AtGuard and used it on Win98SE
and Win2000 (pre-SP4) without any problems. AtGuard checked applications
by path only, so when Tiny/Kerio came along, I moved from AtGuard to Tiny/
Kerio and happily used 2.1.5 for a while and moved to XP and XPSP2. When I
heard reports about fragmented packet issues I tested it out for myself and
then decided to look around a bit for "supplements". I tried combining Kerio
2.1.5 with CHX-I 2.8.2 with no issues. Tried to combine it with CHX-I Beta
3 Oct 10 and got a BSOD, likewise BSOD when combined with one version of
cFosSpeed, while cFosSpeed 2.13.1059 worked ok. With mixed results on
combining Kerio 2.1.5 with something else, I concluded that it may not be
the greatest idea to run two firewalls at the same time. I know it can work.
But I've also seen it fail. I figured I was destined to use the solid ZoneAlarm
Plus 4.5.594, but I never liked it as much as AtGuard or Kerio or CHX-I. Then for
Christmas I increased my computer's memory and decided that it might be time to
revisit the Church of Symantec. I used a clean (no firewall ever installed) Drive
Image before each install and restored it after testing each firewall. Tests were
not extensive. I just tried them out until I found something that bugged me. For
testing, I deleted all the default rules right away and used my own rules instead.

First up. Symantec Client Security 2.0. Similar to Norton Internet Security, it
is more designed for business use and priced accordingly. I disabled the antivirus
services to test the firewall only. Firewall slowed my booting down by almost one
minute, although it worked okay after booting. Downloaded the latest software
update but still slow booting...even tried enabling antivirus with no change. So
with this boot slowdown, I scratched this one off the list. It was old anyway.

Next. Norton Internet Security 2004. Had an option to not install antivirus,
which I selected during install, since I don't need their antivirus. The firewall
has a vulnerability that normally needs LiveUpdate to patch and was also logging
invalid packet dropped entries all over the log. I patched it (without using LiveUpdate
...don't ask!) but the Network Driver Update had the unfortunate side effect of preventing
the intrusion detection module from turning on and off. This was fixable using LiveUpdate
but I don't want to use an internet security app that could be vulnerable while I go online to
fix it. I think they like this LiveUpdate because at any time they can turn it off for
your old version and force you into upgrading to a newer version, putting revenues at a
higher priority than online safety. I want it to work correctly out of the box, or have
downloadable patches for fixes. The export/import rules/settings didn't work correctly
either. I still needed to fiddle with some stuff after a restore. Strike that one off

Next was Norton Internet Security 2006. They have removed the option to install without
the antivirus so I had to disable that stuff first. After install I went to Options to
add Statistics (and Event Log) to the system tray right-click menu and the option was gone.
I never even found the Statistics on this version. I had found it useful in previous versions
if only for the Firewall Rules statistics, showing how many matches for each rule for the
session. Also, the one-button export/import rules/settings was missing as well. This version
was sure raising a lot of questions. I wasn't going to wait for any bugs to show up. Time to
use Drive Image again.

Next up was Symantec Client Security 3.0, another $$$ commercial version of Norton Internet
Security. I had to install the antivirus with it, but I disabled the antivirus services
and antivirus system tray icon after the install. Backup/restore settings worked fine.
There was a new tab for enabling various "extended" protocols (stuff other than TCP, UDP, ICMP,
IGMP) which were never part of Symantec options in the past. It ran very stable. No crashes.
Used about 40 MB when GUI closed, about 60 MB with it open. Found a couple of minor bugs with the
firewall rule logging and reported them to Symantec. They could have a really nice firewall
here if they fix these logging bugs and allow the possibility of configuring rules for "extended"
protocols using the rules dialog itself, rather than having just on/off switches for "extended"
protocols on one tab. I used it for over a month but due to the logging bugs, I restored
my old drive image.

Finally we come to Norton Personal Firewall 2005. Thankfully it's just a firewall, so no
antivirus to disable in addition to the stuff I normally disable, like Ad Blocking, Privacy,
Intrusion Detection and Automatic Program Control. No export/import settings, but I can
backup/restore the firewall rules easily using the file "firewall.rul", restoring it after
first shutting down all the Norton processes using Task Manager. Uses about 32 MB with GUI
closed. No slowdowns, no crashes, no logging issues. Statistics and Event Logs
are easily accessible from the system tray icon and logging is excellent. I can even get
it to log all the DHCP rules at boot, something some other firewalls have trouble doing that
early. This is a standalone desktop computer, so I turned off the firewall's Network Detector
and have the rules in one location zone (default) only. I needed a rule for svchost to Broadcast
for DHCP and Norton firewalls don't allow using 255.255.255.255 as an address in the rules, so
for this rule I used IP 255.255.255.254 and Mask 255.255.255.254 which will match for the
address 255.255.255.255. So far, the firewall is working for me without issues. The
cost of the product, the (lack of) quality of support, additional features, leaktest
performance (within reason) and memory use (within reason) were not the most important
considerations for me. I won't be using LiveUpdate on it, since I've seen too many
other people have problems just from letting Symantec update their
software this way. If I find a serious bug or future inbound vulnerability, off it goes.
Although they are marketed as mass market products, I think these Norton/Symantec firewalls
are best suited for users with some firewall experience. If they wanted a mass market product,
Symantec probably should have bought the rights for ZoneAlarm instead of AtGuard.
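
The address/mask workaround in the post (IP 255.255.255.254 with Mask 255.255.255.254 standing in for 255.255.255.255) can be checked by enumerating everything such a rule covers. This is an added example, not part of the original post or of any Symantec code; it assumes the usual bitwise semantics, where a packet address matches when it equals the rule address in every bit the mask sets, which the post does not spell out. The function names are hypothetical.

```python
import ipaddress


def to_int(dotted):
    """Dotted-quad IPv4 string -> 32-bit integer."""
    return int(ipaddress.IPv4Address(dotted))


def rule_matches(rule_ip, rule_mask, addr):
    # Assumed semantics: compare only the bit positions where the mask is 1.
    mask = to_int(rule_mask)
    return (to_int(addr) & mask) == (to_int(rule_ip) & mask)


def matched_addresses(rule_ip, rule_mask, limit=4096):
    """List every address an IP/mask rule covers, in ascending order.

    Handles non-contiguous masks too, since a rule dialog that takes a raw
    mask does not have to restrict it to CIDR-style prefixes.
    """
    mask = to_int(rule_mask)
    base = to_int(rule_ip) & mask
    free_bits = [bit for bit in range(32) if not (mask >> bit) & 1]
    if 2 ** len(free_bits) > limit:
        raise ValueError("rule too broad to enumerate")
    covered = []
    for n in range(2 ** len(free_bits)):
        addr = base
        # Spread the bits of the counter n over the unmasked bit positions.
        for i, bit in enumerate(free_bits):
            if (n >> i) & 1:
                addr |= 1 << bit
        covered.append(str(ipaddress.IPv4Address(addr)))
    return covered


if __name__ == "__main__":
    # The rule from the post: one unmasked bit, so exactly two addresses.
    print(matched_addresses("255.255.255.254", "255.255.255.254"))
    # Constructed example of a non-contiguous mask (second-lowest bit free).
    print(matched_addresses("10.0.0.1", "255.255.255.253"))
```

Under that assumption the rule covers 255.255.255.254 as well as the limited broadcast address, so it is one address wider than a literal 255.255.255.255 rule would be.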