Some Norton/Symantec Firewall Observations (Long!)

Discussion in 'other firewalls' started by noway, Feb 20, 2006.

Thread Status:
Not open for further replies.
  1. noway
    noway Registered Member

    My first firewall was AtGuard 3.22 and I bought it about 3 weeks before
    WRQ sold the rights to Symantec. I liked AtGuard and used it on Win98SE
    and Win2000 (pre-SP4) without any problems. AtGuard checked applications
    by path only, so when Tiny/Kerio came along, I moved from AtGuard to Tiny/
    Kerio and happily used 2.1.5 for a while and moved to XP and XPSP2. When I
    heard reports about fragmented packet issues I tested it out for myself and
    then decided to look around a bit for "supplements". I tried combining Kerio
    2.1.5 with CHX-I 2.8.2 with no issues. Tried to combine it with CHX-I Beta
    3 Oct 10 and got a BSOD, likewise BSOD when combined with one version of
    cFosSpeed, while cFosSpeed 2.13.1059 worked ok. With mixed results on
    combining Kerio 2.1.5 with something else, I concluded that it may not be
    the greatest idea to run two firewalls at the same time. I know it can work.
    But I've also seen it fail. I figured I was destined to use the solid ZoneAlarm
    Plus 4.5.594, but I never liked it as much as AtGuard or Kerio or CHX-I. Then for
    Christmas I increased my computer's memory and decided that it might be time to
    revisit the Church of Symantec. I used a clean (no firewall ever installed) Drive
    Image before each install and restored it after testing each firewall. Tests were
    not extensive. I just tried them out until I found something that bugged me. For
    testing, I deleted all the default rules right away and used my own rules instead.

    First up. Symantec Client Security 2.0. Similar to Norton Internet Security, it
    is more designed for business use and priced accordingly. I disabled the antivirus
    services to test the firewall only. Firewall slowed my booting down by almost one
    minute, although it worked okay after booting. Downloaded the latest software
    update but still slow booting...even tried enabling antivirus with no change. So
    with this boot slowdown, I scratched this one off the list. It was old anyway.

    Next. Norton Internet Security 2004. Had an option to not install antivirus,
    which I selected during install, since I don't need their antivirus. The firewall
    has a vulnerability that normally needs LiveUpdate to patch and was also logging
    invalid packet dropped entries all over the log. I patched it (without using LiveUpdate
    ...don't ask!) but the Network Driver Update had the unfortunate side effect of preventing
    the intrusion detection module from turning on and off. This was fixable using LiveUpdate
    but I don't want to use an internet security app that could be vulnerable while I go online to
    fix it. I think they like this LiveUpdate because at any time they can turn it off for
    your old version and force you into upgrading to a newer version, putting revenues at a
    higher priority than online safety. I want it to work correctly out of the box, or have
    downloadable patches for fixes. The export/import rules/settings didn't work correctly
    either. I still needed to fiddle with some stuff after a restore. Strike that one off
    the list.

    Next was Norton Internet Security 2006. They have removed the option to install without
    the antivirus so I had to disable that stuff first. After install I went to Options to
    add Statistics (and Event Log) to the system tray right-click menu and the option was gone.
    I never even found the Statistics on this version. I had found it useful in previous versions
    if only for the Firewall Rules statistics, showing how many matches for each rule for the
    session. Also, the one-button export/import rules/settings was missing as well. This version
    was sure raising a lot of questions. I wasn't going to wait for any bugs to show up. Time to
    use Drive Image again.

    Next up was Symantec Client Security 3.0, another $$$ commercial version of Norton Internet
    Security. I had to install the antivirus with it, but I disabled the antivirus services
    and antivirus system tray icon after the install. Backup/restore settings worked fine.
    There was a new tab for enabling various "extended" protocols (stuff other than TCP, UDP, ICMP,
    IGMP) which were never part of Symantec options in the past. It ran very stable. No crashes.
    Used about 40 MB when GUI closed, about 60 MB with it open. Found a couple of minor bugs with the
    firewall rule logging and reported them to Symantec. They could have a really nice firewall
    here if they fix these logging bugs and allow the possibility of configuring rules for "extended"
    protocols using the rules dialog itself, rather than having just on/off switches for "extended"
    protocols on one tab. I used it for over a month but due to the logging bugs, I restored
    my old drive image.

    Finally we come to Norton Personal Firewall 2005. Thankfully it's just a firewall, so no
    antivirus to disable in addition to the stuff I normally disable, like Ad Blocking, Privacy,
    Intrusion Detection and Automatic Program Control. No export/import settings, but I can
    backup/restore the firewall rules easily using the file "firewall.rul", restoring it after
    first shutting down all the Norton processes using Task Manager. Uses about 32 MB with GUI
    closed. No slowdowns, no crashes, no logging issues. Statistics and Event Logs
    are easily accessible from the system tray icon and logging is excellent. I can even get
    it to log all the DHCP rules at boot, something some other firewalls have trouble doing that
    early. This is a standalone desktop computer, so I turned off the firewall's Network Detector
    and have the rules in one location zone (default) only. I needed a rule for svchost to Broadcast
    for DHCP and Norton firewalls don't allow using 255.255.255.255 as an address in the rules, so
    for this rule I used IP 255.255.255.254 and Mask 255.255.255.254 which will match for the
    address 255.255.255.255. So far, the firewall is working for me without issues. The
    cost of the product, the (lack of) quality of support, additional features, leaktest
    performance (within reason) and memory use (within reason) were not the most important
    considerations for me. I won't be using LiveUpdate on it, since I've seen too many
    other people have problems just from letting Symantec update their
    software this way. If I find a serious bug or future inbound vulnerability, off it goes.

    Although they are marketed as mass market products, I think these Norton/Symantec firewalls
    are best suited for users with some firewall experience. If they wanted a mass market product,
    Symantec probably should have bought the rights for ZoneAlarm instead of AtGuard.
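
The address/mask rule described in the post above, worked through as an added example (not part of the original post and not Symantec code). It assumes the usual rule semantics, where a packet address matches when it agrees with the rule address on every bit set in the mask; the function names are hypothetical, and the enumeration also covers non-contiguous masks, which goes beyond the single case in the post.

```python
import ipaddress


def _to_int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


def rule_matches(rule_ip: str, rule_mask: str, addr: str) -> bool:
    """Assumed semantics: compare only the bits that are set in the mask."""
    mask = _to_int(rule_mask)
    return (_to_int(addr) & mask) == (_to_int(rule_ip) & mask)


def matched_addresses(rule_ip: str, rule_mask: str, limit: int = 256) -> list:
    """List every address an IP/mask rule matches, in ascending order.

    Works for non-contiguous masks. Raises ValueError when the rule is so
    broad that listing it would exceed `limit` addresses.
    """
    mask = _to_int(rule_mask)
    base = _to_int(rule_ip) & mask
    # Bit positions the mask leaves unchecked ("don't care" bits).
    free_bits = [b for b in range(32) if not (mask >> b) & 1]
    if 2 ** len(free_bits) > limit:
        raise ValueError("rule matches more than %d addresses" % limit)
    values = []
    for n in range(2 ** len(free_bits)):
        value = base
        for i, bit in enumerate(free_bits):
            if (n >> i) & 1:
                value |= 1 << bit
        values.append(value)
    return [str(ipaddress.IPv4Address(v)) for v in sorted(values)]


if __name__ == "__main__":
    # The DHCP broadcast workaround from the post.
    ip, mask = "255.255.255.254", "255.255.255.254"
    print("matches broadcast:", rule_matches(ip, mask, "255.255.255.255"))
    print("full match set:  ", matched_addresses(ip, mask))
    # Constructed second case: a mask with a hole in it.
    print("non-contiguous:  ", matched_addresses("10.0.0.0", "255.255.255.250"))
```

Under that assumption the workaround rule covers 255.255.255.254 as well as the broadcast address, so it is one address wider than a literal 255.255.255.255 rule would be.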