Norton Internet Security 2011 firewall

Discussion in 'other firewalls' started by vincenzo, Dec 6, 2010.

Thread Status:
Not open for further replies.
  1. vincenzo

    vincenzo Registered Member

    Joined:
    Nov 28, 2005
    Posts:
    151
    The NIS 2011 firewall never asks me for permission regarding outgoing communication, apparently because it is updated with info on what is safe or not.

    Is this level of protection less secure than other firewalls?

    Thanks
     
  2. LODBROK

    LODBROK Guest

    It never asks as you're using apps and connectivity considered trusted and safe by NIS as you deduced.

    I have my firewall set to allow only port 80 and 443 TCP connectivity and to ask for anything else.
    This is why I get alerts when this kind of stuff happens when browsing (edited entries from the log file):
    nn/nn/2010 16:59:38 c:\program files\... Access network TCP [Local host : 5690] -> [nnn.136.nnn.241 : 843]
    nn/nn/2010 16:59:40 c:\program files\... Access network TCP [Local host : 5698] -> [nnn.136.nnn.241 : 5050]
    nn/nn/2010 10:11:26 c:\program files\... Access network TCP [Local host : 1957] -> [nnn.185.nnn.185 : 8080]


    Nor will you most likely ever see alerts for activity associated with the local proxy:
    nn/nn/2010 11:05:31 c:\program files\... Access network TCP [Local host : 7190] -> [127.0.0.1 : 7189]

    I don't engage in risky surfing (warez, pr0n, public P2P, etc.) and I see CONSIDERABLE AMOUNTS of this non-standard port activity. I am firm in my belief there is absolutely no reason whatsoever for an Internet app to use any ports other than 80 and 443.

    Similarly, any non-network app I run that wants to "phone home" for whatever reason will evoke an alert.

    In ask mode, I can block or allow as I determine while I also have rules to persistently block ports. Like 1935 for Flash RTMP.

    Rules for other networking are also pretty hard, i.e. port 53 UDP only for my two DNS servers. I don't have a current entry in my logs but I have actually blocked port 53 TCP and UDP browser connections to servers other than my configured two.

    Submitting to ultimate paranoia, I have ask set for all ports and all protocols for explorer.exe.

    I'm not sure if NIS allows this level of granularity in its firewall; in my recollection, it does not. Nor do almost all current mainstream suite firewalls as they are designed (wisely) to relieve the user of such tedious and obscure configuration and decision making. In the case of that connection to port 843 I logged, any malicious activity as a result of NIS (or any AV suite) allowing it would require nabbing the bad stuff with its downstream components (signatures, heuristics, behavior blocking...).

    "Is this level of protection less secure than other firewalls?"
    Limiting the discussion to firewalls, it is less secure in the opinion of someone with my level of expertise in this arena.
    Of course, the real answer lies at the end of much heated debate. ;)
     
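The per-port policy LODBROK describes above (allow TCP 80/443, persistently block TCP 1935, UDP 53 only to the two configured resolvers, prompt for everything explorer.exe does, prompt for anything else), run over log lines in the format quoted in that post. This is an added example and not code or data from any post in this thread; the sample log lines, program paths, resolver addresses and the decision to allow loopback traffic are constructed for the illustration, not the poster's real log or configuration.

```python
import re
from dataclasses import dataclass
from ipaddress import ip_address

# Constructed sample entries in the layout of the excerpts quoted in the post.
# Dates, paths and addresses are placeholders, not the poster's real data.
SAMPLE_LOG = """\
01/01/2010 16:59:38 c:\\program files\\browser\\browser.exe Access network TCP [Local host : 5690] -> [192.0.2.10 : 843]
01/01/2010 16:59:40 c:\\program files\\browser\\browser.exe Access network TCP [Local host : 5698] -> [192.0.2.10 : 5050]
01/01/2010 16:59:41 c:\\program files\\browser\\browser.exe Access network TCP [Local host : 5700] -> [192.0.2.10 : 443]
01/01/2010 10:11:26 c:\\program files\\browser\\browser.exe Access network TCP [Local host : 1957] -> [198.51.100.7 : 8080]
01/01/2010 11:05:31 c:\\program files\\suite\\proxy.exe Access network TCP [Local host : 7190] -> [127.0.0.1 : 7189]
01/01/2010 12:00:00 c:\\program files\\browser\\browser.exe Access network UDP [Local host : 51000] -> [192.0.2.53 : 53]
01/01/2010 12:00:01 c:\\program files\\browser\\browser.exe Access network UDP [Local host : 51001] -> [203.0.113.9 : 53]
01/01/2010 12:00:02 c:\\program files\\player\\flash.exe Access network TCP [Local host : 51002] -> [192.0.2.20 : 1935]
01/01/2010 12:00:03 c:\\windows\\explorer.exe Access network TCP [Local host : 51003] -> [192.0.2.30 : 443]
"""

# One log line: "<date> <time> <program path> Access network <proto> [Local host : <sport>] -> [<dst> : <dport>]"
LOG_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) (?P<program>.+?) Access network "
    r"(?P<proto>TCP|UDP) \[Local host : (?P<sport>\d+)\] -> "
    r"\[(?P<dst>[\d.]+) : (?P<dport>\d+)\]$"
)

@dataclass(frozen=True)
class Entry:
    program: str
    proto: str
    sport: int
    dst: str
    dport: int

def parse_line(line):
    """Parse one log line into an Entry, or return None if it is not a connection record."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return Entry(m["program"].lower(), m["proto"], int(m["sport"]), m["dst"], int(m["dport"]))

# Policy parameters, all assumed for the example.
DNS_SERVERS = {"192.0.2.53", "192.0.2.54"}   # "my two DNS servers"
ALWAYS_ASK_PROGRAMS = {"explorer.exe"}       # ask for all ports and protocols
PERSISTENT_BLOCK_TCP = {1935}                # e.g. Flash RTMP
ALLOWED_WEB_TCP = {80, 443}

def decide(e):
    """Return 'allow', 'block' or 'ask' for one connection, first matching rule wins."""
    name = e.program.rsplit("\\", 1)[-1]
    if name in ALWAYS_ASK_PROGRAMS:
        return "ask"
    if ip_address(e.dst).is_loopback:            # local proxy traffic: allowed silently
        return "allow"
    if e.proto == "TCP" and e.dport in PERSISTENT_BLOCK_TCP:
        return "block"
    if e.dport == 53:                             # DNS: UDP only, and only to the configured resolvers
        if e.proto == "UDP" and e.dst in DNS_SERVERS:
            return "allow"
        return "block"
    if e.proto == "TCP" and e.dport in ALLOWED_WEB_TCP:
        return "allow"
    return "ask"                                  # anything else prompts the user

def evaluate_log(text):
    """Parse every line of a log and pair it with the policy's verdict."""
    results = []
    for line in text.splitlines():
        e = parse_line(line)
        if e is not None:
            results.append((e, decide(e)))
    return results

def verdicts(text):
    return [v for _, v in evaluate_log(text)]

if __name__ == "__main__":
    for e, v in evaluate_log(SAMPLE_LOG):
        print(f"{v:5s} {e.proto} {e.dst}:{e.dport} {e.program}")
```

Run against the sample, the three non-standard ports quoted in the post (843, 5050, 8080) all come back as "ask", the loopback proxy connection and the normal 443 connection are allowed, DNS to a resolver outside the configured pair and the RTMP connection are blocked, and explorer.exe prompts even on 443. Rule order matters: the explorer.exe rule sits first so that it is not shadowed by the generic 80/443 allow.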
  3. phaser

    phaser Registered Member

    Joined:
    May 28, 2010
    Posts:
    35
    From what I've seen, NIS 2011 allows "outgoing communication" for any program (unless it finds it to be malware), which is not safe at all.
    You should disable "Automatic Program Control" (in Network Settings / Smart Firewall > Advanced Settings) in order to be notified when a program tries to access the internet.
     
  4. ALookingInView

    ALookingInView Registered Member

    Joined:
    Sep 14, 2009
    Posts:
    365
    Bingo.
     
  5. vincenzo

    vincenzo Registered Member

    Joined:
    Nov 28, 2005
    Posts:
    151
    Thanks for the replies.

    From poking around in Norton's rules, it does indeed seem to allow outbound for all applications. Does it have any way of knowing if malware modifies a program so that the program does the malware's bidding?
     
  6. pegr

    pegr Registered Member

    Joined:
    Apr 8, 2008
    Posts:
    2,279
    Location:
    UK
    I've never used Norton so I can't say for sure but my understanding from what I've read is that all of the components of the suite work together to determine the status of each program and hence the appropriate course of action to take. This involves the use of whitelisting, blacklisting, and reputation scoring to determine the status of each program.

    Programs that are determined to be good are simply allowed outbound access by the firewall; programs that are determined to be bad are automatically disallowed outbound access and quarantined as necessary; programs whose status is unknown are allowed outbound access but kept under supervision and subjected to behavioural monitoring in order to assign a credit rating, at which time the appropriate action will be taken if bad behaviour starts to occur.

    Please forgive me if I've got any of the details wrong, but I think that's the general idea.
     
  7. vincenzo

    vincenzo Registered Member

    Joined:
    Nov 28, 2005
    Posts:
    151
    OK, thanks to all for the info.
     
  8. dbrisendine

    dbrisendine Registered Member

    Joined:
    Jul 15, 2006
    Posts:
    51
    Location:
    BC, Canada
    Yes, NIS2009 versions and forward (NIS2009 -> NIS2011) do monitor application files for modifications and react accordingly. Since the changed application no longer matches the 'original' file used to create the firewall rule, a new judgment of the modified file and its network traffic is produced.
     
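The mechanism pegr and dbrisendine describe above (whitelist, blacklist and reputation score deciding good/bad/unknown; unknown programs allowed under behavioural supervision; a rule tied to the file it was created from, so a modified file is judged afresh) sketched as working code. This is an added illustration of the general technique and not Norton's implementation or code from any post in this thread; the class name ProgramControl, the score thresholds, the two-event behaviour threshold and the sample programs are all assumed for the example.

```python
import hashlib
from dataclasses import dataclass

# Thresholds on a 0..100 reputation score; values assumed for the example.
GOOD_THRESHOLD = 70
BAD_THRESHOLD = 30
BAD_EVENTS_BEFORE_BLOCK = 2   # assumed behavioural-monitor threshold

@dataclass(frozen=True)
class Verdict:
    action: str   # "allow", "block" or "supervise"
    reason: str

class ProgramControl:
    """Hypothetical program control: decides outbound access per file and re-judges modified files."""

    def __init__(self, whitelist=(), blacklist=(), reputation=None):
        self.whitelist = set(whitelist)            # SHA-256 digests known good
        self.blacklist = set(blacklist)            # SHA-256 digests known bad
        self.reputation = dict(reputation or {})   # digest -> score
        self.rules = {}                            # path -> (digest the rule was made from, Verdict)
        self.bad_events = {}                       # digest -> list of observed bad behaviour

    @staticmethod
    def fingerprint(content):
        return hashlib.sha256(content).hexdigest()

    def classify(self, digest):
        """Whitelist/blacklist first, then reputation, then 'unknown' under supervision."""
        if digest in self.blacklist:
            return Verdict("block", "blacklisted")
        if digest in self.whitelist:
            return Verdict("allow", "whitelisted")
        score = self.reputation.get(digest)
        if score is None:
            return Verdict("supervise", "unknown program, allowed under behavioural monitoring")
        if score >= GOOD_THRESHOLD:
            return Verdict("allow", f"reputation {score}")
        if score <= BAD_THRESHOLD:
            return Verdict("block", f"reputation {score}")
        return Verdict("supervise", f"reputation {score}")

    def outbound(self, path, content):
        """Decide an outbound connection for the program at `path` whose on-disk bytes are `content`."""
        digest = self.fingerprint(content)
        cached = self.rules.get(path)
        if cached is not None and cached[0] == digest:
            return cached[1]                       # file unchanged: reuse the existing rule
        verdict = self.classify(digest)            # new or modified file: judge it again
        self.rules[path] = (digest, verdict)
        return verdict

    def report_behaviour(self, path, event):
        """Behavioural monitor: repeated bad events turn a supervised program into a blocked one."""
        digest, verdict = self.rules[path]
        if verdict.action != "supervise":
            return verdict
        events = self.bad_events.setdefault(digest, [])
        events.append(event)
        if len(events) >= BAD_EVENTS_BEFORE_BLOCK:
            self.blacklist.add(digest)             # remembered for any path with these bytes
            verdict = Verdict("block", f"bad behaviour: {'; '.join(events)}")
            self.rules[path] = (digest, verdict)
        return verdict

def demo():
    """Walk through: trusted file -> modified file re-judged -> supervised -> blocked. Returns the actions."""
    original = b"browser v1"                      # constructed stand-in for a trusted binary
    patched = b"browser v1 + injected code"       # same path, modified on disk
    pc = ProgramControl(whitelist={ProgramControl.fingerprint(original)})
    path = "c:\\apps\\browser.exe"
    actions = [pc.outbound(path, original).action]          # whitelisted: allow
    actions.append(pc.outbound(path, patched).action)        # hash no longer matches: unknown, supervise
    actions.append(pc.report_behaviour(path, "writes autorun key").action)
    actions.append(pc.report_behaviour(path, "injects into another process").action)
    actions.append(pc.outbound(path, patched).action)        # now blacklisted: block
    return actions

if __name__ == "__main__":
    print(demo())
```

The point of keying the rule on the file digest rather than the path is the one dbrisendine makes: once the bytes at that path change, the old "allow" is not inherited. The usual caveat for any design like this is that a digest of the on-disk file says nothing about what was loaded into the process at runtime, so code injected into an already-trusted process still sends its traffic under that process's rule; that is the gap the behavioural monitoring and the other suite components are there to cover.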
  9. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    5,135
    Location:
    USA
    This is the pivotal point. If you want/need the suite to make the decisions then I think NIS brings to bear quite a lot of technology. If you're smart enough to make the choices yourself and don't mind doing so you can probably do a better job than the software AI. I managed my software firewalls for years, but eventually grew tired of it. Now I let NIS handle it. We're always striking a balance between what we do and what we delegate :)
     