An edited version of this paper with the title "One-Stop Home Security" originally appeared in the April 2001 issue of Information Security Magazine (www.infosecuritymag.com). Copyright © 2001. All rights reserved.
During the last week of January, I attended the ComNet show in Washington, D.C., to give a couple of talks (one on small office and home security, as it happens). A local ISP provided connections to the conference rooms. I jacked in to get some last-minute information and within 5 minutes was being slammed with all sorts of SNMP (Simple Network Management Protocol) discovery messages and port probes. Within 10 minutes, someone did a SubSeven port probe.
The problem of bad guys out there on the Internet looking for any system with any vulnerability that can be possibly exploited is real. Keeping oneself off of the 'Net is not the right solution. But as long as you're on the Internet, you're exposed to a mass of port scans, the probing of your system by individuals looking for exposures in your system. Windows platforms default to binding file and print sharing to TCP/IP, meaning that your files and even your printer may be visible to anyone who is looking. Downloads from some sites may result in your obtaining a Trojan horse. E-mails often contain viruses. What's a person to do?
Symantec's Internet Security products are targeted at perhaps the most vulnerable population on the Internet, "non-professional" home users, although their software firewall products contain some features that are aimed right at the security-savvy power user.
Overview
The Norton Internet Security products are aimed at the home market and users employing Windows 9x, ME, NT 4.0 Workstation, or Windows 2000 Professional Workstation. The security product suite has three products that differ only in depth of features (and, of course, price).
The first product is the Norton Personal Firewall (NPF) which provides basic personal firewall and privacy controls. The company's philosophy is that complete Internet security requires both firewall and anti-virus software on the system, and NPF is targeted at those customers who already have Norton Anti-Virus (NAV) software.
For users who don't have NAV already installed, the recommended product is Norton Internet Security (NIS). NIS includes NPF and NAV, and adds advertisement blocking as well. For users who wish to add parental content control and support for multiple users of the same computer, then NIS Family Edition has the right set of features.
Symantec sent me a CD with what the readme file said was a pre-alpha version of NIS 2001 3.0, the next version of the software scheduled to hit the streets. I installed it on an 800-MHz Pentium III running Windows ME. In the spirit of full disclosure, I am a current user of Norton Anti-Virus and have been using anti-virus and other software from Norton for over ten years. In this case, I installed only the firewall and allowed it to "integrate" with the NAV software that was already in place.
Like most software today, installation was via an installation wizard that walked me through the entire process. Installation, as is often the case, also included product registration which caused me two problems. First, registration included a survey that ostensibly has nine questions (I only got two questions but they were listed as numbers 1 and 2 "of 9".) Second, I couldn't register because the software is very tied to Internet Explorer and IE's ability to find an Internet connection. Since I don't use IE, it wasn't properly configured and the software couldn't find my modem, probably because I don't have one and the software couldn't find my Internet connection via the LAN card. As a result, when I tried Live Update to get the latest firewall rules, the update failed. As of this writing, I don't know whether my product is registered or not and there's no option within the program to tell. Live Update, a wonderful feature of Norton products, does work but it only seems to want to download anti-virus signatures for my bona fide, already-owned NAV software. In any case, the registration and survey process took significantly longer than installing the base software.
Configuration
True to its aim at the home user, NIS pretty much auto-configures itself. It then brings up the Security Assistant, which lets the user step through the many features and examine and modify the current configuration (Figure 1).
FIGURE 1: The Security Assistant dialogue box is used to configure the NIS firewall.
The first set of items that the user can configure is listed under Configure Norton Internet Security. Personal Firewall settings allow the user to set a security level. By default, NIS runs at a "medium" level which automatically blocks access unless permitted by the user and protects the system with occasional alert messages. A "high" level provides more alerts and the "minimal" level provides little protection and no alerts. You can also create a custom level and specifically configure handling of Java and ActiveX.
Privacy Control is a very nice feature that allows a user to mark certain information such as a name, home or e-mail address, bank account or credit card number, or social security number as private. Before any of this information is sent from the computer, the user will be notified and asked if it is OK to send.
FIGURE 2: The Internet Access Control is used to control applications through the firewall.
Application Control is another nice feature that tries to balance varying levels of user control with varying levels of user sophistication. When NIS installs itself, it automatically recognizes some applications that, if installed, should be allowed to access the Internet without obtaining the user's permission; my system, for example, allows IE, Navigator, FTP, Eudora, Outlook Express, Telnet, etc. to have such access. It also allows programs that I wouldn't have guessed to access the Internet, such as Excel, PowerPoint, Word, and Windows Explorer (Figure 2). The user can alter what programs access the Internet later, but this is a good first pass, particularly for the typical user. The philosophy of this product is that if every application asked the user for explicit access permission, the user would eventually just automatically click OK and not distinguish netscape.exe sending to port 80 from server.exe listening on port 27374 (which happens to be the SubSeven Trojan server and is a Bad Thing). Part of the Live Update process includes a set of acceptable default programs; all others require explicit user permission.
Home Networking is where users can configure trusted and untrusted systems. In my case, there are several hosts to which I connect regularly, such as my ISP's Web and e-mail servers, that scan for an open port on my system and try to authenticate me before allowing a connection. Since these events are normal and expected rather than attacks, I list those hosts as "trusted" and I don't get alerts when I connect with those hosts and applications.
The Norton Antivirus section is where I can configure NAV features. Ad Blocking blocks incoming advertisements from Web sites. NIS also provides a mechanism so that IE users that get ads that are displayed using non-standard means can also have those blocked.
The next section is titled Learn About Internet Security and these are primarily informational. Under Internet Status, in particular, the user can see the security status (e.g., whether NIS is running or not, and statistics on last attack, number of recent attacks, and most frequent recent attacker) and reporting level (high, medium, or minimal).
The Program
One of the important options of the program, naturally, is the ability to see what's going on and this is the function of the Event Log. The Options menu in the main NIS console (see Figure 2) allows the user to manage the firewall or the NAV software. Firewall management (Figure 3) provides access to the event log, statistics, and advanced options.
FIGURE 3: The Internet Security Options dialogue box provides access to many of the reporting features.
FIGURE 4: The NIS Event Log connections tab shows everywhere your browser has been.
The Event Log can provide an exhaustive amount of information; the Connections tab, for example, displays every remote connection and includes the local host's port number, duration of the connection, and the number of bytes sent and received (Figure 4). The Firewall tab displays all invocations of any firewall rule. A more interesting and useful display is that of the Alerts tab, which lists every attempted rule violation and where users can really see any attempted attacks (Figure 5).
FIGURE 5: The NIS Event Log alerts tab shows all of the security events that have occurred.
A large amount of TCP, UDP, and IP statistics are also available through this option although, unfortunately, the Event Log and Statistics are only viewable when NIS is enabled. If you disable the firewall, you lose the ability to view the log or stats. Advanced options allow the user to more precisely define ad blocking, privacy, and active content parameters.
To test the firewall capabilities of the software, I went to http://grc.com. Prior to installing NIS, a GRC port scan to my system found TCP port 21 (FTP) to be invisible (stealth mode); ports 23 (Telnet), 25 (SMTP), 79 (finger), 80 (HTTP), 110 (POP3), 113 (AUTH), 143 (IMAP), and 443 (SSL) visible but closed; and port 139 (NetBIOS session) open (although no connection could be made to my computer on that port). After installing NIS and using default settings, all of the above ports were invisible to the port scan which is, of course, the desired outcome.
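The three results the scan reports (open, visible but closed, and invisible or "stealth") correspond to three different outcomes of a plain TCP connection attempt. The sketch below is an added example, not part of the original review and not GRC or Symantec code; the function names are hypothetical, and the port list is the one given above.

```python
import socket

# Ports and service names as listed in the review's GRC scan results.
REVIEW_PORTS = {21: "FTP", 23: "Telnet", 25: "SMTP", 79: "finger", 80: "HTTP",
                110: "POP3", 113: "AUTH", 139: "NetBIOS session",
                143: "IMAP", 443: "SSL"}


def probe_state(host, port, timeout=2.0):
    """Classify one TCP port using the review's three categories."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"         # handshake completed: a service answered
    except ConnectionRefusedError:
        return "closed"           # host sent a reset: visible but closed
    except socket.timeout:
        return "stealth"          # no reply at all: the probe was dropped
    except OSError:
        return "unreachable"      # routing/ICMP error, not a port state


def audit(host, ports=REVIEW_PORTS, timeout=2.0):
    """Probe every listed port and return {port: state}."""
    return {port: probe_state(host, port, timeout) for port in ports}


def exposed(results):
    """Ports that reveal the host exists (anything that drew a reply)."""
    return sorted(p for p, s in results.items() if s in ("open", "closed"))


if __name__ == "__main__":
    # Loopback is used here only so the script runs anywhere.
    results = audit("127.0.0.1")
    for port, state in sorted(results.items()):
        print(f"{port:>5}  {REVIEW_PORTS[port]:<16} {state}")
    print("ports that drew a reply:", exposed(results))
```

Loopback traffic does not exercise a personal firewall's inbound rules, so a before-and-after comparison like the one in the review means running the audit from a second machine against the protected host's own address.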
NIS did well on another GRC test. Leaktest is a program that checks outbound communication. Most personal firewall software only blocks inbound connections and protects you from external attack. But if a Trojan such as SubSeven, NetBus, or BackOrifice does get planted on your system, it can be detected by a firewall that also checks outbound connections. To date, few firewalls pass the Leaktest; NIS is one that does. And according to the folks at Symantec, there's a lot more going on under the hood that the user doesn't even see such as automatic blocking of malicious scripts that might contain viruses, where the blocking is based upon heuristics in the absence of a specific attack signature.
Unfortunately, I also found a heavy cost to using NIS in terms of performance. I went to several sites to test my throughput with and without NIS enabled and found a 25-30% decrease in throughput while NIS was running. This performance hit wasn't particularly fatal since I'm running on a cable modem but it would be far more noticeable on a 56 kbps modem.
According to the documentation, there are some circumstances where files on the system running NIS can't be shared with other computers on a home network because NetBIOS is blocked. Instructions come with NIS telling users how to allow file sharing (although the instructions I received didn't match the software I had), including the caveat that the computer's NetBIOS name is now accessible from the Internet. Although file sharing is still protected, this is minor consolation; I should be able to allow NetBIOS to only be used on the trusted internal network and blocked otherwise.
CONCLUSION
I basically liked this software but am very sorry that Symantec supplied Information Security Magazine with a pre-alpha release of the software. I found the software to have a number of bugs and annoyances that I hope were due to its pre-release nature. I also found the program itself to be slow, where I would sometimes click on a menu item and it would take several seconds for a submenu or display item to appear.
In many ways, this software provides an outstanding tool with enterprise-quality features that has been crammed into a consumer product. The features and capabilities are almost too much for the "normal" home user although, to its credit, it comes out of the box ready to go.
Bottom-line: If you don't have any protection and are interested in a firewall, anti-virus software, and content filtering, this software is probably well worth the $80 price tag. But if you already have anti-virus software and only want basic firewall protection, it is hard to resist at least considering a high-quality free package such as ZoneAlarm.
SNAPSHOT REVIEW
Norton Personal Firewall $49.95 (plus $6.95 for annual firewall rule subscription after first year)
Norton Internet Security $69.95 (plus $10.95 for annual anti-virus and firewall rule subscription after first year)
Norton Internet Security Family Edition $79.95 (plus $19.95 for annual anti-virus and firewall rule subscription after first year)
Symantec
http://www.symantec.com/homecomputing
PROS
All of these products are easy to install and use good default settings so that they come out of the box ready to go; the Security Assistant is very helpful for any desired customization. There is excellent integration with Norton Anti-Virus software and this provides a really nice total security package with some enterprise-quality features. The Family Edition, in particular, offers many nice features for content management and multiuser support.
CONS
Product registration is tied to Internet Explorer settings and it is somewhat problematic getting the software registered in the absence of IE. Because there are so many features, actually getting access to them may be a little confusing for the neophyte user and it is not always clear how to go about configuring what parameter. The software is a little slow and there is a noticeable effect on throughput.
VERDICT
The Family Edition suite is an excellent single package for family environments with no current protection. The firewall alone is reasonably powerful and not terribly expensive. The consumer marketplace, however, might still be attracted to less expensive products even with fewer features since the protection might be comparable.
About the Author: Gary C. Kessler is an Assistant Professor and program coordinator of the Computer Networking major at Champlain College in Burlington, Vermont, and an independent consultant and writer. His e-mail address is kumquat@sover.net.