Symantec Firewall/VPN 100 Price: $299

Ease of Use: Rating: 1

Pros: Firewall and VPN in one package for a reasonable price.
Cons: Yellow? And maybe a little too costly for some home users.


Symantec Firewall/VPN 100 

The Symantec Firewall/VPN 100 is an OEM version of the Nexland Pro 800 with a couple of changes. First, the 8-port switch has been replaced with a 4-port version to reduce the cost. Next, the unit is painted yellow, the standard Symantec color, and the management pages have gotten the yellow treatment too. The most important change, though, is the addition of VPN support: the Nexland model only passes IPSec traffic through to a host behind it, while the Symantec model can terminate IPSec tunnels itself and act as a VPN endpoint. 

This box is a little bigger than the other router/firewalls I’ve looked at. At almost 11” wide, it’s over three inches wider than both the Linksys and SonicWall boxes. Also, the RJ-45 ports are on the front of the unit rather than the back. This may cause some unsightly wiring, but isn’t a big issue. The back of the unit holds the power connector, a reset button, a power switch, a serial port and four DIP switches… 

Configuration of the unit is fairly simple. The DHCP server is enabled by default, so there’s no need to touch the IP configuration of your computer (assuming most people with existing cable connections are using DHCP anyway). The MAC address of the WAN interface can be changed, so if your ISP ties IP address assignment to the MAC address of the device it already knows, there’s no need to spend 30 minutes on hold registering a new one: write down the MAC address of the old device and enter it on the Symantec box. After the changes have been saved, the firewall should obtain an IP address from the ISP. 

The box has most of the features you would expect at this price: virtual servers, a DMZ host, port translation, access filters and IP grouping. Virtual server lets you host a web server, mail server or other service on your LAN and make it reachable from the Internet. A few pre-defined services make it easy to get started: check the “enable” box, type in the IP address of the server, save the changes, and you’re hosting. You can also add your own services and define which port(s) to forward and to what IP address and port to forward them. FTP servers are supported, but only in active mode. The DMZ host feature is similar to that of competing products: it exposes one computer to the Internet. Because a DMZ host receives every unsolicited inbound connection that no virtual server rule claims, it should be reserved for a machine you are prepared to have fully exposed. The Symantec firewall also does port translation, which means you can accept a connection at the firewall on one port and hand it to a completely different port on the server. 

You can reserve IP addresses with the DHCP server, which makes it easier to deal with servers. These reservations are based on the MAC address of the PC, and computers that are given such reservations can be assigned to IP groups, which in turn can be used to grant or restrict access to the Internet. By default, the group “Everyone” has full access to the Internet. This can easily be changed, and access can be restricted to about a dozen default services, or to a number of custom services that you define. 

I’m not too impressed with the logging feature. In addition to an internal log, it can also log to a syslog server, and by entering SMTP server info and an e-mail address you can have the log e-mailed to you when it fills up. That all sounds very good; unfortunately, what actually gets logged is not. I did a security scan using Symantec’s own web site. The result was all stealth (which is good), but the log only showed attempts on port 21 (ftp) and port 31. The Symantec probe apparently tested more than that: no NetBIOS activity was logged, nor the PcAnywhere, telnet or pop3 probes. A log that records only a fraction of a scan is of limited use for noticing that you were scanned. 
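The check above (what did the scanner try versus what did the firewall write down) is easy to make repeatable once the box is sending to a syslog server. The following is an added example, not code from the review or from Symantec: it parses constructed syslog lines in an assumed format (the real Firewall/VPN 100 line format is not documented here, so the regular expression is a placeholder to adjust), compares the destination ports that appear in DROP entries with the set of ports an external scan probed, and reports which probes left no trace. The probed-port set is likewise an assumption built from the services mentioned above.

```python
"""Measure how much of an external port scan a firewall's syslog output records.

Added example, not the review's or Symantec's code. The syslog line format and
the probed-port set are assumptions for illustration.
"""
import re
from collections import Counter

# Constructed sample syslog lines, in an assumed format, as a firewall might
# emit when it drops unsolicited inbound packets. Only two destination ports
# appear, mirroring the review's observation that a multi-port probe produced
# just a couple of log entries.
SAMPLE_SYSLOG = """\
Mar  4 21:15:02 fw100 fw: DROP TCP 203.0.113.7:42311 -> 198.51.100.9:21
Mar  4 21:15:02 fw100 fw: DROP TCP 203.0.113.7:42312 -> 198.51.100.9:31
Mar  4 21:15:03 fw100 fw: DROP TCP 203.0.113.7:42313 -> 198.51.100.9:21
Mar  4 21:15:04 fw100 fw: link up on WAN
"""

# Assumed set of ports the external scan tried: ftp, telnet, the port 31
# probe, pop3, NetBIOS (137-139) and pcAnywhere (5631/5632).
PROBED_PORTS = {21, 23, 31, 110, 137, 138, 139, 5631, 5632}

# Placeholder pattern for the assumed line format; adjust to the real one.
SYSLOG_RE = re.compile(
    r"DROP\s+(?P<proto>TCP|UDP)\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+):(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+):(?P<dport>\d+)"
)


def logged_ports(syslog_text):
    """Return a Counter of destination ports seen in DROP entries.

    Lines that do not match the DROP pattern (link messages, etc.) are ignored.
    """
    counts = Counter()
    for line in syslog_text.splitlines():
        m = SYSLOG_RE.search(line)
        if m:
            counts[int(m.group("dport"))] += 1
    return counts


def logging_coverage(syslog_text, probed_ports):
    """Compare probed ports with logged ports.

    Returns (seen, missed, ratio): the probed ports that have at least one log
    entry, the probed ports that were dropped without any entry, and the
    fraction of probed ports that were logged.
    """
    probed = set(probed_ports)
    seen = set(logged_ports(syslog_text)) & probed
    missed = probed - seen
    ratio = len(seen) / len(probed) if probed else 0.0
    return seen, missed, ratio


if __name__ == "__main__":
    seen, missed, ratio = logging_coverage(SAMPLE_SYSLOG, PROBED_PORTS)
    print("logged probes:     ", sorted(seen))
    print("unlogged probes:   ", sorted(missed))
    print(f"logging coverage:   {ratio:.0%}")
```

Run it against a real capture by feeding the syslog file contents in place of SAMPLE_SYSLOG and replacing PROBED_PORTS with the port list from the scanner you used; any port that ends up in the "unlogged" set was silently dropped, which is exactly the gap the review describes.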

The IPSec VPN feature works, too. I’ve managed to establish a VPN connection between the Symantec Firewall/VPN and a Raptor firewall. Throughput appears to be limited by bandwidth rather than encryption speed. I haven’t had a chance to test the IPSec pass-through feature yet, but I hope to do so soon (expect an update here). 

Unlike the Nexland models, the Symantec unit does not support TZO Dynamic DNS, but I hope this will be added in a firmware upgrade some time soon. OEMs usually lag behind with firmware upgrades, and since this model differs from the original, I expect even longer delays. 

Overall, this is a very good product. It’s easy to set up and configure. The web interface is fairly good; however, some of the more advanced features are not as self-explanatory as they could be. The manual comes as a PDF file on a CD, and it too has trouble explaining some of the advanced features. Although I’ve only had the unit for a short while, I have not experienced any issues with it. No resets required, no freezes, no hiccups. 

There have been a couple of comments about this firewall responding to ICMP echo requests (pings), and that this cannot be disabled. The fact that this firewall answers pings does not make it any less secure than any other firewall. An echo reply tells a scanner that an address is in use, but it exposes no service, and a firewall that drops every other unsolicited packet is no easier to break into for having answered a ping, so this is really a non-issue. Also see my piece on stealth.