100 Price: $299
Ease of Use:
Pros: Firewall and VPN in one package for a reasonable
Cons: Yellow? And maybe a little too costly for some home users.
The Symantec Firewall/VPN 100 is an OEM
version of the Nexland Pro 800 with a couple of changes. First
off, they’ve replaced the 8-port switch with a 4-port
version in an effort to reduce the cost. Next, they painted it
yellow, the standard Symantec color, and the management pages
have also gotten the yellow treatment. The most important
change, though, is the addition of VPN support. The Nexland
model supports IPSec pass-through, while the Symantec model
can actually be an end-point.
This box is a little bigger than the
other router/firewalls I’ve looked at. At almost 11” wide,
it’s over three inches wider than both the Linksys and the
Sonicwall boxes. Also, the RJ-45 ports are on the front of the
unit rather than on the back. This may cause some unsightly
wiring, but isn’t a big issue. The back of the unit holds
the power connector, a reset button, a power switch, a serial
port and 4 dipswitches…
Configuration of the unit is fairly
simple. By default, the DHCP server is enabled, so there’s
no messing with the IP configuration of your computer (assuming
most people with existing cable connections are using DHCP
anyway). It is possible to change the MAC address of the WAN
interface, so if your service ties IP address assignment to the
MAC address it already knows, there’s no need to spend 30 minutes on
hold with the ISP to register a new one. Simply write
down the MAC address the ISP has registered, and enter it on the
Symantec box. After the changes have been saved, the firewall
should obtain an IP address from the ISP.
The box has most of the features you would
expect for such a box at this price: virtual servers, DMZ
host, port translation, access filters and IP grouping.
Virtual server allows you to host a web server, mail server or
other kinds of servers on your LAN and let people on the
Internet get access to these servers. There are a few
pre-defined services that make it easier to get started.
Simply check off the “enable” box, and type in the IP
address of the server. Once the changes are saved, you’re
hosting. You can also add your own services and define which
port(s) to forward and to what IP address and port to forward
them. Although FTP servers are supported, there is only
support for active-mode FTP. The DMZ host feature is similar to
that of comparable products: it allows one computer to be
exposed to the Internet. The Symantec firewall also does port
translation, which means you can accept a connection to the
firewall on one port but host the service on a completely
different port on the server.
You can reserve IP addresses with the
DHCP server, which makes it easier to deal with servers. These
reservations are based on the MAC address of the PC, and computers
that are given such reservations can be assigned to IP groups,
which in turn can be used to grant or restrict access to the
Internet. By default, the group “Everyone” has full access
to the Internet. This can easily be changed, and access can be
restricted to about a dozen default services, or to a number
of custom services that you can define.
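To make the reservation-to-group-to-rule chain concrete, here is a small model of it in Python. This is an added example written for this review, not the firmware’s own logic; the MAC addresses, group names, service names and the first-match precedence (specific groups before “Everyone”) are all assumptions, since the product does not document how overlapping groups are resolved. It puts the factory “Everyone has full access” setting beside a restricted group so the effect of the change is visible.

```python
"""Model of the DHCP reservation -> IP group -> access rule chain.
Hypothetical, constructed data; not the Symantec Firewall/VPN 100 firmware."""

ANY = "any"   # marker for "full access", the factory setting of the Everyone group

# Constructed DHCP reservations: MAC address -> reserved LAN address.
RESERVATIONS = {
    "00-11-22-33-44-55": "192.168.1.10",   # a workstation
    "00-11-22-33-44-66": "192.168.1.20",   # a PC that should only browse the web
}

# Constructed IP groups built from those reservations. "Everyone" is implicit
# and matches every LAN host, reserved or not.
GROUPS = {
    "Workstations": {"192.168.1.10"},
    "WebOnly": {"192.168.1.20"},
}

# Access rules, evaluated top to bottom: the first group that contains the
# host decides. Assumption: specific groups are listed before Everyone.
FACTORY_RULES = {"Everyone": ANY}                                   # as shipped
HARDENED_RULES = {"WebOnly": {"http", "https"}, "Everyone": ANY}   # after tightening


def reserved_ip(mac, reservations=RESERVATIONS):
    """Return the address the DHCP server hands to this MAC, or None."""
    return reservations.get(mac.lower())


def group_for(ip, rules, groups=GROUPS):
    """First rule group containing the host; Everyone matches any LAN host."""
    for name in rules:
        if name == "Everyone" or ip in groups.get(name, set()):
            return name
    return None


def outbound_allowed(ip, service, rules, groups=GROUPS):
    """Decide whether a LAN host may reach a named Internet service.

    Note that membership is keyed on the reserved IP, which in turn is keyed
    on the MAC address: this identifies a machine, it does not authenticate it.
    """
    name = group_for(ip, rules, groups)
    if name is None:
        return False          # no matching rule at all: deny (assumption)
    permitted = rules[name]
    return permitted == ANY or service in permitted


if __name__ == "__main__":
    pc = reserved_ip("00-11-22-33-44-66")
    for label, rules in (("factory", FACTORY_RULES), ("hardened", HARDENED_RULES)):
        print(label, pc, "telnet ->", outbound_allowed(pc, "telnet", rules))
```

With the factory rules every host, including the WebOnly PC, may use any service; with the hardened rules that PC is limited to web traffic while the workstation still falls through to “Everyone” and keeps full access.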
I’m not too impressed with the logging
feature. In addition to an internal log, it can also log to a
syslog server. By entering SMTP server info and an e-mail
address you can have the logs e-mailed to you when it fills
up. This all sounds very good. Unfortunately, the logging
isn’t very good. I did a security scan using Symantec’s
own web site. The result was all stealth (which is good), but
the log only showed attempts on port 21 (ftp) and port 31. The
Symantec probe apparently tested more than that. No NetBIOS
activity was logged, nor PcAnywhere, telnet or pop3 probes.
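The gap described above, between what a scan probed and what the firewall logged, is easy to measure if the unit is sending syslog. The following Python is an added example, not output or code from the product: the log lines are constructed to imitate a generic SOHO firewall’s “blocked inbound” message and do not reproduce the Symantec unit’s actual format, and the probed-port list is built from the services the review names (ftp, telnet, pop3, NetBIOS, pcAnywhere, and the unexplained port 31). It parses the lines, counts blocked attempts per destination port, and reports which probed ports never appeared in the log.

```python
"""Compare a firewall's syslog record against the ports an external scan probed.
Constructed sample data; the log format is a generic stand-in, not Symantec's."""
import re
from collections import Counter

# Constructed syslog lines (RFC 3164 style). Only ftp (21) and port 31 show up,
# mirroring what the review observed.
SAMPLE_SYSLOG = """\
<134>Jun 12 20:15:01 fw100 firewall: Blocked inbound TCP 203.0.113.7:4412 -> 198.51.100.20:21
<134>Jun 12 20:15:02 fw100 firewall: Blocked inbound TCP 203.0.113.7:4413 -> 198.51.100.20:31
<134>Jun 12 20:15:03 fw100 firewall: Blocked inbound TCP 203.0.113.7:4414 -> 198.51.100.20:21
<134>Jun 12 20:15:04 fw100 dhcpd: lease 192.168.1.10 renewed
"""

# Ports the scan is assumed to have probed (constructed from the services the
# review names; pcAnywhere uses TCP 5631, NetBIOS session service TCP 139).
PROBED_PORTS = {
    21: "ftp",
    23: "telnet",
    31: "port 31",
    110: "pop3",
    139: "netbios-ssn",
    5631: "pcanywhere",
}

LINE_RE = re.compile(
    r"Blocked inbound (?P<proto>TCP|UDP) "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3}):(?P<sport>\d+) -> "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3}):(?P<dport>\d+)"
)


def parse_blocked(text):
    """Yield (proto, source address, destination port) per blocked line; skip the rest."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m["proto"], m["src"], int(m["dport"])


def logged_ports(text):
    """Count blocked inbound attempts per destination port."""
    return Counter(dport for _, _, dport in parse_blocked(text))


def coverage_gap(text, probed):
    """Return the probed ports for which the log holds no entry at all."""
    seen = logged_ports(text)
    return sorted(port for port in probed if port not in seen)


if __name__ == "__main__":
    for port, count in sorted(logged_ports(SAMPLE_SYSLOG).items()):
        print(f"port {port:>5}: {count} blocked attempt(s)")
    for port in coverage_gap(SAMPLE_SYSLOG, PROBED_PORTS):
        print(f"port {port:>5} ({PROBED_PORTS[port]}): probed but never logged")
```

Run against a real capture, the “probed but never logged” list is the thing to look at: a stealth result from the scanner only tells you the probes were dropped, while the log tells you whether you would have noticed them.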
The IPSec VPN feature works, too. I’ve
managed to establish a VPN connection between the Symantec
Firewall/VPN and a Raptor firewall. Throughput appears to be
limited by bandwidth rather than encryption speed. I haven’t
had a chance to test the IPSec pass-through feature yet, but I
hope to have a chance to test that sometime soon (expect an
Unlike the Nexland models, the Symantec
unit does not support TZO Dynamic DNS, but I hope this
will be added in a firmware upgrade some time soon. OEMs
usually lag behind with firmware upgrades, and since this
model differs from the Nexland original, I expect even longer delays.
Overall, this is a very good product.
It’s easy to set up and configure. The web interface is
fairly good; however, some of the more advanced features may not
be as self-explanatory as they could be. The manual comes as a
PDF file on a CD, and it too has some problems explaining some
of the advanced features. Although I’ve only had the unit
for a short while, I have not experienced any issues with it.
No resets required, no freezes nor hiccups.
There have been a couple of comments regarding this firewall responding
to ICMP echo requests (pings), and that this cannot be
disabled. The fact that this firewall responds to pings does
not in any way make it less secure than any other firewall.
There is absolutely no security benefit in your firewall not
responding to pings, so this is really a non-issue. Also see
my piece on stealth.
© 2002 HansenOnline.net