Symantec continues to polish and enhance its flagship Norton Internet Security suite. The 2008 edition adds full-scale password and identity management, and its new BrowserDefender technology offers even stronger defense against Web-based attacks. Borrowing a page from Norton 360's playbook, NIS 2008 now offers a built-in, multilayered help system. For the multicomputer home, it now includes a network map and optional remote monitoring of other NIS 2008 installations. Antispam and parental controls remain second-class citizens, present only if you install the optional Add-On Pack.

Organizationally, the main screen is little different from that of NIS 2007, though it has traded its cheerful blue background for a tougher-looking patterned black. You still get an overview of all the security modules and a great big icon that reflects overall status. If it's anything but the green check mark that means fully protected, just click Fix Now to set everything right.

Fabulous Firewall

The suite's firewall puts all ports in stealth mode, making them invisible to hackers—that almost goes without saying with modern firewalls. The NIS 2008 firewall blocked all my Web-based tests; in several cases it reported a port-scan attack and blocked the "attacker" for half an hour. As in previous versions of NIS, the latest firewall is armor-plated against attack by malware. I couldn't find any way to disable it programmatically (and believe me, I tried). Panda's firewall was also pretty tough, but it gave way to my last-resort attack using fake mouse clicks—NIS resisted even that attack. And BitDefender Total Security 2008? Well, I showed that a malicious program could turn off that suite's protection by disabling essential services—it needs to get tough, like the other two!

Symantec was an early proponent of the rising trend to put responsibility for security decisions where it belongs—with the security software. Like Panda's firewall, NIS 2008's never asks you whether this or that program should be allowed access to the Internet. If the firewall recognizes known bad programs, it just removes or disables the threats; there's no question of allowing them Internet access. The firewall graciously allows known good programs to connect at will. Using its SONAR (Symantec Online Network for Advanced Response) technology, NIS 2008 watches unknown programs for signs of malicious behavior, and as long as they play nice it lets them access the Net.

I usually run a set of "leak test" utilities to check whether the firewall can handle malware that tries to evade normal program control. In the past, NIS hasn't detected these because they have no malicious payload—which is completely reasonable. This version, however, did block all but two of a dozen samples, identifying them with generic names such as "Trojan Horse," "Hack Tool," and "Downloader." This probably doesn't make users any more secure, but it gives us security testers a warm, fuzzy feeling.

For this review I added a new tool to my testing arsenal: Core Impact. Among many other features, this penetration tool automatically generates exploits to probe a system's defenses. Working across the virtual network I unleashed over a dozen client-side exploits on the NIS-protected system. This type of exploit gets into your system when you click a link in an e-mail message or visit a hacked (or deliberately malicious) Web site. In addition to a number of Internet Explorer exploits, I managed to unleash one aimed at Firefox and some that go straight for Windows itself through various vulnerabilities. A few failed simply because the test system's browser and operating system were fully updated. NIS's Intrusion Prevention System recognized and blocked all but one of those that got past that initial hurdle. The one that wasn't recognized still couldn't actually do anything harmful because it was stopped by Norton's suite. Going forward, I'll be challenging other security suites and firewalls in the same way.