Analysis Shows Firewalls Fail to Deliver as Promised

Tuesday, April 12, 2011



UPDATE: Fortinet has issued a statement critical of the NSS Labs firewall study, stating "NSS Labs tested the FortiGate-3950B platform using equipment supplied by an NSS customer and not configured by Fortinet. While we were not given the opportunity to work with NSS Labs on the testing, we have been working diligently with NSS Labs over the last month to remediate any issues raised in the test. NSS Labs makes several incorrect claims regarding Fortinet, including that Fortinet does not currently provide customers with protection against a TCP split handshake." The complete Fortinet statement can be found HERE.

*   *   *

Security author George V. Hulme has a good writeup on an independent review of several leading firewall products conducted by NSS Labs, which suggests these network security systems may not be all they are cracked up to be.

Firewalls are generally the primary line of defense in protecting information systems from a wide variety of maladies including malware, unauthorized access, and a host of network attacks. If a firewall fails to perform as expected, the result could be devastating.

The products examined by NSS Labs included:

  • Check Point Power-1 11065
  • Cisco ASA 5585
  • Fortinet FortiGate 3950
  • Juniper SRX 5800
  • Palo Alto Networks PA-4020
  • SonicWALL E8500

Hulme writes that "what the company found would likely startle any existing or potential customers: three of the six firewalls failed to stay operational when subjected to stability tests, five out of six didn't handle what is known as the 'Sneak ACK attack,' that would enable attackers to side-step the firewall itself. Finally, according to NSS Labs, the performance claims presented in the vendor datasheets 'are generally grossly overstated'."
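The "Sneak ACK attack" in Hulme's summary is the TCP split handshake that the Fortinet and SonicWALL responses on this page refer to: the server answers the client's SYN with a bare SYN of its own instead of a SYN/ACK, the client replies with a SYN/ACK, and the server completes with an ACK. The connection comes up, but a device that decides who the client is from whichever host sent the SYN can end up recording the outside host as the connection's initiator and applying its policy in the wrong direction. The simulation below is an added example written for this page, not code from NSS Labs, Hulme or any vendor. It feeds a normal handshake and a split handshake through a naive connection tracker and through a stricter variant that refuses a bare SYN from the responder of a half-open flow. The host addresses, the packets and both tracker policies are constructed for illustration; the strict variant models the general idea of split-handshake protection, not SonicWALL's or any other vendor's implementation.

```python
from dataclasses import dataclass

# Constructed example addresses (the outside host uses an RFC 5737 TEST-NET-3 address).
INSIDE = "10.0.0.5"
OUTSIDE = "203.0.113.9"


@dataclass(frozen=True)
class Pkt:
    """Only the TCP fields the trackers look at."""
    src: str
    dst: str
    syn: bool = False
    ack: bool = False


@dataclass
class Flow:
    client: str           # host the tracker believes opened the connection
    server: str
    state: str = "SYN_SENT"


def flow_key(p: Pkt) -> frozenset:
    """Direction-independent key for a pair of hosts."""
    return frozenset((p.src, p.dst))


class NaiveTracker:
    """Hypothetical tracker that assigns roles from whoever sent the latest bare SYN.

    A bare SYN arriving for an already half-open flow is treated as a fresh
    connection attempt, so its sender becomes the recorded client."""

    def __init__(self) -> None:
        self.flows: dict = {}

    def feed(self, p: Pkt) -> str:
        k = flow_key(p)
        f = self.flows.get(k)
        if p.syn and not p.ack:
            self.flows[k] = Flow(client=p.src, server=p.dst)
            return "PASS"
        if f is None:
            return "DROP"                       # no SYN ever seen for this pair
        if f.state == "SYN_SENT" and p.syn and p.ack and p.src == f.server:
            f.state = "SYN_RCVD"
            return "PASS"
        if f.state == "SYN_RCVD" and p.ack and not p.syn and p.src == f.client:
            f.state = "ESTABLISHED"
            return "PASS"
        if f.state == "ESTABLISHED":
            return "PASS"
        return "DROP"


class StrictTracker(NaiveTracker):
    """Same tracker, but a half-open flow only advances on a SYN/ACK from the
    responder. A bare SYN from the responder (the reversed handshake) is
    dropped and the recorded initiator is left untouched; a retransmitted
    SYN from the original client is still accepted."""

    def feed(self, p: Pkt) -> str:
        f = self.flows.get(flow_key(p))
        if (f is not None and f.state == "SYN_SENT"
                and p.syn and not p.ack and p.src == f.server):
            return "DROP"
        return super().feed(p)


def run(tracker_cls, packets):
    """Feed packets through a fresh tracker; return per-packet verdicts and the final flow."""
    tracker = tracker_cls()
    verdicts = [tracker.feed(p) for p in packets]
    return verdicts, tracker.flows.get(flow_key(packets[0]))


# Constructed packet sequences, not captured traffic.
NORMAL_HANDSHAKE = [
    Pkt(INSIDE, OUTSIDE, syn=True),
    Pkt(OUTSIDE, INSIDE, syn=True, ack=True),
    Pkt(INSIDE, OUTSIDE, ack=True),
]

# Split handshake: the outside host answers the SYN with a bare SYN of its own,
# the inside host replies SYN/ACK, and the outside host completes with an ACK.
SPLIT_HANDSHAKE = [
    Pkt(INSIDE, OUTSIDE, syn=True),
    Pkt(OUTSIDE, INSIDE, syn=True),
    Pkt(INSIDE, OUTSIDE, syn=True, ack=True),
    Pkt(OUTSIDE, INSIDE, ack=True),
]

if __name__ == "__main__":
    for name, pkts in (("normal", NORMAL_HANDSHAKE), ("split", SPLIT_HANDSHAKE)):
        for cls in (NaiveTracker, StrictTracker):
            verdicts, flow = run(cls, pkts)
            print(f"{name:6} {cls.__name__:13} {verdicts} "
                  f"state={flow.state} client={flow.client}")
```

With the naive tracker the split handshake passes every packet and ends ESTABLISHED with the outside host recorded as the client, which is the role inversion that lets the rest of the device's policy be applied backwards; the strict tracker drops the responder's bare SYN and the flow never completes. Both trackers handle the normal three-way handshake identically, so the stricter rule costs nothing for well-behaved peers.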

NSS identified several major problems common to the majority of the firewalls tested, particularly noting problems with the stability of the software when faced with a simulated external attack.

"Two major issues were discovered affecting a significant number of firewalls. The first is a stability problem, meaning that an attacker can disrupt communications by sending certain sequences of content to a firewall's external interface, causing it to crash. This can not only cause productivity loss, but can be a precursor to a larger, more effective penetration of the corporate network. Attackers can develop working exploits from these types of code flaws," according to the NSS Labs report.

That a marketing department overstates a product's performance when no rigorous test conditions are attached is hardly surprising. What is troubling is that these primary defenses failed to hold up against the very kinds of attacks they were built to withstand, and that does not inspire customer confidence.

The results of the study are in no way a call to abandon firewalls. But organizations that handle the most sensitive information, or expect to be the target of more sophisticated attacks, need to look beyond the product marketing text and vendor assurances and build security programs that take the NSS Labs findings into account.

Enterprises need layered defenses with redundancy, designed in the knowledge that any single component can, and probably will, fail when faced with a skillful targeted attack.

"You have to design your architectures with failure and high availability in mind. You need to build systems with failover capabilities and go in assuming that devices are individually vulnerable to various forms of attacks. You have to segment your networks and put intrusion detection sensors on the wire," Spire Security's Pete Lindstrom told Hulme.


Jock Breitwieser:

In their report, NSS Labs lists SonicWALL as one of the five firewall vendors susceptible to the TCP Split Handshake attack. This claim is not correct since SonicOS has had the referenced TCP Split Handshake Spoof protection since SonicOS 3.0 released in 2004. Regrettably, NSS chose not to enable it for their testing despite our insistence on it being enabled for proper results.

While NSS specifically omitted mentioning the SonicWALL protection against TCP Split Handshake attacks, they acknowledged in its remediation report that SonicWALL DOES indeed have this protection as part of its firmware. SonicWALL is one of two vendors that does not require a software patch to address the issue since the current version of SonicOS already has the ability to prevent this attack.

NSS Labs even displayed a screenshot of the checkbox in the SonicWALL user interface, demonstrating they’re well aware of the presence of this capability in SonicOS.

Our customers are able to select whether they want this feature enabled or disabled based on their requirements and network environments.
SonicWALL clearly documents the feature in its Administration Guide.

Contrary to the claims made by NSS Labs, there is no performance impact on the firewall with this feature enabled.

In fact, today posted a 1:05 min. (unsolicited) video that shows how simple this is: