Firewall security issue raised in report ignites vendors' ire
- 14 April, 2011 05:58
A test by NSS Labs that found firewalls from five vendors to be vulnerable, to one degree or another, to remote exploitation by hackers has drawn a furious response from two of those vendors, Fortinet and SonicWall.
Hacker "handshake" hole found in common firewalls
The NSS Labs study, released this week, says that independent security testing of firewalls from six vendors showed five of them to be vulnerable to what is known as the "TCP split handshake attack", which lets a hacker fool the firewall into treating a connection as a trusted one originating from behind the firewall.
Firewalls from Cisco, Fortinet, Juniper, Palo Alto Networks and SonicWall were criticized in the NSS Labs report for their handling of the TCP split handshake attack; only a Check Point firewall escaped criticism. Now two of the vendors, Fortinet and SonicWall, are firing back at NSS Labs over how their firewall products were critiqued.
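To make concrete what the report means by "fooling the firewall", here is a small model of a stateful firewall's TCP connection tracker. It is an added illustration, not code from NSS Labs or from any of the vendors named in the article, and the tracker logic, host addresses and packet traces are constructed for the demonstration rather than taken from any product. The model enforces one policy (only inside hosts may open connections) and compares two ways of handling a bare SYN that arrives mid-handshake from the responder: a permissive tracker re-assigns the initiator/responder roles, so the outside host ends up recorded as the trusted initiator, while a strict tracker accepts only SYN/ACK from the responder and drops the rest. The strict behaviour is the kind of check the article's "turned on by default" debate is about.

```python
"""Illustrative stateful TCP tracker: permissive vs strict handling of a
mid-handshake SYN. Added example; not vendor or NSS Labs code."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple

INSIDE_HOST = "10.0.0.5"      # constructed: client on the protected side
OUTSIDE_HOST = "203.0.113.7"  # constructed: untrusted host on the Internet

SYN = frozenset({"SYN"})
SYN_ACK = frozenset({"SYN", "ACK"})
ACK = frozenset({"ACK"})


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    flags: FrozenSet[str]  # subset of {"SYN", "ACK"}; enough for the handshake


@dataclass
class Connection:
    initiator: str  # host the tracker believes opened the connection
    responder: str
    state: str      # "SYN_SENT", "SYN_RCVD" or "ESTABLISHED"


class Tracker:
    """Minimal connection tracker. Only hosts in `inside` may open a flow.

    strict=True : a pending flow accepts only SYN/ACK from the responder.
    strict=False: a bare SYN from the responder is treated as a simultaneous
                  open and the roles are re-assigned without re-applying the
                  direction policy (the weakness the split handshake abuses).
    """

    def __init__(self, inside, strict: bool):
        self.inside = set(inside)
        self.strict = strict
        self.table: Dict[FrozenSet[str], Connection] = {}

    @staticmethod
    def _key(p: Packet) -> FrozenSet[str]:
        return frozenset((p.src, p.dst))  # same key for both directions

    def process(self, p: Packet) -> str:
        """Return "PASS" or "DROP" for one packet and update the flow table."""
        conn = self.table.get(self._key(p))
        if conn is None:
            # New flow: the direction policy is applied only here.
            if p.flags == SYN and p.src in self.inside:
                self.table[self._key(p)] = Connection(p.src, p.dst, "SYN_SENT")
                return "PASS"
            return "DROP"

        if conn.state == "SYN_SENT" and p.src == conn.responder:
            if p.flags == SYN_ACK:
                conn.state = "SYN_RCVD"
                return "PASS"
            if p.flags == SYN and not self.strict:
                # Permissive: swap roles; the outside host is now "initiator".
                conn.initiator, conn.responder = p.src, p.dst
                return "PASS"
            return "DROP"  # strict tracker: bare SYN from responder rejected

        if conn.state == "SYN_RCVD" and p.src == conn.initiator and p.flags == ACK:
            conn.state = "ESTABLISHED"
            return "PASS"

        if conn.state == "ESTABLISHED":
            return "PASS"

        return "DROP"  # anything else is out of sequence for the handshake


def normal_handshake() -> List[Packet]:
    # Constructed trace: ordinary three-way handshake opened from inside.
    return [Packet(INSIDE_HOST, OUTSIDE_HOST, SYN),
            Packet(OUTSIDE_HOST, INSIDE_HOST, SYN_ACK),
            Packet(INSIDE_HOST, OUTSIDE_HOST, ACK)]


def split_handshake() -> List[Packet]:
    # Constructed trace: the outside host answers the client's SYN with a bare
    # SYN instead of SYN/ACK; the client completes an RFC 793 simultaneous open.
    return [Packet(INSIDE_HOST, OUTSIDE_HOST, SYN),
            Packet(OUTSIDE_HOST, INSIDE_HOST, SYN),
            Packet(INSIDE_HOST, OUTSIDE_HOST, SYN_ACK),
            Packet(OUTSIDE_HOST, INSIDE_HOST, ACK)]


def evaluate(strict: bool, trace: List[Packet]) -> dict:
    """Run a trace through a fresh tracker and report what it concluded."""
    tracker = Tracker([INSIDE_HOST], strict)
    verdicts = [tracker.process(p) for p in trace]
    conn: Optional[Connection] = tracker.table.get(frozenset((trace[0].src, trace[0].dst)))
    return {"verdicts": verdicts,
            "state": conn.state if conn else None,
            "recorded_initiator": conn.initiator if conn else None}


if __name__ == "__main__":
    for strict in (False, True):
        print(f"strict={strict}:", evaluate(strict, split_handshake()))
```

With `strict=False` the split-handshake trace is passed in full and the tracker ends with the outside host recorded as the initiator, which is the role reversal the report describes; with `strict=True` the bare SYN and every packet after it are dropped and the flow never leaves SYN_SENT. The ordinary handshake is unaffected by strict mode, which is why the article's question of whether to enable such checks by default is about operational side effects rather than about breaking normal traffic.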
"NSS Labs tested the Fortigate-3950B platform using equipment supplied by a NSS customer and not configured by Fortinet," said Patrick Bedwell, vice president of marketing at Fortinet, in a prepared statement. Bedwell's remarks go on to say that Fortinet was "not given the opportunity to work with NSS Labs on the testing" but that "we have been working diligently with NSS Labs over the last month to remediate any issues raised in the test."
The Fortinet statement says "the FortiGate platforms are not susceptible to split handshake attacks when AV [antivirus] and IPS [intrusion-prevention system] engines are enabled, which was suggested to NSS as the initial solution. In addition, following guidance received from NSS' CTO, Fortinet developed new IPS signatures to explicitly block the handshake, which are available today to all customers. Lastly, Fortinet agreed to implement changes in our firewall functionality to explicitly block the split handshake after learning that NSS didn't consider IPS signatures as a valid response for this particular test."
Fortinet adds that while the majority of its customers use integrated firewall and IPS, "for those few customers who are using standalone firewall, we are finalizing the release of a firmware upgrade, to explicitly prevent the split handshake, which we plan to make available shortly."
Fortinet also said "the IPS signature is a short-term workaround to the split handshake, and provides immediate protection against this issue. Customers can enable a single IPS signature if they are not running the IPS feature that is included in the FortiGate consolidated security platform."
NSS Labs President Rick Moy says in response to Fortinet's remarks that "they were invited to the test but refused, which is why we had to use a client's firewall that Fortinet had configured, which was default."
Moy, who says he doesn't believe the NSS Labs CTO provided Fortinet with advice about signatures, adds that Fortinet does "admit the firewall has some issues and they are releasing a patch." He also questions whether Fortinet fully understands the TCP split handshake attack.
SonicWall is the second vendor with its hackles raised by the NSS Labs report. The report says the SonicWall NSA E8500 firewall does not provide protection against the attack by default.
"They said we failed the test," says Dmitri Ayrapetov, SonicWall's product manager for network security, explaining why SonicWall is upset with the report from NSS Labs. He adds that SonicWall has a checkbox-activated feature that can be turned on to address the TCP split handshake security issue, and that SonicWall repeatedly "asked them to turn it on" and change the box from the default setting. The NSS Labs report does point out the existence of this SonicWall checkbox-activated feature.
Ayrapetov acknowledges that protection against the TCP split handshake attack isn't turned on by default in the SonicWall firewall, but says SonicWall is considering changing that. A key consideration under review, however, is that turning it on by default may cause operational problems. It can "cause interference issues when you turn it on," Ayrapetov says. The reasons for this can be complex, but the interference generally stems from an impact on network performance, he says.
Moy says in his view, the protection mechanism should be turned on by default in firewall products. "Why is it not on by default?"
"It can be done," he adds, noting that Check Point passed the test to show that, Juniper has since come back with a fix, and Palo Alto Networks is also working to make the fix it has permanent in its product.