NSS Labs Inc., an independent testing firm that tests a variety of security products, has found that a number of traditional network firewalls fail stability tests and contain a programming error that enables an attacker to easily bypass them.
Network firewalls are often the first layer of defense located at the perimeter of most organizations. The devices are designed to permit or deny network traffic based on a set of rules programmed by network administrators. The goal of the device is to provide a layer of protection against an attacker attempting to gain access to an enterprise network.
“The discoveries are significant in that they undermine the false sense of confidence that organizations have had in their firewalls,” Rick Moy, president and CEO of NSS Labs, said in a press briefing Monday. “We discovered the issues in January and started working with vendors. It’s been slow going and we have not gotten the best support from vendors to remediate this issue.”
The firm conducted standardized tests against six network firewalls: Check Point Power-1 11065, Cisco ASA 5585, Fortinet Fortigate 3950, Juniper SRX 5800, Palo Alto Networks PA-4020 and Sonicwall E8500. The tests measured security effectiveness, evasion and performance, and the resulting reports calculated the cost of performance and manageability.
Three out of six firewalls failed to remain operational when subjected to NSS Labs’ stability tests. Moy called the firewall failures alarming. All of the firewalls tested had ICSA Labs and Common Criteria certifications, he said.
“In addition to a denial-of-service, it could potentially open up a hole and allow an attacker to get in,” Moy said. “One of the firewalls – when it crashed – gave the attacker inside root access without requiring a password to the firewall.”
Five out of six vendors failed to correctly handle a TCP Split Handshake or Sneak ACK attack. The attack is similar to IP spoofing. The technique is well known in the hacking community and enables an attacker to bypass a firewall, rarely being detected.
Moy said the attack would go unnoticed by most organizations. The only way to view an attack in progress is to set up an intrusion detection system in front of the firewall, he said.
The testing firm said all testing was conducted independently and was not paid for by any vendor. NSS Labs is selling its reports on each firewall, but has made two firewall remediation reports available for free.
All but the Check Point Power-1 11065 failed the ACK spoofing test. “The issue lies with the fact that the default policy has protection from this type of spoofing attack disabled,” the testing firm said in its report. “In other cases, the product simply does not provide protection and a patch is being developed to address this issue.”
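To make concrete what an intrusion detection system in front of the firewall would be looking for, here is an added example (not NSS Labs’ code, nor any vendor’s) of a minimal stateful handshake tracker. It walks constructed TCP-flag records and flags any flow whose handshake departs from the normal SYN, SYN/ACK, ACK order, such as a responder that answers a SYN with a bare SYN of its own; the `Pkt` records, addresses and flag strings are all constructed for the example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Pkt:
    src: str
    dst: str
    flags: str  # TCP flags as letters, e.g. "S", "SA", "A" (constructed records)

def audit_handshakes(packets):
    """Return {(initiator, responder): verdict} for every flow seen."""
    state = {}  # flow -> "syn_sent" | "synack_seen" | "established" | "anomalous"
    for p in packets:
        fwd, rev = (p.src, p.dst), (p.dst, p.src)
        if fwd not in state and rev not in state:
            # the first packet of a flow should be a bare SYN from the initiator
            state[fwd] = "syn_sent" if p.flags == "S" else "anomalous"
            continue
        flow = fwd if fwd in state else rev
        st = state[flow]
        if st in ("established", "anomalous"):
            continue  # verdict already reached for this flow
        from_responder = flow == rev
        if st == "syn_sent" and from_responder and p.flags == "SA":
            state[flow] = "synack_seen"
        elif st == "synack_seen" and not from_responder and p.flags == "A":
            state[flow] = "established"
        else:
            # anything else, e.g. the responder answering a SYN with its own
            # bare SYN (a split handshake), is not a normal three-way handshake
            state[flow] = "anomalous"
    return state

# constructed sample: one normal handshake, one split handshake
SAMPLE = [
    Pkt("10.0.0.5:40001", "203.0.113.10:80", "S"),
    Pkt("203.0.113.10:80", "10.0.0.5:40001", "SA"),
    Pkt("10.0.0.5:40001", "203.0.113.10:80", "A"),
    Pkt("10.0.0.6:40002", "203.0.113.20:80", "S"),
    Pkt("203.0.113.20:80", "10.0.0.6:40002", "S"),  # responder sends a bare SYN
    Pkt("10.0.0.6:40002", "203.0.113.20:80", "SA"),
    Pkt("203.0.113.20:80", "10.0.0.6:40002", "A"),
]

if __name__ == "__main__":
    for flow, verdict in audit_handshakes(SAMPLE).items():
        print(f"{flow[0]} -> {flow[1]}: {verdict}")
```

A firewall whose default policy allows the second flow to reach the established state is exactly what the report describes; a tracker like this placed ahead of it would at least surface the anomaly.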
The NSS Labs findings should not be a surprise to anyone in the security community, said Pete Lindstrom, research director with Spire Security. Enterprises serious about security typically layer on security technologies, he said. Intrusion detection systems and other network detection tools often stand between the perimeter and other firewalls protecting sensitive servers.
“To whatever extent anyone is over-relying on any single component in their security architecture, they’re in trouble,” Lindstrom said. “The firewall is rarely an impediment to black hat hackers today.”
Attackers often find open ports or move up the stack and target the application layer to exploit and gain access to sensitive data.
The testing firm also found that RFC 2544, a benchmarking methodology maintained by the Internet Engineering Task Force (IETF), doesn’t provide an accurate representation of how a firewall will perform in a real-world environment.