NSS Labs Firewall Report creates a lot of noise

The Network Firewall Group Test Q2 2011 by NSS Labs has created a lot of noise this week, and rightfully so. I encourage you to check out the results yourself. However, I will warn you that there is a lot of misinformation floating around, mostly related to the TCP Split Handshake vulnerability. NSS Labs deserves a lot of credit for producing an in-depth report on the firewall. In their words: “Over the past 25 years, firewalls have become the foundation of perimeter security and are considered to be commodity products. However, our test results point towards the need for a much higher level of continuous testing of network firewalls to ensure they are delivering appropriate and reliable security.”

First, a word on the flaw that has gotten so much attention (PCWorld, Network Computing and Forbes, just to name a few). The headlines state things like “bypass firewalls” and “lets attacker appear as trusted host”. Some of these articles and statements are misleading; others are just downright wrong. For a very technical background, you should check out The TCP Split Handshake: Practical Effect on Modern Network Equipment. This is a great document that outlines the attack and its implications. However, I think one of the best responses to the NSS Labs report, and a great description of the attack, comes from Watchguard Security (not included in the report): What is the TCP Split-Handshake Attack and Does IT Affect Me?

In short, the attack is something firewalls should prevent as an abuse of the TCP protocol, similar to other protocol attacks they can prevent such as SYN floods. This attack does not, however, bypass the firewall. It does allow an attacker (after a user first initiates a connection to the attacking server) to craft a response that will fool and evade other in-line security technologies such as an IPS. This is a serious issue and should not be dismissed, but it is a far cry from rendering the firewall useless.
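To make the "abuse of the TCP protocol" concrete, here is an added example (my own illustration, not code from the post, from NSS Labs or from any vendor) of the strict handshake check a stateful device needs in order to classify the split handshake as a protocol violation rather than a normal connection. It assumes a simplified model: after the inside host sends a SYN, the only acceptable reply from the outside host is SYN+ACK (or a RST); a bare SYN coming back from the responder, which would lead the client to complete the exchange as a simultaneous open, is flagged. The packets, addresses and flag constants are constructed sample data, not captured traffic.

```python
"""Strict three-way-handshake tracker (added example, simplified model)."""
from dataclasses import dataclass
from typing import List, Tuple

# TCP flag bits as they appear in the header (constructed constants).
SYN, RST, ACK = 0x02, 0x04, 0x10


@dataclass(frozen=True)
class Pkt:
    src: str
    dst: str
    flags: int


# Constructed sample flows: 10.0.0.5 is the inside client, 203.0.113.9 the outside server.
NORMAL_FLOW = [
    Pkt("10.0.0.5", "203.0.113.9", SYN),
    Pkt("203.0.113.9", "10.0.0.5", SYN | ACK),
    Pkt("10.0.0.5", "203.0.113.9", ACK),
]

SPLIT_FLOW = [
    Pkt("10.0.0.5", "203.0.113.9", SYN),
    Pkt("203.0.113.9", "10.0.0.5", SYN),        # responder answers with a bare SYN
    Pkt("10.0.0.5", "203.0.113.9", SYN | ACK),  # client treats it as a simultaneous open
    Pkt("203.0.113.9", "10.0.0.5", ACK),
]


def track(flow: List[Pkt]) -> Tuple[str, List[str]]:
    """Walk one flow and return (verdict, findings).

    Verdicts: ESTABLISHED (clean three-way handshake), RESET (responder refused),
    VIOLATION (handshake did not follow SYN -> SYN+ACK -> ACK), INCOMPLETE.
    """
    findings: List[str] = []
    if not flow or not (flow[0].flags & SYN) or (flow[0].flags & ACK):
        return "VIOLATION", ["first packet is not a bare SYN"]

    initiator, responder = flow[0].src, flow[0].dst
    state = "SYN_SENT"

    for pkt in flow[1:]:
        from_responder = pkt.src == responder and pkt.dst == initiator
        from_initiator = pkt.src == initiator and pkt.dst == responder
        if not (from_responder or from_initiator):
            findings.append(f"packet outside the flow: {pkt.src}->{pkt.dst}")
            return "VIOLATION", findings

        if state == "SYN_SENT":
            if from_responder and pkt.flags & (SYN | ACK) == (SYN | ACK):
                state = "SYN_RECEIVED"
            elif from_responder and pkt.flags & RST:
                return "RESET", findings
            elif from_responder and pkt.flags & SYN:
                # The responder is trying to open a connection back instead of
                # acknowledging ours: the split / simultaneous-open pattern.
                findings.append("responder answered SYN with a bare SYN (split handshake)")
                return "VIOLATION", findings
            else:
                findings.append(f"unexpected packet in SYN_SENT, flags=0x{pkt.flags:02x}")
                return "VIOLATION", findings
        elif state == "SYN_RECEIVED":
            if from_initiator and (pkt.flags & ACK) and not (pkt.flags & SYN):
                return "ESTABLISHED", findings
            findings.append(f"unexpected packet in SYN_RECEIVED, flags=0x{pkt.flags:02x}")
            return "VIOLATION", findings

    return "INCOMPLETE", findings


if __name__ == "__main__":
    for name, flow in (("normal", NORMAL_FLOW), ("split", SPLIT_FLOW)):
        print(name, track(flow))
```

The point of the check is the state a stateful device keeps: if it simply records "a SYN went out, a SYN came in" without insisting on SYN+ACK from the responder, the outside host can end up looking like the side that was answered rather than the side that answered, which is what confuses in-line inspection. Whether a flagged flow is dropped or merely logged is a policy choice; legitimate simultaneous opens are rare enough on the Internet that many firewalls simply drop them.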

I completely agree with NSS Labs and their assessment that the firewall is part of the foundation of enterprise security and should not be taken for granted. The reaction from the press, analysts and experts in the field reinforces this sentiment. The responses from the vendors that “failed” the test are also enlightening, in particular those vendors that quickly responded that, if configured correctly, their products would block the attack (I know a tool that could help with this :) ).

Interestingly, while this breach in the firewall is worthy of note and attention, it is far less of a security risk than the more basic, much less technical issue plaguing most firewalls: poor configuration. The best firewall in this test can be rendered completely useless if configured incorrectly. Even with the smartest engineers managing them, firewalls without the right tools can become too complex to avoid mistakes. This is a topic that is extremely well understood in the trenches, by the security engineers responsible for effectively securing the network. While not as sexy as uncovering a “serious flaw” in the technology, it is a far greater threat to enterprise security than the TCP Split-Handshake vulnerability.
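As an added illustration of the configuration problem (my own example, not the post's code and not any vendor's product), the following lints a small constructed ruleset for two of the most common mistakes: an "allow any/any/any" rule, and rules that are shadowed by an earlier, broader rule and so can never match. The rule format, the field names and the sample addresses are assumptions made for the example; real firewalls also carry zones, protocols, schedules and NAT, which a production analysis must include.

```python
"""Rule-set lint for permissive and shadowed rules (added example)."""
from dataclasses import dataclass
from ipaddress import ip_network
from typing import List, Tuple


@dataclass(frozen=True)
class Rule:
    name: str
    src: str      # CIDR or "any"
    dst: str      # CIDR or "any"
    dport: str    # "any", a single port, or "low-high"
    action: str   # "allow" or "deny"


# Constructed sample policy, evaluated first-match, top to bottom.
SAMPLE_RULES = [
    Rule("web-in",   "any",         "10.0.0.10/32", "80",   "allow"),
    Rule("temp-any", "any",         "any",          "any",  "allow"),  # left over from troubleshooting
    Rule("db-in",    "10.0.1.0/24", "10.0.0.20/32", "3306", "allow"),
    Rule("deny-all", "any",         "any",          "any",  "deny"),
]


def _net(spec: str):
    return ip_network("0.0.0.0/0") if spec == "any" else ip_network(spec, strict=False)


def _ports(spec: str) -> Tuple[int, int]:
    if spec == "any":
        return 0, 65535
    if "-" in spec:
        low, high = spec.split("-", 1)
        return int(low), int(high)
    return int(spec), int(spec)


def covers(broad: Rule, narrow: Rule) -> bool:
    """True when every packet `narrow` could match is already matched by `broad`."""
    b_lo, b_hi = _ports(broad.dport)
    n_lo, n_hi = _ports(narrow.dport)
    return (
        _net(narrow.src).subnet_of(_net(broad.src))
        and _net(narrow.dst).subnet_of(_net(broad.dst))
        and b_lo <= n_lo
        and n_hi <= b_hi
    )


def lint(rules: List[Rule]) -> List[str]:
    """Return human-readable findings for an ordered, first-match rule list."""
    findings: List[str] = []
    for index, rule in enumerate(rules):
        if rule.action == "allow" and (rule.src, rule.dst, rule.dport) == ("any", "any", "any"):
            findings.append(f"{rule.name}: allow any/any/any (overly permissive)")
        # A rule above this one that covers it means this rule is dead; when the
        # earlier rule has a different action, the intended control is silently lost.
        for earlier in rules[:index]:
            if covers(earlier, rule):
                tag = "" if earlier.action == rule.action else f", action differs ({earlier.action} vs {rule.action})"
                findings.append(f"{rule.name}: shadowed by {earlier.name} (never matched{tag})")
                break
    return findings


if __name__ == "__main__":
    for line in lint(SAMPLE_RULES):
        print(line)
```

Run against the sample policy, the lint reports the leftover "temp-any" rule as overly permissive and then shows the knock-on effect: both "db-in" and the final "deny-all" are shadowed by it, so the policy's intended restrictions are not in force at all even though every rule the engineer wrote is still present. That is the failure mode the paragraph above describes: nothing in the firewall is broken, yet the device provides no protection.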


About Jody Brazil

As Founder and CTO of FireMon, Jody Brazil is a seasoned entrepreneur with more than two decades of executive management experience and deep domain expertise in all aspects of networking, including network security design, network security assessment, and security product implementation. Before joining FireMon in 2004, Brazil spent eight years at FishNet Security, serving as Chief Technology Officer, where he was responsible for providing direction for solutions to their customers. Previously, he was president and founder of Beta Technologies, a Network Services and Internet Application Development company. A few of Brazil’s major accomplishments include his implementation of the first load balanced deployment of Check Point firewall software in 1997. A year later he engineered the security solution that allowed, for the first time, the transfer of criminal history data over the Internet as approved by the FBI. Brazil then released the first ever graphical firewall policy change view in 2001 and the first ever firewall rule usage analysis application in 2004.
