The Network Firewall Group Test Q2 2011 by NSS Labs has created a lot of noise this week; and rightfully so. I encourage you to check out the results yourself. However, I will warn you that there is a lot of misinformation floating around, mostly related to the TCP Split Handshake vulnerability. NSS Labs deserves a lot of credit for producing an in-depth report on the firewall. In their words: “Over the past 25 years, firewalls have become the foundation of perimeter security and are considered to be commodity products. However, our test results point towards the need for a much higher level of continuous testing of network firewalls to ensure they are delivering appropriate and reliable security.”
First, a word on the flaw that has gotten so much attention (PCWorld, Network Computing, Forbes just to name a few). The headlines state things like, “bypass firewalls” and “lets attacker appear as trusted host”. Some of these articles and statements are misleading, others are just downright wrong. For a very technical background, you should check out The TCP Split Handshake: Practical Effect on Modern Network Equipment. This is a great document that outlines the attack and the implications from it. However, I think one of the best responses to the NSS Labs report and a great description about the attack comes from Watchguard Security (not included in the report): What is the TCP Split-Handshake Attack and Does IT Affect Me?
In short, the attack is something the firewalls should prevent as an abuse of the TCP protocol, similar to other protocol attacks it can prevent such as SYN floods. However, this attack is in no way bypassing the firewall. However, it does allow an attacker (after a user first initiates a connection to the attacking server) to craft a response that will fool and evade other security technologies in-line such as an IPS. This is a serious issue and should not be dismissed, but it is a far cry from rending the firewall useless.
I completely agree with NSS Labs and their assessment that the firewall is part of the foundation of enterprise security and should not be taken for granted. The reaction from the press, analyst and experts in the field reinforces this sentiment. The responses from the vendors that “failed” the test is also enlightening. In particular, the vendors that have quickly responded that if configured correctly they would block the attack (I know a tool that could help with this ).
Interesting to me, while this breach in the firewall is worthy of note and attention, it is far less of a security risk than the more basic, much less technical issue plaguing most firewalls: poor configurations. The best firewall in this test can be rendered completely useless if configured incorrectly. Even with the smartest engineers managing firewalls, without the right tools, they can become too complex to avoid making mistakes. This is a topic that is extremely well understood in the trenches; with those security engineers responsible for effectively securing the network. While not as sexy as uncovering a “serious flaw” in the technology, it is a far greater threat to enterprise security than the TCP Split-Handshake vulnerability.