Testing Lab Exposes Major Flaws in Industry Leading Firewalls

A new report from independent security testing organization NSS Labs, warns of two major flaws affecting industry leading firewalls, including a sneak attack that can go unnoticed by most organizations.

In its Network Firewall Comparative Group Test Report for Q1 of 2011, NSS Labs said it discovered two serious flaws in industry leading firewalls, despite their certification by two other major certification bodies.

1. Stability Problem – By sending certain sequences of content to a firewall’s external interface, an attacker can cause it to crash, essentially creating a denial of service condition. On one firewall that NSS tested, when it crashed, it gave attacker outside root access to the firewall without requiring a password.

2. TCP Split Handshake Attack – NSS says this attack is the TCP Equivalent of IP Spoofing. The issue permits an external attacker to trick the firewall into allowing access inside the firewall as a trusted client. This TCP split handshake attack has been publicly known for over a year, and all firewalls should defend against it, but this isn’t the case. In fact, 5 of the 6 firewalls tested FAILED to detect and block the TCP Split Handshake Attack.

Products tested in the report include:

• Check Point Power-1 11065

• Cisco ASA 5585

• Fortinet Fortigate 3950

• Juniper SRX 5800

• Palo Alto Networks PA-4020

• Sonicwall E8500

According to Rick Moy, President of NSS Labs, this is important news. “The discoveries that we made in our testing are quite significant. They undermine the false sense of confidence that organizations have had in their firewalls. I think that’s pretty timely considering the number of breaches that been picked up in the media over the last couple weeks.”

Moy also said these types of attacks are difficult to monitor and while technically they can be detected, realistically, it’s quite challenging. “In order to detect the attacks, one would have to have some kind of IDS device on the outside of the firewall looking at low level tcp handshaking in order to establish the session,” Moy said. “Most of the logging done by firewalls and other security devices is done at a high level, so it’s really a sneak attack than would go unnoticed by most organizations.”

“This is by no means a zero day vulnerability, it’s something that’s been documented and publicized in the community for at least a year. We were quite surprised that it wasn’t address by the leading manufacturers,” Moy said. The only firewall tested that passed the TCP split handshake attack was the Check Point Power-1 11065.

NSS Labs said the discoveries surrounding the issues were made in January, and that it planned to release the news at the RSA Conference in February. After working with vendors and giving what it thinks was plenty of time to remediate the issues, NSS is coming forward with its report. “More than sixtry days later, we figured the news is out and the bad guys have known about the attacks for some cases years.  Its important to let the good guys who have these firewalls know bout the problem in their devices so they can remediate themselves and or so they can put pressure on the vendors to release fixes,” Moy told SecurityWeek.

Key findings from the report show:

• Three out of six firewall products failed to remain operational when subjected to our stability tests. This lack of resiliency is alarming, especially considering the tested firewalls were ICSA Labs and Common Criteria certified.

• Five out of six vendors failed to correctly handle the TCP Split Handshake spoof (aka Sneak ACK attack), thus allowing an attacker to bypass the firewall.

• Measuring performance based upon RFC-2544 (UDP) does not provide an accurate representation of how the firewall will perform in live real-world environments.

Firewalls are the main barriers between an organization’s internal and external networks. Over the past 25 years, they have become the foundation of perimeter security and are considered to be commodity products.

What should a user do if they have a firewall affected by this issue?

According to Moy, it really depends on which firewall you have. “Some of them have remediation steps that a firewall admin can take to close the hole,” Moy said. But Moy also warns to be cautious when making such adjustments to the firewalls configurations. “These may have repercussions on their network performance or ability to communicate with certain types of devices, so we recommend that they perform some type of testing internally before implementing.”

Two devices don’t have remediation at this time.

“IT organizations worldwide have relied on third-party testing and been misled,” said Vik Phatak, CTO, NSS Labs. “These test results point towards the need for a much higher level of continuous testing of network firewalls to ensure they are delivering appropriate security and reliability.”

NSS Labs said that all leading network firewall vendors were invited to participate in the test at no cost. All testing was conducted independently and was not paid for by any vendor.