Even firewalls have holes

Firewalls are the main barriers between an organization’s internal and external networks. Over the past 25 years, they have become the foundation of perimeter security and there are those that consider them commodity products.

04/26/2011


Firewalls are the main barriers between an organization’s internal and external networks. Over the past 25 years, they have become the foundation of perimeter security and there are those that consider them commodity products.

Now as another generation of firewall technology is taking hold, NSS Labs started testing traditional network firewalls and next generation firewalls. NSS Labs engineers have discovered serious flaws in these products, despite the maturity of the market and their certification by two other major certification bodies.

Researchers found:

  • Three out of six firewall products failed to remain operational when subjected to stability tests. This lack of resiliency is alarming, especially considering the tested firewalls were ICSA Labs and Common Criteria certified.
  • Five out of six vendors failed to correctly handle the TCP Split Handshake spoof (aka Sneak ACK attack), thus allowing an attacker to bypass the firewall.
  • Measuring performance based upon RFC-2544 (UDP) does not provide an accurate representation of how the firewall will perform in live real-world environments.

“IT organizations worldwide have relied on third-party testing and been misled,” said Vik Phatak, CTO, NSS Labs. “These test results point toward the need for a much higher level of continuous testing of network firewalls to ensure they are delivering appropriate security and reliability.”

All leading network firewall vendors were able to participate in the test at no cost. All testing occurred in an independent environment and no vendor paid for testing. Products tested include:

  • Check Point Power-1 11065
  • Cisco ASA 5585
  • Fortinet Fortigate 3950
  • Juniper SRX 5800
  • Palo Alto Networks PA-4020
  • Sonicwall E8500

Click here for the Network Firewall Comparative Group Test Report.



No comments
Consulting-Specifying Engineer's Product of the Year (POY) contest is the premier award for new products in the HVAC, fire, electrical, and...
Consulting-Specifying Engineer magazine is dedicated to encouraging and recognizing the most talented young individuals...
The MEP Giants program lists the top mechanical, electrical, plumbing, and fire protection engineering firms in the United States.
Water use efficiency: Diminishing water quality, escalating costs; Lowering building energy use; Power for fire pumps
Building envelope and integration; Manufacturing industrial Q&A; NFPA 99; Testing fire systems
Labs and research facilities: Q&A with the experts; Water heating systems; Smart building integration; 40 Under 40 winners
Maintaining low data center PUE; Using eco mode in UPS systems; Commissioning electrical and power systems; Exploring dc power distribution alternatives
Protecting standby generators for mission critical facilities; Selecting energy-efficient transformers; Integrating power monitoring systems; Mitigating harmonics in electrical systems
Commissioning electrical systems in mission critical facilities; Anticipating the Smart Grid; Mitigating arc flash hazards in medium-voltage switchgear; Comparing generator sizing software
As brand protection manager for Eaton’s Electrical Sector, Tom Grace oversees counterfeit awareness...
Amara Rozgus is chief editor and content manager of Consulting-Specifier Engineer magazine.
IEEE power industry experts bring their combined experience in the electrical power industry...
Michael Heinsdorf, P.E., LEED AP, CDT is an Engineering Specification Writer at ARCOM MasterSpec.