April 13, 2011, 3:53 PM — Security software and security blankets have one thing in common: as long as the owner believes firmly enough in them, they provide complete security, until they're tested.
Security research from NSS Labs has blown that sense of security for owners of six leading firewalls.
Three of the six kept crashing during stability tests; five out of six couldn't stop a relatively simple "TCP Split Handshake Attack" that gets around the firewall by convincing it the attacker is on the inside of the network rather than the outside. (NSS refers to the exploit as a "Split ACK Attack," but the handshake reference seems to be more commonly accepted.)
None of the firewalls were able to live up to the "grossly overstated" promises about their performance and abilities, the NSS Labs report found.
The tests, which weren't paid for by vendors, included:
- Check Point Power-1 11065
- Cisco ASA 5585
- Fortinet Fortigate 3950
- Juniper SRX 5800
- Palo Alto Networks PA-4020
- Sonicwall E8500
Fortinet refuted at least part of the report in an announcement today complaining that NSS hadn't followed its advice about configuring the firewall. Fortinet includes anti-virus and intrusion protection modules as part of its recommended solution. With both running, the refutation read, Fortinet's firewall isn't vulnerable to the split handshake attack.
NSS was only testing firewalls, not add-ons as well, however, in order to get an apples-to-apples comparison.
Fortinet has already posted a new signature for its IPS module to block split handshakes, and will distribute updates to its firewall firmware "shortly."
The argument may be true, but it's irrelevant.
Fortinet and the other five largely failed a set of tests they should have passed with at least a gentleman's C.
Any security product is going to be beaten by something. If you can't come close to performing at the level you promise, let attacks get by you and have trouble avoiding a crash at the first sign of trouble, you're not really doing any part of the job you're supposed to do.
Issuing a patch afterward doesn't count. You can't be secure by promising to stop tomorrow an attack that got by you today.
Security doesn't work retroactively.
Given these results, there's a good chance it doesn't work at all.