Firewalls are supposed to be the first line of protection from anything bad getting on to the network or a computer. We trust that the firewall is doing its job.
However, a new study from NSS Labs said that firewalls aren't as sturdy as we think.
According to its report, "Network Firewall Comparative Group Test Report for the Q1 of 2011," NSS Labs tested six leading firewalls and the results weren't very encouraging. Some of the reports key findings included:
Eight Layers of Security Every Computer Should Have
From using the latest version of your favorite browser to ensuring that your network has monitoring tools in place that send up red flags when they see unusual behaviors, be protected.
Three out of six firewall products failed to remain operational when subjected to our stability tests. This lack of resiliency is alarming, especially considering the tested firewalls were ICSA Labs and Common Criteria certified.
Five out of six vendors failed to correctly handle the TCP Split Handshake spoof (aka Sneak ACK attack), thus allowing an attacker to bypass the firewall.
Measuring performance based upon RFC-2544 (UDP) does not provide an accurate representation of how the firewall will perform in live real-world environments.
The firewalls were all certified by outside parties. Vik Phatak, CTO of NSS Labs said:
IT organizations worldwide have relied on third-party testing and been misled. These test results point towards the need for a much higher level of continuous testing of network firewalls to ensure they are delivering appropriate security and reliability.
Not surprisingly, the firewall companies are speaking out on the NSS Labs results. For example, Fortinet responded on its blog:
FortiGate platforms are not susceptible to split handshake attacks when AV and IPS engines are enabled, which was suggested to NSS as the initial solution. In addition, following guidance received from NSS' CTO, Fortinet developed new IPS signatures to explicitly block the handshake, which are available today to all customers. Lastly, Fortinet agreed to implement changes in our firewall functionality to explicitly block the split handshake after learning that NSS didn't consider IPS signatures as a valid response for this particular test.
If nothing else, the NSS Labs study is just more proof of the importance of making sure security is multi-layered. You always need the second, third and fourth levels of protection in case the first one doesn't work.