Firewall vendors challenge findings of NSS Labs report

Firewall vendors take exception to claims by NSS Labs that their firewalls can't guard against a common TCP attack.

Apparently, NSS Labs struck a nerve. NSS Labs revealed that almost all of the firewalls it tested for a recent report are susceptible to crash or compromise using common attacks. The firewall vendors in question, though, beg to differ and take exception to the claims made by NSS Labs.

The main point of contention seems to be the assertion by NSS Labs that five of the six firewalls tested can not protect the network against a TCP Split Handshake spoof attack (a.k.a. Sneak ACK attack). Both SonicWALL and Fortinet contacted me to refute the claims made by NSS Labs, yet when asked about the dispute NSS Labs said that it stands behind its findings 100 percent.

Jock Breitwieser, director of PR at SonicWALL, emailed me to explain that, contrary to the NSS Labs report, its firewall does provide protection against the TCP Split Handshake attack, and has since SonicOS 3.0 was released in 2004. It's just not enabled by default.

SonicWALL claims that it stressed to NSS Labs that this feature must be enabled to get an accurate result for SonicWALL's effectiveness against the TCP Split Handshake spoof, but NSS Labs chose not to do so. Breitwieser also has an issue with NSS Labs' claim that enabling the feature results in a performance impact on the firewall.

Meanwhile, Patrick Bedwell, VP of product marketing for Fortinet, also emailed me to address misconceptions Fortinet feels are propagated by the NSS Labs report. Bedwell explained that the Fortinet firewall tested by NSS Labs was supplied by a customer rather than being configured by Fortinet specifically for the NSS Labs tests.

Like SonicWALL, Fortinet also asserts that its firewall can successfully defend against a TCP Split Handshake attack. However, Fortinet's approach involves the integration of AV and IPS elements rather than just flipping a switch in the firewall configuration.

Bedwell stated, "We feel strongly that integrated protection is the best approach for blocking this issue, as customers that have IPS working with their firewall are better protected against a wider range of threats." He also clarified that the majority of Fortinet customers rely on the combined protection of the integrated whole rather than the firewall alone.

Still, Fortinet developed an IPS signature designed to explicitly block the TCP Split Handshake attack as a temporary protective measure, and it is in the process of developing a firmware upgrade that will prevent the spoof attack even on the standalone firewall.

In response to the claims from the firewall vendors, an NSS Labs spokesperson responded, "We've clarified our remediation brief to show that both Juniper and Sonicwall have protection, but it's not on by default."

NSS Labs has some issues of its own, though, with claims made in a Fortinet blog post regarding the NSS Labs testing. NSS Labs says that Fortinet was invited to participate in the testing process, but chose not to. NSS Labs did use a Fortinet firewall from a customer, but that the firewall had been configured by Fortinet for the customer using default settings. Since that is the way customers likely have the firewall configured in the real-world, NSS Labs chose to test based on that configuration.

Finally, the NSS Labs spokesperson told me, "[Fortinet's] arguments about IPS and AV show they don't understand the attack. Those technologies do not address the TCP issue, period."

Obviously, there is some disagreement between NSS Labs and the firewall vendors -- particularly Fortinet -- over the standalone firewall vs. a more holistic, integrated network defense. In NSS Labs defense, though, it was a firewall test specifically, so it seems fair to limit the results based on what the firewall alone is capable of.

Join the CSO newsletter!

Error: Please check your email address.

Tags hackersfirewallsNSS LabsFortinetsecuritymobile securitywireless securitymalware

More about etworkFortinetInc.IPSJuniperJuniperSonicWall

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Tony Bradley

Latest Videos

  • 150x50

    CSO Webinar: Will your data protection strategy be enough when disaster strikes?

    Speakers: - Paul O’Connor, Engagement leader - Performance Audit Group, Victorian Auditor-General’s Office (VAGO) - Nigel Phair, Managing Director, Centre for Internet Safety - Joshua Stenhouse, Technical Evangelist, Zerto - Anthony Caruana, CSO MC & Moderator

    Play Video

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

More videos

Blog Posts

Market Place