Apparently, NSS Labs struck a nerve. NSS Labs revealed that almost all of the firewalls it tested for a recent report are susceptible to crash or compromise using common attacks. The firewall vendors in question, though, beg to differ and take exception to the claims made by NSS Labs.
The main point of contention seems to be the assertion by NSS Labs that five of the six firewalls tested can not protect the network against a TCP Split Handshake spoof attack (a.k.a. Sneak ACK attack). Both SonicWALL and Fortinet contacted me to refute the claims made by NSS Labs, yet when asked about the dispute NSS Labs said that it stands behind its findings 100 percent.
Jock Breitwieser, director of PR at SonicWALL, emailed me to explain that, contrary to the NSS Labs report, its firewall does provide protection against the TCP Split Handshake attack, and has since SonicOS 3.0 was released in 2004. It's just not enabled by default.
SonicWALL claims that it stressed to NSS Labs that this feature must be enabled to get an accurate result for SonicWALL's effectiveness against the TCP Split Handshake spoof, but NSS Labs chose not to do so. Breitwieser also has an issue with NSS Labs' claim that enabling the feature results in a performance impact on the firewall.
Meanwhile, Patrick Bedwell, VP of product marketing for Fortinet, also emailed me to address misconceptions Fortinet feels are propagated by the NSS Labs report. Bedwell explained that the Fortinet firewall tested by NSS Labs was supplied by a customer rather than being configured by Fortinet specifically for the NSS Labs tests.
Like SonicWALL, Fortinet also asserts that its firewall can successfully defend against a TCP Split Handshake attack. However, Fortinet's approach involves the integration of AV and IPS elements rather than just flipping a switch in the firewall configuration.
Bedwell stated, "We feel strongly that integrated protection is the best approach for blocking this issue, as customers that have IPS working with their firewall are better protected against a wider range of threats." He also clarified that the majority of Fortinet customers rely on the combined protection of the integrated whole rather than the firewall alone.
Still, Fortinet developed an IPS signature designed to explicitly block the TCP Split Handshake attack as a temporary protective measure, and it is in the process of developing a firmware upgrade that will prevent the spoof attack even on the standalone firewall.
In response to the claims from the firewall vendors, an NSS Labs spokesperson responded, "We've clarified our remediation brief to show that both Juniper and Sonicwall have protection, but it's not on by default."
NSS Labs has some issues of its own, though, with claims made in a Fortinet blog post regarding the NSS Labs testing. NSS Labs says that Fortinet was invited to participate in the testing process, but chose not to. NSS Labs did use a Fortinet firewall from a customer, but that the firewall had been configured by Fortinet for the customer using default settings. Since that is the way customers likely have the firewall configured in the real-world, NSS Labs chose to test based on that configuration.
Finally, the NSS Labs spokesperson told me, "[Fortinet's] arguments about IPS and AV show they don't understand the attack. Those technologies do not address the TCP issue, period."
Obviously, there is some disagreement between NSS Labs and the firewall vendors -- particularly Fortinet -- over the standalone firewall vs. a more holistic, integrated network defense. In NSS Labs defense, though, it was a firewall test specifically, so it seems fair to limit the results based on what the firewall alone is capable of.