Five of six firewalls exploitable

NSS Labs are a well-established testing organisation conducting research in the security space. In an industry staggering under the weight of its own magazine opinions, vendor-sponsored research and trend analysts, their continued existence is a comfort to seekers of truth.
On April 12th they released an independent report into firewalls, specifically uncovering problems in how all but one of the tested vendors handle TCP split-handshake attacks. Of the six vendors who volunteered for the testing, only Checkpoint came through with a clean bill of health. As many of you will know, we mostly choose to use the GNATBox range of firewalls from Global Technology Associates Inc., who were not in the test.
The report is available from NSS Labs, but it costs US$3500.00.
Vendors tested were:
Checkpoint
Cisco
Fortinet
Juniper
Palo Alto Networks
Sonicwall
I do not pretend to know the details of the exploits NSS achieved through TCP split handshaking and have not read their specific report. However, many will be familiar with the three-way TCP handshake used to establish TCP sessions, as follows:
Client SYN -->
<-- Server SYN-ACK
Client ACK -->
Some may think this the only legal way to initiate a TCP handshake, but that would be wrong. There is also a little-known but legal technique called "simultaneous-open", from which researchers discovered a third way they dubbed the "split-handshake". This third method blends the three-way method with the simultaneous-open method and is supported by the TCP stack implementations in standard Microsoft, Apple and Linux builds.
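To make the distinction concrete from the firewall's side, here is an added example (not code from this post, NSS Labs, GTA or any vendor named) of a small stateful connection tracker that classifies a handshake as it watches the segments. The flag sequences are constructed, and the split-handshake shape used here (client SYN, server bare SYN, client SYN/ACK, server ACK) is an assumption about the technique as described in the public research rather than anything taken from the NSS Labs report. The strict tracker ties every state transition to which side originated the session; the lax tracker, a hypothetical illustration of the failure mode, keys on flags alone and ends up believing the server opened the connection.

```python
"""Stateful TCP handshake classifier: direction-aware vs direction-unaware tracking.

Added example; not code from the original post or from any firewall vendor.
Segment sequences are constructed. The split-handshake ordering below is an
assumption about the technique's shape, not taken from the NSS Labs report.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Segment:
    src: str            # "client" (inside) or "server" (outside) end of the link
    syn: bool = False
    ack: bool = False

    def flags(self) -> str:
        names = [n for n, on in (("SYN", self.syn), ("ACK", self.ack)) if on]
        return "+".join(names) or "none"


@dataclass
class Result:
    state: str
    initiator: Optional[str]
    verdicts: List[str]
    anomalies: List[str]


def track_strict(segments, inside="client") -> Result:
    """Direction-aware tracker: only an inside-originated three-way handshake
    (SYN -> SYN+ACK -> ACK) may reach ESTABLISHED. A bare SYN or a bare ACK from
    the responder during the handshake is recorded and the flow is dropped."""
    state, initiator = "CLOSED", None
    verdicts, anomalies = [], []
    for seg in segments:
        verdict = "DROP"
        if state == "CLOSED":
            if seg.syn and not seg.ack and seg.src == inside:
                state, initiator, verdict = "SYN_SENT", seg.src, "ALLOW"
            else:
                anomalies.append(f"{seg.flags()} from {seg.src} while CLOSED")
        elif state == "SYN_SENT":
            if seg.src == initiator and seg.syn and not seg.ack:
                verdict = "ALLOW"                       # SYN retransmission
            elif seg.src != initiator and seg.syn and seg.ack:
                state, verdict = "SYN_RECEIVED", "ALLOW"
            else:                                       # bare SYN or bare ACK from responder
                anomalies.append(
                    f"{seg.flags()} from {seg.src} in SYN_SENT "
                    "(simultaneous-open / split-handshake shape)")
                state = "DROPPED"
        elif state == "SYN_RECEIVED":
            if seg.src == initiator and seg.ack and not seg.syn:
                state, verdict = "ESTABLISHED", "ALLOW"
            else:
                anomalies.append(f"{seg.flags()} from {seg.src} in SYN_RECEIVED")
                state = "DROPPED"
        elif state == "ESTABLISHED":
            verdict = "ALLOW"
        # state DROPPED: every further segment stays DROP
        verdicts.append(verdict)
    return Result(state, initiator, verdicts, anomalies)


def track_lax(segments) -> Result:
    """Hypothetical direction-unaware tracker: it matches flags only, assumes
    whoever sends SYN+ACK is the server, and marks the flow ESTABLISHED once
    any ACK follows. A split handshake passes with the roles inverted."""
    state, initiator, verdicts = "CLOSED", None, []
    for seg in segments:
        if state == "CLOSED" and seg.syn:
            state, initiator = "SYN_SEEN", seg.src
        elif state == "SYN_SEEN" and seg.syn and seg.ack:
            state = "SYNACK_SEEN"
            initiator = "server" if seg.src == "client" else "client"
        elif state == "SYNACK_SEEN" and seg.ack and not seg.syn:
            state = "ESTABLISHED"
        verdicts.append("ALLOW")                        # nothing is ever dropped
    return Result(state, initiator, verdicts, [])


# Constructed sample exchanges.
THREE_WAY = [Segment("client", syn=True),
             Segment("server", syn=True, ack=True),
             Segment("client", ack=True)]
SIMULTANEOUS_OPEN = [Segment("client", syn=True),
                     Segment("server", syn=True),
                     Segment("client", syn=True, ack=True),
                     Segment("server", syn=True, ack=True)]
SPLIT_HANDSHAKE = [Segment("client", syn=True),      # assumed shape, see docstring
                   Segment("server", syn=True),
                   Segment("client", syn=True, ack=True),
                   Segment("server", ack=True)]

if __name__ == "__main__":
    for name, seq in (("three-way", THREE_WAY), ("simultaneous-open", SIMULTANEOUS_OPEN),
                      ("split-handshake", SPLIT_HANDSHAKE)):
        s, l = track_strict(seq), track_lax(seq)
        print(f"{name:18} strict={s.state:11} ({s.initiator}) lax={l.state:11} ({l.initiator})")
```

The point of the two trackers is that a flag-only state machine has nothing to say about who originated the flow, so a session that the inside host never actually opened in the normal sense can still be stamped ESTABLISHED. A defender reviewing a firewall should look for exactly the behaviour the strict tracker shows: a bare SYN arriving from the outside against a half-open session is logged and the flow is torn down.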
What NSS Labs have done is apply rigorous testing methodologies to this third method and discovered that five of the six firewalls tested do not handle the traffic correctly, and therefore fail at their primary purpose of network traffic control. According to NSS Labs, attack code for this exploit has been in the wild for at least a year. It is worth noting that this testing is current, using the latest vendor firmware versions, meaning five of the six vendors' product lines have been exploitable for a year now.
WebSecure has been using GTA firewalls as a preferred security tool for many years now. From the auditing side of our business we have seen every brand of poorly made or badly implemented firewall in Australia. In addition, research subscriptions from e-secure-it provide a vast library of accurate historical vulnerabilities and exploits on vendors and products. Because of this experience and hard research data we have stayed the course with GTA products.
At varying times over the years the weather has changed to this brand or that. Checkpoint was once the king in Australia, but others such as Cisco have taken the market-size crown, whilst we have seen the Fortinets, Junipers and Sonicwalls all gather fanboys of varying enthusiasm. Palo Alto have recently arrived to revive the ancient game of application-level firewalls while claiming to have reinvented the world. Through it all we have remained largely unmoved.
We use GTA products for two reasons: excellence in engineering, and the high quality of technical support we receive. As expected, TCP split-handshake testing of the current firmware of GNATBox products shows no vulnerabilities. Those who believe Cisco firewalls are more secure because that is what they were told by a salesman or in a Cisco seminar would be well served by checking the facts of the matter. And all owners of the above brands, except our old stalwart Checkpoint, would be well advised to get an upgrade immediately.