Apr 13, 2011

Enterprise Network Firewalls Leak

NSS Labs released yet another hard-hitting test report, not on the latest security innovations, but rather on decades old technology: network firewalls. They've been around long enough to take for granted and are starting to be replaced by next generation firewalls.

In our testing, five out of six, or 83%, of the enterprise network firewalls we tested in January leaked traffic using the default settings that the vendor ships to customers, letting external attackers become trusted insiders. Yes, let that sink in for a minute as there is no way to understate the importance of this. Several currently deployed enterprise firewalls are leaking traffic. And half are also failing stability testing, which jeopardizes integrity and continuity of operations. Everything is well documented in our Enterprise Network Firewall Group Test Report (client access required), FAQ, and Remediation Brief (free to registered users). Tested firewalls include: Check Point, Cisco, Fortinet, Juniper, Palo Alto Networks, Sonicwall.

This is not some new vulnerability. Rather, it's a well-known problem for which papers have been written, and attack code is available on the net. The bad guys have the info already. But apparently most of the vendors, and probably nearly all their customers who rely on firewall protection either don't know or have prioritized performance over security. Recognizing the widespread importance of the issue, we notified vendors immediately in January and February, and at considerable expense to us, worked with them for two months to explain the issues and solicit workarounds and fixes. Half the vendors could have protected customers, but did not, having shipped their firewalls with the protection off by default— leaving enterprise networks vulnerable out of the box. There are reasons, but no good ones in our opinion. An analogy is that of a car having the airbag disabled by default (but no warning). This is Job #1 for a firewall.

Bottom line: Your network firewall may not be protecting you, despite having multiple certifications from test labs. In fairness, these types of certifications were designed as minimum bars vendors must pass in order for the US government to purchase them, and not comprehensive assurance. Why? Because they don't test all the things we at NSS Labs do with the same rigor or as they're actually deployed at customer sites (like hackers do).


To be clear, claims that IPS or AV can stop a TCP split handshake attack are not accurate. Those are workarounds for trying to find malicious activity after the intruder has already gained access inside the firewall. It's like saying a metal detector will catch somebody who stole an employee ID card to get in the building. Only if they're carrying a gun or knife, but they could still roam freely and steal critical information if they stay under the radar.


Now, the only way for an enterprise to know it's firewall is blocking the attack is to check the configuration and/or test it against the specific attack. Given the market deployments of firewalls, millions of deployed firewalls need to be checked for this flaw in the field. As a public service, we've made a FAQ and remediation steps for the affected products that have TCP workarounds available on our site at no cost. We encourage anyone with a firewall to test their firewalls immediately for the issues described in detail in our full network firewall group test report. Also covered in the report: security effectiveness; evasion, performance, pricing and TCO test results. We utilized the BreakingPointSystems equipment for the testing, and special thanks to Tod Beardsley for the research (see paper).

Testing is not exactly straight forward, and many people are trying to come to terms with it, so if you have questions or need help, contact one of our security analysts. Given the number of firewalls out there, we all have a lot of work to do.