Firewall vendors challenge findings of NSS Labs report

Firewall vendors take exception to claims by NSS Labs that their firewalls can't guard against a common TCP attack.

Apparently, NSS Labs struck a nerve. NSS Labs revealed that almost all of the firewalls it tested for a recent report are susceptible to crash or compromise using common attacks. The firewall vendors in question, though, beg to differ and take exception to the claims made by NSS Labs.

The main point of contention seems to be the assertion by NSS Labs that five of the six firewalls tested can not protect the network against a TCP Split Handshake spoof attack (a.k.a. Sneak ACK attack). Both SonicWALL and Fortinet contacted me to refute the claims made by NSS Labs, yet when asked about the dispute NSS Labs said that it stands behind its findings 100 percent.

Jock Breitwieser, director of PR at SonicWALL, emailed me to explain that, contrary to the NSS Labs report, its firewall does provide protection against the TCP Split Handshake attack, and has since SonicOS 3.0 was released in 2004. It's just not enabled by default.

SonicWALL claims that it stressed to NSS Labs that this feature must be enabled to get an accurate result for SonicWALL's effectiveness against the TCP Split Handshake spoof, but NSS Labs chose not to do so. Breitwieser also has an issue with NSS Labs' claim that enabling the feature results in a performance impact on the firewall.

Meanwhile, Patrick Bedwell, VP of product marketing for Fortinet, also emailed me to address misconceptions Fortinet feels are propagated by the NSS Labs report. Bedwell explained that the Fortinet firewall tested by NSS Labs was supplied by a customer rather than being configured by Fortinet specifically for the NSS Labs tests.

Like SonicWALL, Fortinet also asserts that its firewall can successfully defend against a TCP Split Handshake attack. However, Fortinet's approach involves the integration of AV and IPS elements rather than just flipping a switch in the firewall configuration.

Bedwell stated, "We feel strongly that integrated protection is the best approach for blocking this issue, as customers that have IPS working with their firewall are better protected against a wider range of threats." He also clarified that the majority of Fortinet customers rely on the combined protection of the integrated whole rather than the firewall alone.

Still, Fortinet developed an IPS signature designed to explicitly block the TCP Split Handshake attack as a temporary protective measure, and it is in the process of developing a firmware upgrade that will prevent the spoof attack even on the standalone firewall.

In response to the claims from the firewall vendors, an NSS Labs spokesperson responded, "We've clarified our remediation brief to show that both Juniper and Sonicwall have protection, but it's not on by default."

NSS Labs has some issues of its own, though, with claims made in a Fortinet blog post regarding the NSS Labs testing. NSS Labs says that Fortinet was invited to participate in the testing process, but chose not to. NSS Labs did use a Fortinet firewall from a customer, but that the firewall had been configured by Fortinet for the customer using default settings. Since that is the way customers likely have the firewall configured in the real-world, NSS Labs chose to test based on that configuration.

Finally, the NSS Labs spokesperson told me, "[Fortinet's] arguments about IPS and AV show they don't understand the attack. Those technologies do not address the TCP issue, period."

Obviously, there is some disagreement between NSS Labs and the firewall vendors -- particularly Fortinet -- over the standalone firewall vs. a more holistic, integrated network defense. In NSS Labs defense, though, it was a firewall test specifically, so it seems fair to limit the results based on what the firewall alone is capable of.

Join the Good Gear Guide newsletter!

Error: Please check your email address.

Tags NSS LabsfirewallshackersFortinetsecuritymobile securitymalwarewireless security

Struggling for Christmas presents this year? Check out our Christmas Gift Guide for some top tech suggestions and more.

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Tony Bradley

PC World (US online)

Most Popular Reviews

Follow Us

Best Deals on GoodGearGuide

Shopping.com

Latest News Articles

Resources

GGG Evaluation Team

Kathy Cassidy

STYLISTIC Q702

First impression on unpacking the Q702 test unit was the solid feel and clean, minimalist styling.

Anthony Grifoni

STYLISTIC Q572

For work use, Microsoft Word and Excel programs pre-installed on the device are adequate for preparing short documents.

Steph Mundell

LIFEBOOK UH574

The Fujitsu LifeBook UH574 allowed for great mobility without being obnoxiously heavy or clunky. Its twelve hours of battery life did not disappoint.

Andrew Mitsi

STYLISTIC Q702

The screen was particularly good. It is bright and visible from most angles, however heat is an issue, particularly around the Windows button on the front, and on the back where the battery housing is located.

Simon Harriott

STYLISTIC Q702

My first impression after unboxing the Q702 is that it is a nice looking unit. Styling is somewhat minimalist but very effective. The tablet part, once detached, has a nice weight, and no buttons or switches are located in awkward or intrusive positions.

Latest Jobs

Shopping.com

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?