A new report was released yesterday by the independent security research firm NSS Labs. The report detailed an apparent lack of basic security in firewall products, and the results are shaking the security community this week. At minimum, organizations need to do a risk assessment of the effectiveness of their current gateway security systems. Most organizations rely upon their firewall as a critical element in a layered approach to digital security.
Key findings from the NSS Labs report:
- Three out of six firewall products failed to remain operational when subjected to NSS’s stability tests. NSS called this lack of resiliency “…alarming, especially considering the tested firewalls were ICSA Labs and Common Criteria certified.”
- Five out of six vendors failed to correctly handle the TCP Split Handshake spoof (aka Sneak ACK attack), thus allowing an attacker to bypass the firewall’s protection against a basic “outside to inside” attack.
- Measuring performance based upon the Benchmarking Methodology for Network Interconnect Devices (RFC-2544 for UDP) does not provide an accurate representation of how the firewall will perform in live real-world environments.
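The kind of strict connection-tracking check a stateful firewall can apply against the split handshake, written here as an added illustration (not code from NSS Labs or from any vendor tested); the “inside”/“outside” sender labels, the flag constants and the sample exchanges are constructed for the example.

```python
"""Strict handshake enforcement for a stateful filter (added illustration).

Only the standard three-way handshake is accepted:
    initiator SYN -> responder SYN/ACK -> initiator ACK
The split variant, where the responder answers the first SYN with a bare
SYN, is dropped so the filter cannot be confused about which side opened
the connection. Segments are constructed (sender, flags) tuples.
"""
SYN, ACK = 0x02, 0x10
SYN_ACK = SYN | ACK
FLAG_NAMES = {SYN: "SYN", ACK: "ACK", SYN_ACK: "SYN/ACK"}

def describe(flags):
    return FLAG_NAMES.get(flags, f"flags {flags:#04x}")

def strict_handshake(segments, initiator="inside"):
    """Return (verdict, reason) after inspecting the handshake segments.

    The initiator is the side whose SYN the policy permits (the protected
    "inside" host); any other sender is treated as the responder.
    """
    # (required sender role, required flags, state reached on a match)
    expected = [
        ("initiator", SYN, "SYN_SENT"),
        ("responder", SYN_ACK, "SYN_RECEIVED"),
        ("initiator", ACK, "ESTABLISHED"),
    ]
    state = "CLOSED"
    for (sender, flags), (role, want, nxt) in zip(segments, expected):
        from_initiator = sender == initiator
        role_ok = from_initiator if role == "initiator" else not from_initiator
        if role_ok and flags == want:
            state = nxt
            continue
        if state == "SYN_SENT" and not from_initiator and flags == SYN:
            return "drop", "split handshake: responder answered SYN with a bare SYN"
        return "drop", f"unexpected {describe(flags)} from {sender} in state {state}"
    if state != "ESTABLISHED":
        return "drop", f"handshake incomplete, stopped in state {state}"
    return "accept", "standard three-way handshake"

# Constructed sample exchanges; "inside" is the protected host behind the filter.
THREE_WAY = [("inside", SYN), ("outside", SYN_ACK), ("inside", ACK)]
SPLIT = [("inside", SYN), ("outside", SYN), ("inside", SYN_ACK), ("outside", ACK)]
OUTSIDE_OPEN = [("outside", SYN), ("inside", SYN_ACK), ("outside", ACK)]

if __name__ == "__main__":
    for name, flow in [("three-way", THREE_WAY), ("split", SPLIT), ("outside-open", OUTSIDE_OPEN)]:
        print(f"{name:13} -> {strict_handshake(flow)}")
```

The trade-off of this policy is that it also rejects the rare legitimate simultaneous-open exchange that RFC 793 permits, which is why the reason string is returned for logging rather than silently discarded.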
The vulnerabilities that NSS Labs uncovered could allow an intruder to come into the business network and compromise highly sensitive business data, customer records, intellectual property, and more. Most privacy and security regulations/mandates like HIPAA HITECH, GLBA, PCI-DSS, and state data protection laws like Nevada’s landmark 603A, assume that the network behind the firewall is a private network, not accessible from the outside, public network. These findings could threaten that assumption. (Disclosure: this blogger was an advisor and subject matter expert to the Nevada Legislature on NRS 603A).
For the last 18 months or so, major and minor hardware firewall makers have been pushing so-called “Next Generation Firewalls.” Many of the presentations at trade shows and conferences have been focused on using these devices to improve operational efficiency and security for the enterprise.
For example: Employees might need access to Facebook to keep in touch with customers and prospects, but should posting an update on one’s Wall take priority over an order from the web site? And, just because the organization gives access to Facebook, does that mean it should allow access to Facebook apps like Farmville? In a similar vein, the marketing department might need access to YouTube, but do they need access to YouTube in HD? Next Gen Firewalls can segment this traffic and, in part, give greater granular control and security to specific cloud applications.
Some of the vendors have pitched the web application firewall (WAF) features in their Next Generation firewalls. Web application attackers bypass a firewall’s DMZ (semi-public zone) to gain access to web servers. They do this, in many cases, to deliver malware via the cloud to the visitors of those sites. Many of these attacks are the so-called drive-by download attacks. WAFs can provide an important function to detect these attacks before they compromise the server. Web site owners can better protect their customers, and their reputation, by deploying a WAF. But all these new features obviously do not negate the basic reason why an organization deploys a firewall in the first place: to protect against more direct outside threats coming into the private network from the public network.
It appears that some firewall vendors may have lost focus on this key element. It’s time for your information security staff or advisor to contact your firewall vendor and get specific answers to the following questions:
- How exactly does the hardware we have protect against the “TCP Split Handshake Attack” that NSS Labs used in their tests? The vendor should provide a detailed answer, not just spin.
- If your vendor does not have protection against this attack now, when will they provide an update?
- How will they alert you about the update?
- What is the mitigation the vendor will offer until an update is available?
- What measures is your software vendor taking to improve testing to prevent this problem in the future?
On a related note: Many organizations still lump together Information Technology (IT) and Information Security. This is yet another case that highlights the differences between the two. Many Chief Information Officers (CIOs) may downplay this risk, since “our firewalls are working fine, and no one is complaining.” A good Chief Information Security Officer (CISO) will measure the risk, provide options for protection and a summary report to the CFO or CEO. Hopefully, the CIO is NOT the boss of the CISO. Alas, that is still the case for far too many organizations, and this report is yet another reason why that organizational structure is not recommended by experts at The SANS Institute, and others. If your organization still relies upon IT for security, this would be a good time to seek outside help from qualified information security professionals.
The NSS Labs report is available for a fee, here. CyberJungle Radio will have more on this story as it develops, in the next episode, scheduled to post Monday morning, April 18th.
by Ira Victor, G2700, GCFA, GPCI, GSEC, ISACA-CGEIT. Ira Victor is a forensic analyst with Data Clone Labs. He is also Co-Host of CyberJungle Radio, the news and talk on security, privacy and the law. Ira is President of Sierra-Nevada InfraGard, and a member of The High Tech Crime Investigator’s Association (HTCIA). Follow Ira’s security and forensics tweets: @ira_victor.