The firewall is the line of defense separating the internal network or endpoint PC from all of the malicious bad stuff "out there". A new report from NSS Labs, though, finds that a majority of network firewalls are susceptible to attack or compromise.
Imagine other safety or security measures. What if there was a 50-50 chance that the brakes on your car would fail each time you press the pedal? How dangerous would it be if there was a five out of six chance that your parachute would not open when skydiving? That is about how much protection your firewall may be providing based on the results in the NSS Labs report.
"IT organizations worldwide have relied on third-party testing and been misled," said Vik Phatak, CTO of NSS Labs. "These test results point towards the need for a much higher level of continuous testing of network firewalls to ensure they are delivering appropriate security and reliability."
We're not talking about some low-budget shareware firewalls, either. The NSS Labs study examined the stability and integrity of flagship firewalls from leading vendors: Check Point, Cisco, Fortinet, Juniper, Palo Alto Networks, SonicWALL. This list is the cream of the crop--the all-stars of network firewalls.
NSS Labs tested firewalls that have passed the standard industry certifications. These firewalls are all ICSA Labs and Common Criteria certified, yet most were found susceptible to crashing or vulnerable to attack--rendering them essentially useless for their intended purpose.
The firewall testing found:
• Half of the firewalls tested could not survive the stability tests and lacked the resiliency to remain operational.
• Virtually all of the firewalls--five out of six--were found susceptible to a TCP Split Handshake spoof attack (a.k.a. Sneak ACK attack) that can be used to circumvent the firewall.
The NSS Labs testing indicates serious issues with these top-of-the-line flagship firewall products. Despite the maturity of the firewall market, and the fact that these firewalls passed standard industry certifications, most fail at the basic function of keeping the malicious bad stuff "out there".
The full Network Firewall Comparative Group Test Report--which includes remediation guidance to improve protection--is available to NSS Labs subscribers.