
Cisco and NSS Labs still arguing firewall vulnerability test results

NSS Labs today is expected to say four out of five vendors -- Palo Alto Networks, Juniper, Fortinet and SonicWall -- whose firewall equipment it said was vulnerable to a hacker exploit have corrected the problem. The fifth, Cisco, maintains its ASA firewall isn't susceptible to the exploit known as the "TCP Split Handshake," which lets an attacker remotely fool the firewall into thinking an IP connection is a trusted one behind the firewall.

The discrepancy with Cisco was generated by a NSS Labs report last month that said five firewalls, including one from Cisco, were susceptible to the TCP Split Handshake attack. NSS Labs today will indicate that Cisco has, in its view, failed to remediate its ASA firewall for protection against TCP Split Handshake by default.

REPORT: Hacker 'handshake' hole found in common firewalls

Cisco, which from the start has denied NSS Labs' findings, says via a Cisco spokesman that its position "remains unchanged." Cisco does not believe the ASA device is susceptible to the TCP Split Handshake issue, including in its default configuration. Cisco said it is sharing the results of its internal investigations with customers who request them. Cisco is the leading provider of firewalls on the market today.

"They spent two days in our lab and we showed them everything," says Rick Moy, president of NSS Labs, alluding to two separate visits that Cisco engineers made to work together with NSS Labs staff to test a few different types of ASA firewalls, one provided by Cisco and one bought by NSS Labs. "Their engineers agreed something was going on."

Vik Phatak, NSS Labs chief technology officer, says the crux of the matter, in his view, is that Cisco's approach to having ASA block the TCP Split Handshake relies on "using access-control lists to stop it in some cases. They're relying on customers following their best practices." But Phatak says there are "dozens if not hundreds of use cases" and Cisco ASA is "not stopping the handshake issue by default."

Phatak says setting up the firewall access-control lists in the way Cisco envisions to prevent this attack is not necessarily the type of configuration that would work for all enterprise customers. "It's a workaround," Phatak says about Cisco's approach to the TCP Split Handshake issue.
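The dispute above turns on what a firewall's connection tracker does when it sees a handshake that does not follow the normal SYN, SYN/ACK, ACK order. The following is an added illustration, not code from NSS Labs, Cisco or the original article. The packet sequences are constructed, and the shape of the split handshake (the outside peer answers the client's SYN with a bare SYN of its own instead of SYN/ACK, so the connection completes with the roles reversed) is background on the technique that the article itself does not spell out. Two toy trackers are compared: one that only remembers who sent the first SYN, and one that insists the peer's reply be SYN/ACK and treats any other inbound SYN as a new connection subject to inbound policy, which is the "by default" behaviour the article says NSS Labs was looking for.

```python
"""Toy stateful-inspection trackers run over constructed TCP handshakes.

Packets are (direction, flags) tuples. INBOUND means from the untrusted side
toward the protected host; OUTBOUND means from the protected host outward.
"""
from typing import List, Set, Tuple

INBOUND = "in"
OUTBOUND = "out"
Packet = Tuple[str, Set[str]]

# Constructed: ordinary three-way handshake started by the internal host.
NORMAL_HANDSHAKE: List[Packet] = [
    (OUTBOUND, {"SYN"}),
    (INBOUND, {"SYN", "ACK"}),
    (OUTBOUND, {"ACK"}),
]

# Constructed: split handshake. The outside peer replies to the SYN with a
# bare SYN, the internal host answers that with SYN/ACK, and the outside
# peer finishes with ACK. From a TCP stack's point of view the outside peer
# has become the one that was "connected to".
SPLIT_HANDSHAKE: List[Packet] = [
    (OUTBOUND, {"SYN"}),
    (INBOUND, {"SYN"}),
    (OUTBOUND, {"SYN", "ACK"}),
    (INBOUND, {"ACK"}),
]

# Constructed: a plain inbound connection attempt with no prior outbound SYN.
UNSOLICITED_INBOUND: List[Packet] = [
    (INBOUND, {"SYN"}),
]


def lenient_tracker(packets: List[Packet]) -> Tuple[str, str]:
    """Tracker that records only who sent the first SYN.

    Every later packet with ACK set, in either direction, is taken as proof
    that the session the internal host opened has completed. Returns
    (state, believed_initiator).
    """
    initiator = ""
    for direction, flags in packets:
        if not initiator:
            if "SYN" not in flags:
                return ("blocked", "no session for this packet")
            initiator = direction
        elif "ACK" in flags:
            return ("established", initiator)
    return ("incomplete", initiator)


def strict_tracker(packets: List[Packet], inbound_new_allowed: bool = False) -> Tuple[str, str]:
    """Tracker that enforces the handshake order per direction.

    After a SYN from one side, the only acceptable reply from the other side
    is SYN/ACK. A bare inbound SYN is never a reply: it is a new connection
    request and is admitted only if inbound policy (inbound_new_allowed)
    permits it. Returns (state, detail).
    """
    state = "NEW"
    initiator = ""
    for direction, flags in packets:
        if state == "NEW":
            if flags != {"SYN"}:
                return ("blocked", "non-SYN packet for unknown connection")
            if direction == INBOUND and not inbound_new_allowed:
                return ("blocked", "inbound SYN denied by policy")
            initiator = direction
            state = "SYN_SENT"
        elif state == "SYN_SENT":
            if direction != initiator and flags == {"SYN", "ACK"}:
                state = "SYN_RECEIVED"
            else:
                return ("blocked", f"expected SYN/ACK from peer, got {sorted(flags)} {direction}")
        elif state == "SYN_RECEIVED":
            if direction == initiator and flags == {"ACK"}:
                return ("established", initiator)
            return ("blocked", f"expected final ACK from initiator, got {sorted(flags)} {direction}")
    return ("incomplete", state)


if __name__ == "__main__":
    for name, seq in [("normal", NORMAL_HANDSHAKE), ("split", SPLIT_HANDSHAKE),
                      ("unsolicited", UNSOLICITED_INBOUND)]:
        print(f"{name:12s} lenient={lenient_tracker(seq)}  strict={strict_tracker(seq)}")
```

The lenient tracker reports the split handshake as an established session opened from the inside, which is the misclassification the article describes: the firewall "thinks an IP connection is a trusted one behind the firewall". The strict tracker drops the inbound bare SYN because it is not a reply to anything, so the protected host never gets to answer it. Whether a real product does the strict thing by default, or only once an access-control list has been written to deny such inbound SYNs, is exactly the point on which NSS Labs and Cisco differ.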

NSS Labs is expected to detail in its research update how Palo Alto Networks, Juniper, Fortinet and SonicWall have made changes, such as through patching, to prevent the attack by default. Phatak notes that NSS Labs may proceed in the future with more extensive testing of firewalls to determine whether there are any performance issues that arise because of the remediation.
