Cisco and NSS Labs Still Arguing Firewall Vulnerability Test Results
NSS Labs today is expected to say that four of the five vendors -- Palo Alto Networks, Juniper, Fortinet and SonicWall -- whose firewall equipment it said was vulnerable to a hacker exploit have corrected the problem. The fifth, Cisco, maintains its ASA firewall isn't susceptible to the exploit, known as the "TCP Split Handshake," which lets a remote attacker fool the firewall into treating a connection opened by an outside host as if it were a trusted connection opened from behind the firewall.
The dispute with Cisco arose from an NSS Labs report last month that said five firewalls, including one from Cisco, were susceptible to the TCP Split Handshake attack. NSS Labs will say today that, in its view, Cisco has not remediated its ASA firewall to block the TCP Split Handshake by default.
Cisco, which from the start has denied NSS Labs' findings, says via a Cisco spokesman that its position "remains unchanged." Cisco does not believe the ASA device is susceptible to the TCP Split Handshake issue, including in its default configuration. Cisco said it is sharing the results of its internal investigations with customers who want them. Cisco is the leading provider of firewalls on the market today.
"They spent two days in our lab and we showed them everything," says Rick Moy, president of NSS Labs, alluding to two separate visits that Cisco engineers made to work with NSS Labs staff to test ASA firewalls, including one provided by Cisco and one bought by NSS Labs. "Their engineers agreed something was going on."
Vik Phatak, NSS Labs chief technology officer, says the crux of the matter, in his view, is that Cisco's approach to having ASA block the TCP Split Handshake relies on "using access-control lists to stop it in some cases. They're relying on customers following their best practices." But Phatak says there are "dozens if not hundreds of use cases" and Cisco ASA is "not stopping the handshake issue by default."
Phatak says setting up the firewall access-control lists in the way Cisco envisions to prevent this attack is not necessarily the type of configuration that would work for all enterprise customers. "It's a workaround," Phatak says about Cisco's approach to the TCP Split Handshake issue.
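To make concrete what "fooling the firewall" means here, the following is an added model, written for this page rather than taken from NSS Labs, Cisco or any vendor's product. It simulates two toy stateful connection trackers fed the same packet sequences. The naive tracker keys flows on the address pair and treats any bare SYN matching an open flow as a continuation, so an outside server that answers a client's SYN with its own SYN (the split handshake, a simultaneous-open variant) ends up recorded as the connection's initiator and all of its packets are passed. The strict tracker enforces the ordering of the classic three-way handshake and drops the outside SYN. The inbound default-deny rule (`TRUSTED`) is a stand-in for the kind of access-control list the article mentions; it does not reproduce any ASA configuration. Addresses and packet sequences are constructed.

```python
"""Toy stateful connection tracker illustrating the TCP split handshake.
Added example: not NSS Labs' test harness and not any vendor's firewall
code.  Addresses and packet flows below are constructed."""
from dataclasses import dataclass

INSIDE = "10.0.0.5"       # trusted client behind the firewall (constructed)
OUTSIDE = "203.0.113.7"   # attacker-controlled "server" (constructed)
TRUSTED = {INSIDE}        # stands in for a default-deny inbound ACL


@dataclass(frozen=True)
class Pkt:
    src: str
    dst: str
    syn: bool = False
    ack: bool = False


def flow_key(p):
    # Direction-agnostic key: the address pair, regardless of who sent it.
    return frozenset({p.src, p.dst})


class NaiveTracker:
    """Accepts any bare SYN that matches an existing flow as a continuation
    of that flow and records the SYN's sender as the initiator."""

    def __init__(self):
        self.flows = {}

    def process(self, p):
        k = flow_key(p)
        f = self.flows.get(k)
        if p.syn and not p.ack:
            if f is None and p.src not in TRUSTED:
                return "drop"  # brand-new inbound connection: denied by ACL
            # Weakness: a SYN from the outside peer of a flow the inside host
            # opened is passed, and the outside host becomes the initiator.
            self.flows[k] = {"initiator": p.src, "state": "SYN_SENT"}
            return "pass"
        if f is None:
            return "drop"
        if p.syn and p.ack:
            f["state"] = "SYN_RECEIVED"
            return "pass"
        if p.ack:
            f["state"] = "ESTABLISHED"
            return "pass"
        return "drop"

    def initiator(self, a, b):
        f = self.flows.get(frozenset({a, b}))
        return None if f is None else f["initiator"]

    def state(self, a, b):
        f = self.flows.get(frozenset({a, b}))
        return None if f is None else f["state"]


class StrictTracker(NaiveTracker):
    """Only accepts the classic three-way handshake: initiator's SYN, then a
    SYN/ACK from the peer, then an ACK from the initiator.  A bare SYN from
    the peer of an open flow (split handshake) is dropped."""

    def process(self, p):
        k = flow_key(p)
        f = self.flows.get(k)
        if p.syn and not p.ack:
            return "drop" if f is not None else super().process(p)
        if f is None:
            return "drop"
        if p.syn and p.ack and f["state"] == "SYN_SENT" and p.src != f["initiator"]:
            f["state"] = "SYN_RECEIVED"
            return "pass"
        if p.ack and not p.syn and f["state"] == "SYN_RECEIVED" and p.src == f["initiator"]:
            f["state"] = "ESTABLISHED"
            return "pass"
        return "drop"


def run(tracker, pkts):
    """Feed packets through a tracker, returning the per-packet verdicts."""
    return [tracker.process(p) for p in pkts]


def normal_handshake():
    return [Pkt(INSIDE, OUTSIDE, syn=True),
            Pkt(OUTSIDE, INSIDE, syn=True, ack=True),
            Pkt(INSIDE, OUTSIDE, ack=True)]


def split_handshake():
    # The server answers the client's SYN with a bare SYN instead of SYN/ACK;
    # the client's stack then completes the connection as a simultaneous open.
    return [Pkt(INSIDE, OUTSIDE, syn=True),
            Pkt(OUTSIDE, INSIDE, syn=True),
            Pkt(INSIDE, OUTSIDE, syn=True, ack=True),
            Pkt(OUTSIDE, INSIDE, ack=True)]


if __name__ == "__main__":
    for cls in (NaiveTracker, StrictTracker):
        t = cls()
        verdicts = run(t, split_handshake())
        print(cls.__name__, verdicts, "initiator:", t.initiator(INSIDE, OUTSIDE))
```

Run as a script, the naive tracker passes all four packets of the split handshake and ends up with the outside host as the recorded initiator, while the strict tracker passes only the inside host's SYN and drops the rest. Both trackers accept the ordinary three-way handshake, which is the behaviour a remediation has to preserve; the performance question NSS Labs raises is whether enforcing handshake order at line rate costs anything measurable.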
NSS Labs is expected to detail in its research update how Palo Alto Networks, Juniper, Fortinet and SonicWall have made changes, such as through patching, to prevent the attack by default. Phatak notes that NSS Labs may proceed in the future with more extensive testing of firewalls to determine whether there are any performance issues that arise because of the remediation.