One of the most important aspects of choosing a hardware or software vendor is the customer service relationship, and the confidence that the vendor will be there to support you when the need arises. The response from vendors to the recent NSS Labs firewall report illustrates the stark differences in how vendors address and resolve issues.
NSS Labs is an independent third-party firm that provides research and analysis for its customers. It is not trying to sell a competing product or service, and its ability to get and keep customers depends on the accuracy of its report findings and remediation advice. In a nutshell, NSS Labs does not have an axe to grind, and it would be a very poor business model to exaggerate issues just to grab headlines.
With that being said, the way that firewall vendors responded to the reported issue that almost all of the tested firewalls were found vulnerable to a TCP Split Handshake spoof attack may reveal something about the customer service philosophy of those vendors. Do you want to do business with a vendor that tries to understand the issue and resolve it as quickly as possible, or do you want to do business with a vendor that tries to convince you that there is no issue or that you're just doing it wrong?
I spoke with Vik Phatak, CTO of NSS Labs, who explained that all of the vendors tested by NSS Labs were invited to participate in the process at no cost to them. Most didn't. He also told me that NSS Labs originally planned to release the report in February at the RSA Security Conference, but it held off to give vendors more time to respond to and address the findings. Phatak said that NSS Labs did not want to issue a report pointing out problems without also being able to provide workable mitigation guidance.
While SonicWALL and Fortinet were quick to address the news with a public relations blitz painting the report as either unfair, wrong, or both, Palo Alto Networks addressed the NSS Labs findings by engaging its engineering team and fixing the problem.
The result is that Palo Alto Networks was able to fix the problem and pass the NSS Labs tests, including the TCP Split Handshake test, to receive a revised "Recommended" rating from NSS Labs.
Phatak is quoted in the Palo Alto Networks press release saying, "NSS Labs commends Palo Alto Networks for taking the steps to protect their customers. We are impressed with Palo Alto Networks' responsiveness and collaboration during the retesting process and are happy to recommend them."
Meanwhile, other vendors such as SonicWALL, Fortinet, and Cisco have resorted to marketing spin and public relations to explain away the results rather than addressing them. These vendors are working on solutions, and they are working with NSS Labs, but reluctantly, and more or less under duress rather than cooperatively.
I think Rene Bonvanie, vice president of marketing for Palo Alto Networks, summed up the difference in philosophy nicely. Bonvanie explained to me that Palo Alto Networks operates from the perspective that perception is reality and the customer is always right. If a customer had discovered the TCP Split Handshake issue and brought it to these vendors, would the vendor take the issue seriously and resolve it with expedience, or would the vendor tell the customer they're doing it wrong and try to spin it as a non-issue?
The features and capabilities of the hardware and software a company uses obviously matter. The cost of those goods and services is also crucial. But where the rubber meets the road, once the product or service is implemented, the customer service philosophy and support relationship are critical to the overall value it provides.