April 12, 2011
Frequently Asked Questions:
NETWORK FIREWALL GROUP TEST 2011
1. What issues were discovered with network firewalls in the NSS Labs test?
A: Two major issues were discovered affecting a significant number of firewalls. The first is a stability problem:
an attacker can disrupt communications by sending certain sequences of content to a firewall's external
interface, causing it to crash. This can not only cause productivity loss, but can be a precursor to a larger, more
effective penetration of the corporate network. Attackers can develop working exploits from these types of code
The second major issue permits an external attacker to trick the firewall into treating him as a trusted client on
the inside of the firewall. This TCP split handshake attack has been publicly known for over a year, and all firewalls
should defend against it.
2. How do I know if my organization’s firewall is affected?
A: As a public service, NSS Labs has made a list of affected firewalls available at no cost at
www.nsslabs.com/research/network-security/firewall-ngfw/. Currently affected devices include: Cisco ASA,
Fortinet Fortigate, Juniper SRX, Palo Alto Networks, and Sonicwall.
3. If we have an affected firewall, what can we do?
A: NSS Labs has been working with affected vendors for the past two months to ensure fixes are available to customers.
As a public service, NSS Labs is making some basic remediation guidance available to organizations with
affected devices at no cost (as an excerpt from our paid network security subscriber services). Consult the Network
Firewall Remediation Brief for further assistance (registration required). Firewall administrators may also wish to
consult their firewall vendor support organization. NSS Labs can provide further assistance to clients upon request.
4. Is there a way to monitor or detect the attacks referenced in the test report?
A: Detecting the attacks is difficult and depends on whether the appropriate monitoring systems are in place
outside the firewall, where the attack traffic arrives. Some specially crafted IDS signatures may detect the
attacks, but very few organizations have deployed IDS outside the firewall.
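The exchange behind the TCP split handshake named in question 1, and the kind of state check a firewall (or an IDS sensor placed outside it, as question 4 discusses) needs in order to catch it, as an added example that is not part of the NSS Labs FAQ or test report. It models one TCP flow crossing a stateful firewall with an outbound-only policy. The addresses, the loose versus strict tracker behaviour, and the detector rule are assumptions of this illustration, not findings from the test; the segment order of the split handshake itself (SYN answered by a bare SYN, then SYN/ACK, then ACK, which rides on the RFC 793 simultaneous-open path) is the publicly documented form of the attack.

```python
"""Model of the TCP split handshake against a loose and a strict stateful
firewall, plus the detector rule an external sensor could apply.
Constructed illustration; not NSS Labs code and not any vendor's implementation."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

INSIDE = "10.0.0.5"       # assumed protected client (constructed address)
OUTSIDE = "203.0.113.9"   # assumed attacker-controlled server (TEST-NET-3, constructed)


@dataclass(frozen=True)
class Segment:
    src: str
    dst: str
    syn: bool = False
    ack: bool = False


# Constructed exchanges for one flow, inside client talking to outside server.
NORMAL_HANDSHAKE = [
    Segment(INSIDE, OUTSIDE, syn=True),
    Segment(OUTSIDE, INSIDE, syn=True, ack=True),
    Segment(INSIDE, OUTSIDE, ack=True),
]

# Split handshake: the server answers the SYN with a bare SYN of its own,
# the client then completes the server's open with SYN/ACK.
SPLIT_HANDSHAKE = [
    Segment(INSIDE, OUTSIDE, syn=True),
    Segment(OUTSIDE, INSIDE, syn=True),            # bare SYN instead of SYN/ACK
    Segment(INSIDE, OUTSIDE, syn=True, ack=True),  # inside host now acts as server
    Segment(OUTSIDE, INSIDE, ack=True),
]


def track_flow(segments: List[Segment], strict: bool) -> Tuple[List[str], str, Optional[str]]:
    """One-flow stateful firewall with an outbound-only policy: a flow may
    only be opened by a bare SYN from INSIDE.

    strict=False: once the opening SYN is seen, every later segment of the
                  flow is allowed (the weakness the split handshake exploits).
    strict=True:  segments must follow SYN -> SYN/ACK -> ACK, so a bare SYN
                  from OUTSIDE while in SYN_SENT is dropped.
    Returns (per-segment verdicts, final state, host acting as TCP client)."""
    state, verdicts, client = "CLOSED", [], None
    for seg in segments:
        if state == "CLOSED":
            if seg.src == INSIDE and seg.syn and not seg.ack:
                state, client = "SYN_SENT", INSIDE
                verdicts.append("allow")
            else:
                verdicts.append("drop")        # unsolicited inbound segment
        elif not strict:
            verdicts.append("allow")
            if seg.syn and not seg.ack:        # responder opened its own handshake...
                client = seg.src               # ...and becomes the TCP client
            if seg.ack and not seg.syn:
                state = "ESTABLISHED"
        elif state == "SYN_SENT":
            if seg.src == OUTSIDE and seg.syn and seg.ack:
                state = "SYN_RECEIVED"
                verdicts.append("allow")
            else:
                verdicts.append("drop")        # covers the split-handshake bare SYN
        elif state == "SYN_RECEIVED":
            if seg.src == INSIDE and seg.ack and not seg.syn:
                state = "ESTABLISHED"
                verdicts.append("allow")
            else:
                verdicts.append("drop")
        else:
            verdicts.append("allow")           # ESTABLISHED: data segments pass
    return verdicts, state, client


def split_handshake_alert(segments: List[Segment]) -> bool:
    """Detector rule for a sensor outside the firewall: alert when, after a bare
    SYN from one host, the other host replies with a bare SYN (no ACK) on the
    same flow instead of SYN/ACK."""
    first_syn_from = None
    for seg in segments:
        if seg.syn and not seg.ack:
            if first_syn_from is None:
                first_syn_from = seg.src
            elif seg.src != first_syn_from:
                return True
    return False


if __name__ == "__main__":
    for name, flow in (("normal", NORMAL_HANDSHAKE), ("split", SPLIT_HANDSHAKE)):
        for strict in (False, True):
            verdicts, state, client = track_flow(flow, strict)
            print(f"{name:6} strict={strict!s:5} {verdicts} -> {state}, client={client}")
        print(f"{name:6} sensor alert: {split_handshake_alert(flow)}")
```

With the loose tracker the split handshake ends in ESTABLISHED with the outside host in the TCP client role, which is the effect the FAQ describes; the strict tracker drops the server's bare SYN and everything after it, and the sensor rule fires on the same segment.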
5. My firewall is ‘certified’. Why isn’t this good enough?
A: As this and many other test reports demonstrate, certifications are inadequate predictors of quality. Certifications
in general are not as thorough or rigorous as they need to be and do not adequately reflect current attacks. Rather,
they are designed (often by vendor consortiums) to demonstrate that products meet a “minimum level” of functionality,
and not a “necessary level” of functionality. By design, these validation reports show what a product can do,
not what it should do but cannot do.
NSS Labs believes security products should be tested under the same conditions they are designed to withstand in the
field: aggressively and comprehensively. Thus, we test products the way attackers attack them, in order to identify the
holes so they can be plugged.
6. Who is NSS Labs and why was this test performed?
A: NSS Labs is an independent security research and testing firm. We exist in order to provide IT buyers with the
uncensored information needed to cost-effectively secure their networks and data. Our expert information services
help IT organizations make better purchasing decisions, as well as optimize existing defenses. NSS Labs engineers
regularly evaluate security products (firewalls, antivirus, IDS/IPS, etc.) as part of our information services subscriptions
to our clients.
7. How can I learn more about firewall effectiveness?
A: NSS Labs clients can access the full Network Firewall Group Test report. Non-clients may purchase a corporate
license and submit inquiries to our advisory services team.
8. Why does NSS Labs charge for its reports?
A: NSS Labs does not charge vendors to be included in our group tests as a matter of independence. We believe
that when buyers pay for the reports, they can be assured that the tests and analysis reflect their interests.
Independent Security Research and Testing
2888 Loker Avenue East, Suite 206 • Carlsbad, CA 92010 • 760.412.4627 • www.nsslabs.com