12 Apr 2011
Five out of six popular firewalls fail to protect enterprises against common attacks such as TCP/IP protocol exploits, according to the latest research from independent testing organisation NSS Labs.
The group undertook a study of leading firewalls at the start of the year and found that all of the systems tested, with the exception of Check Point's, failed on stability grounds or were unable to handle a TCP Split Handshake spoof attack.
"The TCP/IP attack is the equivalent of IP spoofing," said Vik Phatak, chief technology officer of NSS Labs. "This is very much the twin sister or twin brother."
The failing firewalls included Cisco's ASA 5585, Fortinet's Fortigate 3950B, Juniper's SRX 5800, Palo Alto Networks' PA-4020 and Sonicwall's E8500. Three of the six were vulnerable to crashing, and five out of six failed to detect TCP Split Handshake attacks.
Rick Moy, president of NSS Labs, said during a press conference that the tests showed worrying flaws in a basic internet security technology.
"For the past 25 years firewalls have been a backstop for the industry, a positive security filter in wide use," he said.
"The discoveries in testing are quite significant, and undermine the false sense of confidence organisations have had in their firewalls."
Moy added that the company had contacted all vendors concerned after the study was complete, but had found little interest in fixing the flaws. After 60 days of consultation, NSS Labs had decided to go public with its results.
NSS Labs
Pretty crazy the vendors are selling insecure products with paid stamps of approval. NSS Labs page for Firewall-NGFW http://www.nsslabs.com/research/network-security/firewall-ngfw/
Posted by: Josh 14 Apr 2011