SOURCE: NSS Labs

NSS Labs

April 12, 2011 13:52 ET

NSS Labs Finds Holes in Majority of Leading Network Firewalls

Five out of Six Firewalls Certified by Other Labs Let External Hackers In

CARLSBAD, CA--(Marketwire - Apr 12, 2011) - NSS Labs, Inc., the leading independent security testing organization, today announced the release of its Network Firewall Comparative Group Test Report for the Q1 of 2011.

Key findings from the report show:

  • Three out of six firewall products failed to remain operational when subjected to our stability tests. This lack of resiliency is alarming, especially considering the tested firewalls were ICSA Labs and Common Criteria certified.
  • Five out of six vendors failed to correctly handle the TCP Split Handshake spoof (aka Sneak ACK attack), thus allowing an attacker to bypass the firewall.
  • Measuring performance based upon RFC-2544 (UDP) does not provide an accurate representation of how the firewall will perform in live real-world environments.

Firewalls are well understood as the main barriers between an organization's internal and external networks. Over the past 25 years, they have become the foundation of perimeter security and are considered to be commodity products. Now as another generation of firewall technology is taking hold, NSS Labs has begun testing both traditional network firewalls and so-called next generation firewalls. Known for its rigorous testing that mimics modern cyber criminals, NSS Labs engineers have discovered serious flaws in these products, despite the maturity of the market and their certification by two other major certification bodies.

"IT organizations worldwide have relied on third-party testing and been misled," said Vik Phatak, CTO, NSS Labs. "These test results point towards the need for a much higher level of continuous testing of network firewalls to ensure they are delivering appropriate security and reliability."

All leading network firewall vendors were invited to participate in the test at no cost. All testing was conducted independently and was not paid for by any vendor. Products tested in the report include:

  • Check Point Power-1 11065
  • Cisco ASA 5585
  • Fortinet Fortigate 3950
  • Juniper SRX 5800
  • Palo Alto Networks PA-4020
  • Sonicwall E8500

The Network Firewall Comparative Group Test Report, along with specific remediation advice, will be available to NSS Labs' subscribers on Tuesday, April 12, 2011. View more information at Link above boiler should be: http://www.nsslabs.com/research/network-security/firewall-ngfw/.

About NSS Labs, Inc.

NSS Labs, Inc. is the leading independent, information security research and testing organization. Its expert analyses provide information technology professionals with the unbiased data they need to select and maintain complex security products for their organizations. Pioneering intrusion detection and prevention system testing with the publication of the first such test criteria in 1999, NSS Labs evaluates firewall, unified threat management, anti-malware, encryption, web application firewall, and other technologies on a regular basis. The firm's real-world test methodology is the only one to assess security products against live Internet threats. NSS Labs tests are considered the most aggressive in the industry. Founded in 1991, the company has offices in Carlsbad, California and Austin, Texas. For more information, visit www.nsslabs.com.

© 2011 NSS Labs, Inc. All rights reserved. All brand, product and service names are the trademarks, registered trademarks, or service marks of their respective owners.

Contact Information