Analysis Brief: Network Firewall Remediation for TCP Split Handshake
During Q1 2011, NSS Labs performed the industry’s most rigorous test of leading firewall solutions and discovered a serious problem in the way many firewalls handle TCP. In some cases, the product does offer protection against this type of spoofing attack, but that protection is disabled in the default policy. In other cases, the product simply does not provide protection, and a patch is being developed to address the issue.
This document chronicles the recommended fixes and remediation steps that enterprises should take to mitigate the effects of the TCP Split Handshake attack for the following products:
- Cisco ASA 5585
- Fortinet FortiGate 3950*
- Juniper SRX 5800*
- Palo Alto Networks PA-4020*
- SonicWALL E8500*
Numerous other firewalls have not yet been tested by NSS Labs, so it would be unwise to assume that only the firewalls named in this advisory are affected.
For more detail about the problem, see the full Network Firewall Group Test report. Also be sure to read the Network Firewall FAQ for answers to common questions.
* These vendors have updated their products based on our testing; further information is provided in this remediation brief.
Topics: remediation, TCP
Product Type: Network/Data Center - Firewall
Report Type: none
Report Length: N/A
Vendors Tested: Cisco, Fortinet, Juniper, Palo Alto Networks, SonicWALL
Products Tested: ASA 5585, Fortigate 3950, SRX 5800, PA-4020, E8500
April 12, 2011