In my previous blog about the Palo Alto Networks results in our recent NGFW test I expressed the hope that “Palo Alto Network executives will take this issue seriously and move quickly to protect their customers.”
Well, they did. Both NSS and Palo Alto Networks worked together to verify the issues and fix the problems, and that fix has been rolled out this morning. This code was tested in our labs over the past few days (on our dime) to verify that it addresses all of the major evasion issues identified in the recent NGFW tests. While the Split Handshake turned out to be an issue with our configuration of the device, the layered TCP segmentation/IP fragmentation and RPC evasion problems were proven to be valid issues with PAN-OS that have now been rectified. The fixes for those specific issues have been tested and verified to be effective in our labs.
Note that a FULL test of the product is now underway to ensure that these fixes have not adversely affected the product in other ways, and a new Product Analysis Report (PAR) will be published in due course.
I would like to express my thanks to Mark McLaughlin for reaching out to make sure this happened, and to all the Palo Alto Networks engineers who worked hard in our labs this week with NSS engineers to get to the bottom of the problems. At the end of the day it was important to all involved that customer security was placed ahead of all other concerns.