Welcome to the Proxy Update, your source of news and information on Proxies and their role in network security.

Thursday, April 14, 2011

Firewall software open to TCP handshake hack

A new report from NSS shows that, of 6 common firewalls, 5 were vulnerable to a "TCP Split Handshake Attack", an attack that allows a hacker to trick the firewall into thinking an IP connection is a trusted one from behind the firewall. Check Point was the only vendor that was not vulnerable. The other vendors tested, Cisco, Juniper, Palo Alto Networks, Fortinet and SonicWall, were all found to be vulnerable.

NSS Labs independently tested the Check Point Power-1 11065, the Cisco ASA 5585-40, the Fortinet Fortigate 3950, the Juniper SRX 5800, the Palo Alto Networks PA-4020 and the SonicWall NSA E8500.
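A defensive check a stateful firewall could apply to this attack, written here as an added example (not the NSS test procedure or any vendor's code): it pins a flow's initiator to whoever sent the first bare SYN and drops a bare SYN coming back from the responder, which is where the split handshake departs from the normal SYN, SYN-ACK, ACK exchange (the responder answers the SYN with its own SYN, a TCP "simultaneous open"). The addresses and packet traces are constructed.

```python
from dataclasses import dataclass

@dataclass
class Pkt:
    src: str    # "ip:port" of the sender (constructed sample values below)
    dst: str    # "ip:port" of the receiver
    flags: str  # TCP flag letters: "S" = SYN, "SA" = SYN-ACK, "A" = ACK

@dataclass
class Flow:
    initiator: str   # whoever sent the first bare SYN; never re-assigned
    responder: str
    state: str = "SYN_SENT"

class SplitHandshakeMonitor:
    """Stateful check: the responder of a flow is never allowed to 'open' it."""
    def __init__(self) -> None:
        self.flows = {}  # frozenset of the two endpoints -> Flow

    def observe(self, p: Pkt) -> str:
        key = frozenset((p.src, p.dst))
        syn, ack = "S" in p.flags, "A" in p.flags
        f = self.flows.get(key)
        if f is None:                      # a new flow may only start with a bare SYN
            if not (syn and not ack):
                return "drop:no-handshake"
            self.flows[key] = Flow(initiator=p.src, responder=p.dst)
            return "allow:syn"
        if syn and not ack and p.src == f.responder:
            # Split handshake: responder answers SYN with SYN, not SYN-ACK; drop it
            # so the recorded initiator (and the trust attached to it) never flips.
            return "drop:split-handshake"
        if syn and ack and p.src == f.responder and f.state == "SYN_SENT":
            f.state = "SYN_RECEIVED"
            return "allow:syn-ack"
        if ack and not syn and p.src == f.initiator and f.state == "SYN_RECEIVED":
            f.state = "ESTABLISHED"
            return "allow:established"
        return "allow:data" if f.state == "ESTABLISHED" else "drop:out-of-state"

INSIDE, OUTSIDE = "10.0.0.5:40000", "203.0.113.7:80"   # constructed addresses
NORMAL = [Pkt(INSIDE, OUTSIDE, "S"), Pkt(OUTSIDE, INSIDE, "SA"), Pkt(INSIDE, OUTSIDE, "A")]
SPLIT = [Pkt(INSIDE, OUTSIDE, "S"), Pkt(OUTSIDE, INSIDE, "S"),
         Pkt(INSIDE, OUTSIDE, "SA"), Pkt(OUTSIDE, INSIDE, "A")]

def run(pkts: list) -> tuple:
    """Feed a trace through a fresh monitor; return (verdicts, recorded initiator)."""
    m = SplitHandshakeMonitor()
    verdicts = [m.observe(p) for p in pkts]
    return verdicts, m.flows[frozenset((pkts[0].src, pkts[0].dst))].initiator
```

Each verdict carries a reason string so a log entry can say why a packet was refused; the split trace never reaches ESTABLISHED and the inside host stays the recorded initiator.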

Many of these firewalls also offer web security, an offering similar to what secure web gateways and proxies provide, generally with a lower level of anti-malware protection. This report is a good reminder of why it is better practice to keep different security products on different platforms rather than go for a UTM (unified threat management) device that tries to do everything in one box: you don't want a vulnerability in one box to affect all your security. Typically email and web security should be kept on separate devices, not only to keep any vulnerabilities separate, but also because either one can easily generate a load that overwhelms a single device, and an overloaded device compromises the other security functions running on it.
