Cisco sends NSS Labs another firewall

Cisco has sought to defend the security of its firewall products in the wake of a potentially damaging report by NSS Labs this week.

NSS Labs had claimed that five out of six enterprise network firewalls it tested in January "leaked traffic using the default settings that the vendor ships to customers".

The labs offered affected customers a free "remediation brief" – although reading the full report cost US$3,500.

Cisco's security research and operations director Russ Smoak claimed the NSS report "incorrectly lists the Cisco ASA as vulnerable to [a] TCP Split Handshake attack".

"Following an investigation over the course of several months, involving well over a dozen Cisco engineers from various teams and working in conjunction with NSS Labs, no vulnerability of this nature has been observed on Cisco products," Smoak said.

Smoak alleged that although NSS had provided Cisco with test scripts in January, they "did not collect or provide Cisco any configuration information or packet captures to demonstrate the behaviour they observed".

"Once we set to work trying to reproduce the issue on the ASA, we began freely exchanging our lab configuration and testing results with NSS and asking for any additional guidance they could provide," Smoak said.

"To date, Cisco has tested using numerous configuration, software and platform combinations, and all of the aforementioned products have blocked the TCP split handshake negotiation correctly.

"Fast-forward to April, and we're still unable to reproduce the TCP split handshake issue. Last week we sent NSS Labs a Cisco ASA in the hopes that they can gather some evidence of their claims and we are awaiting their test results."

Smoak noted several initiatives he said would increase "transparency" on any potential issues with the company's firewall systems.

NSS chief Rick Moy accused vendors in an earlier blog post of ignorance or prioritisation of "performance over security" when it came to their network firewalls.

He confirmed that vendors had been notified of NSS' results "immediately in January and February".

"At considerable expense to us, [we] worked with them for two months to explain the issues and solicit workarounds and fixes," Moy said.

"Half the vendors could have protected customers, but did not, having shipped their firewalls with the protection off by default— leaving enterprise networks vulnerable out of the box.

"There are reasons, but no good ones in our opinion. An analogy is that of a car having the airbag disabled by default (but no warning). This is Job #1 for a firewall."