Late last year, firewall vendor Juniper discovered a troubling backdoor in ScreenOS, the operating system of its NetScreen product range, and quickly issued an alert urging customers to patch their devices as soon as possible.
In January 2016, rival security company Fortinet came under fire because of a similar issue in FortiOS, the operating system of its FortiGate firewalls. Now Dell is making headlines as researchers announce a range of vulnerabilities in the SonicWall Global Management System, among them a hidden backdoor.
The question is, can we trust a single security vendor to provide infallible security systems or should we take additional measures to diminish these sorts of threats?
Working for the UK government back in the 90s, I keenly remember that our architecture teams were forbidden from relying on a single-vendor firewall implementation, even from the perspective of national policy.
An unknown security flaw in a firewall's operating system would put the entire DMZ architecture at risk if both tiers ran the same code, so the inner firewall was always sourced from a different vendor.
We were guided by the mantra of defence in depth, which drove all of our decision making. Trust was scarce and risk management was at the heart of every architecture. Today, however, the world has moved on, where more and more I’m hearing the argument that single-vendor is better for the following reasons:
- Cheaper: managing one contract with one vendor for all your network security services gives you more buying power and access to better discounts.
- Simplifies management: from a network administration point of view, teams only need to be trained in one technology, so fewer mistakes will occur and outcomes are more consistent.
- Integration: Many modern firewall products provide numerous security functions unified in the same (virtual or physical) box. This can include malware scanning, intrusion prevention, content filtering, as well as all of the firewall modes you would expect, such as packet filtering, stateful inspection and proxying.
Companies such as Fortinet and Check Point now specialise in a new breed of security product, known as unified threat management (UTM) systems.
Their value proposition is that these once disparate security technologies can now work together, communicating threat intelligence and indicators of compromise across the security componentry so that each layer of the security onionskin knows what’s going on, from perimeter to endpoint.
The contemporary viewpoint is that the days of sandwiching DMZ systems between the bread of two different, largely unconnected firewalls are gone. Instead, we must buy from one vendor, employing all of these different, yet integrated, functions together and positioning DMZ systems off to the side, with a conviction that attackers simply don't attack firewalls: they're after the juicy data flying in and out of open ports and protocols.
In light of three of the world’s biggest security vendors all having serious backdoors discovered in their firewall technology, can we simply trust that we are better off with a single vendor?
Product evaluations are one place to start. Common Criteria (CC) certification and the Australian Signals Directorate (ASD) Evaluated Products List (EPL) are two schemes that provide independent testing of security products and award them a level of assurance.
Looking on the CC website, for example, you can see that Fortinet's FortiGate UTM appliance, running FortiOS 5.0 Patch Release 10, has been assessed as meeting the requirements of the network devices protection profile.
This means you get certain assurances from the CC scheme that this device has been independently tested to meet the protection profile's requirements. What it does not do is give you any assurance that the code sitting behind that functionality is free from bugs, or free from undocumented functionality: the evaluation checks that the specified security functions behave as claimed, not that nothing else is there.
However, if you look at ASD's EPL, the majority of products listed there, especially in the lower categories of assurance, have been tested elsewhere, in most cases under CC. The Fortinet FortiOS 4.0 MR3 assessment shows that the scope of the cryptographic evaluation includes correct implementation of the IPsec protocol, secure encryption key generation and secure certificate generation.
So, based on this evaluation, security architects can rest assured that an independent lab has tested this functionality and found that the product works as specified.
In fact, because it has been awarded an evaluation assurance level of EAL4+, known as an augmented EAL4 certification, the product has been evaluated against additional assurance components beyond the EAL4 baseline, which can only be a good thing, right?
However, the questions remain: what do you take for granted? What level of assurance can be placed in these independent tests? And does this evidence mean you can simply trust your vendor and forget about defence in depth?
Do your homework. Consider that no vendor is infallible, and avoid building architectures on marketing documentation.
Use threat modelling to figure out what risks need to be considered, including technical, cost, supply chain, ease of management, reputation and most importantly, the value of the networks and information you are protecting, before you jump into design.
There will always be a place for a multi-firewall architecture. But the rise in popularity of the single-vendor approach begs the question: is cheaper and simpler worth the security risk?