by Patrick Bedwell  |  Apr 12, 2011  |  Filed in: Security Research

UPDATED Apr 17 with new information

Today NSS Labs, an independent security testing organization, issued a report which states it found holes in five of six network firewalls. Fortinet was named as one of these firewalls, and we want to address some misperceptions around this report.

NSS Labs tested the FortiGate-3950B platform using equipment supplied by an NSS customer. We have been working with NSS Labs over the last two months to remediate the issues raised in the test. NSS Labs incorrectly states that Fortinet does not currently provide customers with protection against a TCP split handshake.

In fact, FortiGate platforms are not susceptible to split handshake attacks when AV and IPS engines are enabled. Approximately 85% of our customers implement our product using multiple security components within one appliance. Not only does this test support our premise that relying on a single technology can be less effective, it also supports the need to aggregate multiple security functions in an easy to use, low TCO product to provide the best protection.

We have been protecting our customers from split handshake attacks since 2006, when Fortinet developed an IPS signature (TCP.Stealth.Activity) that blocks the malicious activity related to the split handshake. This signature continues to protect customers today. Fortinet is creating a new IPS signature (TCP.Split.Handshake) to explicitly block the split handshake stealth approach, which will be available to all customers next week. Customers can enable this single IPS signature even if they are not currently running the IPS feature that is included in the FortiGate consolidated security platform. Fortinet is also creating a patch for our firewall module to address the TCP split handshake issue, and we expect it will be available by the end of next week.
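As an added illustration (not Fortinet's code, and not the logic of the IPS signatures named above, which this post does not describe), here is a small stateful detector that flags the pattern at issue: a responder answering the initiator's SYN with a bare SYN rather than SYN|ACK, so that the initiator ends up completing a handshake the responder began. The addresses, ports and flow events are constructed for the example.

```python
# Constructed sample flow events: (source, destination, TCP flags) in arrival order.
# Addresses come from documentation ranges; they are not traffic from the NSS report.
NORMAL_HANDSHAKE = [
    ("10.0.0.5:40000", "203.0.113.9:80", "SYN"),
    ("203.0.113.9:80", "10.0.0.5:40000", "SYN|ACK"),
    ("10.0.0.5:40000", "203.0.113.9:80", "ACK"),
]
SPLIT_HANDSHAKE = [
    ("10.0.0.5:40001", "203.0.113.9:80", "SYN"),
    ("203.0.113.9:80", "10.0.0.5:40001", "SYN"),      # bare SYN instead of SYN|ACK
    ("10.0.0.5:40001", "203.0.113.9:80", "SYN|ACK"),  # initiator completes the responder's SYN
    ("203.0.113.9:80", "10.0.0.5:40001", "ACK"),
]


def detect_split_handshakes(events):
    """Return one alert string per flow in which the responder answered the
    initiator's SYN with a bare SYN (the split-handshake role reversal).

    Per-flow state: new -> syn_sent -> normal | split. The flow key is
    direction-independent so both halves of a conversation share one entry.
    Caveat: a genuine TCP simultaneous open looks the same on the wire; since
    servers on well-known ports essentially never initiate, treating the
    pattern as blockable policy (as the post describes) is the usual choice.
    """
    flows = {}   # frozenset({src, dst}) -> {"initiator": addr, "state": str}
    alerts = []
    for src, dst, flagstr in events:
        flags = frozenset(flagstr.split("|"))
        flow = flows.setdefault(frozenset((src, dst)),
                                {"initiator": None, "state": "new"})
        if flow["state"] == "new" and flags == {"SYN"}:
            flow["initiator"], flow["state"] = src, "syn_sent"
        elif flow["state"] == "syn_sent" and src != flow["initiator"]:
            if flags == {"SYN", "ACK"}:
                flow["state"] = "normal"          # classic three-way handshake
            elif flags == {"SYN"}:
                flow["state"] = "split"           # roles reversed: alert once
                alerts.append(
                    f"split handshake: {src} answered SYN from "
                    f"{flow['initiator']} with a bare SYN")
    return alerts


if __name__ == "__main__":
    for alert in detect_split_handshakes(NORMAL_HANDSHAKE + SPLIT_HANDSHAKE):
        print(alert)
```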

We feel strongly that integrated protection from multiple layers of security technology is the best approach for blocking this issue, and customers that have IPS working with their firewall are better protected against a wider range of threats. The majority of our customers recognize the benefit of deploying integrated functions, and thus are using firewall and IPS, as well as other security features.

Overall, we believe that the true threat lies in the exploits that can be passed over the established connection, and not in the ability to establish a split handshake itself. During internal testing our researchers found that the split handshake cannot be established when using FortiGate unified threat management functionality, so the attack cannot proceed.


  • We have been protecting customers for years with an existing IPS signature that blocks threats which could be passed along connections established via split handshake

  • A new IPS signature will be available next week to customers to prevent establishing a TCP split handshake

  • A firmware update for our firewall module for both FortiOS 4.0 MR2 and MR3 is in progress; we anticipate it being released by the end of next week
