On Tests, Firewalls and Modern Threat Mitigation

by Derek Manky
April 12, 2011 at 4:41 pm

It’s a fact: Today’s threats have made the threats of yesterday a vision in the rear-view mirror, along with the security counterparts developed to tackle them. It’s also well known that the legacy firewall is easily circumvented by modern threats. For example, botnets frequently communicate over common ports like HTTP to do their dirty work – sending stolen information and receiving tasks to carry out. Thus, one could deduce that TCP port 80 is a security threat and, as the strongest countermeasure, should be blocked.

However, in today’s day and age, we need to observe threats on a deeper level for practical mitigation and several questions must be asked. What activity is occurring over that channel? Are there anomalies? What data is in transit? Is it malicious by nature or simply some text being delivered to the browser? What URL/Server is the data in transit from — have they been red flagged?

The list goes on, and these are the questions we face here in FortiGuard Labs on an hourly basis, having to react and push out dynamic threat definitions. You can get an idea of how often this happens with our latest service report.

To that end, there are many industry tests performed on a regular basis against particular security functions — firewall, antivirus, antispam, web filtering, intrusion prevention (IPS), and so forth, all of which rely on varying degrees of environments and configuration parameters.

Take, for example, the latest test made public today by NSS Labs (more about this here) regarding TCP split-handshakes. The lab provided a test in which, to get a pass, the *firewall* must be able to block a split-handshake. That’s it. Other important environmental considerations, such as antivirus and intrusion prevention, were not taken into consideration. The critical questions I posed earlier are then negated since antivirus and deep packet inspection are also not enabled. The problem is that this tests an outdated firewall concept. Many qualified research firms, from Gartner to IDC to Frost & Sullivan, all support an integrated security approach for enterprises for many reasons. The main reason, of course, is that this is what customers are requiring.

Before going further, it’s important to share a little bit of detail about the split handshake concept. The most common TCP handshake is the 3-way handshake (SYN, SYN-ACK, ACK). Less common is the simultaneous open handshake, where both devices act as clients trying to reach each other: using an active OPEN state, they both send SYNs and await ACK responses from each other before establishing connection. The split-handshake combines both of these methods, using stages (like the simultaneous open connection) but effectively reversing the direction of client-server flow once the connection is established.

Therein lies the problem, since inspection logic may be fooled. It should be noted that threats we see today traverse through normal (3-way handshake) established TCP connections using attacks higher than layer 4 (transport), in particular layer 7 (application). Stopping this particular split-handshake attack alone will not guarantee you protection against the vast majority of real-world attack scenarios we observe in our labs.
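To make the three handshake variants concrete, here is an added example (my own code, not from the original post or from Fortinet) that classifies the opening segments of a TCP conversation as a three-way handshake, a simultaneous open, or a split handshake, and reports which endpoint ends up acting as the server. The segment model, the address values and the sample flows are constructed for this example; the flag patterns follow the RFC 793 simultaneous open and the publicly described split handshake, in which the responder answers a SYN with a bare SYN (optionally preceded by a bare ACK), the initiator replies with SYN-ACK, and the responder ACKs, so the roles are reversed. It goes slightly beyond the text by also showing an early check that fires at the first segment where the split handshake diverges from the normal one, which is the point at which inline inspection can act before the connection is established.

```python
# Added example (not from the original post): classify the opening segments of a
# TCP flow as three-way handshake, simultaneous open or split handshake, and
# show where inspection logic can detect the split variant early.
# The Segment model, address values and sample flows are constructed.
from dataclasses import dataclass

SYN = frozenset({"SYN"})
ACK = frozenset({"ACK"})
SYNACK = frozenset({"SYN", "ACK"})


@dataclass(frozen=True)
class Segment:
    src: str          # sending endpoint, "ip:port"
    dst: str          # receiving endpoint, "ip:port"
    flags: frozenset  # subset of {"SYN", "ACK"}; other flags are ignored here


def seg(src, dst, *flags):
    return Segment(src, dst, frozenset(flags))


# Flag patterns from the initiator's ("A") point of view; "B" is the endpoint
# A first sent its SYN to.  A bare ACK from B right after A's SYN is tolerated
# by _trace(): it acknowledges the SYN but opens nothing by itself.
PATTERNS = {
    "three-way":         [("A", SYN), ("B", SYNACK), ("A", ACK)],
    "simultaneous-open": [("A", SYN), ("B", SYN), ("A", SYNACK), ("B", SYNACK)],
    "split":             [("A", SYN), ("B", SYN), ("A", SYNACK), ("B", ACK)],
}


def _trace(segments):
    """Map one flow's segments to (role, flags) tuples, or None if malformed."""
    if not segments or segments[0].flags != SYN or segments[0].src == segments[0].dst:
        return None
    role = {segments[0].src: "A", segments[0].dst: "B"}
    trace = []
    for s in segments:
        if s.src not in role or s.dst not in role or s.src == s.dst:
            return None                      # segment from outside this pair
        trace.append((role[s.src], s.flags))
    if len(trace) > 2 and trace[1] == ("B", ACK):
        del trace[1]                         # optional bare ACK before B's SYN
    return trace


def classify_handshake(segments):
    """Return (kind, initiator, acting_server).

    initiator sent the first SYN; acting_server sent the SYN-ACK, i.e. it is the
    side that behaves as the server once the connection is up ("both" for a
    simultaneous open).  In a split handshake the initiator itself sends the
    SYN-ACK, so client and server roles are reversed relative to who opened.
    """
    trace = _trace(segments)
    if trace is None:
        return ("unknown", None, None)
    initiator, peer = segments[0].src, segments[0].dst
    for kind, pattern in PATTERNS.items():
        if trace[:len(pattern)] == pattern:
            senders = {r for r, f in pattern if f == SYNACK}
            server = "both" if len(senders) == 2 else (initiator if "A" in senders else peer)
            return (kind, initiator, server)
    return ("unknown", initiator, None)


def syn_answered_with_syn(segments):
    """Early check usable before the connection completes.

    True as soon as the peer answers an initial SYN with a bare SYN instead of a
    SYN-ACK.  Both the split handshake and the simultaneous open diverge from the
    three-way handshake at exactly this segment, so an inline inspector can decide
    here rather than after the connection is up.  Legitimate simultaneous opens
    are rare on most networks; whether to tolerate them is a policy choice.
    """
    trace = _trace(segments)
    return bool(trace) and len(trace) >= 2 and trace[1] == ("B", SYN)


CLIENT = "10.0.0.5:51234"      # constructed addresses
SERVER = "203.0.113.10:80"

FLOWS = {
    "normal":       [seg(CLIENT, SERVER, "SYN"), seg(SERVER, CLIENT, "SYN", "ACK"),
                     seg(CLIENT, SERVER, "ACK")],
    "simultaneous": [seg(CLIENT, SERVER, "SYN"), seg(SERVER, CLIENT, "SYN"),
                     seg(CLIENT, SERVER, "SYN", "ACK"), seg(SERVER, CLIENT, "SYN", "ACK")],
    "split":        [seg(CLIENT, SERVER, "SYN"), seg(SERVER, CLIENT, "ACK"),
                     seg(SERVER, CLIENT, "SYN"), seg(CLIENT, SERVER, "SYN", "ACK"),
                     seg(SERVER, CLIENT, "ACK")],
}


def report(flows=FLOWS):
    """{name: (kind, initiator, acting_server, flagged_before_setup)} for every flow."""
    return {name: classify_handshake(s) + (syn_answered_with_syn(s),)
            for name, s in flows.items()}


if __name__ == "__main__":
    for name, (kind, initiator, server, early) in report().items():
        print(f"{name:13s} {kind:18s} acting server={server}  "
              f"roles reversed={server == initiator}  flagged before setup={early}")
```

The classifier only needs the SYN/ACK flag bits and the direction of each segment, which is what a stateful inspector tracks anyway; the point of `syn_answered_with_syn` is that a decision does not have to wait for the whole exchange, whereas an inspector that only keys its client/server roles off who sent the first SYN would assign them backwards for the split flow.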

In the particular case of the NSS test, FortiGuard Labs released an IPS signature to inspect and detect/block split-handshake traffic before a connection is established, dynamically available to all customers through Fortinet’s Distribution Network. This is the same process we use to push out hot signatures on breaking threats such as software vulnerabilities and botnets – no downtime, no immediate firmware update required. It’s a flexible, real-time approach to modern threats. We also apply this beyond IPS, from antivirus to web content filtering rating for the latest web sites serving malware. This is where UTM truly separates itself from both legacy and point product solutions. Any devices with IPS enabled now have the benefit of identifying split-handshake traffic, AND all other malicious traffic such as vulnerability exploitation or botnet communication.

As mentioned in our previous blog post, our development team has worked in parallel on a firmware fix purely for the firewall itself. Though, as I mentioned, fewer and fewer companies are relying on standalone firewall without multi-function protection, because integrated security remains the best approach for protecting against a wide range of threats.

Author bio: Derek Manky is FortiGuard Labs' senior security strategist and contributes to security research and development, while also acting as a bridge to the public forum on results and findings. He coordinates research team efforts and manages responsible disclosure, and industry collaboration efforts between Fortinet and other vendors.

Fortinet Responds to NSS Labs Public Firewall Test

by Patrick Bedwell
April 12, 2011 at 10:22 am

UPDATED Apr 17 with new information

Today NSS Labs, an independent security testing organization, issued a report which states it found holes in five of six network firewalls. Fortinet was named as one of these firewalls, and we want to address some misperceptions around this report.

NSS Labs tested the FortiGate-3950B platform using equipment supplied by an NSS customer. We have been working with NSS Labs over the last two months to remediate the issues raised in the test. NSS Labs incorrectly states that Fortinet does not currently provide customers with protection against a TCP split handshake.

In fact, FortiGate platforms are not susceptible to split handshake attacks when AV and IPS engines are enabled. Approximately 85% of our customers implement our product using multiple security components within one appliance. Not only does this test support our premise that relying on a single technology can be less effective, it also supports the need to aggregate multiple security functions in an easy to use, low TCO product to provide the best protection.

We have been protecting our customers from split handshake attacks since 2006, when Fortinet developed an IPS signature (TCP.Stealth.Activity) that blocks the malicious activity related to the split handshake. This signature continues to protect customers today. Fortinet is creating a new IPS signature (TCP.Split.Handshake) to explicitly block the split handshake stealth approach, which will be available to all customers next week. Customers can enable a single IPS signature if they are not currently running the IPS feature that is included in the FortiGate consolidated security platform. Fortinet is also creating a patch for our firewall module to address the TCP split handshake issue, and we expect it will be available by the end of next week.

We feel strongly that integrated protection from multiple layers of security technology is the best approach for blocking this issue, and customers that have IPS working with their firewall are better protected against a wider range of threats. The majority of our customers recognize the benefit of deploying integrated functions, and thus are using firewall and IPS, as well as other security features.

Overall, we believe that the true threat lies in the exploits that can be passed over the established connection, and not the ability to establish a split handshake itself. During internal testing our researchers found that the split handshake cannot be established when using FortiGate unified threat management functionality, and the attack cannot proceed.

Summary:

  • We have been protecting customers for years with an existing IPS signature that blocks threats which could be passed along connections established via split handshake
  • A new IPS signature will be available next week to customers to prevent establishing a TCP split handshake
  • A firmware update for our firewall module for both FortiOS 4.0 MR2 and MR3 is in progress; we anticipate it being released by the end of next week

Author bio: Patrick Bedwell is Fortinet's vice president of product marketing.

Stop the (Network Security) Insanity!

by Rick Popko
August 18, 2010 at 9:09 am

Author bio: Rick Popko is a PR Manager at Fortinet, where he specializes in media relations. Prior to his career in public relations, Rick was a journalist at a number of Bay Area tech pubs including CNET, Maximum PC, DV, Streaming Media and Multimedia World.

Next generation security: An interview with Michael Xie

by Rick Popko
July 9, 2009 at 12:56 pm

Earlier this week, independent analyst Richard Stiennon posted a video interview he did with Michael Xie. From Stiennon’s blog post:

Michael Xie is CTO of Fortinet and drives all of their development of true “Next Generation” security appliances. Hear him describe his views on speeds and feeds, routing and switching in the firewall, and cost per secure megabit.

Take a look and listen (click the picture to jump to video):

[image: michael-xie (links to the video)]


What’s wrong with the WAN firewall?

by Rick Popko
May 19, 2009 at 12:13 pm

This is the topic of an Interop panel featuring Anthony James, Fortinet vice president of products, and folks from Juniper Networks, Palo Alto Networks and Ashton, Metzler & Associates. The panel will be at 11:30 a.m. tomorrow at Mandalay Bay, Breakers E room.

Here’s the overview:

The traditional wide-area network (WAN) firewall makes two flawed assumptions. One assumption is that the information contained in the first packet in a connection is sufficient to identify the application. The second assumption is that the transmission control protocol (TCP) and user datagram protocol (UDP) well-known port numbers are always used as intended. These are just two of the issues that suggest that the traditional WAN firewall cannot effectively support the current environment. In this session, the panelists will describe the limitations of the traditional WAN firewall, and identify what functionality firewalls need to implement to overcome these limitations.

According to the Wide Area Networking Alert from Jim Metzler and Steve Taylor, all presenters have been seriously discouraged from turning this into a “death by PowerPoint” session, ensuring an informative time.

“In particular, the speakers have been tasked with being very specific about what works today, and what does not work and identify why. They have also been tasked to be specific in terms of their company’s approaches to implementing a WAN firewall so that the attendees come to understand where they agree on an approach, and where they don’t.”

More information can be found on the Interop site.
