
Many NT firewalls flunk basic security tests, group says

"Rush to market" blamed.


Carlisle, Pa. - Releasing the lab results of its firewall-testing program today, the International Computer Security Association warned that it has seen a sharp rise in the number of firewalls that flunk the certification tests.

In particular, the newer NT-based firewalls often did not stand up to the hacker-style stress test the ICSA labs methodically delivered in its most recent round of evaluation tests, said Pete Cafarcio, ICSA firewall program manager. He blamed the sharp decline in passing grades over the last year on vendors' "rush to market, with a resulting lack of due diligence."

"It's sell, sell, sell" because the firewall market is so hot, said Cafarcio. "Over the past year, only 38% of products we tested passed without having to be fixed or get a patch. And 6% couldn't pass at all."

ICSA tests firewalls to ensure they can be properly configured to withstand hacker attacks on FTP, SMTP, HTTP, telnet, DNS, SSL and S-HTTP. In addition, ICSA now also tests for each firewall's ability to cope with denial-of-service attacks.

Not all NT-based firewalls had detected vulnerabilities, though. The latest lab results, available online at the ICSA Web site, show that eight NT-based firewalls, including those from Cisco Systems, Inc., Check Point Software Technologies, Inc., Raptor Systems, Inc. and Secure Computing, Inc., made the grade.

However, Microsoft's firewall and Web-caching product, the Proxy Server 2.0, does not appear on the latest ICSA list even though Microsoft is an ICSA member.

Cafarcio said he was not at liberty to discuss specific products that didn't make the grade, but he noted that the ICSA's testing showed that it's harder to build a good firewall on top of NT than Unix or proprietary operating systems.

"The fact is, for NT, you need to lock more things down," Cafarcio said.

In the good-news department, ICSA said it will be adding Cisco's IOS firewall to the "pass" list. The Cisco IOS firewall lets managers set up access lists, encryption, TACACS, Radius and router-to-router authorization for Cisco's 1600 and 2500 series routers.

The routers, which can handle blocking of Java code based on IP address, are now also certified under ICSA testing to appropriately detect and prevent certain denial-of-service attacks.

However, Cisco won't be adding this type of security-management and reporting support to its central 'config maker interface console' until July, said Jocelyn Okrent, IOS firewall product manager.

"There's a bit of a lag," she acknowledged, but added that the IOS firewall security logs can be converted into easily readable format today using Open Systems Solutions, Inc.'s product, PrivateI.
