Some firewalls fail security test
4/06/98
By Ellen Messmer
Carlisle, Pa.
Not all firewalls are created equal, at least according to test results recently released by the International Computer Security Association (ICSA).
In fact, the association warned of a sharp rise in the number of firewalls that flunk the organization's certification tests.
In particular, newer NT-based firewalls often did not stand up to the hacker-style stress test methodically delivered by ICSA labs in the most recent round of evaluation tests, said Pete Cafarcio, ICSA firewall program manager. He blamed the sharp decline in passing grades over the past year on vendors' "rush to market, with a resulting lack of due diligence."
It's a seller's market
"It's sell, sell, sell" because the firewall market is so hot, Cafarcio said. "Over the past year, only 38% of products we tested passed without having to be fixed or [given] a patch. And 6% couldn't pass at all," he said.
ICSA tests firewalls to ensure they can be properly configured to withstand hacker attacks via File Transfer Protocol, Simple Mail Transfer Protocol, HTTP, telnet, Domain Name System, Secure Sockets Layer and Secure Hypertext Transfer Protocol. In addition, ICSA now tests each firewall's ability to cope with denial-of-service attacks.
Not all NT-based firewalls proved to be vulnerable, though. The latest lab results, available online at the ICSA Web site, show that eight NT-based firewalls, including those from Cisco Systems, Inc., Check Point Software Technologies, Inc., Raptor Systems, Inc. and Secure Computing, Inc., made the grade. However, Microsoft Corp.'s firewall and Web-caching product, Proxy Server 2.0, does not appear on the latest ICSA list, even though Microsoft is an ICSA member.
Cafarcio said he was not at liberty to discuss specific products that didn't make the grade, but he noted that the ICSA's testing showed it's harder to build a good firewall on top of NT than on Unix or proprietary operating systems. "The fact is, for NT you need to lock more things down," Cafarcio said.
Cisco passes test
The good news is that ICSA said it will be adding Cisco's IOS firewall to the "pass" list. The Cisco IOS firewall lets managers set up access lists, encryption, TACACS, Remote Authentication Dial-In User Service and router-to-router authorization on Cisco's 1600 and 2500 series routers. The routers, which can block Java code based on IP address, are now certified under ICSA's testing guidelines to detect and prevent certain denial-of-service attacks.
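As an added illustration, not taken from the article or from Cisco's own documentation, here is a minimal IOS firewall configuration of the kind the paragraph describes: an inbound access list on the outside interface, Context-Based Access Control (CBAC) inspection that opens return paths dynamically and blocks Java applets except from listed source addresses, half-open-connection thresholds of the sort used against SYN-flood style denial of service, and TACACS+/RADIUS login authentication. All addresses, interface names, server hosts and keys are assumed for the example.

```cisco
! Added example; addresses, names and keys are assumed, not from the article.
!
! Central login authentication: TACACS+ first, RADIUS next, local as fallback.
aaa new-model
aaa authentication login default tacacs+ radius local
tacacs-server host 192.0.2.10 key tacacs-secret
radius-server host 192.0.2.11 auth-port 1645 acct-port 1646 key radius-secret
!
! Java blocking by IP address: applets are only admitted from this network;
! HTTP responses carrying applets from any other source are dropped.
access-list 10 permit 192.0.2.0 0.0.0.255
!
! Outside-in filter: deny everything statically. CBAC adds temporary
! openings for return traffic of sessions started from the inside.
access-list 101 deny ip any any log
!
! Inspection rules for the protocols the article says ICSA tests.
ip inspect name FW tcp
ip inspect name FW udp
ip inspect name FW ftp
ip inspect name FW smtp
ip inspect name FW http java-list 10
!
! Denial-of-service thresholds: when half-open sessions exceed the high
! mark, the router deletes old half-open sessions until the low mark is reached.
ip inspect max-incomplete high 500
ip inspect max-incomplete low 400
ip inspect tcp synwait-time 30
!
interface Ethernet0
 description inside (assumed)
 ip address 10.0.0.1 255.255.255.0
 ip inspect FW in
!
interface Serial0
 description outside (assumed)
 ip address 198.51.100.2 255.255.255.252
 ip access-group 101 in
```

The inspection rule is applied inbound on the inside interface so that outbound sessions are tracked as they enter the router; the static deny on the outside interface is what makes the dynamic openings meaningful, since without it the inspection adds nothing the access list was not already permitting.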
However, Cisco won't be adding security-management and reporting support for the IOS firewall to its central configuration console until July, said Jocelyn Okrent, IOS firewall product manager. "There's a bit of a lag," she acknowledged, but added that the IOS firewall security logs can be converted into an easily readable format today using Open Systems Solutions, Inc.'s product, PrivateI.
