Three of the six firewalls failed to remain operational when subjected to NSS Labs’ stability tests. Moy called the firewall failures alarming; all of the firewalls tested carried ICSA Labs and Common Criteria certifications, he said.
“In addition to a denial-of-service, it could potentially open up a hole and allow an attacker to get in,” Moy said. “One of the firewalls – when it crashed – gave the attacker inside root access without requiring password to the firewall.”
Five of the six vendors failed to correctly handle a TCP Split Handshake or Sneak ACK attack. The attack is similar to IP spoofing. The technique is well known in the hacking community and lets an attacker bypass a firewall while rarely being detected.
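As an added illustration (not code from the article or from NSS Labs), the following Python checker shows the handshake pattern a defender would look for when verifying that a stateful device still treats a split handshake as an inbound connection; the flow records are constructed.

```python
# Added example (not from the article or NSS Labs): a simplified checker for
# the TCP split-handshake pattern, the case the tested firewalls mishandled.
# A normal open is: initiator SYN -> responder SYN+ACK -> initiator ACK.
# In the split handshake the responder answers the SYN with its own bare SYN
# (optionally preceded by a bare ACK, the "sneak ACK"), so the *initiator*
# ends up sending the SYN+ACK. A stateful device that decides direction by
# "who sent the SYN+ACK" can then record the session as opened the wrong way
# and apply the wrong policy. Segment records below are constructed samples.
from dataclasses import dataclass
from typing import Dict, Iterable, List

SYN = 0x02
ACK = 0x10


@dataclass(frozen=True)
class Segment:
    src: str    # "client" or "server": which side sent this segment
    flags: int  # TCP flag bits; only SYN and ACK are examined here


def classify_handshake(segments: Iterable[Segment]) -> str:
    """Return 'normal', 'split' or 'incomplete' for the first handshake seen.

    Sequence numbers, payload and retransmissions are ignored; this only
    looks at who sends SYN and whether their SYN carries ACK.
    """
    segs = list(segments)
    # The initiator is whoever sends the first bare SYN (SYN set, ACK clear).
    for i, s in enumerate(segs):
        if s.flags & SYN and not s.flags & ACK:
            opener = s.src
            # The peer's first SYN-bearing reply decides the verdict;
            # bare ACKs in between (the sneak ACK) are ignored.
            for reply in segs[i + 1:]:
                if reply.src != opener and reply.flags & SYN:
                    return "normal" if reply.flags & ACK else "split"
            return "incomplete"
    return "incomplete"


def audit_flows(flows: Dict[str, List[Segment]]) -> List[str]:
    """Return the names of flows whose handshake was split, for alerting."""
    return [name for name, segs in flows.items() if classify_handshake(segs) == "split"]


# Constructed sample flows: one normal handshake, one split handshake with a sneak ACK.
SAMPLE_FLOWS = {
    "flow-normal": [Segment("client", SYN), Segment("server", SYN | ACK), Segment("client", ACK)],
    "flow-split": [Segment("client", SYN), Segment("server", ACK), Segment("server", SYN),
                   Segment("client", SYN | ACK), Segment("server", ACK)],
}

if __name__ == "__main__":
    print(audit_flows(SAMPLE_FLOWS))  # ['flow-split']
```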
Even the mighty security firm Barracuda was hacked through one of the simplest, best-known and most commonly used exploits.
Barracuda’s firewall had accidentally been put into passive monitoring mode, which means it lets all traffic through without analysing or blocking anything; it had effectively been doing nothing since the late evening of April 8. This gave the attacker ample time to poke around with an automated script that crawled the site.
It took approximately two hours of “nonstop” probing before the intruder discovered a SQL injection flaw in a PHP script used to display customer case studies. That flaw gave the attacker access to the database used for marketing programs and sales lead development, because the customer case study database sat on the same system as the marketing database.
Do you have a way of monitoring the status of your firewall? Are your internal applications as hardened as your external-facing ones?