Three out of six firewalls failed to remain operational when subjected to the NSS Labs’ stability tests. Moy called the firewall failures alarming. All of the firewalls tested had ICSA Labs and Common Criteria certifications, he said.
“In addition to a denial-of-service, it could potentially open up a hole and allow an attacker to get in,” Moy said. “One of the firewalls – when it crashed – gave the attacker inside root access without requiring password to the firewall.”
Five out of six vendors failed to correctly handle a TCP Split Handshake or Sneak ACK attack. The attack is similar to IP spoofing. The technique is well known in the hacking community and enables an attacker to bypass a firewall, rarely being detected.