Computerworld

Many NT firewalls flunk basic security tests, group says

Releasing the lab results of its firewall-testing program last week, the International Computer Security Association (ICSA) warned that it has seen a sharp rise in the number of firewalls that flunk the certification tests.

In particular, the newer NT-based firewalls often did not stand up to the hacker-style stress test the ICSA labs methodically delivered in the most recent round of evaluation tests, said Pete Cafarcio, ICSA firewall program manager. He blamed the sharp decline in passing grades over the last year on vendors' "rush to market, with a resulting lack of due diligence".

"It's sell, sell, sell because the firewall market is so hot", said Cafarcio. "Over the past year, only 38 per cent of products we tested passed without having to be fixed or get a patch. And 6 per cent couldn't pass at all."

ICSA tests firewalls to ensure they can be properly configured to withstand hacker attacks on FTP, SMTP, HTTP, telnet, DNS, SSL and S-HTTP. In addition, ICSA now also tests for each firewall's ability to cope with denial-of-service attacks.

Not all NT-based firewalls had vulnerabilities detected, though. The latest lab results, available online at the ICSA Web site (www.ncsa.com), show that eight NT-based firewalls, including those from Cisco, Check Point Software Technologies, and Secure Computing, made the grade.

However, Microsoft's firewall and Web-caching product, the Proxy Server 2.0, does not appear on the latest ICSA list even though Microsoft is an ICSA member.

Cafarcio said he was not at liberty to discuss specific products that didn't make the grade, but he noted that the ICSA's testing showed that it's harder to build a good firewall on top of NT than Unix or proprietary operating systems.

"The fact is, for NT, you need to lock more things down," Cafarcio said.

In the good news department, ICSA said it will be adding Cisco's IOS firewall to the "pass" list. The Cisco IOS firewall lets managers set up access lists, encryption, TACACS, RADIUS and router-to-router authorisation for Cisco's 1600 and 2500 series routers.