Working With NSS Labs, Palo Alto Networks Fixes Security Weakness

Palo Alto Networks issued a security update to its next generation firewall, adding protection against common attack techniques that had rendered the appliance ineffective and caused it to perform poorly against competitors in a recent test conducted by NSS Labs..

The Santa Clara, Calif.-based networking security vendor said the security update enables its next generation firewalls to defend against against two common evasion techniques used by attackers to bypass network firewalls. The company is now cooperating with NSS Labs, according to Lee Klarich, senior vice president of product management at Palo Alto Networks.

"Through our own testing efforts and through working with NSS, we were able to replicate the two issues and focused immediately on a fix, which has been completed and is now available," Klarich said in an update to customers. "We would like to thank NSS for their assistance in this matter and greatly appreciate the professional and collaborative manner in which this occurred. Given that new attack methods are being developed at all times, any input that assists in identifying and blocking them is helpful as demonstrated in this case, and we plan to proactively engage in future tests to ensure we benefit from all input."

[Related: Palo Alto Networks Appliance Vulnerable To Evasion, Was Tested Thoroughly, Says NSS Labs]

Austin, Texas-based NSS Labs tested and verified that the fixes remediate the security weaknesses and is currently conducting a full test of the appliance. The independent testing firm will also produce a new product analysis report, said Bob Walder, founder and chief research officer at NSS Labs.

Security experts, including some longtime Palo Alto Networks partners, told CRN that the failure to defend against some evasion techniques was a "serious" lapse that may have been introduced in previous versions of the PAN OS software. It effectively renders a networking appliance useless, allowing a cybercriminal to use exploits against systems protected by the firewall. Protection against certain evasion techniques also wasn't enabled by default, requiring a configuration change, according to the NSS Labs test results.

In a security advisory issued by Palo Alto Networks Thursday, the company said the fix incorporates the ability to defend against a layered TCP/IP evasion, which gave attackers the ability to bypass threat signature matching and a RPC fragmentation evasion, which enabled an attacker to use malicious remote procedure call packets to evade the appliance's RPC signature protections. The security update requires no configuration change, the company said.

The NSS Labs test pitted Palo Alto's PA-3020 appliance against networking security gear from Check Point Software Technologies, Cisco Systems, Dell, Sophos' Cyberroam, Fortinet, Intel Security (formerly McAfee) and WatchGuard. Failing to detect the evasion techniques gave the company's appliance a 60.9 percent security effectiveness score, a below-average total cost of ownership score and the only "caution" rating in the report.

The closest vendor was Sophos' Cyberroam appliance, which got an 88.2 percent security effectiveness score and an above-average total cost of ownership rating, earning it a neutral designation from NSS Labs.

PUBLISHED OCT. 10, 2014