Tag: Cisco

SDxCentral: Palo Alto Networks and Fortinet given all clear after firewall hiccups

Posted on by CyberRatings.org

Palo Alto Networks and Fortinet have received a clean bill of health for their firewall protections, while the jury is still out on current Cisco defenses.

CyberRatings.org recommended both Palo Alto and Fortinet after new tests confirmed they had patched evasions previously discovered by the security testing firm.

In tests carried out at the start of the month by CyberRatings’ testing partner NSS Labs, researchers found they were able to bypass protection using Layer 4 TCP evasions in both Palo Alto’s PAN-OS (version 11.2.8-c537) and Fortinet’s IPS (v7.01154), as well as evading Layer 3 IP in the Palo Alto operating system.

Both firms reacted quickly, with Palo Alto developing an updated PAN-OS firmware package (PAN-OS 11.2.10-c37) and Fortinet deploying an updated IPS package (v7.01165 (33.00064) to fix the vulnerabilities.

Read the full article here.

SDxCentral: SSE protection found uneven across major vendors

Posted on by CyberRatings.org

Researchers reported major disparity in security effectiveness of security service edge (SSE) protection across major vendors.

Non-profit cyberratings.org/ (CyberRatings) found security effectiveness ranged from less than 3% to 100% in its testing of vendor products, with only Fortinet, Palo Alto Networks, Versa Networks, and Zscaler earning a “recommended” rating.

In contrast, SSE products from Cisco, Cloudflare, and Skyhigh were tagged with a “caution” label, indicating “below-average” security effectiveness with the recommendation that end users “should consider seeking other solutions.” The ratings were put down due to “failures in critical tests.”

Read the full article here.

CyberRatings.org Test Results Reveal Critical Failures in SSE

Posted on by CyberRatings.org

Austin, TX – July 16, 2025 – CyberRatings.org (CyberRatings), the non-profit organization dedicated to providing insight into the capabilities of cybersecurity products and services through independent testing, today announced the comparative results of its latest Security Service Edge (SSE) evaluation. The findings expose a striking disparity in product performance: Security Effectiveness ranged from 2.95% to 100%, underscoring just how uneven SSE protection remains across vendors.

Only Fortinet, Palo Alto Networks, Versa Networks, and Zscaler earned a Recommended rating, while products from Cisco, Cloudflare, and Skyhigh were rated Caution due to failures in critical tests.

Despite meeting our inclusion criteria and high market interest, we were unable to include Cato Networks and Netskope in this test. Netskope’s high entry level licensing cost and their lack of responsiveness to our inquiries to purchase their product rendered it inaccessible. Cato was explicit in their refusal to engage with us or allow us to procure licensing for any form of independent third-party validation.

“With cloud-delivered products rapidly evolving through continuous integration and deployment, customers have little visibility into what changes under the hood,” said Vikram Phatak, CEO of CyberRatings.org. “Only by conducting regular independent testing can enterprises ensure they’re not left vulnerable to silent failures that could go unnoticed for months.”

Of all the SSE test criteria, blocking evasions had the most impact on security effectiveness. Evasion techniques are used by threat actors to disguise or modify attacks, so they slip past defenses. While most products excelled at blocking known malware and exploits, three failed to stop evasions — exposing organizations to entire classes of undetected attacks.

These independent tests uniquely stress real-world evasion techniques that standard evaluations often overlook — the techniques cybercriminals rely on to bypass security measures.

The SSE evaluation was designed to reflect modern, adversarial conditions and covered:

  • Malware: 6,184 malware samples in active use by global threat actors.
  • Exploits: 205 exploits of known vulnerabilities.
  • Evasions: 1,154 evasions spanning 37 categories of techniques.
  • False Positives: 1,514 legitimate files and applications, verifying security measures do not impact users and operations.
  • TLS/SSL: Encrypted attacks using cipher suites that represent ~97% of real-world HTTPS traffic.

Security Service Edge is inherently complex — a multi-layered technology stacked atop ever-changing cloud environments. Customers typically have minimal visibility into how these systems operate and testing them independently is challenging. This double-layered opacity makes third-party validation essential to diagnose performance issues, fine-tune policy enforcement, and ensure real security outcomes. CyberRatings strongly urges organizations to adopt periodic or ongoing third-party testing to ensure consistent protection and compliance.

NSS Labs is the Official Testing Partner of CyberRatings. Keysight’s CyPerf tool was used for performance and TLS/SSL functionality, and TeraPackets Threat Replayer tool was used for exploit replay validation.

CyberRatings.org Announces Test Results for Cisco Umbrella and Palo Alto Networks Prisma Access

Posted on by CyberRatings.org

Austin, TX – May 15, 2025 – cyberratings.org/ (CyberRatings), the non-profit organization dedicated to providing insight into the capabilities of cybersecurity products and services through independent testing, has released additional results from its Security Service Edge (SSE) testing. These latest tests focused on two leading products: Cisco Umbrella and Palo Alto Networks Prisma Access.

Palo Alto Networks Prisma achieved a Security Effectiveness score of 98.89%, successfully blocking 100% of evasions. In contrast, Cisco Umbrella scored 12.44%, primarily due to its failure to detect evasive threats. Full test reports detail product performance across multiple threat categories, with scoring weighted by attack severity.

The evaluation covered:

  • TLS/SSL: Top 5 Ciphers used (accounts for ~97% of HTTPS traffic).
  • Malware: 6,184 attack samples sourced from current malware campaigns.
  • Exploits: 205 attack samples from widely exploited vulnerabilities in enterprise environments.
  • Evasions: 1,154 attacks spanning 37 evasion techniques.
  • False Positives: 1,514 samples from various business-critical files and applications, ensuring security measures did not disrupt legitimate traffic.

Evasion techniques are used by attackers to disguise or obfuscate attacks so that they bypass detection. SSE products must not be tricked by evasions—failure exposes organizations to entire classes of (undetected) threats.

“Missing just one type of evasion allows attackers to use entire categories of malware or exploits undetected,” said Vikram Phatak, CEO of cyberratings.org/.

Security Service Edge is a complex multi-layered security technology built on top of complex, ever-changing cloud technologies. Customers have minimal visibility into their operation and architecture, and testing is challenging. This double-layered opacity limits an organization’s ability to diagnose performance issues, fine-tune policy enforcement, or validate security outcomes.

“These are closed systems—what I think of as a black box in a black box—that force executives to make risk decisions based on trust rather than evidence,” Phatak added. “That’s why it is critical that independent testing provides evidence-based data on which executives can make decisions.”

CyberRatings is on track to test several other SSE vendors for Threat Protection along with a Comparative Report to be published this summer.

In addition to in-house testing technologies, CyberRatings used Keysight’s CyPerf tool to test performance and TLS/SSL functionality as well as TeraPackets Threat Replayer tool for exploit packet capture replay.

Futuriom: Cloud Firewalls Have Gaping Holes

Posted on by CyberRatings.org

In the release of remarkable firewall test results today, independent nonprofit testing firm CyberRatings.org revealed wild variability in network and cloud firewall efficacy, with special concerns about the firewall instances running in the major public clouds, which seemed not to work very well at all.

In the release of the CyberRatings Q1 2025 Comparative Test Report on Cloud Network Firewalls (CNFWs), many traditional firewalls performed quite well with efficacy ranging at almost 100%. Third-party firewalls from Check Point, Fortinet, Juniper Networks, Palo Alto Networks, and Versa Networks demonstrated the highest security effectiveness blocking exploits and evasion tactics. Results ranged from 99.61% to 100%.

But move into the public cloud, and you get a different story. Some native firewalls from Amazon Web Services (AWS), Google Cloud Platform (GCP), and Microsoft Azure received a 0% Security Effectiveness score as they allowed attacks to bypass existing defenses. In addition, Cisco’s Secure Firewall Defense didn’t receive high ratings, with a 54.5% effectiveness rating and the highest costs per bit of traffic in the bunch.

Read the full article here.

CyberScoop: Independent tests show why orgs should use third-party cloud security services

Posted on by CyberRatings.org

Businesses don’t always get what they pay for in cybersecurity. Some of the most expensive cloud network firewall vendors are among the worst performers against exploits and evasions, according to the most comprehensive, independent testing CyberRatings.org has conducted to date.

Cisco, by far the most expensive cloud network firewall offering across the top 10 vendors on price per megabits per second, ranked seventh with an overall security effectiveness score of 53.5%, according to CyberRatings.org research released Wednesday.

The trio of big cloud providers — Amazon Web Services, Microsoft Azure and Google Cloud Platform — fared even worse, each landing at the bottom of the pack with a 0% security effectiveness score.

Read the full article here.

Ian Foo joins CyberRatings as Chief Technology Officer and EVP of Product.

Posted on by CyberRatings.org

Austin, TX – July 9, 2024 – CyberRatings.org (CyberRatings), the non-profit entity dedicated to providing confidence in cybersecurity products and services through its research and testing programs, announced today that Ian Foo has joined as Chief Technology Officer (CTO) and Executive Vice President of Product. Tim Otto, also a veteran in cybersecurity technologies, has joined as Vice President of Test Operations.

Foo will be responsible for developing new testing programs, products, and building out the CyberRatings Spot Check service announced earlier this year. Otto’s responsibilities include test execution and expanding laboratory operations. Each executive brings more than 20 years of experience in evolving cybersecurity technologies.

Foo comes to CyberRatings from Google, where he was Senior Product Manager focusing on Cloud Networking and special projects within Google Cloud Platform (GCP). There he drove vision, strategy, roadmap, and development of networking and routing at global scale to create platforms enabling effective enterprise cloud transformation for Google’s customers. Prior to Google he was Director of Product & GTM for Service Providers at Commvault where he led product management for Service Provider transformation from traditional on-premises solutions to Cloud SaaS based models and platforms. Earlier in his career he held senior product and technical leadership positions focusing on security, enterprise solutions, service provider solutions, data center networking, global scale routing, and Software Defined Networking (SDN) at several global technology companies including Huawei, Cisco, and BBN/GTE Internetworking/Verizon.

Otto has a long history in testing cybersecurity products. Most recently he was Technical Marketing Engineer Director at Juniper Networks where he ran competitive and 3rd party testing for Juniper Networks Security branch. Prior to Juniper he was Domain Manager and Testing Team Lead for NSS Labs where he led the team that designed the harnesses and tests for all of the network security tests run by NSS Labs.

Both Foo and Otto will be reporting to CEO Vikram Phatak.

“We are incredibly fortunate to have both Ian and Tim joining our team,” said Vikram Phatak, CEO of CyberRatings.org. “Their wealth of experience and leadership skills will be a tremendous asset as we grow the organization.”

Best Practices for Enterprise Firewall Deployment in 2024

Posted on by CyberRatings.org

As previously announced, the security industry is working towards a secure-by-default configuration.

This is still an ongoing process; however, we already see vendors making improvements from when we published the cloud network firewall group test. In that test, we found that not all products were secure by default. Therefore, we documented the changes we made and published them. We are doing the same for this group test.

Last year, the Cybersecurity & Infrastructure Security Agency (CISA), along with ten U.S. and international partners, published guidelines for their “Secure by Design, Secure by Default” principle. In their April 2023 publication, they stated the following:

“Secure-by-Default” means products are resilient against prevalent exploitation techniques out of the box without additional charge. These products protect against the most prevalent threats and vulnerabilities without end-users having to take additional steps to secure them. Secure-by-Default products are designed to make customers acutely aware that when they deviate from safe defaults, they are increasing the likelihood of compromise unless they implement additional compensating controls.

This guide should complement what the vendors already provide to their customers. Please refer to the links below for the best practices and guides for each vendor we tested. We have also included extra information for one vendor: Cisco.

The following steps were taken for each firewall:

  • Deploy the firewall in our lab in Austin, Texas (we are using Fortinet for this example).
  • Connect the interfaces required for the topology. This information can be found in each vendor guide.
  • Register the device to the centralized management system where needed. For our test, we only used centralized management for Cisco and Versa Networks. For Cisco, it is required to get some functionality working; more on this below. For Versa Networks, it’s both recommended and needed from a licensing perspective. This is information that is found in each vendor guide.
  • Validation of licenses, which, in turn, enable software updates, threat updates, etc. This information is found in each vendor guide.
  • Define access policies:
    • Trust to untrust
    • Untrust to trust
  • Define IPS policies:
    • Enable threat signatures, advanced protection, cloud lookup, etc. Each product handles this differently, but this information is in their guides.
  • Upload the required server certs, keys, and CA certs if necessary. This information is available in each vendor guide.
  • Define TLS decryption policies for versions 1.2 and 1.3. Configure them to decrypt all traffic. We make a few exceptions to test if the product can bypass decryption based on specific IP addresses or domain names. If something cannot be decrypted or is using an older TLS/SSL version or an insecure cipher, then the product is set to block.
  • Link IPS and TLS policies to the overall access policy.
  • Validate configuration:
    • Make sure you can pass traffic.
    • Make sure you can block attacks by sending something malicious. Tune out false positives where possible. If we couldn’t do so without disabling security or if it was practically impossible, we listed the false positive rate in the test report. Please refer to individual test reports for more details.

For each firewall listed below, we have included a link to best practices and additional information.

Firewalls Tested:

 

Check Point Quantum Force 19200 plus

https://www.checkpoint.com/downloads/products/quantum-force-19200-datasheet.pdf

Firmware: R81.20 Jumbo Hotfix Take 45
IPS Version: 635242922
Configuration: 2 x 40G – 1 port-pairs

Follow their instructions; the product doesn’t require any special configuration.

Documentation: https://support.checkpoint.com

 

Cisco Firepower 2130

https://www.cisco.com/c/en/us/products/collateral/security/firepower-2100-series/datasheet-c78-742473.html

Firmware: Threat Defense v7.3.1 (build 19)
IPS Version: 384
Configuration: 4 x 10G – 2 port-pairs

Follow their instructions; the product requires special configuration; see below.

Documentation: https://www.cisco.com/c/en/us/support/security/firepower-ngfw/products-installation-and-configuration-guides-list.html

We also registered the Cisco Secure Firewall Threat Defense into the Cisco Secure Firewall Management Center (FMC). We enabled TLS 1.2 and 1.3 following Cisco’s instructions. This included updating from Snort v2 to Snort v3, which is required to enable TLS 1.3—as per Cisco: “You must be using Snort 3 to match TLS 1.3 connections.” See https://www.cisco.com/c/en/us/td/docs/security/firepower/730/fdm/fptd-fdm-config-guide-730/fptd-fdm-ssl-decryption.html for more details. This link also provides information about how to make TLS 1.2 and TLS 1.3 work, while also blocking other SSL/TLS version.

Note: Cisco does not support the CHACHA20 cipher suites despite claiming otherwise.

The following screenshot shows the instructions required for achieving our test’s use case.

 

Forcepoint 3410 NGFW

https://www.forcepoint.com/sites/default/files/resources/datasheets/datasheet-forcepoint-ngfw-3400-series-appliance-en_0.pdf

Firmware: 7.1.1 build 29059
IPS Version: 1707
Configuration: 2 x 40G – 1 port-pairs

Follow their instructions; the product doesn’t require any special configuration.

Note: From version 7.1, Forcepoint Next Generation Firewall is rebranded to Forcepoint FlexEdge Secure SD-WAN.

Documentation: https://support.forcepoint.com/s/article/FlexEdge-Secure-SD-WAN

 

Fortinet FortiGate-900G

https://www.fortinet.com/content/dam/fortinet/assets/data-sheets/fortigate-900g-series.pdf

Firmware: v7.4.4 GA
IPS Version: 27.00783
Configuration: 4 x 10G – 2 port-pairs

Follow their instructions; the product doesn’t require any special configuration.

Documentation: https://docs.fortinet.com/document/fortigate/7.4.4/administration-guide/954635/getting-started

 

Juniper Networks SRX4600

https://www.juniper.net/us/en/products/security/srx-series/srx4600-firewall-datasheet.html

Firmware: JUNOS 22.4X3.1 srx4600
IPS Version: 3701
Configuration: 2 x 40G – 2 port-pairs

Follow their instructions; the product doesn’t require any special configuration.

Documentation: https://www.juniper.net/documentation/product/us/en/srx4600/junos-os/

 

Palo Alto Networks PA-450

https://docs.paloaltonetworks.com/hardware/pa-400-hardware-reference/pa-400-firewall-specifications

Firmware: 11.1.1
IPS Version: Threat Version: 2024-05-14 (8849-8746)

AntiVirus Version: 2024-05-14 (4818-5336)
Configuration: 4 x 1G – 2 port-pairs

Follow their instructions; the product doesn’t require any special configuration.

Evasion defenses are now enabled by default, using their latest update. To verify this is the case, please follow the instructions below.

Documentation: https://docs.paloaltonetworks.com/best-practices

Next, you will have to follow the detailed instructions as documented by Palo Alto Networks: https://docs.paloaltonetworks.com/advanced-threat-prevention/administration/threat-prevention/best-practices-for-securing-your-network-from-layer-4-and-layer-7-evasions

After following those instructions, issue the commands in the command line interface (CLI).

To do this:

  • You will have to enable SSH on the device.
  • Then, log in to the device with your admin credentials.
  • Then, run the following commands:

Set system setting ctd block-on-base64-decode-error enable
set system setting ctd block-on-bdat-chunk-decode-error enable
set system setting ctd block-on-chunk-decode-error enable
set system setting ctd block-on-qp-decode-error enable
set system setting ctd block-on-utf-decode-error enable
set system setting ctd block-on-uu-decode-error enable
set system setting ctd block-on-zip-decode-error enable

set deviceconfig setting session resource-limit-behavior bypass

 

Sangfor NGAF 5300

https://www.sangfor.com/sites/default/files/2022-06/NGAF_DS_P_NGAF53-Datasheet_20220531.pdf

Firmware AF 8.0.85.1029 Build 20240423
IPS Version 2024-04-23 (Vulnerability Database)
Configuration 2 x 10G – 1 port-pairs

Follow their instructions; the product doesn’t require any special configuration.

Documentation: https://community.sangfor.com/plugin.php?id=sangfor_databases%3Aindex#?Product=NGAF&Document=Configuration%20Guide&Language=English

 

Versa Networks CSG5000

https://versa-networks.com/documents/datasheets/versa-csg5000-series.pdf

Firmware versa-flexvnf-20240405-041659-5186a33-22.1.4-B
IPS Version 6446
Configuration 5 x 10G – 5 port-pairs (limited to 40G)

Follow their instructions; the product doesn’t require any special configuration.

Documentation: https://academy.versa-networks.com/versa-academy-library/

Documentation: https://docs.versa-networks.com

2024 Best Practices for Cloud Network Firewall Deployment

Posted on by CyberRatings.org

The security industry is working towards a secure by default configuration. However, when setting up products for the 2024 Cloud Network Firewall group test, we found that not all products are secure by default. We, therefore, documented the changes we made and are publishing them in this guide.

Last year, the Cybersecurity & Infrastructure Security Agency (CISA), along with ten U.S. and international partners, published guidelines for their “Secure by Design, Secure by Default” principle. In their April 2023 publication, they stated the following:

“Secure-by-Default” means products are resilient against prevalent exploitation techniques out of the box without additional charge. These products protect against the most prevalent threats and vulnerabilities without end-users having to take additional steps to secure them. Secure-by-Default products are designed to make customers acutely aware that when they deviate from safe defaults, they are increasing the likelihood of compromise unless they implement additional compensating controls.

This guide should be used as a supplement to what the vendors already make available to their customers. Please see the links below to the best practices and guides for each product we tested. We have also provided additional information for three products: Cisco Secure Firewall Threat Defense Virtual, Palo Alto Networks VM-Series, and Amazon Web Services (AWS) Network Firewall.

Cloud Network Firewall Test Topology

The following steps were taken for each firewall:

Deploy the firewall in Amazon Web Services (AWS). For this example, we are using Fortinet:

  1. Review Firewall options and pricing, then Click to Subscribe.

2. Once you have picked your instance type, Continue to Configuration.

3. Review selection and Continue to Launch.

4. Launch the software from the website, or the EC2 dashboard – selected in the drop-down menu.

5. In the EC2 dashboard, define who has access to the firewall, launch Instance.

  • Connect the interfaces required for the topology. This is information that is found in each vendor guide.
  • Register the device to the centralized management system. This is information that is found in each vendor guide.
  • Validation of license/s, which in turn enabled software updates, threat updates, etc. This is information that is found in each vendor guide.
  • Define access policies:
    • Trust to untrust
    • Untrust to trust

  • Define IPS policies:
    • Enable threat signatures, advanced protection, cloud lookup, etc. Each product handles this differently, but this information is in their guides.
  • Upload the required server certs, keys, and CA certs if needed. This is information that is found in each vendor guide.
  • Define TLS decryption policies (1.2 and 1.3). Configure it to decrypt all traffic. We make a few exceptions to test whether the product can bypass decryption based on specific IP addresses or domain name(s). If something cannot be decrypted or is using an older TLS/SSL version and or an insecure cipher then the product is set to block.
  • Link IPS and TLS policies to the overall access policy.
  • Validate configuration:

Make sure you can pass traffic.

Make sure you can block attacks by sending something malicious.

Tune out false positives.

Firewall Configurations

For each firewall listed below, we have included:

  • Link to the AWS page where the firewall can be selected and deployed
  • Link to best practices and additional information

Amazon Web Services (AWS) Network Firewall

Product, best practices, and documentation: https://aws.amazon.com/network-firewall/

Following the best practices resulted in a deployment that was unable to stop any threats in our Cloud Network Firewall testing harness. After consulting AWS, we were instructed to make changes to the policy. The resulting deployment was successful in blocking 5.39%.

The configuration suggested by AWS:

  • No stateless rules

  • No default stateful action

  • Only Alert actions in the unmanaged signatures

This configuration should send all traffic through the inspection engine.

Our configuration that was tested before the conversation with AWS was slightly different. We had a rule for all stateless traffic to be forwarded to the stateful engine. Under the Stateful default actions, we had “Drop established,”“Alert all,” and “Alert established enabled. For rules we had the following:

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:”allow-ssm”;flow:established,to_server;sid:88889;rev:1;)
pass tcp $HOME_NET any -> $EXTERNAL_NET any (msg:”allow-ssm”;flow:established,to_server;sid:8888;rev:1;)
pass tcp any any -> any any (msg:”allow-ssm”;flow:established,to_server;sid:888888;rev:1;)
pass UDP any any -> any any (msg:”allow-udp”;sid:88881;rev:1;)
pass ICMP any any -> any any (msg:”allowing-ourbuddyping”;sid:88882;rev:1;)

Both configurations resulted in the same security block rate of 5.39%.

Barracuda CloudGen Firewall

Follow their instructions; the product doesn’t require any special configuration.

Product page: https://aws.amazon.com/marketplace/pp/prodview-nf2s254wcmqfw

Documentation: https://campus.barracuda.com/product/cloudgenfirewall/doc/98209931/overview

Check Point CloudGuard

Follow their instructions; the product doesn’t require any special configuration.

Product page: https://aws.amazon.com/marketplace/pp/prodview-3xp7nph2367yc

Documentation: https://support.checkpoint.com

Cisco Secure Firewall Threat Defense Virtual

Follow their instructions; the product requires special configuration. See below.

We followed the best practices for deploying Cisco Secure Firewall Threat Defense Virtual including updating the software from 7.2.0 to 7.2.5-208 and then to 7.3.0-69.

We also registered the Cisco Secure Firewall Threat Defense into the Cisco Secure Firewall Management Center (FMC). We enabled TLS 1.2 and 1.3 following Cisco’s instructions. This included updating from Snort v2 to Snort v3, which is required to enable TLS 1.3—as per Cisco: “You must be using Snort 3 to match TLS 1.3 connections.” See https://www.cisco.com/c/en/us/td/docs/security/firepower/730/fdm/fptd-fdm-config-guide-730/fptd-fdm-ssl-decryption.html for more details.


After deploying the firewall following their best practices, we were able to verify that TLS 1.2 was decrypting properly, as seen in this screenshot:

Even though we followed the instructions provided by Cisco to enable TLS 1.3, the Cisco Firewall failed to decrypt TLS 1.3 and the logs issued an “SSL_Version_Not_Supported” error, as seen in this screenshot:

Unless you look at the logs, the user interface does not indicate that TLS 1.3 is not being appropriately As shown in the above screenshots. you can check a box that is supposed to turn on TLS 1.3 support, but it does not turn it on. Moreover, while Cisco says TLS 1.3 is on, and when TLS 1.3 traffic is sent across the Cisco cloud firewall, the logs clearly state that the TLS/Cipher suites are not supported and do not decrypt the data. In addition, Cisco does not support the CHACHA20 cipher suites despite claiming otherwise.

Forcepoint NGFW

Follow their instructions; the product doesn’t require any special configuration.

Product page: https://aws.amazon.com/marketplace/pp/prodview-svzncd5l73lu2

Documentation: https://help.forcepoint.com/ngfw/en-us/7.0.4/index.html

Fortinet FortiGate-VM

Follow their instructions; the product doesn’t require any special configuration.

Product page: https://aws.amazon.com/marketplace/pp/prodview-wory773oau6wq

Documentation: https://docs.fortinet.com/document/fortigate/7.2.6/administration-guide/954635/getting-started

Juniper Networks vSRX

Follow their instructions; the product doesn’t require any special configuration.

Product page: https://aws.amazon.com/marketplace/pp/prodview-z7jcugjx442hw

Documentation: https://www.juniper.net/documentation/us/en/software/vsrx/vsrx-consolidated-deployment-guide/vsrx-consolidated-deployment-guide.pdf

Palo Alto Networks VM-Series Next-Generation Firewall w/ Advanced Threat Prevention

Follow their instructions; the product requires special configuration. See below.

Evasion defenses are not enabled by default. Please follow the instructions below. These are a combination of their best practices guide as well as additional instructions per the Palo Alto Engineers we worked with.

Product page: https://aws.amazon.com/marketplace/pp/prodview-mn63yjbq37n4c

Documentation: https://docs.paloaltonetworks.com/best-practices/security-policy-best-practices/security-policy-best-practices

Next, you will have to follow the detailed instructions as documented by Palo Alto Networks: https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/threat-prevention/best-practices-for-securing-your-network-from-layer-4-and-layer-7-evasions

After following those instructions, then issue the following commands in the command line interface (CLI).

To do this:

  • Enable SSH on the device.
  • Log in to the device with your admin credentials.
  • Run the following commands:

Set system setting ctd block-on-base64-decode-error enable
set system setting ctd block-on-bdat-chunk-decode-error enable
set system setting ctd block-on-chunk-decode-error enable
set system setting ctd block-on-qp-decode-error enable
set system setting ctd block-on-utf-decode-error enable
set system setting ctd block-on-uu-decode-error enable
set system setting ctd block-on-zip-decode-error enable

set deviceconfig setting session resource-limit-behavior bypass

request plugins vm_series set-cores dp-cores 3

While the below configuration change will not improve your evasion protection, it may improve your performance. If you are worried about client-side attacks, do not make this change!

Disable Server Response Inspection (DSRI) – see screenshot below.

To Enable or disable DSRI:

  1. Go to Policies>Security>untrust-to-trust>Action.
  2. Check the “Other Settings “section for the DSRI option.
  3. Select the checkbox to enable.
  4. Unselect the checkbox to disable.

We have been informed that an upcoming version of the Palo Alto OS will enable these evasions by default.

Sophos Firewall

Follow their instructions; the product doesn’t require any special configuration.

Product page: https://aws.amazon.com/marketplace/pp/prodview-ga4qvij427bvw

Documentation: https://docs.sophos.com/nsg/sophos-firewall/20.0/help/en-us/webhelp/onlinehelp/index.html

Versa Networks NGFW

Follow their instructions; the product doesn’t require any special configuration.

Unlike the other products in this guide, Versa only offers a bring-your-own license (BOYL). This means products can be deployed using Versa Director (their central management system) or through EC2 on AWS.

Product page: https://aws.amazon.com/marketplace/pp/prodview-egtkta2usoxfa

Documentation: https://academy.versa-networks.com/versa-academy-library/

Documentation: https://docs.versa-networks.com

WatchGuard Firebox Cloud

Follow their instructions; the product doesn’t require any special configuration.

Product page: https://aws.amazon.com/marketplace/pp/prodview-5qg2dngtf3fgu

Documentation: https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/_intro/home.html

Exploring the Landscape of Cloud Network Firewalls Available on AWS

Posted on by CyberRatings.org

Today we focus on the diverse array of Cloud Network Firewalls available on Amazon Web Services (AWS). This comprehensive overview aims to inform IT professionals, network administrators, security analysts, and cybersecurity enthusiasts about the various firewall options on AWS, beyond just AWS’s native offerings.

Cloud Network Firewalls on AWS: A Broad Spectrum

AWS hosts a range of third-party cloud network firewalls, each offering unique features and capabilities tailored to different organizational needs. Here’s a rundown of some key players:

  1. Arista Networks Cloud Network Firewall
    Arista Networks provides a cloud network firewall offering for AWS environments, with a focus on traffic management and security. Its features include firewall capabilities, detailed traffic inspection, and policy enforcement tools. The offering is designed for compatibility with complex network architectures, providing various deployment options to meet diverse cloud security requirements.
  2. Barracuda CloudGen Firewall
    The Barracuda CloudGen Firewall, designed for AWS, offers security for cloud-connected networks. Its features encompass threat protection, VPN connectivity, and application-based traffic management. The firewall is developed to adapt to the evolving requirements of cloud infrastructures and includes centralized management for administration across distributed network setups.
  3. Check Point CloudGuard
    Check Point CloudGuard is a network security offering for AWS, including features like intrusion prevention, identity awareness, and anti-bot technology. It is designed for AWS service integration, aiming to protect cloud assets. CloudGuard supports auto-scaling to adapt its security measures in response to network traffic variations. This offering is intended for cloud environments, providing capabilities for managing security policies and handling network traffic.
  4. Cisco Cloud Network Firewall
    Known for its firepower series and ASA (Adaptive Security Appliances), Cisco offers a cloud network firewall tailored for AWS environments, equipped with features to manage network traffic and enforce security policies. This offering includes capabilities for inspecting and controlling traffic flow, as well as implementing security rules across cloud deployments. Designed to integrate with AWS, Cisco’s firewall aims to provide network security management suited to various cloud infrastructure requirements.
  5. Forcepoint Cloud Network Firewall
    Forcepoint’s cloud network firewall for AWS offers capabilities like SD-WAN integration and centralized management to safeguard network perimeters in cloud environments. The Forcepoint offering is structured to provide security management for cloud-based networks. It incorporates features for monitoring network activities and implementing security protocols to address potential threats.
  6. Fortinet FortiGate-VM: The Fortinet FortiGate-VM is a virtual firewall solution tailored for AWS environments, providing a range of network security capabilities. It offers features such as intrusion prevention, web filtering, and SSL inspection, aimed at safeguarding virtualized and cloud infrastructures. Key aspects include its ability to scale dynamically with AWS workloads, integration with AWS services for enhanced management and monitoring, and support for centralized control through Fortinet’s FortiManager. FortiGate-VM is designed to address various security requirements for AWS deployments, from basic VPC protection to advanced threat prevention, catering to diverse network architectures and compliance needs. As with any cloud network firewall solution, its effectiveness and suitability can vary based on specific organizational requirements and network configurations.
  7. Hillstone Networks: Focused on visibility and control, Hillstone offers advanced features for threat detection and mitigation. The offering includes capabilities for inspecting network activities and enforcing relevant security measures. Hillstone’s firewall is developed to support the security needs of cloud deployments, providing functionalities that facilitate the management of network traffic and the implementation of security policies in cloud environments.
  8. Juniper Networks vSRX Cloud Network Firewall
    Juniper Networks offers the vSRX Cloud Network Firewall for AWS, providing network traffic management and policy enforcement. This firewall includes features for monitoring network activities and implementing security protocols. The vSRX offering is designed for AWS environments, aiming to address various network security management needs in cloud infrastructures.
  9. Palo Alto Networks VM-Series
    The VM-Series from Palo Alto Networks is a cloud network firewall available on AWS, focusing on network traffic security and policy management. It offers features for inspecting network traffic and applying security rules. The VM-Series is developed to integrate with AWS, providing network security capabilities for different cloud deployment scenarios.
  10. Sophos UTM and XG Firewalls
    Sophos offers the UTM and XG Firewalls for AWS environments, delivering features to manage network security and traffic. These firewalls include tools for network activity monitoring and security protocol enforcement. Both the UTM and XG Firewalls by Sophos are structured to support security management in cloud-based networks, with functionalities aimed at maintaining network integrity and implementing necessary security measures.
  11. Versa Networks Cloud Network Firewall
    Versa Networks specializes in next-generation firewall capabilities integrated with SD-WAN, suitable for enterprises looking for a combination of security and network optimization. Its cloud network firewall solution for AWS is equipped to handle network security and traffic control. Versa Networks’ firewall is tailored for AWS cloud environments, focusing on meeting diverse network security management requirements in cloud infrastructures.

Choosing the Right Cloud Network Firewall on AWS

Selecting the right cloud network firewall on AWS depends on specific security requirements, scalability needs, and integration capabilities. Factors to consider include:

  • Security Features: Assess the firewall’s capability to protect against the specific threats your organization faces.
  • Performance and Scalability: Ensure the firewall can handle your current and projected traffic volumes without compromising performance.
  • Integration with AWS Services: Look for firewalls that offer seamless integration with other AWS services for streamlined security management.
  • Cost: Consider both upfront and ongoing costs associated with each firewall solution.

Conclusion

The choice of a cloud network firewall on AWS should be guided by your organization’s unique security, performance, and budgetary requirements. Each of the mentioned firewalls brings distinct advantages and specialties to the table, catering to a wide range of cloud-based security needs.

Stay tuned for our Cloud Network Firewall test results coming in March.