As previously announced, the security industry is working towards a secure-by-default configuration.
This is still an ongoing process; however, we already see vendors making improvements from when we published the cloud network firewall group test. In that test, we found that not all products were secure by default. Therefore, we documented the changes we made and published them. We are doing the same for this group test.
Last year, the Cybersecurity & Infrastructure Security Agency (CISA), along with ten U.S. and international partners, published guidelines for their “Secure by Design, Secure by Default” principle. In their April 2023 publication, they stated the following:
“Secure-by-Default” means products are resilient against prevalent exploitation techniques out of the box without additional charge. These products protect against the most prevalent threats and vulnerabilities without end-users having to take additional steps to secure them. Secure-by-Default products are designed to make customers acutely aware that when they deviate from safe defaults, they are increasing the likelihood of compromise unless they implement additional compensating controls.
This guide should complement what the vendors already provide to their customers. Please refer to the links below for the best practices and guides for each vendor we tested. We have also included extra information for one vendor: Cisco.
The following steps were taken for each firewall:
- Deploy the firewall in our lab in Austin, Texas (we are using Fortinet for this example).
- Connect the interfaces required for the topology. This information can be found in each vendor guide.
- Register the device to the centralized management system where needed. For our test, we only used centralized management for Cisco and Versa Networks. For Cisco, it is required to get some functionality working; more on this below. For Versa Networks, it’s both recommended and needed from a licensing perspective. This is information that is found in each vendor guide.
- Validation of licenses, which, in turn, enable software updates, threat updates, etc. This information is found in each vendor guide.
- Define access policies:
- Trust to untrust
- Untrust to trust
- Define IPS policies:
- Enable threat signatures, advanced protection, cloud lookup, etc. Each product handles this differently, but this information is in their guides.
- Upload the required server certs, keys, and CA certs if necessary. This information is available in each vendor guide.
- Define TLS decryption policies for versions 1.2 and 1.3. Configure them to decrypt all traffic. We make a few exceptions to test if the product can bypass decryption based on specific IP addresses or domain names. If something cannot be decrypted or is using an older TLS/SSL version or an insecure cipher, then the product is set to block.
- Link IPS and TLS policies to the overall access policy.
- Validate configuration:
- Make sure you can pass traffic.
- Make sure you can block attacks by sending something malicious. Tune out false positives where possible. If we couldn’t do so without disabling security or if it was practically impossible, we listed the false positive rate in the test report. Please refer to individual test reports for more details.
For each firewall listed below, we have included a link to best practices and additional information.
Firewalls Tested:
Check Point Quantum Force 19200 plus
https://www.checkpoint.com/downloads/products/quantum-force-19200-datasheet.pdf
| Firmware: | R81.20 Jumbo Hotfix Take 45 |
| IPS Version: | 635242922 |
| Configuration: | 2 x 40G – 1 port-pairs |
Follow their instructions; the product doesn’t require any special configuration.
Documentation: https://support.checkpoint.com
Cisco Firepower 2130
| Firmware: | Threat Defense v7.3.1 (build 19) |
| IPS Version: | 384 |
| Configuration: | 4 x 10G – 2 port-pairs |
Follow their instructions; the product requires special configuration; see below.
Documentation: https://www.cisco.com/c/en/us/support/security/firepower-ngfw/products-installation-and-configuration-guides-list.html
We also registered the Cisco Secure Firewall Threat Defense into the Cisco Secure Firewall Management Center (FMC). We enabled TLS 1.2 and 1.3 following Cisco’s instructions. This included updating from Snort v2 to Snort v3, which is required to enable TLS 1.3—as per Cisco: “You must be using Snort 3 to match TLS 1.3 connections.” See https://www.cisco.com/c/en/us/td/docs/security/firepower/730/fdm/fptd-fdm-config-guide-730/fptd-fdm-ssl-decryption.html for more details. This link also provides information about how to make TLS 1.2 and TLS 1.3 work, while also blocking other SSL/TLS version.
Note: Cisco does not support the CHACHA20 cipher suites despite claiming otherwise.
The following screenshot shows the instructions required for achieving our test’s use case.
Forcepoint 3410 NGFW
| Firmware: | 7.1.1 build 29059 |
| IPS Version: | 1707 |
| Configuration: | 2 x 40G – 1 port-pairs |
Follow their instructions; the product doesn’t require any special configuration.
Note: From version 7.1, Forcepoint Next Generation Firewall is rebranded to Forcepoint FlexEdge Secure SD-WAN.
Documentation: https://support.forcepoint.com/s/article/FlexEdge-Secure-SD-WAN
Fortinet FortiGate-900G
https://www.fortinet.com/content/dam/fortinet/assets/data-sheets/fortigate-900g-series.pdf
| Firmware: | v7.4.4 GA |
| IPS Version: | 27.00783 |
| Configuration: | 4 x 10G – 2 port-pairs |
Follow their instructions; the product doesn’t require any special configuration.
Documentation: https://docs.fortinet.com/document/fortigate/7.4.4/administration-guide/954635/getting-started
Juniper Networks SRX4600
https://www.juniper.net/us/en/products/security/srx-series/srx4600-firewall-datasheet.html
| Firmware: | JUNOS 22.4X3.1 srx4600 |
| IPS Version: | 3701 |
| Configuration: | 2 x 40G – 2 port-pairs |
Follow their instructions; the product doesn’t require any special configuration.
Documentation: https://www.juniper.net/documentation/product/us/en/srx4600/junos-os/
Palo Alto Networks PA-450
https://docs.paloaltonetworks.com/hardware/pa-400-hardware-reference/pa-400-firewall-specifications
| Firmware: | 11.1.1 |
| IPS Version: | Threat Version: 2024-05-14 (8849-8746)
AntiVirus Version: 2024-05-14 (4818-5336) |
| Configuration: | 4 x 1G – 2 port-pairs |
Follow their instructions; the product doesn’t require any special configuration.
Evasion defenses are now enabled by default, using their latest update. To verify this is the case, please follow the instructions below.
Documentation: https://docs.paloaltonetworks.com/best-practices
Next, you will have to follow the detailed instructions as documented by Palo Alto Networks: https://docs.paloaltonetworks.com/advanced-threat-prevention/administration/threat-prevention/best-practices-for-securing-your-network-from-layer-4-and-layer-7-evasions
After following those instructions, issue the commands in the command line interface (CLI).
To do this:
- You will have to enable SSH on the device.
- Then, log in to the device with your admin credentials.
- Then, run the following commands:
Set system setting ctd block-on-base64-decode-error enable
set system setting ctd block-on-bdat-chunk-decode-error enable
set system setting ctd block-on-chunk-decode-error enable
set system setting ctd block-on-qp-decode-error enable
set system setting ctd block-on-utf-decode-error enable
set system setting ctd block-on-uu-decode-error enable
set system setting ctd block-on-zip-decode-error enable
set deviceconfig setting session resource-limit-behavior bypass
Sangfor NGAF 5300
https://www.sangfor.com/sites/default/files/2022-06/NGAF_DS_P_NGAF53-Datasheet_20220531.pdf
| Firmware | AF 8.0.85.1029 Build 20240423 |
| IPS Version | 2024-04-23 (Vulnerability Database) |
| Configuration | 2 x 10G – 1 port-pairs |
Follow their instructions; the product doesn’t require any special configuration.
Documentation: https://community.sangfor.com/plugin.php?id=sangfor_databases%3Aindex#?Product=NGAF&Document=Configuration%20Guide&Language=English
Versa Networks CSG5000
https://versa-networks.com/documents/datasheets/versa-csg5000-series.pdf
| Firmware | versa-flexvnf-20240405-041659-5186a33-22.1.4-B |
| IPS Version | 6446 |
| Configuration | 5 x 10G – 5 port-pairs (limited to 40G) |
Follow their instructions; the product doesn’t require any special configuration.
Documentation: https://academy.versa-networks.com/versa-academy-library/
Documentation: https://docs.versa-networks.com